Bug 1410930

Summary: syslog-ng 3.5.6, selinux, audisp and /dev/log conflicts
Product: [Fedora] Fedora EPEL Reporter: John Jasen <jjasen>
Component: syslog-ngAssignee: Jose Pedro Oliveira <jose.p.oliveira.oss>
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: epel7CC: jose.p.oliveira.oss, mrunge, peter, rayvd
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-07-08 22:27:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description John Jasen 2017-01-06 21:15:12 UTC 
Description of problem:

syslog-ng, as packaged in EPEL-7, is not especially systemd aware; nor is it particularly SELinux-aware. It attempts to unlink/relink /dev/log on start, which has several failure conditions.

Version-Release number of selected component (if applicable):
syslog-ng 3.5.6.3el7

How reproducible:

trivial

Steps to Reproduce:
1. install C7 or RHEL7
1.1: set SElinux to targeted/enforcing
2. configure auditd to to use audisp syslog plugin
3. start auditd
4. install syslog-ng from EPEL
5. start syslog-ng (system() in this case will use /dev/log)


Actual results:

systemctl: syslog-ng will fail to start, being unable to unlink/relink /dev/log
shell: syslog-ng -f /etc/syslog-ng/syslog-ng.conf: audisp will not be able to use the recreated /dev/log, as its in the wrong context.

Expected results:

Both working.

Additional info:

syslog-ng 3.8.1 from the copr-be.cloud.fedoraproject.org handles this case better.

recommend up-revving to syslog 3.8.1 or greater, as 3.5.6 is broken.
Comment 1 Troy Dawson 2024-07-08 22:27:51 UTC 
EPEL 7 entered end-of-life (EOL) status on 2024-06-30.\n\nEPEL 7 is no longer maintained, which means that it\nwill not receive any further security or bug fix updates.\n As a result we are closing this bug.