Summary

SELinux is preventing /sbin/syslogd (syslogd_t) "read write" access to eventpoll:[28163] (initrc_t).

Detailed Description

SELinux denied access requested by /sbin/syslogd. It is not expected that this access is required by /sbin/syslogd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for eventpoll:[28163], restorecon -v eventpoll:[28163]. There is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can disable SELinux protection entirely for the application. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Changing the "syslogd_disable_trans" boolean to true will disable SELinux protection this application: "setsebool -P syslogd_disable_trans=1."

The following command will allow this access:

setsebool -P syslogd_disable_trans=1

Additional Information

Source Context        root:system_r:syslogd_t
Target Context        root:system_r:initrc_t
Target Objects        eventpoll:[28163] [ unix_stream_socket ]
Affected RPM Packages sysklogd-1.4.1-39.2 [application]
Policy RPM            selinux-policy-2.4.6-30.el5
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           plugins.disable_trans
Host Name             localhost.localdomain
Platform              Linux localhost.localdomain 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 athlon
Alert Count           1
Line Numbers

Raw Audit Messages

avc: denied { read, write } for comm="syslogd" dev=sockfs egid=0 euid=0 exe="/sbin/syslogd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="[28166]" path="eventpoll:[28163]" pid=5888 scontext=root:system_r:syslogd_t:s0 sgid=0 subj=root:system_r:syslogd_t:s0 suid=0 tclass=unix_stream_socket tcontext=root:system_r:initrc_t:s0 tty=(none) uid=0

I get this error installing Xandro Bridgeways on RHEL5 (no updates) in a VMware image.
I have no idea what this is? Does syslog need access to a named pipe started from init? eventpoll?
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Does this cause any problems, i.e., does the syslog work in enforcing mode? You might need to use audit2allow -a -M mysyslog to build a loadable policy module to allow this.
SELinux is preventing /sbin/syslogd (syslogd_t) "read write" access to eventpoll:[28163] (initrc_t).

This error was generated during the install of our product. I suspect this event is generated by one of our apps which obtains a file descriptor from epoll_create. The application modifies the syslog configuration and restarts the syslog daemon. The file descriptor is leaked when the daemon is restarted. I haven't verified this yet but it seems to fit:

1) I only see this during installation.
2) It explains the initrc_t context if we use /etc/init.d/syslog
3) It explains the odd descriptor name.
4) syslog works fine after installation

Does this seem to be a reasonable scenario? I'm rather new to SELinux.
Yes that is exactly the footprint of this error.
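The leak discussed in the two comments above can be closed in the application that restarts syslog, so that no descriptor is handed to the restarted daemon in the first place. The following is an added example, not code from the product or from Red Hat; the function names are hypothetical. It shows an epoll descriptor created the inheritable way next to the close-on-exec way, and a sweep to run just before exec'ing the init script.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/epoll.h>
#include <unistd.h>

/* 1 = fd would survive execve() (the leak), 0 = close-on-exec, -1 = not open. */
int fd_is_inheritable(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Set FD_CLOEXEC on one descriptor; returns 1 only if the flag had to be added. */
static int seal_fd(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1 || (flags & FD_CLOEXEC))
        return 0;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0;
}

/* Hypothetical helper: call before exec'ing e.g. /etc/init.d/syslog. Marks every
 * descriptor above stderr close-on-exec and returns how many were changed. */
int seal_fds_before_exec(void)
{
    int changed = 0;
    DIR *d = opendir("/proc/self/fd");   /* opendir's own fd is already CLOEXEC */
    if (d == NULL) {                     /* no /proc: scan a bounded range instead */
        for (int fd = STDERR_FILENO + 1; fd < 1024; fd++)
            changed += seal_fd(fd);
        return changed;
    }
    for (struct dirent *e; (e = readdir(d)) != NULL; ) {
        char *end;
        long fd = strtol(e->d_name, &end, 10);
        if (*end == '\0' && fd > STDERR_FILENO)   /* skips "." and ".." */
            changed += seal_fd((int)fd);
    }
    closedir(d);
    return changed;
}

int main(void)
{
    int leaky = epoll_create(1);              /* inheritable, as in the report */
    int safe = epoll_create1(EPOLL_CLOEXEC);  /* never reaches an exec'd child */
    printf("before: leaky=%d safe=%d\n", fd_is_inheritable(leaky), fd_is_inheritable(safe));
    int n = seal_fds_before_exec();
    printf("sealed %d fd(s): leaky=%d\n", n, fd_is_inheritable(leaky));
    return 0;
}
```

Creating the descriptor with epoll_create1(EPOLL_CLOEXEC) requires Linux 2.6.27 or later; on older kernels such as the 2.6.18 one in the report, setting FD_CLOEXEC with fcntl() as seal_fd() does is the available option.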