Description of problem:
It appeared as if bug 222195 was abandoned by the syslog-ng maintainer (since it was an selinux problem) and not picked up by the selinux maintainer. Thus, I'm creating a new bug (and 222195 should be closed).

Running syslog-ng and selinux-policy-targeted with syslogd_disable_trans=1 causes /dev/log to be labeled as device_t and not devlog_t.

Version-Release number of selected component (if applicable):
This is a fresh updated install, so the versions as of today are:
syslog-ng-1.6.12-1.fc6
selinux-policy-targeted-2.4.6-48.fc6

How reproducible:
Every time.

Steps to Reproduce:
1. Install syslog-ng and selinux-policy-targeted
2. /sbin/setsebool syslogd_disable_trans on
3. Reboot machine

Actual results:
ls -lZ /dev/log returns:
system_u:object_r:device_t

Expected results:
Running /sbin/restorecon /dev/log, then ls -lZ /dev/log returns:
system_u:object_r:devlog_t

Likewise, if syslogd_disable_trans=0, ls -lZ /dev/log returns system_u:object_r:devlog_t

Additional info:
Yes this is one of the risks of disable_trans. In the future we want to remove disable_trans and add a run_unconfined boolean. Disabling trans on syslog will cause most of the other confined domains to blow up since the /dev/log will be mislabeled. If there are missing rules required to get syslog to run in enforcing mode, you can use audit2allow to generate custom policy.
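An added post-boot check, not from the bug report or the selinux-policy package, that detects the mislabel the reporter describes and applies the restorecon remediation from the Expected results; it assumes `stat -c %C` prints the file's security context as user:role:type[:level] and that devlog_t is the type /dev/log should carry, as the report states.

```shell
#!/bin/sh
# Added example (not from the bug report): post-boot check that /dev/log
# carries the devlog_t type, with restorecon as the remediation the reporter
# used. Assumes `stat -c %C` prints the file's security context as
# user:role:type[:level]; the type expected for /dev/log is devlog_t.

EXPECTED_TYPE="devlog_t"
DEVLOG="/dev/log"

# selinux_type_of CONTEXT -> prints the type field of a security context,
# e.g. "system_u:object_r:devlog_t:s0" -> "devlog_t". The MLS level field
# is optional, so the type is always field 3 whether or not it is present.
selinux_type_of() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# devlog_label_ok CONTEXT -> exit 0 if the type is devlog_t, 1 otherwise
# (device_t, as seen with syslogd_disable_trans=1, fails this check).
devlog_label_ok() {
    [ "$(selinux_type_of "$1")" = "$EXPECTED_TYPE" ]
}

# check_and_restore -> reports the current label of /dev/log; if it is
# mislabeled, runs restorecon (as the reporter did) and re-checks.
# Exit status: 0 label ok, 1 still mislabeled, 2 could not read the context.
check_and_restore() {
    ctx=$(stat -c %C "$DEVLOG" 2>/dev/null) || return 2
    if devlog_label_ok "$ctx"; then
        echo "$DEVLOG: $ctx (ok)"
        return 0
    fi
    echo "$DEVLOG: $ctx (expected type $EXPECTED_TYPE), running restorecon"
    /sbin/restorecon "$DEVLOG" || return 1
    ctx=$(stat -c %C "$DEVLOG" 2>/dev/null) || return 2
    if devlog_label_ok "$ctx"; then
        echo "$DEVLOG: $ctx (restored)"
        return 0
    fi
    echo "$DEVLOG: $ctx (still mislabeled; review AVC denials with audit2allow)"
    return 1
}

# Run the check only when invoked as "sh devlog_check.sh check", so the
# functions can also be sourced from another script without side effects.
if [ "${1:-}" = "check" ]; then
    check_and_restore
fi
```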