Mailing List Archive

rsyslog v3 and selinux
I took Fedora 8's rsyslog v2.0.2 SRPM and rebuilt it for v3.12.1

I'm using the same init script. When I used that init script
(i.e., "/etc/init.d/rsyslog start") on v2.0.2, the only
SELinux problem I had was the domain transition, as
documented here:
http://tanso.net/rsyslog/

However, when I rebuilt the RPM for v3.12.1, and used the
same init script to run it, I get many SELinux errors.
Eventually, I worked out all the things I had to allow for
rsyslog v3.12.1 to run properly. It's enclosed below as a
semanage module.

Just curious if there was some change to rsyslog between
versions 2 and 3 which would cause rsyslog, even when running
properly in domain syslogd_exec_t, to generate so many SELinux
denials, including not being able to do a TCP bind?

Thanks for any clues,
johnn

p.s. Here's the module that finally worked. Will document on
wiki when all is done.

==========
module rsyslog 1.0;

require {
class dir search;
class file { getattr read write };
class filesystem remount;
class tcp_socket { create accept read setopt bind
name_bind node_bind listen };
type boot_t;
type auditd_log_t;
type var_log_t;
type syslogd_t;
type syslogd_port_t;
type port_t;
type mount_t;
type system_map_t;
type inaddr_any_node_t;
type unspec_node_t;
role system_r;
};

allow syslogd_t boot_t:dir search;
allow syslogd_t auditd_log_t:dir search;
allow syslogd_t auditd_log_t:file { getattr read };
allow syslogd_t self:tcp_socket { create accept read setopt
bind listen };
allow syslogd_t syslogd_port_t:tcp_socket name_bind;
allow syslogd_t port_t:tcp_socket name_bind;
allow syslogd_t system_map_t:file { read getattr };
allow syslogd_t inaddr_any_node_t:tcp_socket node_bind;
allow syslogd_t unspec_node_t:tcp_socket node_bind;
==========
rsyslog v3 and selinux [ In reply to ]
I have absolutely no idea about selinux ... But: may it be due to the fact that plugins - separate libraries - are now loaded by rsyslogd to do the job?

rainer

----- Original Message -----
From: "Johnny Tan" <linuxweb at gmail.com>
To: "rsyslog-users" <rsyslog at lists.adiscon.com>
Sent: 11.03.08 19:08
Subject: [rsyslog] rsyslog v3 and selinux

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
rsyslog v3 and selinux [ In reply to ]
On 2008-03-11, Johnny Tan <linuxweb at gmail.com> wrote:
>
> However, when I rebuilt the RPM for v3.12.1, and used the
> same init script to run it, I get many SELinux errors.
> Eventually, I worked out all the things I had to allow for
> rsyslog v3.12.1 to run properly. It's enclosed below as a
> semanage module.

These seem very strange:

> allow syslogd_t boot_t:dir search;
> allow syslogd_t system_map_t:file { read getattr };

Why does it want to read /boot/System.map* ?

> allow syslogd_t auditd_log_t:dir search;
> allow syslogd_t auditd_log_t:file { getattr read };

And why read /var/log/audit/* ?



-jf
rsyslog v3 and selinux [ In reply to ]
That's part of the klog(d) code I inherited from sysklogd. I've never
questioned if there is another way to do it. It seems to use these to
obtain kernel symbols.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Jan-Frode Myklebust
> Sent: Wednesday, March 12, 2008 12:39 PM
> To: rsyslog at lists.adiscon.com
> Subject: Re: [rsyslog] rsyslog v3 and selinux
rsyslog v3 and selinux [ In reply to ]
Jan-Frode Myklebust wrote:
>> allow syslogd_t auditd_log_t:dir search;
>> allow syslogd_t auditd_log_t:file { getattr read };
>
> And why read /var/log/audit/* ?

This is custom. I prefer to install auditd and have the
SELinux logs separated out from /var/log/messages. Then I
use imfile to convert the audit logs to syslog in order to
send it over to the central logger.

Yes, it's a waste of a syslog "local" facility, but I'm not
aware of any other way unless I remove auditd and have those
go back into /var/log/messages.

johnn
rsyslog v3 and selinux [ In reply to ]
On 2008-03-12, Johnny Tan <linuxweb at gmail.com> wrote:
>
> This is custom. I prefer to install auditd and have the
> SELinux logs separated out from /var/log/messages. Then I
> use imfile to convert the audit logs to syslog in order to
> send it over to the central logger.
>
> Yes, it's a waste of a syslog "local" facility, but I'm not
> aware of any other way unless I remove auditd and have those
> go back into /var/log/messages.

Hmmm.. I have been wondering about how to collect the auditd logs
centrally. Could you please share how you do it? Would be great
if you manage to keep the format on the receiving host..



-jf
rsyslog v3 and selinux [ In reply to ]
Jan-Frode Myklebust wrote:
> Hmmm.. I have been wondering about how to collect the auditd logs
> centrally. Could you please share how you do it?

I use imfile, this is my client stanza:
==
# auditd audit.log
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
==


And on the server side:
==
$template HostAudit, "/var/log/rsyslog/%HOSTNAME%/audit_log"
local6.* ?HostAudit
==


> Would be great
> if you manage to keep the format on the receiving host..

The format is NOT kept due to the syslog prefix. However
audit2allow can still read and process the file.

If I need the original format (like for ausearch, and maybe
other tools), I would need to run something like this on the
server side, in the directory for the host I'm wanting to do
the analysis on:

sed 's/^.*tag_audit_log://' audit_log | ausearch -i


Is that what you meant?
johnn
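As an added illustration (not code from the thread or from rsyslog itself), the following Python takes a constructed sample of the forwarded audit_log as the HostAudit template writes it, strips the syslog prefix the way the sed one-liner above does, and then merges the recovered AVC denials into allow rules of the kind that make up the module in the first post. The tag name, hostnames and audit records are assumptions built for the sample.

```python
import re

# Constructed sample of the forwarded audit_log as the HostAudit template writes
# it: syslog header, the imfile tag, then the original auditd record.
FORWARDED = """\
Mar 14 15:15:01 web01 tag_audit_log: type=AVC msg=audit(1205507701.123:456): avc:  denied  { name_bind } for  pid=2345 comm="rsyslogd" src=514 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_port_t:s0 tclass=tcp_socket
Mar 14 15:15:01 web01 tag_audit_log: type=SYSCALL msg=audit(1205507701.123:456): arch=40000003 syscall=102 success=no exit=-13 comm="rsyslogd"
Mar 14 15:15:02 web01 tag_audit_log: type=AVC msg=audit(1205507702.456:457): avc:  denied  { read } for  pid=2345 comm="rsyslogd" name="System.map-2.6.23" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file
Mar 14 15:15:02 web01 tag_audit_log: type=AVC msg=audit(1205507702.456:458): avc:  denied  { getattr } for  pid=2345 comm="rsyslogd" path="/boot/System.map-2.6.23" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file
"""

# Same idea as the sed expression in the thread: drop everything up to and
# including the tag (plus the single space rsyslog puts after the tag).
PREFIX = re.compile(r"^.*tag_audit_log: ?")

AVC = re.compile(
    r"type=AVC .*denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\w+)"
)

def strip_prefix(lines):
    """Recover the original audit records from the forwarded syslog lines."""
    return [PREFIX.sub("", line) for line in lines]

def type_of(context):
    """user:role:type[:range] -> type, e.g. system_u:system_r:syslogd_t:s0 -> syslogd_t."""
    return context.split(":")[2]

def denials_to_rules(records):
    """Merge AVC denials into allow rules, the way audit2allow summarises them.
    Non-AVC records (SYSCALL etc.) are skipped; denials with the same
    source type, target type and class become one rule with the union of permissions."""
    merged = {}
    for rec in records:
        m = AVC.search(rec)
        if not m:
            continue
        key = (type_of(m["s"]), type_of(m["t"]), m["cls"])
        merged.setdefault(key, set()).update(m["perms"].split())
    return [
        "allow %s %s:%s { %s };" % (s, t, cls, " ".join(sorted(perms)))
        for (s, t, cls), perms in sorted(merged.items())
    ]

def forwarded_to_rules(text):
    return denials_to_rules(strip_prefix(text.splitlines()))

if __name__ == "__main__":
    print("\n".join(forwarded_to_rules(FORWARDED)))
```

The two rules it prints for the sample correspond to the tcp_socket name_bind and system_map_t file rules in Johnny's module; on a real server directory you would feed it the per-host audit_log instead of the embedded sample.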
rsyslog v3 and selinux [ In reply to ]
I guess you can keep the format if you use a template with just %msg%
inside it:

$template HostAudit, "/var/log/rsyslog/%HOSTNAME%/audit_log"
$template auditFormat, "%msg%"
local6.* ?HostAudit;auditFormat

I have not tested this, just guessing. If you try it out and it does not
work, I'd appreciate it if you could post me a line as written by rsyslog
and an original line. I'll see what I can do with these ;)

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Johnny Tan
> Sent: Friday, March 14, 2008 3:15 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog v3 and selinux
rsyslog v3 and selinux [ In reply to ]
On 2008-03-14, Johnny Tan <linuxweb at gmail.com> wrote:
>==
> The format is NOT kept due to the syslog prefix. However
> audit2allow can still read and process the file.
>
> If I need the original format (like for ausearch, and maybe
> other tools), I would need to run something like this on the
> server side, in the directory for the host I'm wanting to do
> the analysis on:
>
> sed 's/^.*tag_audit_log://' audit_log | ausearch -i
>
> Is that what you meant?

Yes, thanks!




-jf
rsyslog v3 and selinux [ In reply to ]
Ummm... I forgot two important characters, else you'll have no line
feeds and all in one line...
(see the \n after %msg%)!

$template HostAudit, "/var/log/rsyslog/%HOSTNAME%/audit_log"
$template auditFormat, "%msg%\n"
local6.* ?HostAudit;auditFormat


> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Friday, March 14, 2008 3:30 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog v3 and selinux