Configuring SELINUX to allow logging to a file that's outside /var/log

If you look at the context set for the directory /var/log you'll noticed the following things.

First, the directory /var/log has the following selinux context set:

$ ls -Z /var | grep "log$"
drwxr-xr-x. root root    system_u:object_r:var_log_t:s0   log

Second, the log file, /var/log/messages, has no additional context:

$ ls -Z /var/log/messages
-rw------- root root ?                                /var/log/messages

So it would seem that you only need to set a context similar to the one on /var/log on whatever directory you're planning on writing this additional log file to. Something like this should do it.

Method #1: replicating selinux label

Below will copy the context that's associated with /var/log and apply it to /opt/blah as well.

$ mkdir /opt/blah
$ ls -Z /opt | grep blah
drwxr-xr-x  root root ?                                   blah

# label directory with context
$ chcon --reference /var/log /opt/blah

# see the newly added context
$ ls -Z /opt/ | grep blah
drwxr-xr-x. root root    system_u:object_r:var_log_t:s0   blah

Method #2: applying context directly

You can also apply them directly like so:

$ chcon system_u:object_r:var_log_t:s0 /opt/blah

I'm away from a system where I can confirm the need to run these commands but I believe you need to tell SELinux to pick up these newly applied contexts to the filesystem as well.

$ semanage fcontext -a -t var_log_t "/opt(/.*)?"
$ restorecon -R -v /opt

confirm changes

# confirm identical to /var/log context
$ ls -Z /var/ | grep "log$"
drwxr-xr-x. root root    system_u:object_r:var_log_t:s0   log

References

• RHEL Deployment Guide - Chapter 44. Working With SELinux
• CentOS SELinux Howto
• ⁠5.6.2. Persistent Changes: semanage fcontext

Related videos on Youtube