[syslog-ng] syslog-ng Digest, Vol 92, Issue 18
Frank Scalzo
fscalzo at gmail.com
Thu Dec 20 15:19:35 CET 2012
> Message: 12
> Subject: Re: [syslog-ng] having an issue with syslog and SElinux
>
>
> On 2012-12-18 14:40, Frank Scalzo wrote:
>> kernel: : type=1400 audit(1355841452.964:21866): avc: denied { fowner
>> } for pid=861 comm="syslog-ng" capability=3
>> scontext=system_u:system_r:syslogd_t:s0
>> tcontext=system_u:system_r:syslogd_t:s0 tclass=capability
>>
>>
>> How do I fix this without disabling SELinux?
>
> Which Linux distribution are you using? And which versions of syslog-ng
> and selinux? A copy of your syslog-ng configuration file would
> also be helpful.
I'm running the following:
Red Hat Enterprise Linux Server release 6.3 (Santiago)
selinux-3.7.19-187
syslog-ng 3.2.5
Installer-Version: 3.2.5
Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.2#master#9d4bea28198bd731df1a61e980a2af5b88d81116
Compile-Date: Jan 15 2012 19:47:30
Enable-Threads: on
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-SSL: off
Enable-SQL: on
Enable-Linux-Caps: off
Enable-Pcre: on
Enable-Pacct: off
conf below:
@version:3.2
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
options {
    flush_lines(100);
    log_fetch_limit(100);
    log_iw_size(100);
    log_fifo_size(1000);
    time_reopen (10);
    log_fifo_size (1000);
    use_dns (yes);
    use_fqdn (yes);
    create_dirs (yes);
    keep_hostname (yes);
};
source s_sys {
    file ("/proc/kmsg" program_override("kernel: "));
    unix-stream ("/dev/log");
    internal();
    # udp(ip(0.0.0.0) port(514));
};
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };
filter f_kernel { facility(kern); };
filter f_default { level(info..emerg) and
                   not (facility(mail)
                        or facility(authpriv)
                        or facility(cron)); };
filter f_auth { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news { facility(uucp) or
                (facility(news)
                 and level(crit..emerg)); };
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };
#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };
## Additions for central syslog
source s_udp { udp(); };
source s_tcp { tcp(ip(0.0.0.0) port(514)); };
destination d_hosts {
    file("/var/log/hosts/$HOST/$YEAR$MONTH$DAY"
         owner(syslog)
         group(syslog)
         perm(0644)
         dir_perm(0755)
         create_dirs(yes));
};
log { source(s_udp); destination(d_hosts); };
log { source(s_tcp); destination(d_hosts); };
# For testing: aka logger "my little pony"
#log { source(s_sys); destination(d_hosts); };
## End additions for central syslog
# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
On Dec 20, 2012, at 8:59 AM, syslog-ng-request at lists.balabit.hu wrote:
> Today's Topics:
>
> 1. syslog-ng Insider - December 2012 (Peter Czanik)
> 2. [Bug 213] Build Failure on AIX with syslog-ng-3.3.6 and gcc
> 4.2.0 (bugzilla at bugzilla.balabit.com)
> 3. [Bug 213] Build Failure on AIX with syslog-ng-3.3.6 and gcc
> 4.2.0 (bugzilla at bugzilla.balabit.com)
> 4. [Bug 214] Build / Install Issues on AIX
> (bugzilla at bugzilla.balabit.com)
> 5. [Bug 214] Build / Install Issues on AIX
> (bugzilla at bugzilla.balabit.com)
> 6. [Bug 173] Compile issues with syslog-ng_3.3.4.tar.gz
> (bugzilla at bugzilla.balabit.com)
> 7. [Bug 61] udp6 source declaration causes syslog forwarding to
> assume IPv6 (bugzilla at bugzilla.balabit.com)
> 8. [Bug 42] capabilities, chown, chmod
> (bugzilla at bugzilla.balabit.com)
> 9. [Bug 213] Build Failure on AIX with syslog-ng-3.3.6 and gcc
> 4.2.0 (bugzilla at bugzilla.balabit.com)
> 10. [Bug 61] udp6 source declaration causes syslog forwarding to
> assume IPv6 (bugzilla at bugzilla.balabit.com)
> 11. [Bug 61] udp6 source declaration causes syslog forwarding to
> assume IPv6 (bugzilla at bugzilla.balabit.com)
> 12. Re: having an issue with syslog and SElinux (Jose Pedro Oliveira)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 20 Dec 2012 12:01:01 +0100
> From: Peter Czanik <czanik at balabit.hu>
> Subject: [syslog-ng] syslog-ng Insider - December 2012
> To: Syslog-ng users' and developers' mailing list
> <syslog-ng at lists.balabit.hu>
> Message-ID: <50D2EFED.9080108 at balabit.hu>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>
> Dear syslog-ng users,
>
>
> This is the 19th issue of the syslog-ng Insider, a monthly newsletter
> that brings you syslog-ng related news.
>
> Your feedback and news tips about the next issue are welcome at
> documentation at balabit.com
>
>
> FEATURED NEWS
>
>
> syslog-ng 3.4 beta1 is released
>
> -------------------------------
>
> Version 3.4 beta1 was released this week, right before the
> Christmas holidays. It has many new features and bug fixes even since the
> last alpha release, most notably a new AMQP destination, a JSON parser
> and a reworked syslog parser and network configuration, which makes
> configuring syslog-ng even more simple and flexible.
>
> For a complete list of changes, check the announcement at
> https://lists.balabit.hu/pipermail/syslog-ng-announce/2012-December/000150.html
>
> For binary package availability check our 3rd party binary page at
> http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/downloads/3rd_party
>
>
> balabit.logstore 0.1.0 is released
>
> ----------------------------------
>
> The second version of the balabit.logstore project was announced last
> week. It is a library written in Clojure, that tries to provide a
> convenient API to read syslog-ng PE LogStore files. Development is still
> in its early phases, but it can already read unencrypted logstore files,
> search in them and print much useful information about them. Compared to
> the previous version, this has a Java API.
>
> For more details, check the announcement at
> https://lists.balabit.hu/pipermail/syslog-ng/2012-December/019788.html
>
>
>
> NEW RELEASES:
>
> * syslog-ng OSE 3.4 beta1:
>   https://lists.balabit.hu/pipermail/syslog-ng-announce/2012-December/000150.html
>
> * balabit.logstore 0.1.0:
>   https://lists.balabit.hu/pipermail/syslog-ng/2012-December/019788.html
>
> ARCHIVE
>
>
> http://insider.blogs.balabit.com/
>
> --
> Peter Czanik (CzP) <czanik at balabit.hu>
> BalaBit IT Security / syslog-ng upstream
> http://czanik.blogs.balabit.com/
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 20 Dec 2012 13:02:58 +0100 (CET)
> From: bugzilla at bugzilla.balabit.com
> Subject: [syslog-ng] [Bug 213] Build Failure on AIX with
> syslog-ng-3.3.6 and gcc 4.2.0
> To: syslog-ng at lists.balabit.hu
> Message-ID: <20121220120258.155B339DC65 at lists.balabit.hu>
> Content-Type: text/plain; charset="UTF-8"
>
> https://bugzilla.balabit.com/show_bug.cgi?id=213
>
>
> Gergely Nagy <algernon at balabit.hu> changed:
>
> What |Removed |Added
> ----------------------------------------------------------------------------
> Target Milestone|--- |3.3.8
> CC| |algernon at balabit.hu
> AssignedTo|bazsi at balabit.hu |algernon at balabit.hu
>
>
>
>
> --- Comment #3 from Gergely Nagy <algernon at balabit.hu> 2012-12-20 13:02:57 ---
> Thanks for the report and the patch, I will apply this to 3.3's git head shortly, with some minor modifications: I don't want to replace GLOB_NOMAGIC with
> GLOB_NOCHECK, as they're not the same.
>
> With GLOB_NOMAGIC, "/etc/syslog-ng/foo.conf" both would return foo.conf, but for "/etc/syslog-ng/conf.d/*.conf", NOCHECK would return the pattern, NOMAGIC
> would return GLOB_NOMATCH. So on platforms that do have NOMAGIC, syslog-ng should use it, on others, it should fall back to NOCHECK as the next best option.
>
> I plan to do this with something along these lines:
>
> #ifndef GLOB_NOMAGIC
> #define GLOB_NOMAGIC GLOB_NOCHECK
> #endif
>
> Or better yet, implement NOMAGIC if the platform does not support it. I'll see which option is more feasible in our case.
>
>
> --
> Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
> ------- You are receiving this mail because: -------
> You are watching all bug changes.
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 20 Dec 2012 13:03:08 +0100 (CET)
> From: bugzilla at bugzilla.balabit.com
> Subject: [syslog-ng] [Bug 213] Build Failure on AIX with
> syslog-ng-3.3.6 and gcc 4.2.0
> To: syslog-ng at lists.balabit.hu
> Message-ID: <20121220120308.8D50439DC58 at lists.balabit.hu>
> Content-Type: text/plain; charset="UTF-8"
>
> https://bugzilla.balabit.com/show_bug.cgi?id=213
>
>
> Gergely Nagy <algernon at balabit.hu> changed:
>
> What |Removed |Added
> ----------------------------------------------------------------------------
> Status|NEW |ASSIGNED
>
>
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 20 Dec 2012 13:06:40 +0100 (CET)
> From: bugzilla at bugzilla.balabit.com
> Subject: [syslog-ng] [Bug 214] Build / Install Issues on AIX
> To: syslog-ng at lists.balabit.hu
> Message-ID: <20121220120640.1E33C39DC6B at lists.balabit.hu>
> Content-Type: text/plain; charset="UTF-8"
>
> https://bugzilla.balabit.com/show_bug.cgi?id=214
>
>
> Gergely Nagy <algernon at balabit.hu> changed:
>
> What |Removed |Added
> ----------------------------------------------------------------------------
> CC| |algernon at balabit.hu
> AssignedTo|bazsi at balabit.hu |algernon at balabit.hu
>
>
>
>
> --- Comment #2 from Gergely Nagy <algernon at balabit.hu> 2012-12-20 13:06:40 ---
> (In reply to comment #1)
>> Also to note, version 3.2.5 does not have any issues with lib/syslog-ng/libafsocket.so dependencies... the ldd output doesn't seem to indicate a requirement
>> for libsyslog-ng-crypto.
>>
>
> libsyslog-ng-crypto was split out of libsyslog-ng in 3.3.
>
> My guess is that libsyslog-ng-crypto gets installed into /opt/local/syslogng/lib/syslog-ng/, which is not on the dynamic loader's path, and the AIX linker
> thingies do not support RPATH.
>
> The best course of action here would be to link libsyslog-ng-crypto directly into libsyslog-ng, I believe. Or, move it out of lib/syslog-ng, into lib/ itself.
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 20 Dec 2012 13:06:52 +0100 (CET)
> From: bugzilla at bugzilla.balabit.com
> Subject: [syslog-ng] [Bug 214] Build / Install Issues on AIX
> To: syslog-ng at lists.balabit.hu
> Message-ID: <20121220120652.23B0039DC75 at lists.balabit.hu>
> Content-Type: text/plain; charset="UTF-8"
>
> https://bugzilla.balabit.com/show_bug.cgi?id=214
>
>
> Gergely Nagy <algernon at balabit.hu> changed:
>
> What |Removed |Added
> ----------------------------------------------------------------------------
> Target Milestone|--- |3.3.8
> Status|NEW |ASSIGNED
>
>
>
>
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 20 Dec 2012 13:09:21 +0100 (CET)
> From: bugzilla at bugzilla.balabit.com
> Subject: [syslog-ng] [Bug 173] Compile issues with
> syslog-ng_3.3.4.tar.gz
> To: syslog-ng at lists.balabit.hu
> Message-ID: <20121220120921.688A011E004 at lists.balabit.hu>
> Content-Type: text/plain; charset="UTF-8"
>
> https://bugzilla.balabit.com/show_bug.cgi?id=173
>
>
> Gergely Nagy <algernon at balabit.hu> changed:
>
> What |Removed |Added
> ----------------------------------------------------------------------------
> Status|REOPENED |NEEDINFO
>
>
>
>
> --- Comment #4 from Gergely Nagy <algernon at balabit.hu> 2012-12-20 13:09:21 ---
> (In reply to comment #3)
>> (In reply to comment #2)
>>> Is this still an issue, or can I close it? I don't think this is a bug in syslog-ng...
>>>
>>
>> I am facing the same issue while compiling syslog-ng-3.4.0-alpha3 on CentOS 6.3.
> [...]
>> when I set the env variable export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig , eventlog went through fine but glib gave errors
>> checking for GLIB... no
>> configure: error: Package requirements (glib-2.0 >= 2.10.1 gmodule-2.0 gthread-2.0) were not met:
> [...]
>
> Can you attach the config.log files from all three configure runs? That would help me figure out what goes wrong.
>
> Thanks!
>
>
>
>
> ------------------------------
>
> Message: 7
> Date: Thu, 20 Dec 2012 13:12:03 +0100 (CET)
> From: bugzilla at bugzilla.balabit.com
> Subject: [syslog-ng] [Bug 61] udp6 source declaration causes syslog
> forwarding to assume IPv6
> To: syslog-ng at lists.balabit.hu
> Message-ID: <20121220121203.AA09339DC23 at lists.balabit.hu>
> Content-Type: text/plain; charset="UTF-8"
>
> https://bugzilla.balabit.com/show_bug.cgi?id=61
>
>
> Gergely Nagy <algernon at balabit.hu> changed:
>
> What |Removed |Added
> ----------------------------------------------------------------------------
> Target Milestone|3.0.6 |3.4.1
>
>
>
>
> --- Comment #5 from Gergely Nagy <algernon at balabit.hu> 2012-12-20 13:12:03 ---
> This is partially fixed in 3.4 already with the network() statement, we only need to force syslog() to set last_addr_family to IPv4.
>
>
>
>
> ------------------------------
>
> Message: 8
> Date: Thu, 20 Dec 2012 13:15:24 +0100 (CET)
> From: bugzilla at bugzilla.balabit.com
> Subject: [syslog-ng] [Bug 42] capabilities, chown, chmod
> To: syslog-ng at lists.balabit.hu
> Message-ID: <20121220121524.A692E39DCAA at lists.balabit.hu>
> Content-Type: text/plain; charset="UTF-8"
>
> https://bugzilla.balabit.com/show_bug.cgi?id=42
>
>
> Gergely Nagy <algernon at balabit.hu> changed:
>
> What |Removed |Added
> ----------------------------------------------------------------------------
> CC| |algernon at balabit.hu
> Resolution| |FIXED
> Status|REOPENED |RESOLVED
>
>
>
>
> --- Comment #10 from Gergely Nagy <algernon at balabit.hu> 2012-12-20 13:15:23 ---
> I'm closing this issue, as I believe it is not relevant for recent syslog-ng anymore.
>
>
>
>
> ------------------------------
>
> Message: 9
> Date: Thu, 20 Dec 2012 14:12:50 +0100 (CET)
> From: bugzilla at bugzilla.balabit.com
> Subject: [syslog-ng] [Bug 213] Build Failure on AIX with
> syslog-ng-3.3.6 and gcc 4.2.0
> To: syslog-ng at lists.balabit.hu
> Message-ID: <20121220131250.317AC39DC2A at lists.balabit.hu>
> Content-Type: text/plain; charset="UTF-8"
>
> https://bugzilla.balabit.com/show_bug.cgi?id=213
>
>
> Gergely Nagy <algernon at balabit.hu> changed:
>
> What |Removed |Added
> ----------------------------------------------------------------------------
> Resolution| |FIXED
> Status|ASSIGNED |RESOLVED
>
>
>
>
> --- Comment #4 from Gergely Nagy <algernon at balabit.hu> 2012-12-20 14:12:49 ---
> (In reply to comment #3)
>> Or better yet, implement NOMAGIC if the platform does not support it. I'll see which option is more feasible in our case.
>
> This is what I ended up doing, as the code required was pretty simple. I pushed the fix for both the iv_event.h include and the GLOB_NOMAGIC implementation to
> 3.3's master, both will be part of syslog-ng 3.3.8.
>
> Thanks for the report!
>
>
>
>
> ------------------------------
>
> Message: 10
> Date: Thu, 20 Dec 2012 14:19:41 +0100 (CET)
> From: bugzilla at bugzilla.balabit.com
> Subject: [syslog-ng] [Bug 61] udp6 source declaration causes syslog
> forwarding to assume IPv6
> To: syslog-ng at lists.balabit.hu
> Message-ID: <20121220131941.CE0DC39DC95 at lists.balabit.hu>
> Content-Type: text/plain; charset="UTF-8"
>
> https://bugzilla.balabit.com/show_bug.cgi?id=61
>
>
> Gergely Nagy <algernon at balabit.hu> changed:
>
> What |Removed |Added
> ----------------------------------------------------------------------------
> Target Milestone|3.4.1 |3.3.8
>
>
>
>
>
>
> ------------------------------
>
> Message: 11
> Date: Thu, 20 Dec 2012 14:23:47 +0100 (CET)
> From: bugzilla at bugzilla.balabit.com
> Subject: [syslog-ng] [Bug 61] udp6 source declaration causes syslog
> forwarding to assume IPv6
> To: syslog-ng at lists.balabit.hu
> Message-ID: <20121220132347.5C94639DCAC at lists.balabit.hu>
> Content-Type: text/plain; charset="UTF-8"
>
> https://bugzilla.balabit.com/show_bug.cgi?id=61
>
>
> Gergely Nagy <algernon at balabit.hu> changed:
>
> What |Removed |Added
> ----------------------------------------------------------------------------
> Resolution| |FIXED
> Status|ASSIGNED |RESOLVED
>
>
>
>
> --- Comment #6 from Gergely Nagy <algernon at balabit.hu> 2012-12-20 14:23:47 ---
> I ended up fixing this in 3.3, by forcing the syslog() destination to use IPv4, similar to how the source does it. In 3.4, network() can be used if one wants
> syslog over IPv6.
>
>
>
>
> ------------------------------
>
> Message: 12
> Date: Thu, 20 Dec 2012 13:58:55 +0000
> From: Jose Pedro Oliveira <jpo at di.uminho.pt>
> Subject: Re: [syslog-ng] having an issue with syslog and SElinux
> To: syslog-ng at lists.balabit.hu
> Message-ID: <50D3199F.8020004 at di.uminho.pt>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 2012-12-18 14:40, Frank Scalzo wrote:
>> kernel: : type=1400 audit(1355841452.964:21866): avc: denied { fowner
>> } for pid=861 comm="syslog-ng" capability=3
>> scontext=system_u:system_r:syslogd_t:s0
>> tcontext=system_u:system_r:syslogd_t:s0 tclass=capability
>>
>>
>> How do I fix this without disabling SELinux?
>
> Which Linux distribution are you using? And which versions of syslog-ng
> and selinux? A copy of your syslog-ng configuration file would
> also be helpful.
>
> jpo
> --
> José Pedro Oliveira
> * mailto:jpo at di.uminho.pt *
>
>
> ------------------------------
>
>
>
> End of syslog-ng Digest, Vol 92, Issue 18
> *****************************************
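
Added example, not part of the original message or of syslog-ng: a small Python decoder for the AVC denial quoted in this thread. It shows what the record means (domain `syslogd_t` was denied capability 3, `fowner`, on itself) and builds the type-enforcement rule that a tool such as `audit2allow` derives from such a record, so the rule can be reviewed before it goes into a local policy module. The names `parse_avc`, `te_rule` and `CAP_NAMES` are hypothetical.

```python
import re

# First capability numbers from linux/capability.h; SELinux uses the same
# names, lower-cased, as permissions of the "capability" class.
CAP_NAMES = {0: "chown", 1: "dac_override", 2: "dac_read_search",
             3: "fowner", 4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid"}

AVC_RE = re.compile(r"avc:\s*denied\s*\{([^}]*)\}\s*for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The denial quoted in the thread, with the mail line wrapping kept.
SAMPLE = '''kernel: : type=1400 audit(1355841452.964:21866): avc: denied { fowner
} for pid=861 comm="syslog-ng" capability=3
scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:syslogd_t:s0 tclass=capability'''


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % context)
    return parts[2]


def parse_avc(record):
    """Parse one AVC denial into a dict, or return None if it is not one."""
    text = " ".join(record.split())  # undo line wrapping
    match = AVC_RE.search(text)
    if match is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group(2))}
    avc = {
        "perms": match.group(1).split(),
        "comm": fields.get("comm"),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }
    if "capability" in fields:
        # Number -> name; numbers outside the table are kept as "cap_<n>".
        num = int(fields["capability"])
        avc["capability"] = CAP_NAMES.get(num, "cap_%d" % num)
    return avc


def te_rule(avc):
    """Build the type-enforcement allow rule that covers this denial."""
    # A domain acting on itself is written "self" in policy source.
    target = "self" if avc["target"] == avc["source"] else avc["target"]
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (avc["source"], target,
                                   avc["tclass"], perm_text)


if __name__ == "__main__":
    denial = parse_avc(SAMPLE)
    print(denial)
    print(te_rule(denial))
```
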