Hello, Robert.

Do you have the package "app-admin/setools" installed? If so, you can run
"cat /var/log/audit/audit.log | audit2why" to get an explanation of why the
denials occur, with suggestions for fixing them.

Of course, if your system is logging AVC denials elsewhere, adjust the
command accordingly.

Care to give that a try and output a result or two from it?

HTH,
Brant

On Nov 12, 2016 11:45, "Robert Sharp" <selinux@×××××××××××××××.org> wrote:

Hi there,

is this the best place to raise questions about SELinux, or would I be
better trying chat? I am making a big effort to get to enforcing strict on
a simple server and I am struggling a little.

For example, I run Rsyslog and I have lots of AVCs concerning denied
sendto's to /dev/log. The target context is usually sysadm_t, which does
not seem right, and I also notice that Rsyslog is in the same context. I
would expect it to be in a context involving syslog somehow. I have
restarted the service from the sysadm_r role and it makes no difference.
Also, I do not get asked to authenticate when starting the service, whereas
other services require this, and, there is no entry for rsyslog in
rc-status display despite it being installed in the default runlevel.

Example AVCs:

type=AVC msg=audit(1478957011.808:1910): avc: denied { sendto } for
pid=6043 comm="smtp" path="/dev/log" scontext=system_u:system_r:postfix_smtp_t
tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1

type=AVC msg=audit(1478953126.199:1909): avc: denied { sendto } for
pid=5949 comm="cleanup" path="/dev/log"
scontext=system_u:system_r:postfix_cleanup_t
tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1

type=AVC msg=audit(1478952507.872:1907): avc: denied { sendto } for
pid=3099 comm="krb5kdc" path="/dev/log" scontext=system_u:system_r:krb5kdc_t
tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1


There does not appear to be any specific rsyslog selinux package so I
assume it should all be syslog-related and already in the core policy
(although I cannot find it there). I also note that Red Hat has a page on
setting up Rsyslog in SELinux so I feel fairly sure it should work. It only
tells you how to change the ports, however. I am using TCP on port 514 but
I don't think I need to do anything according to RH.

Have I missed something, done something fundamentally wrong, or just need
to add something to stop the AVCs? Not keen on blindly fixing things so I
want to know what I need to do and why before I do it.

Thanks in anticipation,
Robert Sharp
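
A triage step that complements audit2why, as an added example that is not part of the original thread: it rejoins mail-wrapped AVC records and groups the denials by the target they hit, so many denials with one shared target show up as a single item. The function names are hypothetical and the sample is constructed from the three records quoted in the message.

```python
import re
from collections import defaultdict
# Constructed sample: the three AVC records from the message, still mail-wrapped.
SAMPLE = """\
type=AVC msg=audit(1478957011.808:1910): avc: denied { sendto } for
pid=6043 comm="smtp" path="/dev/log" scontext=system_u:system_r:postfix_smtp_t
tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1478953126.199:1909): avc: denied { sendto } for
pid=5949 comm="cleanup" path="/dev/log"
scontext=system_u:system_r:postfix_cleanup_t
tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1478952507.872:1907): avc: denied { sendto } for
pid=3099 comm="krb5kdc" path="/dev/log" scontext=system_u:system_r:krb5kdc_t
tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap(text):
    """Rejoin records that a mail client wrapped; each record starts with type=."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def selinux_type(context):
    parts = context.split(":")  # user:role:type[:level]
    return parts[2] if len(parts) >= 3 else context

def group_by_target(text):
    """Map (path, target type, class, permission) -> sorted source types."""
    groups = defaultdict(set)
    for record in unwrap(text):
        m = AVC_RE.search(record)
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))} if m else {}
        if not f.keys() >= {"scontext", "tcontext", "tclass"}:
            continue  # not an AVC denial, or a truncated record
        for perm in m.group(1).split():
            key = (f.get("path", "?"), selinux_type(f["tcontext"]), f["tclass"], perm)
            groups[key].add(selinux_type(f["scontext"]))
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    for (path, ttype, tclass, perm), srcs in group_by_target(SAMPLE).items():
        print(f"{perm} {tclass} {path} -> target {ttype}; sources: {', '.join(srcs)}")
```

On the quoted records this yields one group: sendto on the /dev/log socket with target type sysadm_t, denied for three unrelated source domains, which points at the context of the process that owns the socket as the thing to check first.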