Description of problem: syslog-ng >= 2.0 uses as persist file for storing some information. It's not proper documented at the moment but also can't be disabled. Following ruleset would help: # syslog-ng >= 2.0 allow syslogd_t var_t:dir { write add_name read }; allow syslogd_t var_t:file { create read write getattr }; An additional one-time event on restart during update isn't catched, but I don't know the reason at all. Further restart do not show such messages again - so perhaps an issue of the old installed version. Apr 11 17:11:44 s audit(1176304304.525:3018): avc: denied { read } for pid=19775 comm="syslog-ng" name="[14436979]" dev=pipefs ino=14436979 scontext=root:system_r:syslogd_t tcontext=root:system_r:unconfined_t tclass=fifo_file Apr 11 17:11:44 s audit(1176304304.541:3019): avc: denied { read } for pid=19777 comm="syslog-ng" name="[14436979]" dev=pipefs ino=14436979 scontext=root:system_r:syslogd_t tcontext=root:system_r:unconfined_t tclass=fifo_file
Sorry I seem to have lost this bugzilla, some where along the way. What is the path to the persists file? We need a new context for it.
File is: /var/state/syslog-ng/syslog-ng.persist
Easiest fix is to chcon -R -t syslogd_var_run_t /var/state/syslog-ng Looking at FC7 I do not see this file. Is this something that has been removed?
syslog-ng for RHEL4 is from silfreed.net repository: http://www.silfreed.net/download/repo/rhel/4/$basearch/silfreednet The location of the file can be specified during configure, default was /var/syslog-ng.persist (which is a very bad location), so I suggested silfreed.net maintainer to change this to a better location, currently /var/state/syslog-ng/syslog-ng.persist - I don't know which location FC7 spec specifies.
This is fixed in the upstream and there are workarounds so I am closing.