SELinux, syslog-ng, and the like
So recently in my home setup I installed a scheme for centralized logging. I use rsyslog or syslog on the client servers and syslog-ng on the central server. This is nothing new and has been done before.
rsyslog + syslog-ng = gold.
I have a script which parses the syslog-ng logs across all the servers, filters them, and then sends an email with a summary and unusual logs. Each time I got an email I would get, on average, ~200-500 log messages of SELinux errors and alerts.
The errors looked something like this.
Code:
Jun 19 08:00:01 stealth: setroubleshoot: SELinux is preventing /sbin/syslog-ng from using the fowner capability. For complete SELinux messages. run sealert -l 3e6b6041-071a-483d-a3f8-79e7ec50e2a6
Jun 19 08:00:01 stealth.home: setroubleshoot: dbus avc(node=stealth.home type=AVC msg=audit(1340107201.216:9899): avc: denied { fowner } for pid=462 comm="syslog-ng" capability=3 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability node=stealth.home type=SYSCALL msg=audit(1340107201.216:9899): arch=c000003e syscall=91 success=no exit=-1 a0=e a1=1a0 a2=3e9 a3=1 items=0 ppid=1 pid=462 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="syslog-ng" exe="/sbin/syslog-ng" subj=system_u:system_r:syslogd_t:s0 key=(null)
Jun 19 08:00:01 stealth.home: setroubleshoot: AuditRecordReceiver.feed() got node=stealth.home type=AVC msg=audit(1340107201.216:9899): avc: denied { fowner } for pid=462 comm="syslog-ng" capability=3 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability
And those messages repeated on and on. After googling around I found that certain policy stuff was out of date and that it needed to be modified for the current syslog-ng. I was looking up modifying the policy and started looking in the package repository (yum on Fedora 16) for the policy sources. I talked to a buddy who is better at SELinux than I am and he said it's all about policy modules now. You no longer have to modify policy source code and rebuild the sources.
This is neat, I thought, so I googled around and found this great article.
http://fedorasolved.org/security-sol...odule-building
I then proceeded to build my policy module and install it. I ran all commands as the root user.
Code:
cd /root
mkdir selinux
cd selinux
man audit2allow   # you always want to look at the man page and understand the options before running any command
audit2allow -M syslog-ng-modified -l -i /var/log/audit/audit.log
ls                # syslog-ng-modified.pp and syslog-ng-modified.te show up in the directory
vim syslog-ng-modified.te
semodule -i syslog-ng-modified.pp
Here is the source of syslog-ng-modified.te.
Code:
module syslog-ng-modified 1.0;

require {
        type syslogd_t;
        class capability fowner;
}

#============= syslogd_t ==============
allow syslogd_t self:capability fowner;
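One thing worth doing before `semodule -i`: audit2allow turns every denial it reads into an allow rule, so the .te should be checked against what was actually denied, and a denial that only fired once deserves more scrutiny than one that fires every hour. The script below is an added example, not code from the original post. It reads raw audit.log-style records (auditd writes these regardless of whether setroubleshoot is installed), counts distinct denials by source type, class and permission, and prints the allow rules audit2allow would derive from them; the "self" target in the post's rule comes from the source and target types both being syslogd_t. The sample input is constructed: the post's fowner denial (repeated) and its SYSCALL record, plus a hypothetical write denial against var_log_t for contrast.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Summarize AVC denial records (audit.log format, the same input audit2allow
# reads) and show the allow rules they would turn into, so each rule can be
# reviewed before `semodule -i`.

# Constructed sample input: the post's fowner denial twice (it repeated), its
# SYSCALL record, and one hypothetical file-write denial against var_log_t.
# Not captured from a real system.
SAMPLE_AUDIT='type=AVC msg=audit(1340107201.216:9899): avc:  denied  { fowner } for  pid=462 comm="syslog-ng" capability=3  scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability
type=SYSCALL msg=audit(1340107201.216:9899): arch=c000003e syscall=91 success=no exit=-1 a0=e a1=1a0 a2=3e9 a3=1 items=0 ppid=1 pid=462 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="syslog-ng" exe="/sbin/syslog-ng" subj=system_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1340107300.100:9901): avc:  denied  { fowner } for  pid=462 comm="syslog-ng" capability=3  scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability
type=AVC msg=audit(1340107400.500:9950): avc:  denied  { write } for  pid=462 comm="syslog-ng" name="messages" dev="sda1" ino=1234 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# avc_fields: stdin -> one line "stype ttype tclass perm" per permission of
# every AVC "denied" record. SYSCALL and other record types are skipped.
avc_fields() {
    awk '
        /type=AVC/ && /denied/ {
            perms = ""; stype = ""; ttype = ""; tclass = ""
            # permissions sit inside the braces: { fowner } or { read write }
            if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART + 1, RLENGTH - 2)
            for (i = 1; i <= NF; i++) {
                # contexts are user:role:type:level; keep only the type
                if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); stype = c[3] }
                if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
                if ($i ~ /^tclass=/)   tclass = substr($i, 8)
            }
            n = split(perms, p, " ")
            for (j = 1; j <= n; j++) print stype, ttype, tclass, p[j]
        }'
}

# summarize_avc: count distinct (source type, class, permission) denials,
# most frequent first, e.g. "2 syslogd_t capability fowner".
summarize_avc() {
    avc_fields | awk '{ count[$1 " " $3 " " $4]++ } END { for (k in count) print count[k], k }' | sort -rn
}

# to_allow_rules: the allow statements audit2allow would derive (one rule
# per permission here; audit2allow groups permissions of one rule in braces).
# "self" is used when source and target type match, as in the post's rule.
to_allow_rules() {
    avc_fields | sort -u | awk '{
        target = ($2 == $1) ? "self" : $2
        print "allow " $1 " " target ":" $3 " " $4 ";"
    }'
}

# Demo on the constructed sample. On a real host, feed it the audit log
# instead, e.g.:  ausearch -m avc -ts today | ./this_script
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
printf '%s\n' "$SAMPLE_AUDIT" | to_allow_rules
```

The summary is what you compare the generated .te against: a rule in the .te that does not correspond to a denial you recognise as legitimate syslog-ng behaviour should be deleted from the .te (and the .pp rebuilt with checkmodule/semodule_package) rather than installed.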
After running semodule -i the policy was installed. I was curious where it was installed, so I looked it up.
Code:
updatedb
locate syslog-ng-modified.pp
I found it at the following locations.
- /etc/selinux/targeted/modules/active/modules/syslog-ng-modified.pp
- /root/selinux/syslog-ng-modified.pp
I further investigated what other modules there were, but there is no need for me to keep ranting about that. Since then, my logs have been relatively quiet except for security concerns, and I got SELinux and syslog-ng to play nice together. Pretty cool experience.
SAM
Comments
Note, setroubleshoot-server continued to be noisy on my server. After some research I found that setroubleshoot-server sends email alerts on AVC denials and other SELinux warnings. However, for a server it's not necessary to have it installed.
I removed it to cut down on log noise because I don't care if something gets denied. Let me rephrase that, I don't need to be emailed every time SELinux denies something because I won't change the security to allow certain things.
Removed packages include:
- setroubleshoot-server
- setroubleshoot (depends on setroubleshoot-server)
- setroubleshoot-plugins (depends on setroubleshoot-server)
Posted 06-19-2012 at 10:23 AM by sag47
Updated 06-19-2012 at 10:25 AM by sag47