[syslog-ng] Syslog-ng refuses to create directories on Linux
John Chajecki
John.Chajecki at leicester.gov.uk
Tue Feb 24 17:55:14 CET 2009
Ok, got it going!
It seems that the syslog-ng process hung after changing the AppArmor profile so the changes didn't apply. Had to restart the daemon to be sure every time I made a change. In the end just adding the directory /media/syslog/HOSTS/** with RWIX was sufficient.
_
John Chajecki
Senior Infrastructure Engineer
Information Division
Resources Department
Leicester City Council
>>> "John Chajecki" <John.Chajecki at leicester.gov.uk> 24/02/2009 15:51 >>>
Sandor,
Thanks, that seems to be it. I hadn't even thought of that.
I temporarily disabled AppArmor and it started working.
I've since turned it back on and tried to amend the profile to make it work but no joy. For example I've added the directory /media/* to the profile with rw rights but still getting the permissions issue. I've tried experimenting with other rights like inherit and setuid/setgid but it's still failing. It would seem counterproductive if the only way to get syslog-ng to work is to turn AppArmor off.
I'm still trying to get my head around this, but are apps only protected if they have a profile configured in AppArmor?
Would it work if I simply deleted the syslog-ng profile from AppArmor?
_
John Chajecki
Senior Infrastructure Engineer
Information Division
Resources Department
Leicester City Council
>>> "Sandor Geller (IT)" <Sandor.Geller at morganstanley.com> 24/02/2009 15:10 >>>
Hi,
Welcome to the wonderful world of AppArmor :)
Regards,
Sandor
On Tue, Feb 24, 2009 at 4:06 PM, John Chajecki
<John.Chajecki at leicester.gov.uk> wrote:
>
> We have been running a syslog server on a Solaris server for some time. The server collects syslogs from a number of sources and places the log
> data into separate files for each system according to the host IP address and date. Recently, we have begun migrating the facility to a Linux server running Novell SuSE Linux 10. (SLES10) 64bit.
>
> We are running syslog-ng version 2.0.9-6.1 for the 64bit platform which I obtained from OpenSuSE and that is supposed to be compatible with SLES10.
>
> The problem is that although I am using essentially the same config file I am getting my log filled with:
>
> Feb 24 14:55:04 itssyslog syslog-ng[10090]: Error opening file for writing; filename='/media/syslog/HOSTS/192.168.1.146', error='Permission denied (13)'
>
> The directories /media, /media/syslog and /media/syslog/HOSTS have permissions of 0640.
>
> This is what happens in strace:
>
> open("/var/run/syslog-ng.pid", O_WRONLY|O_CREAT|O_TRUNC|O_NOCTTY, 0600) = 7
> write(7, "10090", 5) = 5
> close(7) = 0
> open("/dev/null", O_RDONLY) = 7
> dup2(7, 0) = 0
> close(7) = 0
> open("/dev/null", O_WRONLY) = 7
> dup2(7, 1) = 1
> dup2(7, 2) = 2
> close(7) = 0
> setsid() = 10090
> poll([{fd=3, events=POLLIN}, {fd=4, events=POLLIN}], 2, 0) = 0
> uname({sys="Linux", node="itssyslog", ...}) = 0
> open("/var/log/messages", O_WRONLY|O_NONBLOCK|O_APPEND|O_CREAT|O_NOCTTY, 0640) = 7
> fcntl(7, F_GETFD) = 0
> fcntl(7, F_SETFD, FD_CLOEXEC) = 0
> fchown(7, 0, 4294967295) = 0
> fchown(7, 4294967295, 0) = 0
> fchmod(7, 0640) = 0
> poll([{fd=7, events=POLLOUT, revents=POLLOUT}, {fd=3, events=POLLIN}, {fd=4, events=POLLIN}], 3, 29983) = 1
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1323, ...}) = 0
> write(7, "Feb 24 14:16:50 itssyslog syslog"..., 83) = 83
> poll([{fd=3, events=POLLIN}, {fd=4, events=POLLIN, revents=POLLIN}], 2, 29983) = 1
> recvfrom(4, "<22>Feb 24 14:12:24 192.168.193."..., 8192, 0, {sa_family=AF_INET, sin_port=htons(61643), sin_addr=inet_addr("192.168.1.146")}, [16]) = 155
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1323, ...}) = 0
> brk(0x5be000) = 0x5be000
> brk(0x5df000) = 0x5df000
> open("/media/syslog/HOSTS/192.168.1.146/2009/02/24/192.168.1.146.log", O_WRONLY|O_NONBLOCK|O_APPEND|O_CREAT|O_NOCTTY, 0640) = -1 ENOENT (No such file or directory)
> stat("/media", {st_mode=S_IFDIR|0640, st_size=4096, ...}) = 0
> stat("/media/syslog", {st_mode=S_IFDIR|0640, st_size=4096, ...}) = 0
> stat("/media/syslog/HOSTS", {st_mode=S_IFDIR|0640, st_size=4096, ...}) = 0
> stat("/media/syslog/HOSTS/192.168.1.146", 0x7fff7eb5c400) = -1 ENOENT (No such file or directory)
> mkdir("/media/syslog/HOSTS/192.168.1.146", 0640) = -1 EACCES (Permission denied)
> recvfrom(4, 0x583fe0, 8192, 0, 0x7fff7eb5c780, 0x7fff7eb5c80c) = -1 EAGAIN (Resource temporarily unavailable)
> poll([{fd=3, events=POLLIN}, {fd=4, events=POLLIN}], 2, 0) = 0
> .....
>
>
> For some reason, the syslog-ng daemon tries to create the directory structure but fails with the Permission denied error. itssyslog:/var/log #
> The daemon is running as root:
>
> ps -ef |grep syslog-ng
> root 10077 1 0 14:15 ? 00:00:00 /sbin/syslog-ng
>
> I have tried creating a directory structure manually and I have no problem creating, writing to and removing the directories.
>
> Just to test, I created another directory structure /syslog/HOSTS with permissions 0777. I restarted the syslog-ng service but I got the same error. I also ran the syslog-ng executable manually as root, but still got the same problem.
>
> What's stopping syslog-ng from creating the directory structure?
> Does it perhaps run in a chroot jail by default?
> As I mentioned, this worked fine on the Solaris system.
>
> John.
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
>
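Why the `/media/*` rule mentioned in the thread could not cover the failing `mkdir`, while `/media/syslog/HOSTS/**` does, shown as an added example that is not part of the original messages. It is a simplified model of AppArmor path globbing that handles only `*` and `**`; the function names are hypothetical and the paths are the ones from the strace above.

```python
import re


def glob_to_regex(rule_path):
    """Translate an AppArmor-style path glob to a regex (simplified model).

    Only '*' and '**' are handled: '*' stays inside one path component,
    '**' may cross '/' separators. Other AppArmor glob syntax is not modelled.
    """
    out = []
    i = 0
    while i < len(rule_path):
        if rule_path.startswith("**", i):
            out.append(".+")        # crosses directory separators
            i += 2
        elif rule_path[i] == "*":
            out.append("[^/]+")     # never matches a '/'
            i += 1
        else:
            out.append(re.escape(rule_path[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")


def covering_rules(rules, path):
    """Return the rule paths whose glob matches the given path."""
    return [r for r in rules if glob_to_regex(r).match(path)]


# Paths taken from the strace in the thread. The directory is checked with
# and without a trailing slash so the result does not depend on how a given
# AppArmor version names directories.
TARGETS = [
    "/media/syslog/HOSTS/192.168.1.146",
    "/media/syslog/HOSTS/192.168.1.146/",
    "/media/syslog/HOSTS/192.168.1.146/2009/02/24/192.168.1.146.log",
]
FIRST_ATTEMPT = ["/media/*"]              # rule tried first in the thread
WORKING = ["/media/syslog/HOSTS/**"]      # rule that resolved the problem


def coverage():
    """Map each target path to (covered by first attempt, covered by fix)."""
    return {p: (bool(covering_rules(FIRST_ATTEMPT, p)),
                bool(covering_rules(WORKING, p))) for p in TARGETS}


if __name__ == "__main__":
    for path, (first, fixed) in coverage().items():
        print(f"{path}\n  /media/*: {first}   /media/syslog/HOSTS/**: {fixed}")
```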