Description of problem:
When using rsyslog instead of sysklogd on RHEL >= 5.5, setroubleshootd is started before rsyslog and is therefore unable to bind to the logging socket. As a result, setroubleshootd does not work.

Version-Release number of selected component (if applicable):
setroubleshoot-2.0.5-5.el5

How reproducible:
Enable SELinux
Uninstall sysklogd
Install rsyslog, setroubleshoot
Reboot
Create an SELinux denial
Try to solve it using setroubleshoot

Actual results:
setroubleshootd does not report any SELinux denies in /var/log/messages

Expected results:
setroubleshootd should log an explanation of the AVC denial in /var/log/messages.

Additional info:
As of RHEL 5.5, some init scripts, including rsyslog's one, include additional LSB startup information:

(taken from /etc/init.d/rsyslog)

    ### BEGIN INIT INFO
    # Provides: $syslog
    # Required-Start: $local_fs $network $remote_fs
    # Required-Stop: $local_fs $network $remote_fs
    # Default-Stop: 0 1 2 3 4 5 6
    # Short-Description: Enhanced system logging and kernel message trapping daemons
    # Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
    #              among others, MySQL, syslog/tcp, RFC 3195, permitted
    #              sender lists, filtering on any message part, and fine
    #              grain output format control.
    ### END INIT INFO

The defined chkconfig start position for both sysklogd and rsyslog is 12. However, chkconfig additionally processes the LSB information if present and the service providing the $remote_fs dependency (netfs) is only started at position 25. As a result, rsyslog is started at position 26. setroubleshootd is started at position 23, though.

sysklogd installations are not affected, as they do not contain any additional LSB dependencies (yet) and are still started at position 12.

There are a couple of ways to fix this. One might question whether rsyslogd should be started after netfs at all, as 26 is quite late for a basic service like syslog. Giving up the $remote_fs dependency and moving rsyslog back to position 12 would solve the issue. Adding an LSB-style dependency on $syslog to /etc/rc.d/init.d/setroubleshoot is less invasive, though, and would let chkconfig deal with the startup ordering. One might also just move setroubleshoot to position 27.
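A check for the ordering problem described in this report, added here as an example and not part of the original report or of either package: it compares the SNN start links of two services in a runlevel directory. The function names and the demo tree are assumptions made for illustration; on a real host the directory argument would be the runlevel directory, for example /etc/rc3.d.

```shell
#!/bin/sh
# Added example: compare SysV start positions of two services in one runlevel
# directory. Start links are named SNNname and are run in lexical order.

# Print the two-digit start position of a service; return 1 if it has no S link.
start_prio() {
    rcdir=$1; svc=$2
    for link in "$rcdir"/S[0-9][0-9]"$svc"; do
        # -L also accepts dangling links, as in the constructed demo tree.
        [ -e "$link" ] || [ -L "$link" ] || continue
        name=${link##*/}        # e.g. S26rsyslog
        prio=${name#S}          # 26rsyslog
        prio=${prio%"$svc"}     # 26
        echo "$prio"
        return 0
    done
    return 1
}

# Return 0 when $logger starts before $client, 1 when the order is reversed
# (the situation in this report), 2 when either service has no start link.
check_order() {
    rcdir=$1; logger=$2; client=$3
    l_prio=$(start_prio "$rcdir" "$logger") || return 2
    c_prio=$(start_prio "$rcdir" "$client") || return 2
    # Equal positions are ordered by name, so compare the full link names.
    first=$(printf '%s\n' "S$l_prio$logger" "S$c_prio$client" | LC_ALL=C sort | head -n 1)
    if [ "$first" = "S$l_prio$logger" ]; then
        echo "OK: $logger (S$l_prio) starts before $client (S$c_prio)"
        return 0
    fi
    echo "WRONG ORDER: $client (S$c_prio) starts before $logger (S$l_prio)"
    return 1
}

# Constructed demo tree using the positions given in the report (23 and 26).
demo=$(mktemp -d)
ln -s ../init.d/setroubleshoot "$demo/S23setroubleshoot"
ln -s ../init.d/rsyslog "$demo/S26rsyslog"
check_order "$demo" rsyslog setroubleshoot || true
rm -rf "$demo"
```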
setroubleshoot relies on the audit system, not the syslog system.
It reads from the audit system and logs to the syslog system.
I would say this is an rsyslog or bug.
Karel, thanks for bringing this up. Too bad it's this late in the life-cycle. At the time of filing this bz, the rsyslog package had files located under /usr, which could be mounted over network. That was probably the reason for depending on $remote_fs. Since RHEL 5.8, all the binaries and modules were moved out of /usr, so the dependency is probably not needed anymore. As of now, the package in RHEL 6 only depends on $local_fs. I'm not sure if it's worth changing as it's really late, given that nobody else complained and given that this looks more like a setroubleshoot bug. :] If setroubleshoot needs syslog, it should depend on it.