Help answer threads with 0 replies.
Go Back > Blogs > sag47
User Name


Rate this Entry

SELinux, syslog-ng, and the like

Posted 06-19-2012 at 10:12 AM by sag47
Updated 08-05-2012 at 12:58 AM by sag47

So recently in my home setup I installed a scheme for centralized logging. I use rsyslog or syslog on the client servers and syslog-ng on the central server. This is nothing new and has been done before.

rsyslog + syslog-ng = gold.

I have a script which parses the syslog-ng logs across all the servers, filters them, and then sends and email with a summary and unusual logs. Each time I got an email I would get, on average, ~200-500 log messages of SELinux errors and alerts.

The errors looked something like this.

Jun 19 08:00:01 stealth: setroubleshoot: SELinux is preventing /sbin/syslog-ng from using the fowner capability. For complete SELinux messages. run sealert -l 3e6b6041-071a-483d-a3f8-79e7ec50e2a6
Jun 19 08:00:01 stealth.home: setroubleshoot: dbus avc(node=stealth.home type=AVC msg=audit(1340107201.216:9899): avc:  denied  { fowner } for  pid=462 comm="syslog-ng" capability=3  scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability node=stealth.home type=SYSCALL msg=audit(1340107201.216:9899): arch=c000003e syscall=91 success=no exit=-1 a0=e a1=1a0 a2=3e9 a3=1 items=0 ppid=1 pid=462 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="syslog-ng" exe="/sbin/syslog-ng" subj=system_u:system_r:syslogd_t:s0 key=(null)
Jun 19 08:00:01 stealth.home: setroubleshoot: AuditRecordReceiver.feed() got node=stealth.home type=AVC msg=audit(1340107201.216:9899): avc:  denied  { fowner } for  pid=462 comm="syslog-ng" capability=3  scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability
And those messages repeated on. After googling around I found that certain policy stuff was out of date and that it needed to be modified for the current syslog-ng. I was looking up modifying the policy and started looking in the package repository (yum on Fedora 16) for the policy sources. I talked to a buddy who is better at SELinux than I and he said it's all about policy modules now. You no longer have to modify policy source code and rebuild the sources.

This is neat I thought, so I googled around and found this great article.

I then proceeded to build my policy module and install it. I did all commands as root user.

cd /root
mkdir selinux
cd selinux
man audit2allow
#you always want to look at the man page an understand the options before running any command
audit2allow -M syslog-ng-modified -l -i /var/log/audit/audit.log
#syslog-ng-modified.pp and syslog-ng-modified.te show up in the directory
vim syslog-ng-modified.te
semodule -i syslog-ng-modified.pp
Here is the source of syslog-ng-modified.te.
module syslog-ng-modified 1.0;

require {
        type syslogd_t;
        class capabilityfowner;

#============= syslogd_t ==============
allow syslogd_t self:capability fowner;
After running semodule -i the policy was installed. I was curious where it was installed so I looked it up.
locate syslog-ng-modified.pp
I found it at the following locattions.
  • /etc/selinux/targeted/modules/active/modules/syslog-ng-modified.pp
  • /root/selinux/syslog-ng-modified.pp

I further investigated what other modules there were but no need for me to keep ranting about that. Since then, my logs have been relatively quiet except for security concerns and I got SELinux and syslog-ng to play nice together. Pretty cool experience.

Views 9448 Comments 1
« Prev     Main     Next »
Total Comments 1


  1. Old Comment
    Note, setroubleshoot-server continued to be noisy on my server. After some research I found that setroubleshoot-server sends email alerts on AVC denies and other SELinux warnings. However, for a server it's not necessary to have installed.

    I removed it to cut down on log noise because I don't care if something gets denied. Let me rephrase that, I don't need to be emailed every time SELinux denies something because I won't change the security to allow certain things.

    Removed packages include:
    • setroubleshoot-server
    • setroubleshoot (depends on setroubleshoot-server)
    • setroubleshoot-plugins (depends on setroubleshoot-server)
    Posted 06-19-2012 at 10:23 AM by sag47 sag47 is offline
    Updated 06-19-2012 at 10:25 AM by sag47


All times are GMT -5. The time now is 09:38 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration