On 09/24/2010 06:41 PM, Erinn Looney-Triggs wrote:
> I am trying to get Rsyslog queues working on RHEL 5.5. Queues, sort of
> as the name implies, will queue messages; in my case they will queue
> messages if the central log server goes down (if you want the details
> take a look here:
> http://www.rsyslog.com/doc/rsyslog_reliable_forwarding.html). Now for
> the most part this queue remains in memory, but it can be written to
> disk. That of course is the rub with SELinux: it will deny access to
> arbitrary locations that I want to put files into. I don't really want
> to use a custom policy as that just creates overhead, so I searched for
> allow rules for syslogd_t and came up with the following options that
> looked promising:
>
> allow syslogd_t syslogd_var_lib_t : file { ioctl read write create getattr setattr lock append unlink link rename };
> allow syslogd_t syslogd_var_lib_t : dir { ioctl read write getattr lock add_name remove_name search };
> allow syslogd_t syslogd_var_run_t : file { ioctl read write create getattr setattr lock append unlink link rename };
> allow syslogd_t syslogd_var_run_t : dir { ioctl read write getattr lock add_name remove_name search };
>
> Excellent, so if I have a location labelled with either of those types I
> ought to be good (well, I think so, I am kind of new to this). But again,
> in the interest of not maintaining local changes across many systems I
> wanted the file labels to come from the default contexts, so after a
> little digging through /etc/selinux/targeted/contexts/files:
>
> /var/lib/syslog-ng(/.*)? system_u:object_r:syslogd_var_lib_t:s0
>
> Bingo, sort of. What is a syslog-ng setup doing in a distribution that
> doesn't even ship with syslog-ng? Is this for third-party installs of
> syslog-ng? I guess it doesn't really matter. Here are the questions
> after that long-winded introduction: Is this the right way to go about
> setting this up?
> If we can have a syslog-ng specific file context, is
> there any reason we can't have an rsyslog specific one, given that rsyslog
> is actually shipping with RHEL? I know it is just names, but it bothers
> my OCD ;).

I guess tell rsyslog to store its queues in /var/lib/syslog-ng, and provided that it only needs to manage a file object, you should be good to go.

> Thanks for the help,
> -Erinn
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
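A disk-assisted forwarding queue pointed at the directory the reply suggests, as an added example that is not part of the thread; it uses the rsyslog 3.x legacy directives documented on the reliable-forwarding page Erinn links, and the hostname, queue file prefix and disk cap are placeholders.

```conf
# Added example rsyslog.conf fragment (legacy syntax, rsyslog 3.x as shipped on RHEL 5.5).
# Queue spill files are written under /var/lib/syslog-ng, which the default
# file contexts already label syslogd_var_lib_t, so no custom policy module is needed.
# Create the directory first and apply the default label:
#   mkdir -p /var/lib/syslog-ng && restorecon -Rv /var/lib/syslog-ng
# Then verify it with:
#   ls -Zd /var/lib/syslog-ng

# Directory where queue files are written; must precede the queue directives
$WorkDirectory /var/lib/syslog-ng

# In-memory queue that spills to disk when the server is unreachable
$ActionQueueType LinkedList
# Prefix of the on-disk queue files (placeholder name)
$ActionQueueFileName fwdRule1
# Upper bound for spilled queue data (placeholder value)
$ActionQueueMaxDiskSpace 1g
# Flush queued messages to disk on shutdown instead of dropping them
$ActionQueueSaveOnShutdown on
# Retry forever rather than discarding messages while the server is down
$ActionResumeRetryCount -1

# Forward everything to the central log server over TCP (placeholder hostname)
*.* @@logserver.example.com:514
```

If the queue still fails to spill, check `ausearch -m avc -c rsyslogd` for a denial on a different type; the dir rule quoted above already grants add_name and remove_name on syslogd_var_lib_t, so a denial usually means the directory carries a label other than the expected one.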