Here's a small patch adding a small SElinux module that makes it possible to run syslog-ng on RHEL5 with SElinux in default enforcing mode.
---
 contrib/rhel-packaging/syslog_ng.te | 20 ++++++++++++++++++++
 contrib/rhel-packaging/syslog_ng.te.README | 14 ++++++++++++++
 2 files changed, 34 insertions(+), 0 deletions(-)
 create mode 100644 contrib/rhel-packaging/syslog_ng.te
 create mode 100644 contrib/rhel-packaging/syslog_ng.te.README
diff --git a/contrib/rhel-packaging/syslog_ng.te b/contrib/rhel-packaging/syslog_ng.te
new file mode 100644
index 0000000..449756c
--- /dev/null
+++ b/contrib/rhel-packaging/syslog_ng.te
@@ -0,0 +1,20 @@
+module syslog_ng 1.0;
+
+require {
+ class sock_file { getattr unlink };
+ class tcp_socket { create bind setopt name_bind node_bind listen };
+ class dir { write add_name };
+ class file { create write getattr read };
+ type device_t;
+ type syslogd_t;
+ type rsh_port_t;
+ type inaddr_any_node_t;
+ type var_t;
+};
+
+allow syslogd_t device_t:sock_file { getattr unlink };
+allow syslogd_t rsh_port_t:tcp_socket name_bind;
+allow syslogd_t inaddr_any_node_t:tcp_socket node_bind;
+allow syslogd_t self:tcp_socket { create listen bind setopt };
+allow syslogd_t var_t:dir { write add_name };
+allow syslogd_t var_t:file { create write getattr read };
diff --git a/contrib/rhel-packaging/syslog_ng.te.README b/contrib/rhel-packaging/syslog_ng.te.README
new file mode 100644
index 0000000..df316a1
--- /dev/null
+++ b/contrib/rhel-packaging/syslog_ng.te.README
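Review bot: The two `var_t` rules at the end of the hunk let syslogd_t create and write files in any directory carrying the generic `var_t` label (most of /var), which is far broader than the single `/var/syslog-ng.persist` file the README says they are for, and it gives up much of the confinement the module is meant to preserve. If the RHEL5 base policy provides `syslogd_var_lib_t` (refpolicy's type for `/var/lib/syslog`), the narrower fix is to keep the persist file under a directory labelled with it and grant only `allow syslogd_t syslogd_var_lib_t:dir { write add_name };` and `allow syslogd_t syslogd_var_lib_t:file { create write getattr read };`, backed by a file-context entry such as `/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)`; if that type is not available, a type declared in this module would serve the same purpose. The module also carries no comments, so each rule group should state the denial it resolves, e.g. `# tcp/514 carries the rsh_port_t label in the base policy; needed for the tcp() listener` above the `rsh_port_t` rule and `# presumably the stale /dev/log socket file syslog-ng removes at startup -- confirm from audit.log` above the `device_t:sock_file` rule. None of the rules here touches `/proc/kmsg` as the README claims (the `device_t:sock_file` rule concerns a socket file under /dev), so the stated intent should be reconciled with the rules actually granted.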
@@ -0,0 +1,14 @@
+"syslog_ng.te" is the necessary selinux module to allow syslog-ng
+running on RHEL5 (with selinux in default enforcing mode). It's
+necessary for up for letting the syslogd_t domain access /proc/kmsg,
+listen on 514/tcp and write /var/syslog-ng.persist.
+
+To build and load it, execute:
+
+ checkmodule -M -m -o syslog_ng.mod syslog_ng.te
+ semodule_package -o syslog_ng.pp -m syslog_ng.mod
+ semodule -i ./syslog_ng.pp
+
+The module can be removed from the system by executing:
+
+ semodule --remove=syslog_ng
--
1.5.1