Re: [syslog-ng] syslog-ng Digest, Vol 92, Issue 18
Message: 12
Subject: Re: [syslog-ng] having an issue with syslog and SElinux
On 2012-12-18 14:40, Frank Scalzo wrote:
kernel: : type=1400 audit(1355841452.964:21866): avc: denied { fowner } for pid=861 comm="syslog-ng" capability=3 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability
How do I fix this without disabling SELinux?
Which Linux distribution are you using? And which versions of syslog-ng and selinux? A copy of your syslog-ng configuration file would also be helpful.
I'm running the following

Red Hat Enterprise Linux Server release 6.3 (Santiago)
selinux-3.7.19-187
syslog-ng 3.2.5
Installer-Version: 3.2.5
Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.2#master#9d4bea28198bd731df1a61e980a2af5b88d81116
Compile-Date: Jan 15 2012 19:47:30
Enable-Threads: on
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-SSL: off
Enable-SQL: on
Enable-Linux-Caps: off
Enable-Pcre: on
Enable-Pacct: off

conf below:

@version:3.2

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#

options {
    flush_lines(100);
    log_fetch_limit(100);
    log_iw_size(100);
    log_fifo_size(1000);
    time_reopen (10);
    log_fifo_size (1000);
    use_dns (yes);
    use_fqdn (yes);
    create_dirs (yes);
    keep_hostname (yes);
};

source s_sys {
    file ("/proc/kmsg" program_override("kernel: "));
    unix-stream ("/dev/log");
    internal();
    # udp(ip(0.0.0.0) port(514));
};

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

filter f_kernel { facility(kern); };
filter f_default { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_auth { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news { facility(uucp) or (facility(news) and level(crit..emerg)); };
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };

#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };

## Additions for central syslog
source s_udp { udp(); };
source s_tcp { tcp(ip(0.0.0.0) port(514)); };
destination d_hosts {
    file("/var/log/hosts/$HOST/$YEAR$MONTH$DAY"
         owner(syslog)
         group(syslog)
         perm(0644)
         dir_perm(0755)
         create_dirs(yes));
};
log { source(s_udp); destination(d_hosts); };
log { source(s_tcp); destination(d_hosts); };
# For testing: aka logger "my little pony"
#log { source(s_sys); destination(d_hosts); };
## End additions for central syslog

# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:

On Dec 20, 2012, at 8:59 AM, syslog-ng-request@lists.balabit.hu wrote:
Today's Topics:
1. syslog-ng Insider - December 2012 (Peter Czanik)
2. [Bug 213] Build Failure on AIX with syslog-ng-3.3.6 and gcc 4.2.0 (bugzilla@bugzilla.balabit.com)
3. [Bug 213] Build Failure on AIX with syslog-ng-3.3.6 and gcc 4.2.0 (bugzilla@bugzilla.balabit.com)
4. [Bug 214] Build / Install Issues on AIX (bugzilla@bugzilla.balabit.com)
5. [Bug 214] Build / Install Issues on AIX (bugzilla@bugzilla.balabit.com)
6. [Bug 173] Compile issues with syslog-ng_3.3.4.tar.gz (bugzilla@bugzilla.balabit.com)
7. [Bug 61] udp6 source declaration causes syslog forwarding to assume IPv6 (bugzilla@bugzilla.balabit.com)
8. [Bug 42] capabilities, chown, chmod (bugzilla@bugzilla.balabit.com)
9. [Bug 213] Build Failure on AIX with syslog-ng-3.3.6 and gcc 4.2.0 (bugzilla@bugzilla.balabit.com)
10. [Bug 61] udp6 source declaration causes syslog forwarding to assume IPv6 (bugzilla@bugzilla.balabit.com)
11. [Bug 61] udp6 source declaration causes syslog forwarding to assume IPv6 (bugzilla@bugzilla.balabit.com)
12. Re: having an issue with syslog and SElinux (Jose Pedro Oliveira)
----------------------------------------------------------------------
Message: 1
Date: Thu, 20 Dec 2012 12:01:01 +0100
From: Peter Czanik <czanik@balabit.hu>
Subject: [syslog-ng] syslog-ng Insider - December 2012
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Message-ID: <50D2EFED.9080108@balabit.hu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Dear syslog-ng users,
This is the 19th issue of the syslog-ng Insider, a monthly newsletter that brings you syslog-ng related news.
Your feedback and news tips about the next issue are welcome at documentation@balabit.com
FEATURED NEWS
syslog-ng 3.4 beta1 is released
-------------------------------
Version 3.4 beta1 was released this week, right before the Christmas holidays. It has many new features and bug fixes even since the last alpha release, most notably a new AMQP destination, a JSON parser, and a reworked syslog parser and network configuration, which makes configuring syslog-ng even more simple and flexible.
For a complete list of changes, check the announcement at https://lists.balabit.hu/pipermail/syslog-ng-announce/2012-December/000150.h...
For binary package availability check our 3rd party binary page at http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/...
balabit.logstore 0.1.0 is released
----------------------------------
The second version of the balabit.logstore project was announced last week. It is a library written in Clojure that tries to provide a convenient API to read syslog-ng PE LogStore files. Development is still in its early phases, but it can already read unencrypted logstore files, search in them and print much useful information about them. Compared to the previous version, this has a Java API.
For more details, check the announcement at https://lists.balabit.hu/pipermail/syslog-ng/2012-December/019788.html
NEW RELEASES:
* syslog-ng OSE 3.4 beta1: https://lists.balabit.hu/pipermail/syslog-ng-announce/2012-December/000150.h...
* balabit.logstore 0.1.0: https://lists.balabit.hu/pipermail/syslog-ng/2012-December/019788.html
ARCHIVE
http://insider.blogs.balabit.com/
-- Peter Czanik (CzP) <czanik@balabit.hu> BalaBit IT Security / syslog-ng upstream http://czanik.blogs.balabit.com/
------------------------------
Message: 2
Date: Thu, 20 Dec 2012 13:02:58 +0100 (CET)
From: bugzilla@bugzilla.balabit.com
Subject: [syslog-ng] [Bug 213] Build Failure on AIX with syslog-ng-3.3.6 and gcc 4.2.0
To: syslog-ng@lists.balabit.hu
Message-ID: <20121220120258.155B339DC65@lists.balabit.hu>
Content-Type: text/plain; charset="UTF-8"

https://bugzilla.balabit.com/show_bug.cgi?id=213

Gergely Nagy <algernon@balabit.hu> changed:

What             |Removed           |Added
----------------------------------------------------------------------------
Target Milestone |---               |3.3.8
CC               |                  |algernon@balabit.hu
AssignedTo       |bazsi@balabit.hu  |algernon@balabit.hu

--- Comment #3 from Gergely Nagy <algernon@balabit.hu> 2012-12-20 13:02:57 ---
Thanks for the report and the patch, I will apply this to 3.3's git head shortly, with some minor modifications: I don't want to replace GLOB_NOMAGIC with GLOB_NOCHECK, as they're not the same.
With GLOB_NOMAGIC, "/etc/syslog-ng/foo.conf" both would return foo.conf, but for "/etc/syslog-ng/conf.d/*.conf", NOCHECK would return the pattern, NOMAGIC would return GLOB_NOMATCH. So on platforms that do have NOMAGIC, syslog-ng should use it, on others, it should fall back to NOCHECK as the next best option.
I plan to do this with something along these lines:
#ifndef GLOB_NOMAGIC
#define GLOB_NOMAGIC GLOB_NOCHECK
#endif
Or better yet, implement NOMAGIC if the platform does not support it. I'll see which option is more feasible in our case.
-- Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
------------------------------
Message: 3
Date: Thu, 20 Dec 2012 13:03:08 +0100 (CET)
From: bugzilla@bugzilla.balabit.com
Subject: [syslog-ng] [Bug 213] Build Failure on AIX with syslog-ng-3.3.6 and gcc 4.2.0
To: syslog-ng@lists.balabit.hu
Message-ID: <20121220120308.8D50439DC58@lists.balabit.hu>
Content-Type: text/plain; charset="UTF-8"

https://bugzilla.balabit.com/show_bug.cgi?id=213

Gergely Nagy <algernon@balabit.hu> changed:

What             |Removed           |Added
----------------------------------------------------------------------------
Status           |NEW               |ASSIGNED
------------------------------
Message: 4
Date: Thu, 20 Dec 2012 13:06:40 +0100 (CET)
From: bugzilla@bugzilla.balabit.com
Subject: [syslog-ng] [Bug 214] Build / Install Issues on AIX
To: syslog-ng@lists.balabit.hu
Message-ID: <20121220120640.1E33C39DC6B@lists.balabit.hu>
Content-Type: text/plain; charset="UTF-8"

https://bugzilla.balabit.com/show_bug.cgi?id=214

Gergely Nagy <algernon@balabit.hu> changed:

What             |Removed           |Added
----------------------------------------------------------------------------
CC               |                  |algernon@balabit.hu
AssignedTo       |bazsi@balabit.hu  |algernon@balabit.hu

--- Comment #2 from Gergely Nagy <algernon@balabit.hu> 2012-12-20 13:06:40 ---
(In reply to comment #1)
Also to note, version 3.2.5 does not have any issues with lib/syslog-ng/libafsocket.so dependencies... the ldd output doesn't seem to indicate a requirement for libsyslog-ng-crypto.
libsyslog-ng-crypto was split out of libsyslog-ng in 3.3.
My guess is that libsyslog-ng-crypto gets installed into /opt/local/syslogng/lib/syslog-ng/, which is not on the dynamic loader's path, and the AIX linker thingies do not support RPATH.
The best course of action here would be to link libsyslog-ng-crypto directly into libsyslog-ng, I believe. Or, move it out of lib/syslog-ng, into lib/ itself.
------------------------------
Message: 5
Date: Thu, 20 Dec 2012 13:06:52 +0100 (CET)
From: bugzilla@bugzilla.balabit.com
Subject: [syslog-ng] [Bug 214] Build / Install Issues on AIX
To: syslog-ng@lists.balabit.hu
Message-ID: <20121220120652.23B0039DC75@lists.balabit.hu>
Content-Type: text/plain; charset="UTF-8"

https://bugzilla.balabit.com/show_bug.cgi?id=214

Gergely Nagy <algernon@balabit.hu> changed:

What             |Removed           |Added
----------------------------------------------------------------------------
Target Milestone |---               |3.3.8
Status           |NEW               |ASSIGNED
------------------------------
Message: 6
Date: Thu, 20 Dec 2012 13:09:21 +0100 (CET)
From: bugzilla@bugzilla.balabit.com
Subject: [syslog-ng] [Bug 173] Compile issues with syslog-ng_3.3.4.tar.gz
To: syslog-ng@lists.balabit.hu
Message-ID: <20121220120921.688A011E004@lists.balabit.hu>
Content-Type: text/plain; charset="UTF-8"

https://bugzilla.balabit.com/show_bug.cgi?id=173

Gergely Nagy <algernon@balabit.hu> changed:

What             |Removed           |Added
----------------------------------------------------------------------------
Status           |REOPENED          |NEEDINFO

--- Comment #4 from Gergely Nagy <algernon@balabit.hu> 2012-12-20 13:09:21 ---
(In reply to comment #3)
(In reply to comment #2)
Is this still an issue, or can I close it? I don't think this is a bug in syslog-ng...
I am facing the same issue while compiling syslog-ng-3.4.0-alpha3 on CentOS 6.3. [...] when I set the env variable export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig, eventlog went through fine but glib gave errors
checking for GLIB... no
configure: error: Package requirements (glib-2.0 >= 2.10.1 gmodule-2.0 gthread-2.0) were not met: [...]
Can you attach the config.log files from all three configure runs? That would help me figure out what goes wrong.
Thanks!
------------------------------
Message: 7
Date: Thu, 20 Dec 2012 13:12:03 +0100 (CET)
From: bugzilla@bugzilla.balabit.com
Subject: [syslog-ng] [Bug 61] udp6 source declaration causes syslog forwarding to assume IPv6
To: syslog-ng@lists.balabit.hu
Message-ID: <20121220121203.AA09339DC23@lists.balabit.hu>
Content-Type: text/plain; charset="UTF-8"

https://bugzilla.balabit.com/show_bug.cgi?id=61

Gergely Nagy <algernon@balabit.hu> changed:

What             |Removed           |Added
----------------------------------------------------------------------------
Target Milestone |3.0.6             |3.4.1

--- Comment #5 from Gergely Nagy <algernon@balabit.hu> 2012-12-20 13:12:03 ---
This is partially fixed in 3.4 already with the network() statement, we only need to force syslog() to set last_addr_family to IPv4.
------------------------------
Message: 8
Date: Thu, 20 Dec 2012 13:15:24 +0100 (CET)
From: bugzilla@bugzilla.balabit.com
Subject: [syslog-ng] [Bug 42] capabilities, chown, chmod
To: syslog-ng@lists.balabit.hu
Message-ID: <20121220121524.A692E39DCAA@lists.balabit.hu>
Content-Type: text/plain; charset="UTF-8"

https://bugzilla.balabit.com/show_bug.cgi?id=42

Gergely Nagy <algernon@balabit.hu> changed:

What             |Removed           |Added
----------------------------------------------------------------------------
CC               |                  |algernon@balabit.hu
Resolution       |                  |FIXED
Status           |REOPENED          |RESOLVED

--- Comment #10 from Gergely Nagy <algernon@balabit.hu> 2012-12-20 13:15:23 ---
I'm closing this issue, as I believe it is not relevant for recent syslog-ng anymore.
------------------------------
Message: 9
Date: Thu, 20 Dec 2012 14:12:50 +0100 (CET)
From: bugzilla@bugzilla.balabit.com
Subject: [syslog-ng] [Bug 213] Build Failure on AIX with syslog-ng-3.3.6 and gcc 4.2.0
To: syslog-ng@lists.balabit.hu
Message-ID: <20121220131250.317AC39DC2A@lists.balabit.hu>
Content-Type: text/plain; charset="UTF-8"

https://bugzilla.balabit.com/show_bug.cgi?id=213

Gergely Nagy <algernon@balabit.hu> changed:

What             |Removed           |Added
----------------------------------------------------------------------------
Resolution       |                  |FIXED
Status           |ASSIGNED          |RESOLVED

--- Comment #4 from Gergely Nagy <algernon@balabit.hu> 2012-12-20 14:12:49 ---
(In reply to comment #3)
Or better yet, implement NOMAGIC if the platform does not support it. I'll see which option is more feasible in our case.
This is what I ended up doing, as the code required was pretty simple. I pushed the fix for both the iv_event.h include and the GLOB_NOMAGIC implementation to 3.3's master, both will be part of syslog-ng 3.3.8.
Thanks for the report!
------------------------------
Message: 10
Date: Thu, 20 Dec 2012 14:19:41 +0100 (CET)
From: bugzilla@bugzilla.balabit.com
Subject: [syslog-ng] [Bug 61] udp6 source declaration causes syslog forwarding to assume IPv6
To: syslog-ng@lists.balabit.hu
Message-ID: <20121220131941.CE0DC39DC95@lists.balabit.hu>
Content-Type: text/plain; charset="UTF-8"

https://bugzilla.balabit.com/show_bug.cgi?id=61

Gergely Nagy <algernon@balabit.hu> changed:

What             |Removed           |Added
----------------------------------------------------------------------------
Target Milestone |3.4.1             |3.3.8
------------------------------
Message: 11
Date: Thu, 20 Dec 2012 14:23:47 +0100 (CET)
From: bugzilla@bugzilla.balabit.com
Subject: [syslog-ng] [Bug 61] udp6 source declaration causes syslog forwarding to assume IPv6
To: syslog-ng@lists.balabit.hu
Message-ID: <20121220132347.5C94639DCAC@lists.balabit.hu>
Content-Type: text/plain; charset="UTF-8"

https://bugzilla.balabit.com/show_bug.cgi?id=61

Gergely Nagy <algernon@balabit.hu> changed:

What             |Removed           |Added
----------------------------------------------------------------------------
Resolution       |                  |FIXED
Status           |ASSIGNED          |RESOLVED

--- Comment #6 from Gergely Nagy <algernon@balabit.hu> 2012-12-20 14:23:47 ---
I ended up fixing this in 3.3, by forcing the syslog() destination to use IPv4, similar to how the source does it. In 3.4, network() can be used if one wants syslog over IPv6.
------------------------------
Message: 12
Date: Thu, 20 Dec 2012 13:58:55 +0000
From: Jose Pedro Oliveira <jpo@di.uminho.pt>
Subject: Re: [syslog-ng] having an issue with syslog and SElinux
To: syslog-ng@lists.balabit.hu
Message-ID: <50D3199F.8020004@di.uminho.pt>
Content-Type: text/plain; charset=ISO-8859-1
On 2012-12-18 14:40, Frank Scalzo wrote:
kernel: : type=1400 audit(1355841452.964:21866): avc: denied { fowner } for pid=861 comm="syslog-ng" capability=3 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability
How do I fix this without disabling SELinux?
Which Linux distribution are you using? And which versions of syslog-ng and selinux? A copy of your syslog-ng configuration file would also be helpful.
jpo
--
José Pedro Oliveira * mailto:jpo@di.uminho.pt *
------------------------------
End of syslog-ng Digest, Vol 92, Issue 18 *****************************************
On 2012-12-20 14:19, Frank Scalzo wrote:
Message: 12
Subject: Re: [syslog-ng] having an issue with syslog and SElinux
On 2012-12-18 14:40, Frank Scalzo wrote:
kernel: : type=1400 audit(1355841452.964:21866): avc: denied { fowner } for pid=861 comm="syslog-ng" capability=3 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability
How do I fix this without disabling SELinux?
Which Linux distribution are you using? And which versions of syslog-ng and selinux? A copy of your syslog-ng configuration file would also be helpful.
I'm running the following

Red Hat Enterprise Linux Server release 6.3 (Santiago)
selinux-3.7.19-187
syslog-ng 3.2.5
Installer-Version: 3.2.5
Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.2#master#9d4bea28198bd731df1a61e980a2af5b88d81116
Compile-Date: Jan 15 2012 19:47:30
Enable-Threads: on
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-SSL: off
Enable-SQL: on
Enable-Linux-Caps: off
Enable-Pcre: on
Enable-Pacct: off

conf below:

@version:3.2

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#

options {
    flush_lines(100);
    log_fetch_limit(100);
    log_iw_size(100);
    log_fifo_size(1000);
    time_reopen (10);
    log_fifo_size (1000);
    use_dns (yes);
    use_fqdn (yes);
    create_dirs (yes);
    keep_hostname (yes);
};

source s_sys {
    file ("/proc/kmsg" program_override("kernel: "));
    unix-stream ("/dev/log");
    internal();
    # udp(ip(0.0.0.0) port(514));
};

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

filter f_kernel { facility(kern); };
filter f_default { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_auth { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news { facility(uucp) or (facility(news) and level(crit..emerg)); };
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };

#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };

## Additions for central syslog
source s_udp { udp(); };
source s_tcp { tcp(ip(0.0.0.0) port(514)); };
destination d_hosts {
file("/var/log/hosts/$HOST/$YEAR$MONTH$DAY"
owner(syslog)
group(syslog)
perm(0644)
dir_perm(0755)
create_dirs(yes));
};
log { source(s_udp); destination(d_hosts); };
log { source(s_tcp); destination(d_hosts); };
# For testing: aka logger "my little pony"
#log { source(s_sys); destination(d_hosts); };
## End additions for central syslog

# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
The reported selinux policy violation is caused by the d_hosts destination. To correct the problem use the audit2allow tool (from the policycoreutils-python package) to generate new selinux rules. For a usage example check the page: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/ht...

jpo
--
José Pedro Oliveira * mailto:jpo@di.uminho.pt *
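The following is an added example, not code from the thread or from policycoreutils: it parses the AVC denial quoted above and renders the type-enforcement module that would allow it, which is the kind of rule audit2allow derives from such a record. The module name local_syslogng and the function names are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# The denial quoted in the thread, plus one constructed line that is not an AVC.
SAMPLE_LOG = [
    'kernel: : type=1400 audit(1355841452.964:21866): avc: denied { fowner } '
    'for pid=861 comm="syslog-ng" capability=3 '
    'scontext=system_u:system_r:syslogd_t:s0 '
    'tcontext=system_u:system_r:syslogd_t:s0 tclass=capability',
    'kernel: : constructed line without an AVC record',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    perms = set(match.group(1).split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group(2))}
    try:
        # A context is user:role:type[:level]; the type is the third field.
        source = fields['scontext'].split(':')[2]
        target = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    if not perms:
        return None
    return {'perms': perms, 'comm': fields.get('comm'),
            'source': source, 'target': target, 'tclass': tclass}


def _braced(items):
    """Render one permission bare and several as '{ a b }'."""
    items = sorted(items)
    return items[0] if len(items) == 1 else '{ ' + ' '.join(items) + ' }'


def build_module(lines, name='local_syslogng'):
    """Merge denials into allow rules and render a .te policy module."""
    rules = defaultdict(set)      # (source, target, class) -> permissions
    for denial in filter(None, map(parse_avc, lines)):
        key = (denial['source'], denial['target'], denial['tclass'])
        rules[key] |= denial['perms']
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes = defaultdict(set)    # class -> every permission required from it
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = ['module %s 1.0;' % name, '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s %s;' % (c, _braced(p))
            for c, p in sorted(classes.items())]
    out += ['}', '']
    for (source, target, tclass), perms in sorted(rules.items()):
        # A domain acting on itself is written "self" in the rule.
        obj = 'self' if source == target else target
        out.append('allow %s %s:%s %s;' % (source, obj, tclass, _braced(perms)))
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(build_module(SAMPLE_LOG))
```

The resulting rule grants CAP_FOWNER to the whole syslogd_t domain rather than only for files under /var/log/hosts, so read the generated module before loading it.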