On 2012-12-20 14:19, Frank Scalzo wrote:
Subject: Re: [syslog-ng] having an issue with syslog and SElinux
On 2012-12-18 14:40, Frank Scalzo wrote:
kernel: : type=1400 audit(1355841452.964:21866): avc: denied { fowner } for pid=861 comm="syslog-ng" capability=3 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability
How do I fix this without disabling SELinux?
Which Linux distribution are you using? And which versions of syslog-ng and selinux? A copy of your syslog-ng configuration file would also be helpful.
I'm running the following:
Red Hat Enterprise Linux Server release 6.3 (Santiago)
selinux-3.7.19-187
syslog-ng 3.2.5
Installer-Version: 3.2.5
Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.2#master#9d4bea28198bd731df1a61e980a2af5b88d81116
Compile-Date: Jan 15 2012 19:47:30
Enable-Threads: on
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-SSL: off
Enable-SQL: on
Enable-Linux-Caps: off
Enable-Pcre: on
Enable-Pacct: off
conf below:
@version:3.2
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
options {
    flush_lines(100);
    log_fetch_limit(100);
    log_iw_size(100);
    log_fifo_size(1000);
    time_reopen (10);
    log_fifo_size (1000);
    use_dns (yes);
    use_fqdn (yes);
    create_dirs (yes);
    keep_hostname (yes);
};
source s_sys {
    file ("/proc/kmsg" program_override("kernel: "));
    unix-stream ("/dev/log");
    internal();
    # udp(ip(0.0.0.0) port(514));
};
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };
filter f_kernel { facility(kern); };
filter f_default { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_auth { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news { facility(uucp) or (facility(news) and level(crit..emerg)); };
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };
#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };
## Additions for central syslog
source s_udp { udp(); };
source s_tcp { tcp(ip(0.0.0.0) port(514)); };
destination d_hosts {
file("/var/log/hosts/$HOST/$YEAR$MONTH$DAY"
owner(syslog)
group(syslog)
perm(0644)
dir_perm(0755)
create_dirs(yes));
};
log { source(s_udp); destination(d_hosts); };
log { source(s_tcp); destination(d_hosts); };
# For testing: aka logger "my little pony"
#log { source(s_sys); destination(d_hosts); };
## End additions for central syslog
# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
The reported selinux policy violation is caused by the d_hosts destination. To correct the problem, use the audit2allow tool (from the policycoreutils-python package) to generate new selinux rules. For a usage example check the page: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/ht...
jpo
-- 
José Pedro Oliveira * mailto:jpo@di.uminho.pt *
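The reply above points at audit2allow, which turns AVC denials like the one Frank quoted into Type Enforcement allow rules. As an added illustration (not code from syslog-ng or from anyone in this thread), the Python below parses that denial line, extracts what it actually says, and derives a rule of the same shape audit2allow proposes; the log excerpt and the helper names are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the AVC denial quoted in the thread (the "kernel: "
# prefix is the program_override from the poster's /proc/kmsg source), plus
# an unrelated line and a repeat, as they would appear in /var/log/messages.
SAMPLE_LOG = """\
kernel: : type=1400 audit(1355841452.964:21866): avc: denied { fowner } for pid=861 comm="syslog-ng" capability=3 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability
kernel: : Kernel logging (proc) stopped.
kernel: : type=1400 audit(1355841460.120:21870): avc: denied { fowner } for pid=861 comm="syslog-ng" capability=3 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class AvcDenial:
    perms: list        # permissions denied, e.g. ["fowner"]
    pid: int
    comm: str
    stype: str         # SELinux type of the source (process) context
    ttype: str         # SELinux type of the target context
    tclass: str        # object class, e.g. "capability" or "file"

def parse_avc(line):
    """Parse one AVC denial; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    # A context is user:role:type[:level]; the policy rule is built on the type.
    return AvcDenial(perms=m.group("perms").split(), pid=int(f["pid"]),
                     comm=f["comm"], stype=f["scontext"].split(":")[2],
                     ttype=f["tcontext"].split(":")[2], tclass=f["tclass"])

def allow_rule(d):
    """Type Enforcement rule of the same shape audit2allow would propose."""
    target = "self" if d.ttype == d.stype else d.ttype
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {d.stype} {target}:{d.tclass} {perms};"

def rules_from_log(text):
    """Collect the distinct rules needed for every denial in a log excerpt."""
    rules = {allow_rule(d) for d in map(parse_avc, text.splitlines()) if d}
    return sorted(rules)

if __name__ == "__main__":
    # Review each rule before loading it: the denial here is CAP_FOWNER
    # (capability=3), which the d_hosts owner()/perm() settings trigger.
    for r in rules_from_log(SAMPLE_LOG):
        print(r)
```

The output for the quoted denial is `allow syslogd_t self:capability fowner;`, the same rule audit2allow derives from that line; on the real system, feed audit2allow the actual log rather than hand-writing the rule.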