Sandor,

Thanks, that seems to be it. I hadn't even thought of that. I temporarily disabled AppArmor and it started working. I've since turned it back on and tried to amend the profile to make it work but no joy. For example I've added the directory /media/* to the profile with rw rights but still getting the permissions issue. I've tried experimenting with other rights like inherit and setuid/setgid but it's still failing. It would seem counterproductive if the only way to get syslog-ng to work is to turn AppArmor off.

I'm still trying to get my head around this, but are apps only protected if they have a profile configured in AppArmor? Would it work if I simply deleted the syslog-ng profile from AppArmor?

John Chajecki
Senior Infrastructure Engineer
Information Division
Resources Department
Leicester City Council

"Sandor Geller (IT)" <Sandor.Geller@morganstanley.com> 24/02/2009 15:10 >>>

Hi,

Welcome to the wonderful world of AppArmor :)

Regards,
Sandor

On Tue, Feb 24, 2009 at 4:06 PM, John Chajecki <John.Chajecki@leicester.gov.uk> wrote:
We have been running a syslog server on a Solaris server for some time. The server collects syslogs from a number of sources and places the log data into separate files for each system according to the host IP address and date. Recently, we have begun migrating the facility to a Linux server running Novell SuSE Linux 10. (SLES10) 64bit.
We are running syslog-ng version 2.0.9-6.1 for the 64bit platform which I obtained from OpenSuSE and that is supposed to be compatible with SLES10.
The problem is that although I am using essentially the same config file I am getting my log filled with:
Feb 24 14:55:04 itssyslog syslog-ng[10090]: Error opening file for writing; filename='/media/syslog/HOSTS/192.168.1.146', error='Permission denied (13)'
The directories /media, /media/syslog and /media/syslog/HOSTS have permissions of 0640.
This is what happens in strace:
open("/var/run/syslog-ng.pid", O_WRONLY|O_CREAT|O_TRUNC|O_NOCTTY, 0600) = 7
write(7, "10090", 5) = 5
close(7) = 0
open("/dev/null", O_RDONLY) = 7
dup2(7, 0) = 0
close(7) = 0
open("/dev/null", O_WRONLY) = 7
dup2(7, 1) = 1
dup2(7, 2) = 2
close(7) = 0
setsid() = 10090
poll([{fd=3, events=POLLIN}, {fd=4, events=POLLIN}], 2, 0) = 0
uname({sys="Linux", node="itssyslog", ...}) = 0
open("/var/log/messages", O_WRONLY|O_NONBLOCK|O_APPEND|O_CREAT|O_NOCTTY, 0640) = 7
fcntl(7, F_GETFD) = 0
fcntl(7, F_SETFD, FD_CLOEXEC) = 0
fchown(7, 0, 4294967295) = 0
fchown(7, 4294967295, 0) = 0
fchmod(7, 0640) = 0
poll([{fd=7, events=POLLOUT, revents=POLLOUT}, {fd=3, events=POLLIN}, {fd=4, events=POLLIN}], 3, 29983) = 1
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1323, ...}) = 0
write(7, "Feb 24 14:16:50 itssyslog syslog"..., 83) = 83
poll([{fd=3, events=POLLIN}, {fd=4, events=POLLIN, revents=POLLIN}], 2, 29983) = 1
recvfrom(4, "<22>Feb 24 14:12:24 192.168.193."..., 8192, 0, {sa_family=AF_INET, sin_port=htons(61643), sin_addr=inet_addr("192.168.1.146")}, [16]) = 155
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1323, ...}) = 0
brk(0x5be000) = 0x5be000
brk(0x5df000) = 0x5df000
open("/media/syslog/HOSTS/192.168.1.146/2009/02/24/192.168.1.146.log", O_WRONLY|O_NONBLOCK|O_APPEND|O_CREAT|O_NOCTTY, 0640) = -1 ENOENT (No such file or directory)
stat("/media", {st_mode=S_IFDIR|0640, st_size=4096, ...}) = 0
stat("/media/syslog", {st_mode=S_IFDIR|0640, st_size=4096, ...}) = 0
stat("/media/syslog/HOSTS", {st_mode=S_IFDIR|0640, st_size=4096, ...}) = 0
stat("/media/syslog/HOSTS/192.168.1.146", 0x7fff7eb5c400) = -1 ENOENT (No such file or directory)
mkdir("/media/syslog/HOSTS/192.168.1.146", 0640) = -1 EACCES (Permission denied)
recvfrom(4, 0x583fe0, 8192, 0, 0x7fff7eb5c780, 0x7fff7eb5c80c) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=3, events=POLLIN}, {fd=4, events=POLLIN}], 2, 0) = 0
.....
For some reason, the syslog-ng daemon tries to create the directory structure but fails with the Permission denied error.

itssyslog:/var/log #

The daemon is running as root:

ps -ef |grep syslog-ng
root 10077 1 0 14:15 ? 00:00:00 /sbin/syslog-ng
I have tried creating a directory structure manually and I have no problem creating, writing to and removing the directories.
Just to test, I created another directory structure /syslog/HOSTS with permissions 0777. I restarted the syslog-ng service but I got the same error. I also ran the syslog-ng executable manually as root, but still got the same problem.
What's stopping syslog-ng from creating the directory structure? Does it perhaps run in a chroot jail by default? As I mentioned, this worked fine on the Solaris system.
John.
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
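Added example, not part of the thread and not AppArmor's own code: a simplified matcher for the path globbing documented in apparmor.d(5), run against the two paths from the strace above to show what a rule like /media/* covers compared with a recursive rule. The function names and the /media/syslog/** rule are constructed for illustration, and the matcher ignores edge cases of the real parser.

```python
import re

def aa_glob_to_regex(glob):
    """Translate an AppArmor path glob into a regex (simplified model)."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")            # '**' may cross '/' boundaries
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")         # '*' stays inside one path component
        elif c == "?":
            out.append("[^/]")          # '?' is one character, never '/'
        elif c == "[":
            end = glob.index("]", i)    # copy a character class through as-is
            out.append(glob[i:end + 1])
            i = end
        elif c == "{":
            out.append("(?:")           # '{a,b}' alternation
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out), re.S)

def allowed(rules, path, perm):
    """True if any (glob, perms) rule grants perm on path."""
    return any(perm in perms and aa_glob_to_regex(g).fullmatch(path)
               for g, perms in rules)

# Paths taken from the strace in the thread. AppArmor looks directories up
# with a trailing '/', so the mkdir() target is written that way here.
MKDIR_TARGET = "/media/syslog/HOSTS/192.168.1.146/"
LOG_FILE = "/media/syslog/HOSTS/192.168.1.146/2009/02/24/192.168.1.146.log"

ATTEMPTED = [("/media/*", "rw")]          # rule described in the reply
RECURSIVE = [("/media/syslog/**", "rw")]  # constructed comparison rule

def compare():
    """Write access for each rule set on the directory and the log file."""
    return {name: (allowed(r, MKDIR_TARGET, "w"), allowed(r, LOG_FILE, "w"))
            for name, r in (("attempted", ATTEMPTED), ("recursive", RECURSIVE))}

if __name__ == "__main__":
    print(compare())
```
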