syslog-ng with selinux and targeted policy on RHEL4

By thomas, 18 July, 2006
We use syslog-ng with remote logging to keep track of our logs. The targeted policy doesn't allow syslog-ng to operate by default. The following lines added to local.te in /etc/selinux/targeted/src/policy/domains/misc will allow syslog-ng to bind to port 514 and access /proc/kmsg for kernel messages (such as avc messages!):

    # syslog-ng network stuff
    allow syslogd_t syslogd_port_t:udp_socket name_bind;
    allow syslogd_t syslogd_port_t:tcp_socket name_bind;
    allow syslogd_t reserved_port_t:tcp_socket name_bind;

    # syslog-ng random bits
    allow syslogd_t random_device_t:chr_file read;
    allow syslogd_t urandom_device_t:chr_file read;
    allow syslogd_t usr_t:lnk_file read;
    allow syslogd_t self:capability { chown fowner fsetid };
    allow syslogd_t var_log_t:dir { create setattr };

    # syslog-ng /proc/kmsg
    allow syslogd_t proc_t:dir search;
    allow syslogd_t proc_kmsg_t:file { getattr read write };
    allow syslogd_t self:capability sys_admin;
    allow syslogd_t kernel_t:system { syslog_mod syslog_console };

We keep our logs in a different directory than /var/log. You need to chcon the directory you wish to keep logs in, so syslog-ng can write there, create directories, etc.:

    [root@loghost]# chcon system_u:object_r:var_log_t /syslog-ng

Our syslog-ng.conf has remote hosts in a subdirectory and also keeps a cumulative log for epylog.
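The allow rules above were derived from the avc denials syslog-ng triggered. As an added example (not from the original post), here is a small shell function that turns "avc: denied" lines from /var/log/messages into TE rules in the same form, grouping permissions per source type, target type and object class. The function name and the sample avc lines are constructed for illustration; on a real box the audit2allow tool from policycoreutils does this job properly.

```shell
#!/bin/sh
# Constructed sample of RHEL4-style avc denial lines (kernel without auditd).
# Two lines hit the same proc_kmsg_t/file pair and the last one is a duplicate,
# so the output shows both merging and de-duplication.
AVC_SAMPLE='kernel: audit(1153200000.123:45): avc:  denied  { name_bind } for  pid=1234 comm="syslog-ng" src=514 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:syslogd_port_t tclass=udp_socket
kernel: audit(1153200001.456:46): avc:  denied  { read } for  pid=1234 comm="syslog-ng" name="kmsg" dev=proc scontext=root:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file
kernel: audit(1153200002.789:47): avc:  denied  { write } for  pid=1234 comm="syslog-ng" name="kmsg" dev=proc scontext=root:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file
kernel: audit(1153200003.012:48): avc:  denied  { name_bind } for  pid=1234 comm="syslog-ng" src=514 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:syslogd_port_t tclass=udp_socket'

# avc_to_te (assumed name): read avc lines on stdin, print "allow" rules on
# stdout, one per (source type, target type, class), sorted for stable output.
avc_to_te() {
  awk '
    /avc: +denied/ {
      s = index($0, "{"); e = index($0, "}")
      if (s == 0 || e <= s) next
      plist = substr($0, s + 1, e - s - 1)      # permission names inside { }
      st = ""; tt = ""; tc = ""
      for (i = 1; i <= NF; i++) {
        # contexts are user:role:type; the type is the last colon-separated field
        if ($i ~ /^scontext=/) { n = split($i, a, ":"); st = a[n] }
        if ($i ~ /^tcontext=/) { n = split($i, a, ":"); tt = a[n] }
        if ($i ~ /^tclass=/)   { tc = substr($i, 8) }
      }
      if (st == "" || tt == "" || tc == "") next
      key = st SUBSEP tt SUBSEP tc
      np = split(plist, p, " ")
      for (j = 1; j <= np; j++)
        if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; perms[key] = perms[key] " " p[j] }
    }
    END {
      for (key in perms) {
        split(key, k, SUBSEP)
        n = split(perms[key], p, " ")
        if (n == 1) printf "allow %s %s:%s %s;\n", k[1], k[2], k[3], p[1]
        else {
          printf "allow %s %s:%s {", k[1], k[2], k[3]
          for (j = 1; j <= n; j++) printf " %s", p[j]
          printf " };\n"
        }
      }
    }' | sort
}

printf '%s\n' "$AVC_SAMPLE" | avc_to_te
```

Review what it prints before appending anything to local.te: a denial is only evidence that the access was attempted, not that it should be allowed.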