Hi there,

is this the best place to raise questions about SELinux, or would I be better trying chat? I am making a big effort to get to enforcing strict on a simple server and I am struggling a little.

For example, I run Rsyslog and I have lots of AVCs concerning denied sendto's to /dev/log. The target context is usually sysadm_t, which does not seem right, and I also notice that Rsyslog is in the same context. I would expect it to be in a context involving syslog somehow. I have restarted the service from the sysadm_r role and it makes no difference. Also, I do not get asked to authenticate when starting the service, whereas other services require this, and there is no entry for rsyslog in the rc-status display despite it being installed in the default runlevel.

Example AVCs:

type=AVC msg=audit(1478957011.808:1910): avc: denied { sendto } for pid=6043 comm="smtp" path="/dev/log" scontext=system_u:system_r:postfix_smtp_t tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1

type=AVC msg=audit(1478953126.199:1909): avc: denied { sendto } for pid=5949 comm="cleanup" path="/dev/log" scontext=system_u:system_r:postfix_cleanup_t tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1

type=AVC msg=audit(1478952507.872:1907): avc: denied { sendto } for pid=3099 comm="krb5kdc" path="/dev/log" scontext=system_u:system_r:krb5kdc_t tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1

There does not appear to be any specific rsyslog selinux package so I assume it should all be syslog-related and already in the core policy (although I cannot find it there). I also note that Red Hat has a page on setting up Rsyslog in SELinux so I feel fairly sure it should work. It only tells you how to change the ports, however. I am using TCP on port 514 but I don't think I need to do anything according to RH.

Have I missed something, done something fundamentally wrong, or just need to add something to stop the AVCs? Not keen on blindly fixing things so I want to know what I need to do and why before I do it.

Thanks in anticipation,
Robert Sharp
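Added illustration, not part of the message above: a small parser for the AVC record format quoted in the post, plus a triage check for the specific pattern shown. /dev/log is a datagram socket created by the syslog daemon, so the target context of a sendto denial to it is the domain the daemon was running in when it created the socket; the check below groups denials by that target domain and flags any whose target type is not a syslog domain. The expected type syslogd_t is the reference-policy domain for the syslog daemon and is an assumption here; the sample records are the three AVCs from the post, constructed inline as one line each (the form they take in audit.log).

```python
import re
from collections import Counter

# Constructed sample: the three AVC records quoted in the message above,
# re-joined onto one line each, as they appear in /var/log/audit/audit.log.
SAMPLE_AVCS = """\
type=AVC msg=audit(1478957011.808:1910): avc: denied { sendto } for pid=6043 comm="smtp" path="/dev/log" scontext=system_u:system_r:postfix_smtp_t tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1478953126.199:1909): avc: denied { sendto } for pid=5949 comm="cleanup" path="/dev/log" scontext=system_u:system_r:postfix_cleanup_t tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1478952507.872:1907): avc: denied { sendto } for pid=3099 comm="krb5kdc" path="/dev/log" scontext=system_u:system_r:krb5kdc_t tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1
"""

# Header of an AVC record: timestamp, serial, result and the permission set.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc: +(?P<result>denied|granted) +\{ (?P<perms>[^}]+)\} for (?P<rest>.*)$'
)
# key=value pairs after "for"; values may be double-quoted (comm=, path=).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Parse one AVC line into a dict, or return None if it is not an AVC."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val[1:-1] if val.startswith('"') else val
    return rec


def split_context(ctx):
    """Split user:role:type[:range] into its parts (range absent without MLS)."""
    parts = ctx.split(":", 3)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "range": parts[3] if len(parts) > 3 else None}


def find_mislabelled_devlog(lines, expected_types=("syslogd_t",)):
    """Collect denied sendto's to /dev/log and flag those whose target
    domain (the socket creator's domain) is not an expected syslog domain.

    Returns (findings, by_target): a list of flagged records and a Counter
    of all /dev/log sendto denials keyed by target type."""
    findings = []
    by_target = Counter()
    for line in lines:
        rec = parse_avc(line)
        if not rec or rec["result"] != "denied":
            continue
        if rec.get("tclass") != "unix_dgram_socket" or "sendto" not in rec["perms"]:
            continue
        if rec.get("path") != "/dev/log":
            continue
        tgt = split_context(rec["tcontext"])
        by_target[tgt["type"]] += 1
        if tgt["type"] not in expected_types:
            findings.append({
                "serial": rec["serial"],
                "comm": rec.get("comm"),
                "source_type": split_context(rec["scontext"])["type"],
                "target_type": tgt["type"],
                "target_role": tgt["role"],
                "permissive": rec.get("permissive") == "1",
            })
    return findings, by_target


if __name__ == "__main__":
    findings, by_target = find_mislabelled_devlog(SAMPLE_AVCS.splitlines())
    print("sendto denials to /dev/log by target type:", dict(by_target))
    for f in findings:
        print(f"serial {f['serial']}: {f['comm']} ({f['source_type']}) -> "
              f"/dev/log owned by {f['target_type']} (role {f['target_role']})")
```

Run against the three records it reports all of them under sysadm_t, which is the same observation the post makes by eye: the clients (postfix, krb5kdc) are in their expected domains, and it is the socket's owner that is out of place. The same function can be fed the output of `grep AVC /var/log/audit/audit.log` to see whether every /dev/log denial on a host shares one unexpected target domain, which points at how the logger was started rather than at the individual clients.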