[syslog-ng] FYI: Fedora Core 3, syslog-ng, and SELinux

Jose Pedro Oliveira syslog-ng@lists.balabit.hu
Sat, 23 Apr 2005 22:29:09 +0100 (WEST)


FYI: Fedora Core 3, syslog-ng, and SELinux
------------------------------------------------------------

It is now possible to run syslog-ng on Fedora Core 3 with
SELinux in ENFORCING mode. The only installation requirements
that must be met are the following:

    1) upgrade selinux-policy-targeted to 1.17.30-2.96

    2) enable the selinux use_syslogng boolean

           setsebool -P use_syslogng 1

    3) build and install the syslog-ng RPM

       libol RPMs are available on the Fedora Extras mirrors;
       the syslog-ng SRPM is available for download here:
       https://bugzilla.fedora.us/show_bug.cgi?id=1332


Note:
This boolean has existed since at least selinux-policy-targeted
1.17.30-2.90, but it is only from release 2.96 that all the
syslog_ng rules for a standard Red Hat/Fedora syslog/syslog-ng
configuration are in place.


References:

* /etc/selinux/targeted/src/policy/domains/program/syslogd.te
  (from selinux-policy-targeted-sources-1.17.30-2.96)

	----------
	...
	bool use_syslogng false;

	if (use_syslogng) {
	# Allow access to /proc/kmsg for syslog-ng
	allow syslogd_t proc_t:dir search;
	allow syslogd_t proc_kmsg_t:file { getattr read };
	allow syslogd_t kernel_t:system { syslog_mod syslog_console };
	allow syslogd_t self:capability { sys_admin chown fsetid };
	allow syslogd_t var_log_t:dir { create setattr };
	}
	----------

* selinux-policy-targeted prevents syslog-ng from using /proc/kmsg
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=141064

* selinux-policy-targeted and syslog-ng (take 2)
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152185

-- 
José Pedro Oliveira
* mailto: jpo@di.uminho.pt * http://gsd.di.uminho.pt/~jpo *
* gpg fingerprint = F9B6 8D87 859D 1C94 48F0 84C0 9749 9EB5 91BD 851B *
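
A preflight check for requirements 1 and 2 in the message above, as an added example that is not part of the original post. The function names, the `--live` switch and the accepted `getsebool` wording (`active` or `on`) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): preflight check for the
# policy version and boolean requirements. Function names are hypothetical.
MIN_POLICY="1.17.30-2.96"   # minimum version-release stated in the post

# ver_ge A B: succeed if version-release A >= B, comparing the fields
# separated by '.' or '-' numerically. Assumes all-numeric fields, as in
# the versions quoted in the post; this is not a full rpm version compare.
ver_ge() {
    a=$(printf '%s' "$1" | tr '.-' '  ')
    b=$(printf '%s' "$2" | tr '.-' '  ')
    set -- $a
    for y in $b; do
        x=${1:-0}
        [ $# -gt 0 ] && shift
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# bool_active LINE: succeed if a getsebool output line reports the boolean
# as enabled. Both "active" and "on" are accepted (assumed output wording).
bool_active() {
    case "$1" in
        *"--> active"*|*"--> on"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check POLICY_VR BOOL_LINE: report both requirements, return unmet count.
check() {
    fails=0
    if ver_ge "$1" "$MIN_POLICY"; then echo "ok   policy $1"
    else echo "FAIL policy $1 is older than $MIN_POLICY"; fails=$((fails + 1)); fi
    if bool_active "$2"; then echo "ok   use_syslogng enabled"
    else echo "FAIL use_syslogng not enabled: $2"; fails=$((fails + 1)); fi
    return "$fails"
}

# Live mode: query the running system (run the script with --live).
if [ "${1:-}" = "--live" ]; then
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}' selinux-policy-targeted 2>/dev/null) || vr=0
    check "$vr" "$(getsebool use_syslogng 2>&1)"
    status=$?
    echo "mode: $(getenforce 2>/dev/null)"
    exit "$status"
fi
```

Release 2.90 fails the version check even with the boolean enabled, matching the note that the complete rule set only arrived in 2.96.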