| 1 |
Hello, Robert. |
| 2 |
|
| 3 |
Do you have the package "app-admin/setools" installed? If so, you can run |
| 4 |
"cat /var/log/audit/audit.log | audit2why" to get an explanation of why the |
| 5 |
denials occur, with suggestions for fixing them. |
| 6 |
|
| 7 |
Of course, if your system is logging AVC denials elsewhere, adjust the |
| 8 |
command accordingly. |
| 9 |
|
| 10 |
Care to give that a try and output a result or two from it? |
| 11 |
|
| 12 |
HTH, |
| 13 |
Brant |
| 14 |
|
| 15 |
On Nov 12, 2016 11:45, "Robert Sharp" <selinux@×××××××××××××××.org> wrote: |
| 16 |
|
| 17 |
Hi there, |
| 18 |
|
| 19 |
is this the best place to raise questions about SELinux, or would I be |
| 20 |
better trying chat? I am making a big effort to get to enforcing strict on |
| 21 |
a simple server and I am struggling a little. |
| 22 |
|
| 23 |
For example, I run Rsyslog and I have lots of AVCs concerning denied |
| 24 |
sendto's to /dev/log. The target context is usually sysadm_t, which does |
| 25 |
not seem right, and I also notice that Rsyslog is in the same context. I |
| 26 |
would expect it to be in a context involving syslog somehow. I have |
| 27 |
restarted the service from the sysadm_r role and it makes no difference. |
| 28 |
Also, I do not get asked to authenticate when starting the service, whereas |
| 29 |
other services require this, and, there is no entry for rsyslog in |
| 30 |
rc-status display despite it being installed in the default runlevel. |
| 31 |
|
| 32 |
Example AVCs: |
| 33 |
|
| 34 |
type=AVC msg=audit(1478957011.808:1910): avc: denied { sendto } for |
| 35 |
pid=6043 comm="smtp" path="/dev/log" scontext=system_u:system_r:postfix_smtp_t |
| 36 |
tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1 |
| 37 |
|
| 38 |
type=AVC msg=audit(1478953126.199:1909): avc: denied { sendto } for |
| 39 |
pid=5949 comm="cleanup" path="/dev/log" |
| 40 |
scontext=system_u:system_r:postfix_cleanup_t |
| 41 |
tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1 |
| 42 |
|
| 43 |
type=AVC msg=audit(1478952507.872:1907): avc: denied { sendto } for |
| 44 |
pid=3099 comm="krb5kdc" path="/dev/log" scontext=system_u:system_r:krb5kdc_t |
| 45 |
tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1 |
| 46 |
|
| 47 |
|
| 48 |
There does not appear to be any specific rsyslog selinux package so I |
| 49 |
assume it should all be syslog-related and already in the core policy |
| 50 |
(although I cannot find it there). I also note that Red Hat has a page on |
| 51 |
setting up Rsyslog in SELinux so I feel fairly sure it should work. It only |
| 52 |
tells you how to change the ports, however. I am using TCP on port 514 but |
| 53 |
I don't think I need to do anything according to RH. |
| 54 |
|
| 55 |
Have I missed something, done something fundamentally wrong, or just need |
| 56 |
to add something to stop the AVCs? Not keen on blindly fixing things so I |
| 57 |
want to know what I need to do and why before I do it. |
| 58 |
|
| 59 |
Thanks in anticipation, |
| 60 |
Robert Sharp |
Archives