Hi,

If it helps, here's what somebody on our team (but new to SELinux) said:

I tried adding every permission I could think of to the policy, but Rsyslog still complained about missing a permission. To fix this, in the end, I set selinux to allow all access to Rsyslog:

> semanage permissive -d syslogd_t

I don't know enough about SELinux to be able to tell if the above is great, OK, or bad and should not be done. And if it's bad, yes, I would imagine a better approach would be useful to document... Jeremy, maybe you know?

Thanks,
Otis
--
Monitoring * Alerting * Anomaly Detection * Centralized Log Management
Solr & Elasticsearch Support * http://sematext.com/

On Tue, Feb 3, 2015 at 2:38 AM, Rainer Gerhards <[email protected]> wrote:

> 2015-02-03 4:40 GMT+01:00 Jeremy Hoel <[email protected]>:
>
> > You should really fix the ACL and turn selinux back on. Depending on the
> > path you are trying to read, it's not too hard to add some permissions
> > based on the audit.log and make the module needed to let rsyslog run
> > happily.
>
> Would someone be willing to provide some instructions on how to do this
> (in cookbook terms) -- or even add this to the rsyslog doc?
>
> If someone has a website link that just explains what to do, this may be
> sufficient (we could link to it from a couple of relevant pages of the
> doc).
>
> Rainer
>
> > On Mon, Feb 2, 2015 at 8:37 PM, Otis Gospodnetic <[email protected]> wrote:
> >
> > > Hi,
> > >
> > > This is CentOS 6.5 (Final).
> > >
> > > Indeed it was SELinux. Silenced it via echo 0 > /selinux/enforce and
> > > now rsyslog is happy.
> > >
> > > Thanks David!
> > >
> > > Otis
> > > --
> > > Monitoring * Alerting * Anomaly Detection * Centralized Log Management
> > > Solr & Elasticsearch Support * http://sematext.com/
> > >
> > > On Mon, Feb 2, 2015 at 6:56 PM, David Lang <[email protected]> wrote:
> > >
> > > > On Mon, 2 Feb 2015, Otis Gospodnetic wrote:
> > > >
> > > >> This may be related, from /var/log/audit/audit.log:
> > > >>
> > > >> type=AVC msg=audit(1422920373.711:10802239): avc: denied { read } for
> > > >> pid=4704 comm="in:imfile" path="inotify" dev=inotifyfs ino=1
> > > >> scontext=unconfined_u:system_r:syslogd_t:s0
> > > >> tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
> > > >> type=SYSCALL msg=audit(1422920373.711:10802239): arch=c000003e syscall=0
> > > >> success=no exit=-13 a0=4 a1=7faa0438e930 a2=2000 a3=f items=0 ppid=1
> > > >> pid=4704 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> > > >> tty=(none) ses=484294 comm="in:imfile" exe="/sbin/rsyslogd"
> > > >> subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
> > > >>
> > > >> I found this after noticing log messages started appearing in
> > > >> /var/log/messages every 5 seconds (after I added the imfile input listed
> > > >> below), causing /var/log/audit/audit.log to grow rapidly and rotate
> > > >> every 5 seconds or so:
> > > >>
> > > >> Feb 2 23:40:04 logsene-reports auditd[18337]: Audit daemon rotating log files
> > > >>
> > > >> Anyone know what this is about?
> > > >
> > > > that looks like a SELinux or AppArmor permission problem.
> > > >
> > > > David Lang
> > > >
> > > >> Thanks,
> > > >> Otis
> > > >> --
> > > >> Monitoring * Alerting * Anomaly Detection * Centralized Log Management
> > > >> Solr & Elasticsearch Support * http://sematext.com/
> > > >>
> > > >> On Mon, Feb 2, 2015 at 6:34 PM, Otis Gospodnetic <[email protected]> wrote:
> > > >>
> > > >>> Hi,
> > > >>>
> > > >>> Trying to tell the latest 8.7.0 rsyslog's imfile as follows, but it's
> > > >>> complaining about Permission denied.... which looks wrong...
> > > >>>
> > > >>> module(load="imfile" mode="inotify" PollingInterval="10")
> > > >>>
> > > >>> input(type="imfile"
> > > >>>       File="/mnt/opt/jetty/logs/jetty.stderrout.log"
> > > >>>       Tag="jetty:"
> > > >>>       ReadMode="0")
> > > >>>
> > > >>> Feb 2 23:28:12 qqq-reports rsyslogd-2046: imfile warning: directory
> > > >>> '/mnt/opt/jetty/logs': Permission denied [try http://www.rsyslog.com/e/2046 ]
> > > >>>
> > > >>> [ec2-user@qqq-reports ~]$ ls -al /mnt/opt/ | grep jetty
> > > >>> drwxr-xr-x. 12 root root 4096 Jan 31 13:48 jetty
> > > >>>
> > > >>> [ec2-user@qqq-reports ~]$ ls -al /mnt/opt/jetty/ | grep logs
> > > >>> drwxr-xr-x. 2 root root 12288 Jan 31 22:14 logs
> > > >>>
> > > >>> [ec2-user@qqq-reports ~]$ ls -al /mnt/opt/jetty/logs/jetty.log
> > > >>> -rw-r--r--. 1 root root 194510 Jan 31 22:18 /mnt/opt/jetty/logs/jetty.log
> > > >>>
> > > >>> I don't see any info in /var/log/messages about rsyslog dropping
> > > >>> privileges when I restart it.
> > > >>> Plus, everything is readable and the parent directory has the +x for
> > > >>> everyone on it.
> > > >>>
> > > >>> What am I doing wrong?
> > > >>>
> > > >>> Thanks,
> > > >>> Otis
> > > >>> --
> > > >>> Monitoring * Alerting * Anomaly Detection * Centralized Log Management
> > > >>> Solr & Elasticsearch Support * http://sematext.com/
> > > >>>
> > > >>> _______________________________________________
> > > >>> rsyslog mailing list
> > > >>> http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > >>> http://www.rsyslog.com/professional-services/
> > > >>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > > >>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > > >>> DON'T LIKE THAT.
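Jeremy's suggestion in the thread (take the denial from audit.log and build a targeted module rather than making syslogd_t permissive or disabling enforcement) is what audit2allow automates. The Python below is an added illustration, not code from the thread or from the rsyslog or SELinux projects: it parses the AVC record Otis posted (copied here as a constructed sample) and renders the minimal .te rule it implies, the same shape `ausearch -m avc -c in:imfile | audit2allow -M rsyslog_local` would produce before `semodule -i rsyslog_local.pp` loads it.

```python
import re
from collections import defaultdict

# Constructed copy of the AVC denial quoted in the thread (audit.log format).
SAMPLE_AVC = (
    'type=AVC msg=audit(1422920373.711:10802239): avc: denied { read } for '
    'pid=4704 comm="in:imfile" path="inotify" dev=inotifyfs ino=1 '
    'scontext=unconfined_u:system_r:syslogd_t:s0 '
    'tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<sctx>\S+).*?tcontext=(?P<tctx>\S+).*?tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (source_type, target_type, class, perms) for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None  # SYSCALL records and non-AVC lines carry no denial to translate
    # A context is user:role:type[:level]; policy rules are written on the type.
    src, tgt = m.group('sctx').split(':')[2], m.group('tctx').split(':')[2]
    return src, tgt, m.group('tclass'), frozenset(m.group('perms').split())

def collect_rules(lines):
    """Merge denials into one permission set per (source, target, class) triple."""
    rules = defaultdict(set)
    for parsed in filter(None, map(parse_avc, lines)):
        src, tgt, cls, perms = parsed
        rules[(src, tgt, cls)] |= perms
    return rules

def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def render_te(module_name, rules):
    """Render a .te module: require block plus the narrowest allow rule per triple."""
    types = sorted({t for (src, tgt, _) in rules for t in (src, tgt)})
    class_perms = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        class_perms[cls] |= perms
    out = [f'module {module_name} 1.0;', '', 'require {']
    out += [f'    type {t};' for t in types]
    out += [f'    class {c} {fmt_perms(p)};' for c, p in sorted(class_perms.items())]
    out += ['}', '']
    out += [f'allow {s} {t}:{c} {fmt_perms(p)};' for (s, t, c), p in sorted(rules.items())]
    return '\n'.join(out) + '\n'
```

Read the rendered allow rule against what the daemon legitimately needs before loading it; a denial caused by a mislabelled path is better fixed with restorecon than with a new rule.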

