[syslog-ng] syslog-ng Digest, Vol 92, Issue 18
Jose Pedro Oliveira
jpo at di.uminho.pt
Thu Dec 20 15:53:04 CET 2012
On 2012-12-20 14:19, Frank Scalzo wrote:
>> Subject: Re: [syslog-ng] having an issue with syslog and SElinux
>>
>>
>> On 2012-12-18 14:40, Frank Scalzo wrote:
>>> kernel: : type=1400 audit(1355841452.964:21866): avc: denied { fowner
>>> } for pid=861 comm="syslog-ng" capability=3
>>> scontext=system_u:system_r:syslogd_t:s0
>>> tcontext=system_u:system_r:syslogd_t:s0 tclass=capability
>>>
>>>
>>> How do I fix this without disabling SElinux?
>>
>> Which Linux distribution are you using? And which versions of syslog-ng
>> and selinux? A copy of your syslog-ng configuration file would
>> also be helpful.
>
> I'm running the following:
>
> Red Hat Enterprise Linux Server release 6.3 (Santiago)
> selinux-3.7.19-187
> syslog-ng 3.2.5
> Installer-Version: 3.2.5
> Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.2#master#9d4bea28198bd731df1a61e980a2af5b88d81116
> Compile-Date: Jan 15 2012 19:47:30
> Enable-Threads: on
> Enable-Debug: off
> Enable-GProf: off
> Enable-Memtrace: off
> Enable-Sun-STREAMS: off
> Enable-IPv6: on
> Enable-Spoof-Source: on
> Enable-TCP-Wrapper: on
> Enable-SSL: off
> Enable-SQL: on
> Enable-Linux-Caps: off
> Enable-Pcre: on
> Enable-Pacct: off
>
>
> conf below:
>
> @version:3.2
>
> # syslog-ng configuration file.
> #
> # This should behave pretty much like the original syslog on RedHat. But
> # it could be configured a lot smarter.
> #
> # See syslog-ng(8) and syslog-ng.conf(5) for more information.
> #
>
> options {
> flush_lines(100);
> log_fetch_limit(100);
> log_iw_size(100);
> log_fifo_size(1000);
> time_reopen (10);
> log_fifo_size (1000);
> use_dns (yes);
> use_fqdn (yes);
> create_dirs (yes);
> keep_hostname (yes);
> };
>
> source s_sys {
> file ("/proc/kmsg" program_override("kernel: "));
> unix-stream ("/dev/log");
> internal();
> # udp(ip(0.0.0.0) port(514));
> };
>
> destination d_cons { file("/dev/console"); };
> destination d_mesg { file("/var/log/messages"); };
> destination d_auth { file("/var/log/secure"); };
> destination d_mail { file("/var/log/maillog" flush_lines(10)); };
> destination d_spol { file("/var/log/spooler"); };
> destination d_boot { file("/var/log/boot.log"); };
> destination d_cron { file("/var/log/cron"); };
> destination d_kern { file("/var/log/kern"); };
> destination d_mlal { usertty("*"); };
>
> filter f_kernel { facility(kern); };
> filter f_default { level(info..emerg) and
> not (facility(mail)
> or facility(authpriv)
> or facility(cron)); };
> filter f_auth { facility(authpriv); };
> filter f_mail { facility(mail); };
> filter f_emergency { level(emerg); };
> filter f_news { facility(uucp) or
> (facility(news)
> and level(crit..emerg)); };
> filter f_boot { facility(local7); };
> filter f_cron { facility(cron); };
>
> #log { source(s_sys); filter(f_kernel); destination(d_cons); };
> log { source(s_sys); filter(f_kernel); destination(d_kern); };
> log { source(s_sys); filter(f_default); destination(d_mesg); };
> log { source(s_sys); filter(f_auth); destination(d_auth); };
> log { source(s_sys); filter(f_mail); destination(d_mail); };
> log { source(s_sys); filter(f_emergency); destination(d_mlal); };
> log { source(s_sys); filter(f_news); destination(d_spol); };
> log { source(s_sys); filter(f_boot); destination(d_boot); };
> log { source(s_sys); filter(f_cron); destination(d_cron); };
> ## Additions for central syslog
> source s_udp { udp(); };
>
> source s_tcp { tcp(ip(0.0.0.0) port(514)); };
>
> destination d_hosts {
> file("/var/log/hosts/$HOST/$YEAR$MONTH$DAY"
> owner(syslog)
> group(syslog)
> perm(0644)
> dir_perm(0755)
> create_dirs(yes));
> };
>
> log { source(s_udp); destination(d_hosts); };
> log { source(s_tcp); destination(d_hosts); };
>
> # For testing: aka logger "my little pony"
> #log { source(s_sys); destination(d_hosts); };
>
> ## End additions for central syslog
> # vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
The reported selinux policy violation is caused by the d_hosts
destination. To correct the problem, use the audit2allow tool
(from the policycoreutils-python package) to generate
new selinux rules. For a usage example, check the page:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html
jpo
--
José Pedro Oliveira
* mailto:jpo at di.uminho.pt *
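The audit2allow workflow that the reply recommends, as an added example that is not part of the original thread or of syslog-ng itself. The script first extracts the denied permission, source type, target type and object class from an AVC line (a constructed copy of the denial quoted above, in the format used by /var/log/audit/audit.log), checks that it is the expected syslogd_t / fowner / capability denial rather than something unrelated, and only then prints the commands that build and load a local policy module. The module name `syslogng_hosts` is an assumed placeholder; the commands are only printed, not executed, so the generated .te file can be reviewed before `semodule -i` is run as root.

```shell
#!/bin/sh
# Added example (not from the thread): review an AVC denial and derive the
# audit2allow commands for it. Module name "syslogng_hosts" is an assumed placeholder.
set -eu

# Constructed sample of the denial from the thread, as written to audit.log.
SAMPLE_AVC='type=AVC msg=audit(1355841452.964:21866): avc:  denied  { fowner } for  pid=861 comm="syslog-ng" capability=3  scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability'

# Print "<perm> <source_type> <target_type> <tclass>" for one AVC line.
# These four fields are what a reviewer checks before allowing a denial.
parse_avc() {
    printf '%s\n' "$1" | sed -n \
        's/.*denied *{ *\([^ }]*\) *}.*scontext=[^:]*:[^:]*:\([^:]*\):[^ ]* *tcontext=[^:]*:[^:]*:\([^:]*\):[^ ]* *tclass=\([^ ]*\).*/\1 \2 \3 \4/p'
}

# Succeed only for the denial discussed in the thread (syslogd_t using the
# fowner capability), so unrelated denials are not silently allowed as well.
is_syslog_fowner_denial() {
    [ "$(parse_avc "$1")" = "fowner syslogd_t syslogd_t capability" ]
}

# Print the commands from the Red Hat page the reply links to:
# -w explains each denial, -M writes <mod>.te and <mod>.pp, semodule loads it.
# $1 is the module name, $2 (optional) the audit log path.
audit2allow_commands() {
    mod=$1
    log=${2:-/var/log/audit/audit.log}
    printf 'grep syslog-ng %s | audit2allow -w\n' "$log"
    printf 'grep syslog-ng %s | audit2allow -M %s\n' "$log" "$mod"
    printf 'cat %s.te\n' "$mod"
    printf 'semodule -i %s.pp\n' "$mod"
}

if is_syslog_fowner_denial "$SAMPLE_AVC"; then
    echo "Denial matches the syslogd_t fowner AVC; run as root after reviewing the .te file:"
    audit2allow_commands syslogng_hosts
else
    echo "Unexpected denial, review it by hand: $(parse_avc "$SAMPLE_AVC")"
fi
```

Feeding only the syslog-ng lines to audit2allow keeps the generated module minimal; `audit2allow -w` shows why each denial happened, and the `.te` file should be read before loading so that the rule added is exactly the capability grant the d_hosts destination needs.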