Description of problem:
The syslog-ng.ctl file is moving from /var/run/ to /var/lib/syslog-ng/ to be alongside the syslog-ng.persist file. Currently the file cannot be created due to the policy.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. install a recent syslog-ng (like 3.1.1 from here: http://www.silfreed.net/download/repo/packages/syslog-ng/)
2. service syslog-ng start
3. observe error messages in /var/log/messages and audit.log (below)

Additional info:

audit.log:
type=AVC msg=audit(1296776969.363:11853): avc: denied { setrlimit } for pid=4780 comm="syslog-ng" scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:system_r:syslogd_t:s0 tclass=process
type=SYSCALL msg=audit(1296776969.363:11853): arch=c000003e syscall=160 success=no exit=-13 a0=7 a1=7fffb40dcfc0 a2=ffffffffffffffa8 a3=7fffb40dcd40 items=0 ppid=4779 pid=4780 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="syslog-ng" exe="/sbin/syslog-ng" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)

messages:
Feb 3 18:49:29 wash syslog-ng[4782]: Error opening control socket, bind() failed; socket='/var/lib/syslog-ng/syslog-ng.ctl', error='Permission denied (13)'
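An added example, not part of the original report and not code from syslog-ng or selinux-policy: a small Python triage helper that pairs the AVC and SYSCALL records sharing an audit event serial and builds the matching sesearch query in the form used in this thread. The function names are hypothetical; the sample records are copied from the audit.log excerpt above.

```python
import re

# Records copied from the audit.log excerpt in the report above.
SAMPLE = '''type=AVC msg=audit(1296776969.363:11853): avc: denied { setrlimit } for pid=4780 comm="syslog-ng" scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:system_r:syslogd_t:s0 tclass=process
type=SYSCALL msg=audit(1296776969.363:11853): arch=c000003e syscall=160 success=no exit=-13 a0=7 a1=7fffb40dcfc0 a2=ffffffffffffffa8 a3=7fffb40dcd40 items=0 ppid=4779 pid=4780 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="syslog-ng" exe="/sbin/syslog-ng" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
'''

# "type=X msg=audit(<timestamp>:<serial>): <body>"; records of one event share the serial.
HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
AVC = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(text):
    """Parse key=value pairs, dropping quotes around quoted values."""
    return {k: v.strip('"') for k, v in FIELD.findall(text)}

def summarize_denials(log_text):
    """Return one summary dict per AVC denial, joined to its SYSCALL record."""
    events = {}
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, _ts, serial, body = m.groups()
            events.setdefault(serial, []).append((rtype, body))
    out = []
    for serial, recs in events.items():
        sc = next((fields(b) for t, b in recs if t == 'SYSCALL'), {})
        for rtype, body in recs:
            avc = AVC.search(body) if rtype == 'AVC' else None
            if not avc:
                continue
            kv = fields(avc.group(2))
            # The SELinux type is the third field of user:role:type:level.
            src, tgt = (kv[k].split(':')[2] for k in ('scontext', 'tcontext'))
            perms = avc.group(1).split()
            out.append({
                'serial': serial, 'perms': perms, 'tclass': kv['tclass'],
                'source_type': src, 'target_type': tgt,
                'exe': sc.get('exe'), 'syscall': sc.get('syscall'), 'exit': sc.get('exit'),
                # One policy query per denied permission, same flags as used in this thread.
                'checks': [f"sesearch -A -s {src} -t {tgt} -c {kv['tclass']} -p {p}" for p in perms],
            })
    return out

if __name__ == '__main__':
    for denial in summarize_denials(SAMPLE):
        print(denial)
```

Running each generated `checks` entry against the installed policy shows whether the denied permission is already allowed there.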
What is your release of selinux-policy?

# rpm -q selinux-policy
# matchpathcon /var/lib/syslog-ng/syslog-ng.ctl
/var/lib/syslog-ng/syslog-ng.ctl system_u:object_r:syslogd_var_lib_t:s0
#
# sesearch -A -s syslogd_t -t syslogd_t -c process -p setrlimit
Found 1 semantic av rules:
   allow syslogd_t syslogd_t : process { fork sigchld sigkill sigstop signull signal getsched setpgid setrlimit } ;
Apparently I'm running f13, not f14 (working on fixing that). Regardless, your matchpathcon shows up for me:

# matchpathcon /var/lib/syslog-ng/syslog-ng.ctl
/var/lib/syslog-ng/syslog-ng.ctl system_u:object_r:syslogd_var_lib_t:s0
# rpm -q selinux-policy
selinux-policy-3.7.19-76.fc13.noarch

The syslog-ng.ctl file is created at startup time for syslog-ng; could this be a problem w/ /var/lib/syslog-ng?

# matchpathcon /var/lib/syslog-ng/
/var/lib/syslog-ng system_u:object_r:syslogd_var_lib_t:s0

^ this looks correct to me? Maybe my syslog-ng daemon is running in the wrong context for some reason?
The problem is /var/lib/syslog-ng was created with the wrong context.

restorecon -R -v /var/lib/syslog-ng

will fix the problem. Is this directory listed in the content of the rpm spec file? Did you create it by hand? If the directory does not exist, does the init script create it?
Since upgrading to F14 this problem has gone away. I don't expect syslog > 3.0 to show up in F13 anyway, so I'll go ahead and close this bug. Thanks for your help w/ learning some new selinux commands!
Daniel, I forgot to check the context before I ran restorecon (prior to upgrading to F14), but it also didn't change anything (assuming changes get printed when running w/ '-v'). The /var/lib/syslog-ng directory is owned by the syslog-ng package and the syslog-ng.ctl file is created at run-time.