You should really fix the ACL and turn SELinux back on.  Depending on the
path you are trying to read, it's not too hard to add some permissions based
on the audit.log and make the module needed to let rsyslog run happily.

On Mon, Feb 2, 2015 at 8:37 PM, Otis Gospodnetic <[email protected]> wrote:

> Hi,
>
> This is CentOS 6.5 (Final).
>
> Indeed it was SELinux.  Silenced it via echo 0 > /selinux/enforce and now
> rsyslog is happy.
>
> Thanks David!
>
> Otis
> --
> Monitoring * Alerting * Anomaly Detection * Centralized Log Management
> Solr & Elasticsearch Support * http://sematext.com/
>
>
> On Mon, Feb 2, 2015 at 6:56 PM, David Lang <[email protected]> wrote:
>
> > On Mon, 2 Feb 2015, Otis Gospodnetic wrote:
> >
> >> This may be related, from /var/log/audit/audit.log:
> >>
> >> type=AVC msg=audit(1422920373.711:10802239): avc:  denied  { read } for
> >> pid=4704 comm="in:imfile" path="inotify" dev=inotifyfs ino=1
> >> scontext=unconfined_u:system_r:syslogd_t:s0
> >> tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
> >> type=SYSCALL msg=audit(1422920373.711:10802239): arch=c000003e syscall=0
> >> success=no exit=-13 a0=4 a1=7faa0438e930 a2=2000 a3=f items=0 ppid=1
> >> pid=4704 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> >> tty=(none) ses=484294 comm="in:imfile" exe="/sbin/rsyslogd"
> >> subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
> >>
> >> I found this after noticing log message started appearing in
> >> /var/log/messages every 5 seconds (after I added the imfile input listed
> >> below) causing /var/log/audit/audit.log to grow rapidly and rotate every 5
> >> seconds or so:
> >>
> >> Feb  2 23:40:04 logsene-reports auditd[18337]: Audit daemon rotating log
> >> files
> >>
> >>
> >> Anyone knows what this is about?
> >>
> >
> > that looks like a SELinux or AppArmor permission problem.
> >
> > David Lang
> >
> >> Thanks,
> >> Otis
> >> --
> >> Monitoring * Alerting * Anomaly Detection * Centralized Log Management
> >> Solr & Elasticsearch Support * http://sematext.com/
> >>
> >>
> >> On Mon, Feb 2, 2015 at 6:34 PM, Otis Gospodnetic <[email protected]> wrote:
> >>
> >>> Hi,
> >>>
> >>> Trying to tell the latest 8.7.0 rsyslog's imfile as follows, but it's
> >>> complaining about Permission denied.... which looks wrong...
> >>>
> >>> module(load="imfile" mode="inotify" PollingInterval="10")
> >>>
> >>> input(type="imfile"
> >>>       File="/mnt/opt/jetty/logs/jetty.stderrout.log"
> >>>       Tag="jetty:"
> >>>       ReadMode="0")
> >>>
> >>> Feb  2 23:28:12 qqq-reports rsyslogd-2046: imfile warning: directory
> >>> '/mnt/opt/jetty/logs': Permission denied [try
> >>> http://www.rsyslog.com/e/2046 ]
> >>>
> >>> [ec2-user@qqq-reports ~]$ ls -al /mnt/opt/ | grep jetty
> >>> drwxr-xr-x. 12 root root 4096 Jan 31 13:48 jetty
> >>>
> >>> [ec2-user@qqq-reports ~]$ ls -al /mnt/opt/jetty/ | grep logs
> >>> drwxr-xr-x.  2 root root  12288 Jan 31 22:14 logs
> >>>
> >>> [ec2-user@qqq-reports ~]$ ls -al /mnt/opt/jetty/logs/jetty.log
> >>> -rw-r--r--. 1 root root 194510 Jan 31 22:18 /mnt/opt/jetty/logs/jetty.log
> >>>
> >>> I don't see any info in /var/log/messages about rsyslog dropping
> >>> privileges when I restart it.
> >>> Plus, everything is readable and the parent directory has the +x for
> >>> everyone on it.
> >>>
> >>> What am I doing wrong?
> >>>
> >>> Thanks,
> >>> Otis
> >>> --
> >>> Monitoring * Alerting * Anomaly Detection * Centralized Log Management
> >>> Solr & Elasticsearch Support * http://sematext.com/
> >>>
> >>>
> >>>  _______________________________________________
> >> rsyslog mailing list
> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com/professional-services/
> >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >> DON'T LIKE THAT.
> >>

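The approach suggested in the reply at the top of this thread (deriving a narrow policy module from the audit.log denials instead of turning enforcement off), as an added example that is not part of the original thread. It mirrors what `audit2allow -M` does; the module name `rsyslog_imfile` and the second log record are assumptions made for illustration.

```python
import re
from collections import defaultdict

# First record: the AVC denial quoted in the thread (mail line wraps joined).
# Second record: constructed, unrelated process, to exercise the comm filter.
SAMPLE_AUDIT_LOG = (
    'type=AVC msg=audit(1422920373.711:10802239): avc:  denied  { read } for '
    'pid=4704 comm="in:imfile" path="inotify" dev=inotifyfs ino=1 '
    'scontext=unconfined_u:system_r:syslogd_t:s0 '
    'tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir\n'
    'type=AVC msg=audit(1422920400.100:10802300): avc:  denied  { getattr open } '
    'for pid=999 comm="httpd" path="/srv/x" dev=xvda1 ino=7 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:default_t:s0 tclass=file\n'
)
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)')

def collect_denials(log_text, comm):
    """Group denied permissions by (source type, target type, class) for one comm."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("comm") != comm:
            continue
        # An SELinux context is user:role:type[:level]; rules are written on types.
        src, tgt = (m.group(g).split(":")[2] for g in ("src", "tgt"))
        rules[(src, tgt, m.group("cls"))].update(m.group("perms").split())
    return dict(rules)

def render_module(name, rules):
    """Emit type-enforcement (.te) source allowing exactly the collected denials."""
    types = sorted({x for s, t, _ in rules for x in (s, t)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # Review the output, then: checkmodule -M -m -o X.mod X.te;
    # semodule_package -o X.pp -m X.mod; semodule -i X.pp; setenforce 1
    print(render_module("rsyslog_imfile", collect_denials(SAMPLE_AUDIT_LOG, "in:imfile")))
```

In enforcing mode a process usually stops at its first denial, so further AVC records may appear once this rule is loaded; rerun the collection over the new records and review each added permission before installing it.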