Hello,

Googling and bugs.gentoo.org didn't help so I'm trying here.

For some reason syslog-ng finds it necessary to write to /proc/kmsg. The
policy does not allow this, so syslog-ng fails to start. Syslog-ng
complains that it can't open /proc/kmsg for reading, but according to
the policy it does have the rights to do so.

Changing "allow syslogd_t proc_kmsg_t:file { getattr read};" in
syslog.td into "allow syslogd_t proc_kmsg_t:file { getattr read write};"
gets rid of the error, but why does syslog-ng need write access to
/proc/kmsg? That doesn't make sense to me.

Is the policy on my system wrong or is syslog-ng configured wrong?
Looking at syslog-ng.conf it looks like syslog-ng doesn't open
/proc/kmsg as a file, but as a socket. Is that causing the problem or is
it something else?
Changing syslog-ng.conf to replace "pipe" with "file" results in
complaints about failing socket operations on non-socket objects, so
that doesn't help either.


avc message:
-----------------
avc: denied { write } for pid=5029 exe=/usr/sbin/syslog-ng name=kmsg
dev= ino=4106 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:proc_kmsg_t tclass=file


From syslog.td:
--------------------
ifdef(`klogd.te', `', `
# Allow access to /proc/kmsg for syslog-ng
allow syslogd_t proc_t:dir search;
allow syslogd_t proc_kmsg_t:file { getattr read};
allow syslogd_t kernel_t:system { syslog_mod syslog_console };


From /etc/syslog-ng/syslog-ng.conf:
--------------------------------------------
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };


System config:
--------
kernel hardened-dev-sources-2.6.5
syslog-ng-1.6.4
x86 arch (athlon-tbird)


If someone can help me understand what's going on and what should be
done to get syslog-ng running without complaints, I'd be most grateful.

regards,
nixnut

--
gentoo-hardened@g.o mailing list
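Added example (not part of the post above, and not syslog-ng's own code): the avc line in the post reports a denied { write } even though syslog-ng only ever reads /proc/kmsg. SELinux decides file:write at open() time from the requested access mode, so a process that opens a path O_RDWR needs write permission on it whether or not it ever calls write(). The usual reason a log daemon's pipe() source opens read-write rather than read-only is shown below, using a FIFO created in a temporary directory under /tmp (constructed input, no root or SELinux needed): a reader opened O_RDONLY sees EOF as soon as the last writer closes, while a reader opened O_RDWR keeps a writer alive (itself) and instead sees "no data yet". That syslog-ng 1.6.4's pipe() driver opens this way is my assumption, consistent with the denial but not confirmed by the post; the helper names below are mine.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* True if the open(2) flags request write access: this is what an LSM
 * such as SELinux turns into a file:write check at open() time. */
int open_requests_write(int flags)
{
    int mode = flags & O_ACCMODE;
    return mode == O_WRONLY || mode == O_RDWR;
}

/* Create a FIFO in a private temp directory; returns a heap path or NULL. */
static char *make_fifo(void)
{
    char tmpl[] = "/tmp/kmsg-demo-XXXXXX";
    if (mkdtemp(tmpl) == NULL)
        return NULL;
    size_t n = strlen(tmpl) + sizeof("/fifo");
    char *path = malloc(n);
    if (path == NULL)
        return NULL;
    snprintf(path, n, "%s/fifo", tmpl);
    if (mkfifo(path, 0600) != 0) {
        free(path);
        return NULL;
    }
    return path;
}

static void remove_fifo(char *path)
{
    unlink(path);
    char *slash = strrchr(path, '/');
    if (slash != NULL) {
        *slash = '\0';
        rmdir(path);
    }
    free(path);
}

/*
 * Open the FIFO as a reader with reader_flags (plus O_NONBLOCK), let a
 * writer send one constructed message and close, drain that message,
 * then read once more.  Returns 0 if that read hits EOF (what a
 * read-only pipe reader sees once its writer is gone), the errno it
 * raised (EAGAIN for a read-write reader, which never loses its last
 * writer), or -1 on setup failure.
 */
int read_after_writer_closes(int reader_flags)
{
    char *path = make_fifo();
    if (path == NULL)
        return -1;
    int result = -1;
    int wfd = -1;
    int rfd = open(path, reader_flags | O_NONBLOCK);
    if (rfd < 0) {
        remove_fifo(path);
        return -1;
    }
    /* A reader exists, so this blocking open returns immediately. */
    wfd = open(path, O_WRONLY);
    if (wfd < 0)
        goto out;
    const char msg[] = "<6>constructed kernel message\n"; /* constructed */
    if (write(wfd, msg, sizeof(msg) - 1) != (ssize_t)(sizeof(msg) - 1))
        goto out;
    close(wfd);
    wfd = -1;
    char buf[64];
    if (read(rfd, buf, sizeof buf) <= 0) /* drain the queued message */
        goto out;
    ssize_t n = read(rfd, buf, sizeof buf);
    if (n == 0)
        result = 0;
    else if (n < 0)
        result = errno;
out:
    if (wfd >= 0)
        close(wfd);
    close(rfd);
    remove_fifo(path);
    return result;
}

int main(void)
{
    int ro = read_after_writer_closes(O_RDONLY);
    int rw = read_after_writer_closes(O_RDWR);
    printf("O_RDONLY reader after writer closes: %s\n",
           ro == 0 ? "EOF" : ro == EAGAIN ? "EAGAIN" : "setup failure");
    printf("O_RDWR   reader after writer closes: %s\n",
           rw == 0 ? "EOF" : rw == EAGAIN ? "EAGAIN" : "setup failure");
    printf("O_RDWR requests write access: %d\n", open_requests_write(O_RDWR));
    return 0;
}
```

The practitioner's takeaway: the O_RDWR trick only matters for a real FIFO, where the reader would otherwise have to reopen after every writer exit; /proc/kmsg is not a FIFO, so a read-only open would serve it just as well, and adding "write" to the allow rule grants more than the daemon actually uses. Whichever way it is resolved, check the access mode the source driver actually opens with (strace -e trace=open on the daemon shows it) before widening the policy.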