FYI: Fedora Core 3, syslog-ng, and SELinux
------------------------------------------------------------

It is now possible to run syslog-ng on Fedora Core 3 with SELinux in
ENFORCING mode. The only installation requirements that should be met
are the following:

 1) upgrade selinux-policy-targeted to 1.17.30-2.96

 2) enable the selinux use_syslogng boolean

      setsebool -P use_syslogng 1

 3) build and install the syslog-ng RPM

      libol RPMS are available in Fedora Extras mirrors
      syslog-ng SRPM is available for download here
      https://bugzilla.fedora.us/show_bug.cgi?id=1332

Note: This boolean has existed at least since selinux-policy-targeted
1.17.30-2.90, but it is only from release 2.96 that all the syslog_ng
rules for a standard RedHat/Fedora syslog/syslog-ng configuration are
in place.

References:

 * /etc/selinux/targeted/src/policy/domains/program/syslogd.te
   (from selinux-policy-targeted-sources-1.17.30-2.96)
   ----------
   ...
   bool use_syslogng false;

   if (use_syslogng) {
   # Allow access to /proc/kmsg for syslog-ng
   allow syslogd_t proc_t:dir search;
   allow syslogd_t proc_kmsg_t:file { getattr read };
   allow syslogd_t kernel_t:system { syslog_mod syslog_console };
   allow syslogd_t self:capability { sys_admin chown fsetid };
   allow syslogd_t var_log_t:dir { create setattr };
   }
   ----------

 * selinux-policy-targeted prevents syslog-ng from using /proc/kmsg
   https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=141064

 * selinux-policy-targeted and syslog-ng (take 2)
   https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152185

--
José Pedro Oliveira
* mailto: jpo@di.uminho.pt * http://gsd.di.uminho.pt/~jpo *
* gpg fingerprint = F9B6 8D87 859D 1C94 48F0 84C0 9749 9EB5 91BD 851B *
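A preflight check for the prerequisites listed in the message above, as an added example that is not part of the original post. The function names are illustrative, and it assumes `getsebool` prints the state after `-->` as `on` (or `active` with older tools); the version comparison is numeric per field, so release 2.100 correctly ranks above 2.96.

```shell
#!/bin/sh
# Added example (not from the original message): checks the prerequisites listed above.
MIN_POLICY="1.17.30-2.96"   # minimum selinux-policy-targeted version-release per the message

# ver_ge A B: true when version-release A >= B, comparing numeric fields left to right.
ver_ge() {
    a=$(printf '%s' "$1" | tr -c '0-9' ' ')
    b=$(printf '%s' "$2" | tr -c '0-9' ' ')
    set -- $a
    for want in $b; do
        have=${1:-0}
        [ $# -gt 0 ] && shift
        [ "$have" -gt "$want" ] && return 0
        [ "$have" -lt "$want" ] && return 1
    done
    return 0
}

# bool_on LINE: true when a getsebool output line reports the boolean as enabled.
# Assumption: the state follows "--> " and reads "on" ("active" with older tools).
bool_on() {
    case "${1##*--> }" in
        on|active) return 0 ;;
        *) return 1 ;;
    esac
}

# check POLICY_VERSION GETSEBOOL_LINE GETENFORCE_OUTPUT
# Prints findings and returns the number of unmet prerequisites.
check() {
    problems=0
    ver_ge "$1" "$MIN_POLICY" || { echo "policy $1 is older than $MIN_POLICY"; problems=$((problems+1)); }
    bool_on "$2" || { echo "use_syslogng is off: run setsebool -P use_syslogng 1"; problems=$((problems+1)); }
    [ "$3" = "Enforcing" ] || echo "note: SELinux mode is '$3', not Enforcing"
    return "$problems"
}

# Live run on a host that has the tools; skipped elsewhere.
if command -v rpm >/dev/null 2>&1 && command -v getsebool >/dev/null 2>&1; then
    check "$(rpm -q --qf '%{VERSION}-%{RELEASE}' selinux-policy-targeted)" \
          "$(getsebool use_syslogng 2>&1)" "$(getenforce 2>/dev/null)" \
        && echo "prerequisites met" || echo "prerequisites not met"
fi
```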