On 09/20/2017 08:09 AM, Zdenek Pytela wrote:
On Mon, Sep 18, 2017 at 6:55 PM, Wilkinson, Matthew
<MatthewWilkinson@xxxxxxxxxxxxxxxxx> wrote:
Has anyone seen SELinux log to /var/log/messages but *not* to
/var/log/audit/audit.log? I have a situation that is being denied by
SELinux and logging avc denials to /var/log/messages, however I
can't determine a way to fix it because I get nothing for this
denial logged to /var/log/audit/audit.log. This prevents me from
generating a policy using audit2allow or sealert.
Situation: I have a RHEL 7-based server which is running bind-chroot
and I'd like for rsyslog to collect and send the named.log and
query.log to our centralized rsyslog server. With SELinux in
enforcing mode, rsyslog cannot read the named logs.
Do I need to write my own custom SELinux policy?
Hi Matthew,
I am afraid a new policy would not help you. Is auditd running and
writing other events (like intentionally triggered ones) to the audit.log?
Good question: is auditd running and writing other events? Also, it would
be very helpful if you attached your AVC. There can be a situation where
auditd is not yet running during boot, so AVCs are logged to the
journal/syslog.
Please attach AVC and we can move forward.
Lukas.
Subsequent question: what do the AVCs look like? Creating a policy module
might not be the best solution to your problem.
--
Zdenek Pytela, Technical support engineer and team lead
Customer Engagement and Experience, Red Hat Czech
E-mail: zpytela@xxxxxxxxxx, IRC: zpytela
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
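Since the whole thread turns on where the AVC landed (audit.log when auditd is up, the journal or /var/log/messages when it is not, for example early in boot), here is an added example, not code from the thread, from Red Hat, or from the audit/SELinux userspace tools, that locates denials in either place and prints the source context, target context, class and permissions the replies ask for. Assumptions, also labelled in the code: the two sample AVC lines are constructed (hostname, PIDs, inode and the syslogd_t/named_log_t type names are illustrative and are not the poster's actual denial, which is not on the page), the log paths are the RHEL 7 defaults, and `systemctl is-active auditd` and `audit2allow -w -i FILE` are used as documented.

```bash
#!/bin/bash
# Added example for this thread (not code from the list, Red Hat, or the
# audit/SELinux userspace). Finds AVC denials wherever they landed:
# audit.log while auditd is running, the journal/syslog (kernel messages
# via printk) when auditd was not up yet, and prints the fields worth
# attaching to a report. The two sample lines are constructed; hostname,
# PIDs, inode and the SELinux type names are illustrative only.

SAMPLE_SYSLOG='Sep 18 18:55:01 ns1 kernel: type=1400 audit(1505753701.123:42): avc:  denied  { read } for  pid=1234 comm="rsyslogd" name="named.log" dev="dm-0" ino=5678 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:named_log_t:s0 tclass=file'
SAMPLE_AUDIT='type=AVC msg=audit(1505753701.123:42): avc:  denied  { read open } for  pid=1234 comm="rsyslogd" name="named.log" dev="dm-0" ino=5678 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:named_log_t:s0 tclass=file permissive=0'

# Parse one AVC line (audit.log or syslog/journal format) and print
# "scontext tcontext tclass permissions". Returns 1 for non-AVC lines.
parse_avc() {
    local line=$1 perm scontext tcontext tclass
    case $line in
        *'avc:  denied  { '*) ;;
        *) return 1 ;;
    esac
    perm=${line#*'avc:  denied  { '}   # drop everything up to the brace
    perm=${perm%% \}*}                 # keep what precedes " }"
    scontext=${line#*scontext=}; scontext=${scontext%% *}
    tcontext=${line#*tcontext=}; tcontext=${tcontext%% *}
    tclass=${line#*tclass=};     tclass=${tclass%% *}
    printf '%s %s %s %s\n' "$scontext" "$tcontext" "$tclass" "$perm"
}

# Print the distinct denials found in a log file (audit.log,
# /var/log/messages, or saved "journalctl -k" output); other lines skipped.
denials_from_file() {
    local line
    while IFS= read -r line; do
        parse_avc "$line" || true
    done < "$1" | sort -u
}

# Which file holds the AVCs depends on whether auditd is up: the kernel
# hands audit records to auditd when it is running, otherwise to printk,
# which rsyslog/journald collect. Argument: output of "systemctl is-active auditd".
avc_log_source() {
    if [ "$1" = active ]; then
        echo /var/log/audit/audit.log
    else
        echo /var/log/messages
    fi
}

# Live run (needs root): ./avc-locate.sh run
if [ "${1:-}" = run ]; then
    state=$(systemctl is-active auditd 2>/dev/null || true)
    src=$(avc_log_source "$state")
    echo "auditd is ${state:-unknown}; reading AVCs from $src"
    denials_from_file "$src"
    # audit2allow reads syslog-format AVC lines too, so "why" works on either file:
    audit2allow -w -i "$src"
fi
```

Run it with `run` as root on the affected host; if the box logs to journald rather than /var/log/messages, save `journalctl -k` to a file and pass that to `denials_from_file`. With the contexts in hand, the replies' caveat stands: look at who the source and target types are before reaching for `audit2allow -M`, since a policy module may not be the right fix.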