Description of problem:
When using the remote logging capabilities of rsyslog and turning on disk queuing, the directory /var/spool/rsyslog is missing. When creating it manually some selinux adjustments must be done.

/etc/rsyslog.conf reads as follows:

  $WorkDirectory /var/spool/rsyslog  # default location for work (spool) files
  $ActionQueueType LinkedList        # use asynchronous processing
  $ActionQueueFileName srvrfwd       # set file name, also enables disk mode
  $ActionResumeRetryCount -1         # infinite retries on insert failure
  $ActionQueueSaveOnShutdown
  *.* @@10.0.0.1

Version-Release number of selected component (if applicable):
rsyslog-3.22.1-3.el5_5.1

How reproducible:
Always

Steps to Reproduce:
1. configure rsyslogd as described above
2. stop remote syslog server to provoke qfiles being written
3. sealert -a /var/log/audit/audit.log shows AVCs

Actual results:

type=AVC msg=audit(1293784547.828:140849): avc: denied { search } for pid=22409 comm="rsyslogd" name="spool" dev=dm-5 ino=65537 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1293784547.828:140849): arch=40000003 syscall=195 success=no exit=-13 a0=bfe39630 a1=bfe39510 a2=8feff4 a3=3 items=0 ppid=22408 pid=22409 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=24271 comm="rsyslogd" exe="/sbin/rsyslogd" subj=root:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1293784663.744:140852): avc: denied { write } for pid=22471 comm="rsyslogd" name="rsyslog" dev=dm-5 ino=65764 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:var_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1293784663.744:140852): arch=40000003 syscall=5 success=no exit=-13 a0=8a927a8 a1=41 a2=180 a3=0 items=0 ppid=1 pid=22471 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=24271 comm="rsyslogd" exe="/sbin/rsyslogd" subj=root:system_r:syslogd_t:s0 key=

Expected results:
No Selinux AVC

Additional info:
On RHEL5 the following policy would help:

module rsyslog 1.0;

require {
	type syslogd_t;
	type var_spool_t;
	class dir { write remove_name search add_name };
	class file { write read create unlink getattr };
}

#============= syslogd_t ==============
allow syslogd_t var_spool_t:dir { write remove_name search add_name };
allow syslogd_t var_spool_t:file { write read create unlink getattr };

Alternatively one can change the fcontext of the spool directory:

semanage fcontext -a -t var_log_t "/var/spool/rsyslog(/.*)?"
restorecon -v -r /var/spool/rsyslog

Another alternative would possibly be to define the rsyslog spool somewhere in /var/log instead.
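Added example, not part of the bug report or of rsyslog/selinux-policy: a small Python parser that turns AVC records like the ones above into the merged allow rules a local policy module would need (the same aggregation audit2allow performs), so an administrator can confirm exactly which permissions were denied before deciding between a policy module and relabelling the spool directory. The embedded audit lines are constructed from the report's own records, trimmed to the fields the parser reads.

```python
import re
from collections import defaultdict

# Constructed sample: the report's two AVC denials plus one SYSCALL record,
# shortened to the fields needed here.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1293784547.828:140849): avc: denied { search } for pid=22409 comm="rsyslogd" name="spool" dev=dm-5 ino=65537 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1293784547.828:140849): arch=40000003 syscall=195 success=no exit=-13 comm="rsyslogd" exe="/sbin/rsyslogd"
type=AVC msg=audit(1293784663.744:140852): avc: denied { write } for pid=22471 comm="rsyslogd" name="rsyslog" dev=dm-5 ino=65764 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:var_spool_t:s0 tclass=dir
"""

# Matches the permission set, source/target contexts and object class of an AVC record.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """Return the type component (user:role:type:level) of an SELinux context."""
    return context.split(":")[2]


def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) for each AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        yield (selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
               m["tclass"], frozenset(m["perms"].split()))


def allow_rules(text):
    """Merge denials that share (source, target, class) into one allow rule each."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc_denials(text):
        merged[(stype, ttype, tclass)].update(perms)
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in merged.items()
    )


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Run against the full /var/log/audit/audit.log the merged rules should be a subset of the module quoted in the report; anything beyond it means rsyslogd was denied something the report did not capture.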
I am seeing on my RHEL5 machine

# matchpathcon /var/spool/rsyslog
/var/spool/rsyslog	system_u:object_r:var_log_t

I have selinux-policy-2.4.6-300.el5. The preview of this policy is available on http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Hi Miroslav,

On http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/ I just see an empty page with a Red Hat logo :-( I'll test it ASAP if I get access to the preview. A bug fix is quite important on a project we are working on.

Thanks, Luc
Luc try again.
Thanks Dan, works now :-) I'll try to get some time to test it in the next few days...

Thanks, Luc
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html