
SELinux

Security-Enhanced Linux (SELinux) adds an extra layer of system security and requires a few additional steps when installing LogCraft.

SELinux status

First, check if SELinux is enabled with the command:

bash
% getenforce
Enforcing
%

If the output is Permissive or Disabled, skip this page; otherwise, continue to the next section.

Adjust SELinux context

LogCraft is installed under /opt/logcraft, which is outside the paths the default SELinux policy knows about.

Apply the following semanage fcontext rules to cover the directories used by LogCraft.

bash
semanage fcontext -a -t bin_t      '/opt/logcraft/bin/logcraft'
semanage fcontext -a -t bin_t      '/opt/logcraft/pgsql/bin(/.*)?'
semanage fcontext -a -t lib_t      '/opt/logcraft/pgsql/lib(/.*)?'
semanage fcontext -a -t var_lib_t  '/opt/logcraft/var/pgdata(/.*)?'
semanage fcontext -a -t var_log_t  '/opt/logcraft/var/log(/.*)?'
semanage fcontext -a -t var_run_t  '/opt/logcraft/var/run(/.*)?'

Installing semanage

The utility semanage can be installed with sudo dnf install -y policycoreutils-python-utils (RHEL, Rocky, AlmaLinux).

Details

The semanage fcontext command manages the SELinux file context settings by adding entries to /etc/selinux/targeted/contexts/files/file_contexts.local to persist the rules for each path used by LogCraft.

The changes can be observed with the ls -Zd command, for example:

bash
ls -Zd /opt/logcraft/var/log

Before applying the modification, the directory should have the type usr_t. Afterward, it should be var_log_t.

Then, apply the new context with:

bash
restorecon -Rv /opt/logcraft
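
To confirm the relabel took effect, the following added example (not part of LogCraft or its documentation) checks `ls -Zd` output against the types assigned by the six semanage fcontext rules above. The function names and the sample lines are constructed for illustration.

```bash
# Added example: compare `ls -Zd` output with the types from the
# semanage fcontext rules on this page. Function names are hypothetical.

# Expected type for a path, mirroring the six rules; empty if no rule applies.
expected_type() {
  case "$1" in
    /opt/logcraft/bin/logcraft)                          echo bin_t ;;
    /opt/logcraft/pgsql/bin|/opt/logcraft/pgsql/bin/*)   echo bin_t ;;
    /opt/logcraft/pgsql/lib|/opt/logcraft/pgsql/lib/*)   echo lib_t ;;
    /opt/logcraft/var/pgdata|/opt/logcraft/var/pgdata/*) echo var_lib_t ;;
    /opt/logcraft/var/log|/opt/logcraft/var/log/*)       echo var_log_t ;;
    /opt/logcraft/var/run|/opt/logcraft/var/run/*)       echo var_run_t ;;
  esac
}

# The type is the third field of a user:role:type:level context.
type_of_context() {
  printf '%s\n' "$1" | cut -d: -f3
}

# Read "context path" lines (the `ls -Zd` format) on stdin, print one line
# per mislabeled path, and return non-zero if any were found.
check_labels() {
  cl_bad=0
  while read -r cl_ctx cl_path; do
    cl_want=$(expected_type "$cl_path")
    [ -n "$cl_want" ] || continue   # path not covered by a rule
    cl_got=$(type_of_context "$cl_ctx")
    if [ "$cl_got" != "$cl_want" ]; then
      echo "MISMATCH $cl_path: got $cl_got, want $cl_want"
      cl_bad=1
    fi
  done
  return "$cl_bad"
}

# Constructed sample: two covered paths still carry the inherited usr_t.
SAMPLE='system_u:object_r:bin_t:s0 /opt/logcraft/bin/logcraft
unconfined_u:object_r:usr_t:s0 /opt/logcraft/pgsql/bin
system_u:object_r:var_lib_t:s0 /opt/logcraft/var/pgdata
unconfined_u:object_r:usr_t:s0 /opt/logcraft/var/log
unconfined_u:object_r:usr_t:s0 /opt/logcraft'

printf '%s\n' "$SAMPLE" | check_labels || echo "run: restorecon -Rv /opt/logcraft"
```

On a host, feed it real output instead of the sample, for example `ls -Zd /opt/logcraft/bin/logcraft /opt/logcraft/var/log | check_labels`.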

semanage not found?

Install it with sudo dnf install -y policycoreutils-python-utils (Red Hat/RHEL or Rocky Linux).

Reload systemctl

After updating the SELinux contexts, reload the systemd configuration with systemctl:

bash
systemctl daemon-reload

Then start LogCraft with:

bash
systemctl restart logcraft

Troubleshooting

If SELinux is in enforcing mode and the directory types are not adjusted, LogCraft may fail to start. The following error appears in the system logs:

bash
% cat /var/log/messages
...
systemd[1404]: logcraft.service: Failed to set up standard output: Permission denied
systemd[1404]: logcraft.service: Failed at step STDOUT spawning /opt/logcraft/bin/logcraft: Permission denied
...
%