Set context for unbound.log on selinux systems

I4f3265c16320613d4ba74a02df1361c5d9cf2fb1 moved this file to
/var/lib/unbound on selinux systems, as it was getting permissions
errors trying to write into /var/log.

This turns out to make it harder to collect the logs from projects
like devstack.  It's simpler if we just have the log file in a
consistent place.  On selinux systems, set the context, and revert
things to just writing into /var/log/unbound.log

Change-Id: I6bb58ef0d6bf4cbbb7fd4066e01b7a01d05009c3
Ian Wienand 2022-05-12 15:16:08 +10:00
parent 504d33b399
commit 4be8c66630
1 changed files with 9 additions and 7 deletions


@ -68,16 +68,10 @@ mv /tmp/forwarding.conf /etc/unbound/
chown root:root /etc/unbound/forwarding.conf
chmod a+r /etc/unbound/forwarding.conf
if [[ "$DISTRO_NAME" =~ (centos|rhel7|fedora|openeuler|rocky) ]] ; then
LOG_FILE="/var/lib/unbound/unbound.log"
else
LOG_FILE="/var/log/unbound.log"
fi
UNBOUND_LOGGING_CONF="\
server:
chroot: \"\"
logfile: \"$LOG_FILE\"
logfile: \"/var/log/unbound.log\"
# Log debug messages
verbosity: 5"
echo "$UNBOUND_LOGGING_CONF" > /tmp/unbound-logging.conf
@ -99,6 +93,14 @@ chmod a+r $UNBOUND_CONFD/unbound-logging.conf
touch /var/log/unbound.log
chown unbound /var/log/unbound.log
chmod 0644 /var/log/unbound.log
# NOTE(ianw) 2022-05-22 : not 100% sure why but emperically unbound
# runs under named context. Generally it doesn't log here on rhel-ish
# distros, but for consistency it's much easier if we just have one
# log file in the same place across distros. Thus set the context to
# allow it.
if [[ -e /usr/bin/chcon ]]; then
chcon -t named_log_t /var/log/unbound.log
fi
if [[ "$DISTRO_NAME" =~ (opensuse) ]] ; then
# NOTE(ianw) 2021-03-17 : something about building the suse chroot
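Review bot: The `[[ -e /usr/bin/chcon ]]` guard in the second hunk tests for the coreutils binary, not for SELinux being in use, and `chcon` is normally installed on distros that never enable SELinux, where the relabel can fail. Whether that failure aborts the build depends on errexit handling that is outside the hunk, so either gate on the SELinux state with `if command -v selinuxenabled >/dev/null && selinuxenabled; then`, or, if this runs in an image-build chroot where the host state is not the target's, handle the failure explicitly. A type set with `chcon` is also not recorded in the file-context policy, so a later `restorecon` or full relabel would return the file to its default type and unbound would hit the same write denial again. Running `semanage fcontext -a -t named_log_t '/var/log/unbound\.log'` followed by `restorecon /var/log/unbound.log` keeps the label across relabels. Because the comment says `named_log_t` was found empirically, I would also state in it which policy and distro it was checked against.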