I took Fedora 8's rsyslog v2.0.2 SRPM and rebuilt it for v3.12.1
I'm using the same init script. When I used that init script
(i.e., "/etc/init.d/rsyslog start") on v2.0.2, the only
SELinux problem I had was the domain transition, as
documented here:
http://tanso.net/rsyslog/
However, when I rebuilt the RPM for v3.12.1, and used the
same init script to run it, I get many SELinux errors.
Eventually, I worked out all the things I had to allow for
rsyslog v3.12.1 to run properly. It's enclosed below as a
semanage module.
Just curious if there was some change to rsyslog between
versions 2 and 3 which would make rsyslog, even when running
properly in domain syslogd_exec_t, cause so many SELinux
denials, including not being able to do TCP bind?
Thanks for any clues,
johnn
P.S. Here's the module that finally worked. Will document on
the wiki when all is done.
==========
module rsyslog 1.0;

require {
    # Object classes and permissions referenced by the allow rules below.
    class dir search;
    class file { getattr read write };
    class filesystem remount;
    class tcp_socket { create accept read setopt bind name_bind node_bind listen };
    # Types referenced by the allow rules below. Note: var_log_t, mount_t,
    # the filesystem class, file write and role system_r are declared here
    # but not used by any rule in this module.
    type boot_t;
    type auditd_log_t;
    type var_log_t;
    type syslogd_t;
    type syslogd_port_t;
    type port_t;
    type mount_t;
    type system_map_t;
    type inaddr_any_node_t;
    type unspec_node_t;
    role system_r;
};

# Search /boot (needed to reach System.map, see below).
allow syslogd_t boot_t:dir search;
# Search /var/log/audit and read the audit log files in it.
allow syslogd_t auditd_log_t:dir search;
allow syslogd_t auditd_log_t:file { getattr read };
# Create a TCP socket, bind it and accept connections (rsyslog's TCP input).
allow syslogd_t self:tcp_socket { create accept read setopt bind listen };
# Bind to the syslog port type (514) and to a generic, otherwise unlabeled port.
allow syslogd_t syslogd_port_t:tcp_socket name_bind;
allow syslogd_t port_t:tcp_socket name_bind;
# Read /boot/System.map (kernel symbol lookup for kernel log messages).
allow syslogd_t system_map_t:file { read getattr };
# Bind the listening socket to the wildcard / unspecified local address.
allow syslogd_t inaddr_any_node_t:tcp_socket node_bind;
allow syslogd_t unspec_node_t:tcp_socket node_bind;
==========
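Added example, not part of the post above and not rsyslog or SELinux upstream code: a small Python stand-in for the aggregation that audit2allow performs, folding AVC denial records into a policy source of the same shape as the module above, so the mapping from each denial to a require entry and an allow rule is visible. The audit records are constructed to resemble the denials the module grants, and parse_avc / build_module are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not from the post); they mimic denials rsyslogd hit in syslogd_t.
SAMPLE_AVCS = """\
type=AVC msg=audit(1.1:1): avc:  denied  { search } for  pid=1 comm="rsyslogd" name="boot" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
type=AVC msg=audit(1.1:2): avc:  denied  { read } for  pid=1 comm="rsyslogd" name="System.map" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file
type=AVC msg=audit(1.1:3): avc:  denied  { getattr } for  pid=1 comm="rsyslogd" name="System.map" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file
type=AVC msg=audit(1.1:4): avc:  denied  { name_bind } for  pid=1 comm="rsyslogd" src=514 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1.1:5): avc:  denied  { node_bind } for  pid=1 comm="rsyslogd" saddr=0.0.0.0 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1.1:6): avc:  denied  { listen } for  pid=1 comm="rsyslogd" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=tcp_socket
"""

def parse_avc(line):
    """Return (source_type, target_type, tclass, {perms}) for one AVC denial, else None."""
    perms = re.search(r"denied\s+\{([^}]*)\}", line)
    sctx = re.search(r"scontext=(\S+)", line)
    tctx = re.search(r"tcontext=(\S+)", line)
    tcls = re.search(r"tclass=(\S+)", line)
    if not (perms and sctx and tctx and tcls):
        return None  # not an AVC record (e.g. a SYSCALL line)
    stype = sctx.group(1).split(":")[2]  # user:role:type:level -> type
    ttype = tctx.group(1).split(":")[2]
    return stype, ttype, tcls.group(1), set(perms.group(1).split())

def build_module(lines, name="rsyslog", version="1.0"):
    """Fold denials into allow rules and emit .te policy module source."""
    rules = defaultdict(set)            # (stype, ttype, tclass) -> permissions
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    classes = defaultdict(set)          # tclass -> union of perms, for the require block
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    types = sorted({t for key in rules for t in key[:2]})
    out = [f"module {name} {version};", "", "require {"]
    for tclass in sorted(classes):
        out.append(f"\tclass {tclass} {{ {' '.join(sorted(classes[tclass]))} }};")
    out.extend(f"\ttype {t};" for t in types)
    out.extend(["};", ""])
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype   # same type on both sides -> self
        out.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(build_module(SAMPLE_AVCS.splitlines()))
```

On a real system the equivalent workflow is audit2allow -M rsyslog < /var/log/audit/audit.log followed by semodule -i rsyslog.pp; review the generated rules before loading them, since the tool grants exactly what the log shows, whether or not each access is wanted.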