[syslog-ng] [PATCH] Added SElinux module for running syslog-ng on RHEL5.
Jan-Frode Myklebust
janfrode at tanso.net
Sun May 20 16:45:53 CEST 2007
Here's a small patch adding a small SElinux module that makes it
possible to run syslog-ng on RHEL5 with SElinux in default enforcing
mode.
---
contrib/rhel-packaging/syslog_ng.te | 20 ++++++++++++++++++++
contrib/rhel-packaging/syslog_ng.te.README | 14 ++++++++++++++
2 files changed, 34 insertions(+), 0 deletions(-)
create mode 100644 contrib/rhel-packaging/syslog_ng.te
create mode 100644 contrib/rhel-packaging/syslog_ng.te.README
diff --git a/contrib/rhel-packaging/syslog_ng.te b/contrib/rhel-packaging/syslog_ng.te
new file mode 100644
index 0000000..449756c
--- /dev/null
+++ b/contrib/rhel-packaging/syslog_ng.te
@@ -0,0 +1,20 @@
+module syslog_ng 1.0;
+
+require {
+ class sock_file { getattr unlink };
+ class tcp_socket { create bind setopt name_bind node_bind listen };
+ class dir { write add_name };
+ class file { create write getattr read };
+ type device_t;
+ type syslogd_t;
+ type rsh_port_t;
+ type inaddr_any_node_t;
+ type var_t;
+};
+
+allow syslogd_t device_t:sock_file { getattr unlink };
+allow syslogd_t rsh_port_t:tcp_socket name_bind;
+allow syslogd_t inaddr_any_node_t:tcp_socket node_bind;
+allow syslogd_t self:tcp_socket { create listen bind setopt };
+allow syslogd_t var_t:dir { write add_name };
+allow syslogd_t var_t:file { create write getattr read };
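Review bot: the two `var_t` rules at the end of the hunk (`allow syslogd_t var_t:dir { write add_name };` and `allow syslogd_t var_t:file { create write getattr read };`) let syslogd_t create and write any directory or file carrying the generic var_t label, not just the one /var/syslog-ng.persist file the README gives as the reason. A dedicated type for the persist file with a matching file_contexts entry, or placing the file under a path already labeled for syslogd_t, would keep the grant to that one file. The other rules also deserve a one-line comment each saying what they were generated for: `rsh_port_t:tcp_socket name_bind` is there because the reference policy labels 514/tcp as the rsh port (514/udp is the syslog port), so this module is piggybacking on the rsh label rather than a syslog-specific one, and `device_t:sock_file { getattr unlink }` covers an otherwise unlabeled device node; audit2allow output does not record which path or port triggered each denial, and future reviewers will want to know.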
diff --git a/contrib/rhel-packaging/syslog_ng.te.README b/contrib/rhel-packaging/syslog_ng.te.README
new file mode 100644
index 0000000..df316a1
--- /dev/null
+++ b/contrib/rhel-packaging/syslog_ng.te.README
@@ -0,0 +1,14 @@
+"syslog_ng.te" is the necessary selinux module to allow syslog-ng
+running on RHEL5 (with selinux in default enforcing mode). It's
+necessary for up for letting the syslogd_t domain access /proc/kmsg,
+listen on 514/tcp and write /var/syslog-ng.persist.
+
+To build and load it, execute:
+
+ checkmodule -M -m -o syslog_ng.mod syslog_ng.te
+ semodule_package -o syslog_ng.pp -m syslog_ng.mod
+ semodule -i ./syslog_ng.pp
+
+The module can be removed from the system by executing:
+
+ semodule --remove=syslog_ng
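Review bot: the first paragraph says the module is needed so syslogd_t can access /proc/kmsg, but no rule in syslog_ng.te touches a proc or kernel type; the rules actually cover a device_t sock_file, binding 514/tcp and writing var_t, so either the README should describe what the module really grants or the kmsg rule is missing from the .te. The sentence "It's necessary for up for letting the syslogd_t domain ..." is garbled; suggest "It is needed to let the syslogd_t domain ...". The `semodule -i ./syslog_ng.pp` and `semodule --remove=syslog_ng` steps need root, which the README should state next to the commands.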
--
1.5.1