Do you think it is better to run syslog-ng with or without SELinux
Consider the following:
1) SELinux's goal is to contain the attacker in the case of a compromise.
2) SELinux takes a lot of work to set up. Since you are also adding both MySQL and PHP-syslog-ng, it will take even more work.
3) Once you have it set up, do you have a way to easily rebuild the same configuration if needed?
Hence consider the following formula.
better = ("level of effort" (1-10)/"ease of rebuild"(1-10)) * "time available"(estimated hours) / "estimated risk of compromise"(1-10) * "required level of risk aversion (include legal requirements)"(1-10) * "Risk of position in case attack"(1-10)
Hence if you have the time to learn SELinux and have high requirements to contain any successful attacks, then SELinux is better. If you don't have a lot of time and don't have high requirements and can easily rebuild the system if it's compromised, then don't worry about SELinux.
Hence "better" is all about your risks and the tradeoffs you need to make.
--
Pe5ky Tac0
--------------
Yum, Fish Tacos !!
Muath Al Khalaf wrote:
Thank you very much. I have disabled SELinux and everything goes fine. Do you think it is better to run syslog-ng with or without SELinux, especially that I may use MySQL and PHP-syslog-ng?
Kind regards
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Jose Pedro Oliveira
Sent: Saturday, May 27, 2006 6:59 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Starting syslog-ng as root
Muath Al Khalaf wrote:
Hi, I am using Redhat Enterprise 4. I am using the official rpm image built by Balabit for RHE 4 with their startup script. The executable did not return anything (at least in front of me inside console). For strace I do not know how to use it.
You may be having problems with SELinux. In RHEL4, CentOS, and Fedora Core 3 you need to enable the use_syslogng SELinux boolean before starting the syslog-ng daemon [1].
To check the use_syslogng boolean status
getsebool -a | grep syslogng
To enable it (and save its value)
setsebool -P use_syslogng 1
jpo
[1] - you need to have a recent selinux-policy-targeted
--
José Pedro Oliveira
* mailto: jpo@di.uminho.pt * http://gsd.di.uminho.pt/jpo *
* gpg fingerprint = F9B6 8D87 859D 1C94 48F0 84C0 9749 9EB5 91BD 851B *
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html