I am trying to get Rsyslog queues working on RHEL 5.5. Queues, sort of as the name implies, will queue messages, in my case they will queue messages if the central log server goes down (if you want the details take a look here: http://www.rsyslog.com/doc/rsyslog_reliable_forwarding.html). Now for the most part this queue remains in memory, but it can be written to disk. That of course is the rub with SELinux, it will deny access to arbitrary locations that I want to put files into. I don't really want to use a custom policy as that just creates overhead, so I searched for allow rules for syslogd_t and came up with the following options that looked promising: allow syslogd_t syslogd_var_lib_t : file { ioctl read write create getattr setattr lock append unlink link rename }; allow syslogd_t syslogd_var_lib_t : dir { ioctl read write getattr lock add_name remove_name search }; allow syslogd_t syslogd_var_run_t : file { ioctl read write create getattr setattr lock append unlink link rename }; allow syslogd_t syslogd_var_run_t : dir { ioctl read write getattr lock add_name remove_name search }; Excellent, so if I have a location labelled with either of those types I ought to be good (well I think so, I am kind of new to this). But again in the interest of not maintaining local changes across many systems I wanted the files labels to come from the default contexts, so after a little digging through /etc/selinux/targeted/contexts/files: /var/lib/syslog-ng(/.*)? system_u:object_r:syslogd_var_lib_t:s0 Bingo, sort of. What is a syslog-ng setup doing in a distribution that doesn't even ship with syslog-ng? Is this for third party installs of syslog-ng? I guess it doesn't really matter. Here are the questions after that long winded introduction: Is this the right way to go about setting this up? If we can have a syslog-ng specific file context is there any reason we can't have a rsyslog specific one given that rsyslog is actually shipping with RHEL? I know it is just names but it bothers my OCD ;). Thanks for the help, -Erinn -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
