
syslog-ng with selinux and targeted policy on RHEL4

We use syslog-ng with remote logging to keep track of our logs. By default, the targeted policy does not allow syslog-ng to operate. Adding the following lines to local.te in /etc/selinux/targeted/src/policy/domains/misc allows syslog-ng to bind to port 514 and to access /proc/kmsg for kernel messages (such as AVC messages!):
# Local additions to the targeted policy for syslog-ng. Every rule extends the
# existing syslogd_t domain; no new domain is defined here.

# syslog-ng network stuff
# Allow syslogd_t to bind UDP and TCP sockets to ports labelled syslogd_port_t.
allow syslogd_t syslogd_port_t:udp_socket name_bind;
allow syslogd_t syslogd_port_t:tcp_socket name_bind;
# NOTE(review): this permits TCP binds on every port labelled reserved_port_t,
# not only 514. Presumably TCP 514 does not carry the syslogd_port_t label in
# this policy - confirm, and prefer labelling the one port if the policy allows.
allow syslogd_t reserved_port_t:tcp_socket name_bind;
# syslog-ng random bits
# Read access to the random and urandom device nodes.
allow syslogd_t random_device_t:chr_file read;
allow syslogd_t urandom_device_t:chr_file read;
# Follow symlinks labelled usr_t.
allow syslogd_t usr_t:lnk_file read;
# chown/fowner/fsetid let the daemon change ownership and mode of files it does
# not own; needed when a destination sets owner(), group() or perm().
allow syslogd_t self:capability { chown fowner fsetid };
# Create directories labelled var_log_t and set their attributes; needed when a
# destination uses create_dirs(yes) and dir_perm().
allow syslogd_t var_log_t:dir { create setattr };
# syslog-ng /proc/kmsg
allow syslogd_t proc_t:dir search;
# NOTE(review): reading kernel messages only needs getattr and read; confirm
# that write is actually requested (check the AVC denials) before keeping it.
allow syslogd_t proc_kmsg_t:file { getattr read write };
# NOTE(review): sys_admin is a very broad capability. It appears to be granted
# here because the kernel gates kernel-log access on it; drop it if /proc/kmsg
# can be read without it on the target kernel.
allow syslogd_t self:capability sys_admin;
# Permit the kernel-log operations covered by syslog_mod and syslog_console.
allow syslogd_t kernel_t:system { syslog_mod syslog_console };
We keep our logs in a directory other than /var/log. You need to chcon the directory you wish to keep logs in, so that syslog-ng can write there, create directories, etc.


# Label the custom log root as var_log_t so the syslogd_t rules for var_log_t apply to it.
# No -R is given, so only the /syslog-ng directory itself is relabelled.
# NOTE(review): a label applied with chcon is not recorded in the policy's file
# contexts, so a filesystem relabel will reset it; re-apply it afterwards or add
# a matching file-context entry to the local policy.
[root@loghost]# chcon system_u:object_r:var_log_t /syslog-ng
Our syslog-ng.conf puts logs from remote hosts in a subdirectory and also keeps a cumulative log for epylog.
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# 20000925 gb@sysfive.com
#
# Updated by Frank Crawford (<Frank.Crawford@ac3.com.au>) - 10 Aug 2002
#       - for Red Hat 7.3
#       - totally do away with klogd
#       - add message "kernel:" as is done with klogd.
#
# Updated by Frank Crawford (<Frank.Crawford@ac3.com.au>) - 22 Aug 2002
#       - use the log_prefix option as per Balazs Scheidler's email
#
# Updated by Jose Pedro Oliveira (<jpo at di.uminho.pt>) - 05 Apr 2003
#       - corrected filters 'f_filter2' and 'f_filter6'
#     these filters were only allowing messages of one specific
#     priority level; they should be allowing messages from that
#     priority and upper levels.
#
# Updated by Jose Pedro Oliveira (<jpo at di.uminho.pt>) - 25 Jan 2005
#   - Don't sync the d_mail destination
#
# Updated by Jose Pedro Oliveira (<jpo at di.uminho.pt>) - 01 Feb 2005
#   - /PROC/kmsg is a file not a pipe.
#     (https://lists.balabit.hu/pipermail/syslog-ng/2005-February/006963.html)
#

