From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7.5) Gecko/20041109 Firefox/0.10.1

Description of problem:
I am trying to get syslog to log some messages to a server across the network (@hostname format in syslog.conf), and others to a named pipe (|pipefilename in syslog.conf), which are both perfectly legal syslog options, but the targeted SELinux policy stops them working. I have tried removing syslog from the enforced services (setsebool syslogd_disable_trans 1) but that causes other daemons to generate errors, I believe over the permissions on /dev/log. I suspect these are both bugs, though if they aren't I would appreciate suggestions on how I might proceed.
What AVC messages are you seeing in the messages file? I am not seeing any problems with network (@hostname). I have never done anything with |pipefilename.

Dan
The errors I get for the @otherhost line are

Feb 9 12:43:01 pon kernel: audit(1107952981.738:0): avc: denied { create } for pid=24204 exe=/sbin/syslogd scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t tclass=netlink_route_socket
Feb 9 12:43:01 pon kernel: audit(1107952981.738:0): avc: denied { bind } for pid=24204 exe=/sbin/syslogd scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t tclass=netlink_route_socket
Feb 9 12:43:01 pon kernel: audit(1107952981.738:0): avc: denied { getattr } for pid=24204 exe=/sbin/syslogd scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t tclass=netlink_route_socket
Feb 9 12:43:01 pon kernel: audit(1107952981.738:0): avc: denied { write } for pid=24204 exe=/sbin/syslogd scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t tclass=netlink_route_socket
Feb 9 12:43:01 pon kernel: audit(1107952981.739:0): avc: denied { net_admin } for pid=24204 exe=/sbin/syslogd capability=12 scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t tclass=capability
Feb 9 12:43:01 pon kernel: audit(1107952981.739:0): avc: denied { nlmsg_read } for pid=24204 exe=/sbin/syslogd scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t tclass=netlink_route_socket
Feb 9 12:43:01 pon kernel: audit(1107952981.739:0): avc: denied { read } for pid=24204 exe=/sbin/syslogd scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t tclass=netlink_route_socket

This is with enforcing off; only the first error is reported with enforcing on. With the |pipefilename I also get the lines

Feb 4 14:49:02 squirrel2 kernel: audit(1107528542.561:0): avc: denied { search } for pid=16095 exe=/sbin/syslogd name=virus dev=md0 ino=835611 scontext=root:system_r:syslogd_t tcontext=root:object_r:user_home_t tclass=dir
Feb 4 14:49:02 squirrel2 kernel: audit(1107528542.561:0): avc: denied { read write } for pid=16095 exe=/sbin/syslogd name=fifo dev=md0 ino=835610 scontext=root:system_r:syslogd_t tcontext=root:object_r:user_home_t tclass=fifo_file
Feb 4 14:49:02 squirrel2 kernel: audit(1107528542.561:0): avc: denied { ioctl } for pid=16095 exe=/sbin/syslogd path=/root/virus/fifo dev=md0 ino=835610 scontext=root:system_r:syslogd_t tcontext=root:object_r:user_home_t tclass=fifo_file

though maybe some of the problems are down to where I put the fifo file.
OK, there is a discrepancy between FC3 policy and rawhide that needs to be fixed. Adding the following will fix the @host problem:

allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;

The second problem is a bit more difficult. Putting the pipe in some directory other than root or a home directory would be more reasonable from an SELinux sense. I could add permissions to say /var/run?

Allow syslog to communicate with var_run
allow syslogd_t var_run_t:fifo_file rw_file_perms;

Dan
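The allow rules above are derived by hand from the AVC denials quoted earlier in the thread. The following script is an added example (not code from this bug report, not Red Hat's policy tooling, and not audit2allow) that does the same derivation mechanically: it parses the denial lines in the format shown in the report, groups them by source type, target type and object class, collapses a target equal to the source into `self`, and emits one `allow` rule per group with the raw permission names (Dan's rule uses the `r_netlink_socket_perms` macro instead; the set is equivalent in spirit, not necessarily identical). The `SUSPECT_TARGETS` set is a hypothetical list used to flag rules that would grant a daemon access into user home directories, where the correct fix, as Dan points out for the fifo under /root, is to move or relabel the object rather than to widen policy.

```python
import re
from collections import defaultdict

# Constructed sample: AVC lines in the format quoted in this bug report
# (netlink, capability and fifo/dir denials for /sbin/syslogd).
SAMPLE_AVC = """\
Feb 9 12:43:01 pon kernel: audit(1107952981.738:0): avc: denied { create } for pid=24204 exe=/sbin/syslogd scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t tclass=netlink_route_socket
Feb 9 12:43:01 pon kernel: audit(1107952981.738:0): avc: denied { bind } for pid=24204 exe=/sbin/syslogd scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t tclass=netlink_route_socket
Feb 9 12:43:01 pon kernel: audit(1107952981.738:0): avc: denied { getattr } for pid=24204 exe=/sbin/syslogd scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t tclass=netlink_route_socket
Feb 9 12:43:01 pon kernel: audit(1107952981.738:0): avc: denied { write } for pid=24204 exe=/sbin/syslogd scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t tclass=netlink_route_socket
Feb 9 12:43:01 pon kernel: audit(1107952981.739:0): avc: denied { net_admin } for pid=24204 exe=/sbin/syslogd capability=12 scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t tclass=capability
Feb 9 12:43:01 pon kernel: audit(1107952981.739:0): avc: denied { nlmsg_read } for pid=24204 exe=/sbin/syslogd scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t tclass=netlink_route_socket
Feb 9 12:43:01 pon kernel: audit(1107952981.739:0): avc: denied { read } for pid=24204 exe=/sbin/syslogd scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t tclass=netlink_route_socket
Feb 4 14:49:02 squirrel2 kernel: audit(1107528542.561:0): avc: denied { search } for pid=16095 exe=/sbin/syslogd name=virus dev=md0 ino=835611 scontext=root:system_r:syslogd_t tcontext=root:object_r:user_home_t tclass=dir
Feb 4 14:49:02 squirrel2 kernel: audit(1107528542.561:0): avc: denied { read write } for pid=16095 exe=/sbin/syslogd name=fifo dev=md0 ino=835610 scontext=root:system_r:syslogd_t tcontext=root:object_r:user_home_t tclass=fifo_file
Feb 4 14:49:02 squirrel2 kernel: audit(1107528542.561:0): avc: denied { ioctl } for pid=16095 exe=/sbin/syslogd path=/root/virus/fifo dev=md0 ino=835610 scontext=root:system_r:syslogd_t tcontext=root:object_r:user_home_t tclass=fifo_file
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Hypothetical list of target types for which a denial usually means the
# object is misplaced or mislabelled, not that policy needs a new rule.
SUSPECT_TARGETS = {"user_home_t", "user_home_dir_t", "tmp_t"}


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    try:
        # A context is user:role:type; the type is the third field.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return stype, ttype, tclass, set(m.group("perms").split())


def collect_rules(lines):
    """Group denied permissions by (source type, target type or self, class)."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        target = "self" if ttype == stype else ttype
        rules[(stype, target, tclass)] |= perms
    return rules


def format_rule(key, perms):
    """Render one allow rule in policy syntax; braces only for multiple perms."""
    stype, target, tclass = key
    p = sorted(perms)
    body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return f"allow {stype} {target}:{tclass} {body};"


def review(lines):
    """Return [(rule_text, needs_review)] for every denial group in the input."""
    return [
        (format_rule(key, perms), key[1] in SUSPECT_TARGETS)
        for key, perms in sorted(collect_rules(lines).items())
    ]


if __name__ == "__main__":
    for rule, flagged in review(SAMPLE_AVC.splitlines()):
        print(rule + ("  # review: relocate or relabel the object instead" if flagged else ""))
```

Run on the sample, the script produces the two rules Dan ended up adding for the @host case (the netlink socket rule and, from the later comment, `net_admin` on `self:capability`), plus two flagged rules for `user_home_t`, which is exactly the case where the answer is to put the fifo under /var/run and use the `var_run_t` rule rather than grant syslogd access to home directories.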
/var/run is a much more sensible place for the fifo (I might have put it there to start with but I got confused as to whether /var/run is a real directory - it isn't on Solaris). I have tried those additions and am now getting the line

Feb 9 15:50:23 squirrel2 kernel: audit(1107964223.491:0): avc: denied { net_admin } for pid=25878 exe=/sbin/syslogd capability=12 scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t tclass=capability
Is it failing with this message? I have this as a dontaudit up in rawhide?

Dan
No I think it is a real error, because network syslog messages don't arrive when enforcing is on, but do if I turn enforcing off.
OK, I am adding

allow syslogd_t self:capability net_admin;

selinux-policy-targeted-1.17.30-2.81
selinux-policy-*-1.21.10-1
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2005-251.html