+++ This bug was initially created as a clone of Bug #428422 +++

While testing bug #275041 I found out that the actual problem with not being able to use a non-default socket file (/dev/log) is in the SELinux policy, which does not allow working with sockets in /var/log/ (var_log_t:sock_file).

Would it make sense to allow using additional socket files in the /var/log/ directory?

The log below shows that using the described steps to reproduce in bz# 275041 works when in Permissive mode but does not in Enforcing mode.

SELinux policy:
RHEL4 - selinux-policy-targeted-1.17.30-2.149
RHEL5 - selinux-policy-2.4.6-108.el5

== SELinux in permissive ==
# getenforce
Permissive
# vim /etc/sysconfig/syslog
# grep /etc/sysconfig/syslog -e newsock
SYSLOGD_OPTIONS="-m 0 -a /var/log/newsock"
# service syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
# logger -d -u /var/log/newsock something
# rpm -q sysklogd
sysklogd-1.4.1-26_EL.ia64
# grep /var/log/messages -e something
Jan 11 07:31:53 ia64-4as root: something

== SELinux enforcing targeted ==
# setenforce 1
# service syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
# logger -d -u /var/log/newsock something
connect: Connection refused.
# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.149.noarch

== AVCs ==
# /etc/init.d/syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
# getenforce
Enforcing
# ausearch -sv no -ts 07:43
----
time->Fri Jan 11 07:43:27 2008
type=PATH msg=audit(1200055407.304:46): flags=10 inode=2593753 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00
type=SOCKADDR msg=audit(1200055407.304:46): saddr=01002F7661722F6C6F672F6E6577736F636B
type=SYSCALL msg=audit(1200055407.304:46): arch=c0000032 syscall=1191 success=no exit=-13 a0=a a1=60000fffffffade0 a2=12 a3=0 items=1 pid=883 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="syslogd" exe="/sbin/syslogd"
type=AVC msg=audit(1200055407.304:46): avc: denied { create } for pid=883 comm="syslogd" name="newsock" scontext=root:system_r:syslogd_t tcontext=root:object_r:var_log_t tclass=sock_file
# ausearch -sv no -ts 07:43 | audit2allow
allow syslogd_t var_log_t:sock_file create; <<-- more permissions will be needed (unlink, ...)
Fixed in RHEL5. You would need custom policy for RHEL4.
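
For reading the audit event quoted in the report, the following added example (not part of the original report or of either comment) decodes the hex `saddr` field into the socket path and rebuilds the rule that audit2allow printed from the AVC record. The function names are hypothetical, and the decoder assumes the `sa_family` field was logged in little-endian byte order.

```python
import re

# Audit records copied from the report above (event 1200055407.304:46).
RECORDS = [
    'type=SOCKADDR msg=audit(1200055407.304:46): saddr=01002F7661722F6C6F672F6E6577736F636B',
    'type=AVC msg=audit(1200055407.304:46): avc: denied { create } for pid=883 '
    'comm="syslogd" name="newsock" scontext=root:system_r:syslogd_t '
    'tcontext=root:object_r:var_log_t tclass=sock_file',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def decode_saddr(hex_saddr):
    """Decode an AF_UNIX sockaddr from the hex saddr field and return its path."""
    raw = bytes.fromhex(hex_saddr)
    family = int.from_bytes(raw[:2], 'little')  # assumption: little-endian host
    if family != 1:  # 1 == AF_UNIX
        raise ValueError('not an AF_UNIX address (family %d)' % family)
    if raw[2:3] == b'\0':  # abstract socket: name follows a leading NUL
        return '@' + raw[3:].decode(errors='replace')
    return raw[2:].split(b'\0', 1)[0].decode()

def summarize(records):
    """Group records by audit event id; return one dict per AVC denial."""
    events = {}
    for line in records:
        ev_id = re.search(r'msg=audit\(([^)]+)\)', line)
        if not ev_id:
            continue
        ev = events.setdefault(ev_id.group(1), {})
        saddr = re.search(r'\bsaddr=([0-9A-Fa-f]+)', line)
        if saddr:
            ev['path'] = decode_saddr(saddr.group(1))
        avc = AVC_RE.search(line)
        if avc:
            # Contexts are user:role:type; the rule is written on the type.
            ev['source'] = avc['scontext'].split(':')[2]
            ev['target'] = avc['tcontext'].split(':')[2]
            ev['tclass'] = avc['tclass']
            ev['perms'] = avc['perms'].split()
    return [ev for ev in events.values() if 'perms' in ev]

def allow_rule(ev):
    """Format the denial as a candidate allow rule for review."""
    perms = ev['perms']
    body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (ev['source'], ev['target'], ev['tclass'], body)
```
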