On Tue, 2013-03-19 at 11:05 -0400, Daniel Neuberger wrote:
> I think this is because the syslog-ng daemon is running in the wrong
> domain. It never transitions from the initrc_t domain:
>
> [root@foo log]$ ps -efZ | grep syslog
> system_u:system_r:initrc_t:s0 root 4912 1 0 16:20 ? 00:00:00 supervising syslog-ng
> system_u:system_r:initrc_t:s0 root 4913 4912 0 16:20 ? 00:00:00 /opt/syslog-ng/sbin/syslog-ng --no-caps
>
> The problem - I think - is that we're using a syslog-ng rpm from the
> vendor's website that installs to /opt rather than /usr as the
> targeted policy seems to expect, meaning the daemon and everything has
> the wrong file contexts. I tried fixing this by updating the contexts
> based off the settings in the logging.fc file from the policy src.rpm,
> but that didn't help:
>
> [root@foo ~]$ chcon system_u:object_r:syslog_conf_t:s0 /opt/syslog-ng/etc/*
> [root@foo ~]$ chcon system_u:object_r:syslogd_exec_t:s0 /opt/syslog-ng/sbin/*
> [root@foo ~]$ chcon system_u:object_r:syslogd_var_lib_t:s0 /opt/syslog-ng/var/syslog-ng.persist
> [root@foo ~]$ chcon system_u:object_r:syslogd_var_lib_t:s0 /opt/syslog-ng/var/run/*
> [root@foo ~]$ run_init /etc/init.d/syslog-ng restart
> Authenticating foobar.
> Password:
> Restarting syslog-ng: Stopping syslog-ng: [ OK ]
> Starting syslog-ng: [ OK ]
> [root@foo ~]$ ls -Z /dev/log
> srw-rw-rw- root root user_u:object_r:device_t:s0 /dev/log
> [root@foo ~]$ ps -efZ | grep syslog
> user_u:system_r:initrc_t:s0 root 6594 1 0 14:35 ? 00:00:00 supervising syslog-ng
> user_u:system_r:initrc_t:s0 root 6595 6594 0 14:35 ? 00:00:00 /opt/syslog-ng/sbin/syslog-ng --no-caps

Domain type transitions happen on execve. So you need to make sure that
both the init script as well as the syslog executable file are labeled
properly. It's like this:

init_t -> initrc_exec_t -> initrc_t -> syslog_exec_t -> syslogd_t

You seem to be hanging at initrc_t, so I suspect that your syslog
executable file is mislabeled.

Verify the syslogd init script file and see what it runs when it starts
syslog, then see if that file has a proper label.

> Thanks.
>
> - Daniel
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
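As an added illustration of the check suggested in the reply (not code from the thread or from syslog-ng), the script below parses `ps -efZ` and `ls -Z` output and compares each daemon's actual domain with the domain its executable's label should produce when exec'd from initrc_t. It assumes syslogd_exec_t as the daemon's exec type, as used in the chcon commands above, and the sample output at the bottom is constructed from the thread.

```python
# Assumption: the daemon's exec type is syslogd_exec_t (as in the chcon above).
# (caller domain, type of the file being exec'd) -> domain after execve
TRANSITION_CHAIN = {
    ("init_t", "initrc_exec_t"): "initrc_t",
    ("initrc_t", "syslogd_exec_t"): "syslogd_t",
}

def context_type(ctx):
    """Type field of an SELinux context written user:role:type[:level]."""
    return ctx.split(":")[2]

def parse_ps_efz(output):
    """(domain, pid, argv0) per `ps -efZ` line; a rewritten title is not a path."""
    procs = []
    for line in output.strip().splitlines():
        parts = line.split(None, 8)
        if len(parts) == 9 and parts[0] != "LABEL":
            procs.append((context_type(parts[0]), int(parts[2]), parts[8].split()[0]))
    return procs

def parse_ls_z(output):
    """{path: type} from `ls -Z` lines of the form: mode user group context path."""
    files = {}
    for line in output.strip().splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and ":" in parts[3]:
            files[parts[4]] = context_type(parts[3])
    return files

def expected_domain(caller_domain, exec_type):
    """Domain after execve: the chain's target, else the caller keeps its own domain."""
    return TRANSITION_CHAIN.get((caller_domain, exec_type), caller_domain)

def diagnose(ps_output, ls_output, caller_domain="initrc_t"):
    """One finding per daemon whose domain does not match what its label should yield."""
    labels = parse_ls_z(ls_output)
    findings = []
    for domain, pid, argv0 in parse_ps_efz(ps_output):
        if not argv0.startswith("/"):
            continue  # process title such as 'supervising syslog-ng', not an executable
        exec_type = labels.get(argv0, "unknown")
        want = expected_domain(caller_domain, exec_type)
        if want == caller_domain:
            findings.append(f"pid {pid} {argv0}: label {exec_type} defines no transition out of {caller_domain}")
        elif domain != want:
            findings.append(f"pid {pid} {argv0}: runs as {domain}, label {exec_type} should give {want}")
    return findings

# Constructed samples: the thread's ps output; binary labeled as /opt usually is, and as after chcon.
PS_SAMPLE = """system_u:system_r:initrc_t:s0 root 4912 1 0 16:20 ? 00:00:00 supervising syslog-ng
system_u:system_r:initrc_t:s0 root 4913 4912 0 16:20 ? 00:00:00 /opt/syslog-ng/sbin/syslog-ng --no-caps"""
LS_UNLABELED = "-rwxr-xr-x root root system_u:object_r:usr_t:s0 /opt/syslog-ng/sbin/syslog-ng"
LS_RELABELED = "-rwxr-xr-x root root system_u:object_r:syslogd_exec_t:s0 /opt/syslog-ng/sbin/syslog-ng"
```

With the binary still labeled usr_t the finding says no transition is defined; with it relabeled but the process still in initrc_t the finding points at the init script exec'ing something other than that file, which is exactly what the reply asks Daniel to verify.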