# Global defaults; individual sources and destinations below may override them.
options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (off);
    # NOTE(review): with use_dns(yes) the log host resolves sender addresses
    # through DNS, so slow or unreachable DNS can delay log processing and
    # recorded names are only as trustworthy as the resolver. Consider a local
    # caching resolver or static host entries.
    use_dns (yes);
    use_fqdn (no);
    # Directory creation is off by default; the "remote" and "epylog"
    # destinations turn it on for themselves.
    create_dirs (no);
    # NOTE(review): keep_hostname(yes) keeps the hostname carried in the message
    # instead of deriving it from the sender, so $HOST in the "remote"
    # destination path is sender-supplied. Restrict who can reach the network
    # source, and confirm how this syslog-ng version sanitises $HOST.
    keep_hostname (yes);
};

# Local sources: kernel messages read from /proc/kmsg (prefixed "kernel: "),
# the local /dev/log socket, and syslog-ng's own internal messages.
source s_sys {
    file ("/proc/kmsg" log_prefix("kernel: "));
    unix-stream ("/dev/log");
    internal();
    # Network input is kept out of this source; it is defined separately in "net".
    # udp(ip(0.0.0.0) port(514));
};

# network
# NOTE(review): tcp() and udp() are given no ip() or port() arguments, so they
# use syslog-ng's defaults (presumably every local address, port 514 - confirm
# for this version). Nothing in this file authenticates, encrypts or restricts
# senders, so limit access with a packet filter or a dedicated logging network.
source net {
    tcp();
    udp();
};


# Local destinations mirroring the stock Red Hat syslog layout.
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" sync(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
# Writes to the terminals of all logged-in users.
destination d_mlal { usertty("*"); };

# ias specific
# One directory per reporting host, one file per facility and month.
# NOTE(review): $HOST comes from the message (keep_hostname is on) and
# create_dirs(yes) creates whatever directory the expanded path names, so any
# sender that can reach the network source can cause new directories to appear
# under /syslog-ng/remote. Monitor for unexpected host directories and disk use.
# Files are created 0660 and directories 0770, owned by syslog-ng:syslog-ng, so
# membership of that group decides who can read the collected logs.
destination remote {
   file("/syslog-ng/remote/$HOST/$FACILITY-$YEAR-$MONTH.log"
         sync(0) log_fifo_size(10) create_dirs(yes)
         owner(syslog-ng) group(syslog-ng) perm(0660) dir_perm(0770));
};

# Cumulative per-day, per-facility log across all hosts, kept for epylog.
# Same ownership and permissions as "remote". The path contains no
# sender-supplied hostname, only date and facility macros.
# NOTE(review): log_fifo_size(10) is far below the global 1000 for both of these
# destinations; confirm that messages are not dropped during bursts.
destination epylog {
   file("/syslog-ng/$YEAR-$MONTH-$DAY/$FACILITY.log"
        sync(0) log_fifo_size(10) create_dirs(yes)
        owner(syslog-ng) group(syslog-ng) perm(0660) dir_perm(0770));
};

# Filters reproducing the classic syslog.conf selectors.
# f_filter1 (kernel facility to the console) is disabled.
#filter f_filter1   { facility(kern); };
# info and above, excluding mail, authpriv and cron.
filter f_filter2   { level(info..emerg) and
                     not facility(mail,authpriv,cron); };
# Authentication messages.
filter f_filter3   { facility(authpriv); };
filter f_filter4   { facility(mail); };
# Emergency messages only.
filter f_filter5   { level(emerg); };
# All uucp messages, plus news at crit and above.
filter f_filter6   { facility(uucp) or
                     (facility(news) and level(crit..emerg)); };
filter f_filter7   { facility(local7); };
filter f_filter8   { facility(cron); };

# Local routing: every statement reads only from s_sys, so messages received
# over the network never reach /var/log, the console or user terminals.
#log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };

# ias specific
# Local and network messages both go, unfiltered, to the per-host tree and to
# the cumulative epylog tree.
# NOTE(review): because no filter is applied, authpriv messages land in these
# files as well, so the syslog-ng group can read what /var/log/secure holds.
log { source(s_sys); destination(remote); };
log { source(net); destination(remote); };
log { source(s_sys); destination(epylog); };
log { source(net); destination(epylog); };

2 Responses to “syslog-ng with selinux and targeted policy on RHEL4”

  1. Jeremy Says:

    Thank you for the tip – I’m working on setting up a centralized log server and have run into SELinux obstacles twice now. The first one was that syslog-ng wouldn’t create directories in /var/log even though it would create files. That one was solved by 'setsebool -P use_syslogng=1'.

  2. rajeshkumar Says:

    i am rajesh kumar

    mailid yrkumar11@gmail.com

    i am using RHEL but i am facing same problem with syslog-ng its not creating saparate file and directories what i do
