SELinux

Security-Enhanced Linux (SELinux) adds an extra layer of system security and requires a few additional steps when installing LogCraft.

SELinux status

First, check if SELinux is enabled with the command:

bash

% getenforce
Enforcing
%

If the output is Permissive or Disabled, skip this page; otherwise, continue to the next section.

Adjust SELinux context

First, update the SELinux type for the LogCraft log directory:

bash

semanage fcontext -a -t var_log_t '/opt/logcraft/var/log(/.*)?'

Details

The semanage fcontext command manages the SELinux file context settings. The command adds an entry to /etc/selinux/targeted/contexts/files/file_contexts.local, specifying that LOGCRAFT_HOME/var/log is of type var_log_t.

The changes can be observed with:

bash

ls -Zd /opt/logcraft/var/log

Before applying the modification, the directory should have the type usr_t. Afterward, it should be var_log_t.

semanage not found?

Install it with sudo dnf install -y policycoreutils-python-utils (Redhat/RHEL or Rocky Linux)

Finally, apply the new context with:

bash

restorecon -Rv /opt/logcraft/var/log

Reload systemctl

After updating SELinux, reload systemctl:

bash

systemctl daemon-reload

Then start LogCraft with:

bash

systemctl restart logcraft

Troubleshooting

If SELinux is enforced and the directory types are not adjusted, LogCraft may fail to start. The following error appears in the system logs:

bash

% cat /var/log/messages
...
systemd[1404]: logcraft.service: Failed to set up standard output: Permission denied
systemd[1404]: logcraft.service: Failed at step STDOUT spawning /opt/logcraft/bin/logcraft: Permission denied
...
%

SELinux ​

SELinux status ​

Adjust SELinux context ​

Reload systemctl ​

Troubleshooting ​

SELinux

SELinux status

Adjust SELinux context

Reload systemctl

Troubleshooting