I use spool files to queue rsyslog messages when my syslog server is unreachable:

$WorkDirectory /var/spool/rsyslog
$ActionQueueFileName buffer # unique name prefix for spool files

Rsyslog tries to search /var/spool/rsyslog:

type=AVC msg=audit(1289833491.152:21549): avc: denied { search } for pid=9429 comm="rsyslogd" name="spool" dev=dm-4 ino=404 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1289833491.152:21549): arch=c000003e syscall=4 success=no exit=-2 a0=7fffa9cc0990 a1=7fffa9cc0900 a2=7fffa9cc0900 a3=fffffffa items=1 ppid=9428 pid=9429 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1679 comm="rsyslogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
type=CWD msg=audit(1289833491.152:21549): cwd="/"
type=PATH msg=audit(1289833491.152:21549): item=0 name="/var/spool/rsyslog/buffer.qi"
This is a local customization; you need to add a custom policy:

# grep rsyslogd /var/log/audit/audit.log | audit2allow -M mysyslog
# semodule -i mysyslog.pp
Hi Dan, I'm just using documented configuration settings, in a default location from the rsyslog examples. /var/spool/rsyslog is already labeled as var_log_t, so rsyslog has permissions to create the queues and everything, that's all working fine. It's the { search } of /var/spool that's generating the AVC. I'm not sure what the { search } permission does, and how much harm there is in allowing it? I guess it's something rsyslog shouldn't be doing.
You're right, my mistake. Miroslav, can you add files_search_spool(syslogd_t)?
Fixed in selinux-policy-3.9.9-1.fc15.noarch.
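The thread above turns on reading the AVC record correctly: the denied permission is only { search } on the parent directory /var/spool (labelled var_spool_t), which is directory traversal, not the ability to list or modify it, so the narrow policy interface files_search_spool(syslogd_t) is the right fix rather than a broad local module. The following Python script is an added example, not part of the bug report or of the rsyslog or selinux-policy projects. It parses AVC lines in the format shown above, recovers the source and target types from the contexts, prints the allow rule that audit2allow would generate for each denial, and flags anything beyond lookup-only directory permissions for review. The sample audit text is constructed: the first AVC is the one from the report, the second (a write/add_name denial on the same directory) is invented purely to show the triage distinguishing the two.

```python
import re

# Constructed sample input: the search denial from the report, its SYSCALL
# record, and one invented write/add_name denial for contrast.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1289833491.152:21549): avc:  denied  { search } for  pid=9429 comm="rsyslogd" name="spool" dev=dm-4 ino=404 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1289833491.152:21549): arch=c000003e syscall=4 success=no exit=-2 comm="rsyslogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1289833491.200:21550): avc:  denied  { write add_name } for  pid=9429 comm="rsyslogd" name="spool" dev=dm-4 ino=404 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
"""

# Matches the fixed prefix of an AVC denial record; the remaining key=value
# fields are parsed separately because their order is not guaranteed.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Directory permissions that only allow name lookup or reading metadata.
# "search" is what path traversal through a directory needs; "read" is what
# listing it needs; neither lets the domain create, rename or delete entries.
DIR_LOOKUP_PERMS = {'search', 'getattr', 'read', 'open', 'lock', 'ioctl'}


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for other record types."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:level]; the type is the third component.
    return {
        'serial': int(m.group('serial')),
        'perms': m.group('perms').split(),
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'name': fields.get('name'),
    }


def parse_audit_log(text):
    """Return the parsed AVC records from a block of audit.log text, in order."""
    return [avc for avc in (parse_avc(l) for l in text.splitlines()) if avc]


def allow_rule(avc):
    """The type-enforcement allow rule audit2allow would emit for this denial."""
    perms = avc['perms']
    perm_set = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (
        avc['source_type'], avc['target_type'], avc['tclass'], perm_set)


def triage(avc):
    """'lookup-only' if a dir denial asks for traversal/read permissions only,
    otherwise 'needs-review' (the rule would grant the domain write access)."""
    if avc['tclass'] == 'dir' and set(avc['perms']) <= DIR_LOOKUP_PERMS:
        return 'lookup-only'
    return 'needs-review'


def suggest_rules(text):
    """Unique allow rules for every AVC in the text, each with its triage label."""
    seen = {}
    for avc in parse_audit_log(text):
        seen.setdefault(allow_rule(avc), triage(avc))
    return sorted(seen.items())


if __name__ == '__main__':
    for rule, label in suggest_rules(SAMPLE_AUDIT):
        print('%-13s %s' % (label, rule))
```

Run stand-alone it prints the two rules with their labels; the search denial from the report comes out as lookup-only (the rule audit2allow would build is `allow syslogd_t var_spool_t:dir search;`), while the constructed write denial is marked for review. The same grouping is what a reviewer does by hand before deciding between a local module and a proper policy interface.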