SELinux, syslog-ng, and the like

Posted 06-19-2012 at 11:12 AM by sag47
Updated 08-05-2012 at 01:58 AM by sag47

So recently in my home setup I installed a scheme for centralized logging. I use rsyslog or syslog on the client servers and syslog-ng on the central server. This is nothing new and has been done before.

rsyslog + syslog-ng = gold.

I have a script which parses the syslog-ng logs across all the servers, filters them, and then sends an email with a summary and unusual logs. Each time I got an email I would get, on average, ~200-500 log messages of SELinux errors and alerts.

The errors looked something like this.

Code:
Jun 19 08:00:01 stealth: setroubleshoot: SELinux is preventing /sbin/syslog-ng from using the fowner capability. For complete SELinux messages. run sealert -l 3e6b6041-071a-483d-a3f8-79e7ec50e2a6
Jun 19 08:00:01 stealth.home: setroubleshoot: dbus avc(node=stealth.home type=AVC msg=audit(1340107201.216:9899): avc:  denied  { fowner } for  pid=462 comm="syslog-ng" capability=3  scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability node=stealth.home type=SYSCALL msg=audit(1340107201.216:9899): arch=c000003e syscall=91 success=no exit=-1 a0=e a1=1a0 a2=3e9 a3=1 items=0 ppid=1 pid=462 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="syslog-ng" exe="/sbin/syslog-ng" subj=system_u:system_r:syslogd_t:s0 key=(null)
Jun 19 08:00:01 stealth.home: setroubleshoot: AuditRecordReceiver.feed() got node=stealth.home type=AVC msg=audit(1340107201.216:9899): avc:  denied  { fowner } for  pid=462 comm="syslog-ng" capability=3  scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability
And those messages repeated on. After googling around I found that the shipped SELinux policy for syslog-ng was out of date and needed to be modified for the current syslog-ng. I was looking up modifying the policy and started looking in the package repository (yum on Fedora 16) for the policy sources. I talked to a buddy who is better at SELinux than I and he said it's all about policy modules now. You no longer have to modify policy source code and rebuild the sources.

This is neat I thought, so I googled around and found this great article.
http://fedorasolved.org/security-sol...odule-building

I then proceeded to build my policy module and install it. I did all commands as root user.

Code:
cd /root
mkdir selinux
cd selinux
man audit2allow
#you always want to look at the man page and understand the options before running any command
audit2allow -M syslog-ng-modified -l -i /var/log/audit/audit.log
ls
#syslog-ng-modified.pp and syslog-ng-modified.te show up in the directory
vim syslog-ng-modified.te
semodule -i syslog-ng-modified.pp
Here is the source of syslog-ng-modified.te.
Code:
module syslog-ng-modified 1.0;

require {
        type syslogd_t;
        class capability fowner;
}

#============= syslogd_t ==============
allow syslogd_t self:capability fowner;
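To make the audit2allow step above less of a black box, here is an added example (not the post's script, and not audit2allow itself) that parses AVC denial records like the one quoted earlier into allow rules and renders them in the same .te layout, so you can see exactly what a generated module would grant before running semodule -i. The sample log is constructed; the second record is an invented file denial included only to show the multi-permission output form.

```python
# Added example (not the post's script): audit2allow-style parsing of AVC
# denials into a .te module you can read and trim before semodule -i.
import re
from collections import defaultdict

# Constructed sample log: line 1 mirrors the post's fowner denial, line 2 is an
# invented file denial (multi-permission case), line 3 is a non-AVC record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1340107201.216:9899): avc:  denied  { fowner } for  pid=462 comm="syslog-ng" capability=3  scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability
type=AVC msg=audit(1340107202.001:9900): avc:  denied  { read write } for  pid=462 comm="syslog-ng" name="constructed" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1340107202.001:9900): arch=c000003e syscall=91 success=no exit=-1 comm="syslog-ng"
"""
# Also matches the "dbus avc(... type=AVC ...)" form that setroubleshoot logs.
AVC_RE = re.compile(
    r"type=AVC\b.*?\bdenied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"\bscontext=(?P<sctx>\S+).*?\btcontext=(?P<tctx>\S+).*?\btclass=(?P<tclass>\S+)"
)

def parse_denials(audit_text):
    """Return {(source_type, target, tclass): set(perms)}; same-type pairs become 'self'."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, ... records grant nothing
        stype, ttype = (m.group(k).split(":")[2] for k in ("sctx", "tctx"))
        target = "self" if stype == ttype else ttype
        rules[(stype, target, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)

def _perm_list(perms):  # one permission bare, several braced, as audit2allow prints
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def render_te(module_name, rules, version="1.0"):
    """Render rules as a .te module in audit2allow's layout."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules if t != "self"})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"        type {t};" for t in types]
    out += [f"        class {c} {_perm_list(sorted(p))};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for stype in sorted({s for s, _, _ in rules}):
        out.append(f"#============= {stype} ==============")
        for (s, target, tclass), perms in sorted(rules.items()):
            if s == stype:
                out.append(f"allow {s} {target}:{tclass} {_perm_list(sorted(perms))};")
    return "\n".join(out) + "\n"
```

Feeding only the first sample record through render_te reproduces the syslog-ng-modified.te shown above; every extra allow line in a real run is a denial you should decide on individually rather than grant wholesale.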
After running semodule -i the policy was installed. I was curious where it was installed so I looked it up.
Code:
updatedb
locate syslog-ng-modified.pp
I found it at the following locations.
  • /etc/selinux/targeted/modules/active/modules/syslog-ng-modified.pp
  • /root/selinux/syslog-ng-modified.pp

I further investigated what other modules there were but no need for me to keep ranting about that. Since then, my logs have been relatively quiet except for security concerns and I got SELinux and syslog-ng to play nice together. Pretty cool experience.

SAM

Comments

    Note, setroubleshoot-server continued to be noisy on my server. After some research I found that setroubleshoot-server sends email alerts on AVC denies and other SELinux warnings. However, for a server it's not necessary to have it installed.

    I removed it to cut down on log noise because I don't care if something gets denied. Let me rephrase that, I don't need to be emailed every time SELinux denies something because I won't change the security to allow certain things.

    Removed packages include:
    • setroubleshoot-server
    • setroubleshoot (depends on setroubleshoot-server)
    • setroubleshoot-plugins (depends on setroubleshoot-server)
    Posted 06-19-2012 at 11:23 AM by sag47
    Updated 06-19-2012 at 11:25 AM by sag47