On Mon, Sep 18, 2017 at 6:55 PM, Wilkinson, Matthew <MatthewWilkinson@xxxxxxxxxxxxxxxxx> wrote:
Has anyone seen SELinux log to /var/log/messages but *not* to /var/log/audit/audit.log? I have a situation that is being denied by SELinux and logging avc denials to /var/log/messages, however I can't determine a way to fix it because I get nothing for this denial logged to /var/log/audit/audit.log. This prevents me from generating a policy using audit2allow or sealert.
Situation: I have a RHEL 7-based server which is running bind-chroot and I'd like for rsyslog to collect and send the named.log and query.log to our centralized rsyslog server. With SELinux in enforcing mode, rsyslog cannot read the named logs.
Do I need to write my own custom SELinux policy?
Hi Matthew,
I am afraid a new policy would not help you. Is auditd running and writing other events (like intentionally triggered ones) to the audit.log?
Subsequent question: what do the AVCs look like? Creating a policy module might not be the best solution to your problem.
--
Zdenek Pytela, Technical support engineer and team lead
Customer Engagement and Experience, Red Hat Czech
E-mail: zpytela@xxxxxxxxxx, IRC: zpytela
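An added triage helper for the situation Matthew describes (example code, not from the thread or from Red Hat): when auditd is not holding the audit socket, the kernel prints AVC records through printk, so they show up in /var/log/messages instead of audit.log. The AVC lines below are constructed samples (hostname, PID, inode and contexts are made up), and the function names are my own.

```shell
#!/bin/sh
# Added example: pull AVC denials out of a syslog-format file (the printk path used when
# auditd is not consuming the audit netlink socket) and summarise them for review.

# Constructed sample of /var/log/messages content; values are made up for illustration.
SAMPLE_MESSAGES="$(cat <<'EOF'
Sep 18 18:55:01 ns1 kernel: audit: type=1400 audit(1505761801.123:456): avc:  denied  { read } for  pid=1234 comm="rsyslogd" name="named.log" dev="dm-0" ino=98765 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:named_log_t:s0 tclass=file permissive=0
Sep 18 18:55:01 ns1 kernel: audit: type=1400 audit(1505761801.124:457): avc:  denied  { open } for  pid=1234 comm="rsyslogd" path="/var/named/chroot/var/log/named.log" dev="dm-0" ino=98765 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:named_log_t:s0 tclass=file permissive=0
Sep 18 18:55:02 ns1 systemd: Started Session 5 of user root.
EOF
)"

# Is auditd present? Without it, records fall through to printk and only reach syslog/dmesg,
# which is why ausearch/sealert find nothing. (Not exercised by the sample data.)
auditd_running() { pgrep -x auditd >/dev/null 2>&1; }

# Keep only AVC records, trimmed to the "type=1400 audit(...)" part that audit2allow parses.
# Usage: extract_avc "$(cat /var/log/messages)" | audit2allow
extract_avc() {
  printf '%s\n' "$1" | sed -n 's/.*kernel: audit: \(type=1400 .*avc: .*\)/\1/p'
}

# Number of AVC records found in the given syslog text.
count_avc() { extract_avc "$1" | wc -l | tr -d ' '; }

# One line per unique (source ctx -> target ctx (class): permission) tuple, so the admin can
# judge whether the target file is simply mislabelled (restorecon / semanage fcontext) before
# reaching for a custom policy module.
summarise_avc() {
  extract_avc "$1" \
    | sed -n 's/.*{ \([^}]*\) }.*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\2 -> \3 (\4): \1/p' \
    | sort -u
}

if [ "${1:-}" = "--demo" ]; then
  if auditd_running; then echo "auditd is running; use: ausearch -m AVC -ts recent"; fi
  echo "AVC records in sample: $(count_avc "$SAMPLE_MESSAGES")"
  summarise_avc "$SAMPLE_MESSAGES"
fi
```

On a live host, replace the constructed sample with `"$(cat /var/log/messages)"`; the summary shows the domain/label pair, which is usually enough to decide between relabelling the log directory and writing a module.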
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx