[rsyslog] rsyslog v3 and selinux

Johnny Tan linuxweb at gmail.com
Tue Mar 11 19:08:06 CET 2008

I took Fedora 8's rsyslog v2.0.2 SRPM and rebuilt it for v3.12.1

I'm using the same init script. When I used that init script 
(i.e., "/etc/init.d/rsyslog start") on v2.0.2, the only 
SELinux problem I had was the domain transition, as 
documented here:

However, when I rebuilt the RPM for v3.12.1, and used the 
same init script to run it, I get many SELinux errors. 
Eventually, I worked out all the things I had to allow for 
rsyslog v3.12.1 to run properly. It's enclosed below as a 
semanage module.

Just curious if there was some change to rsyslog between 
versions 2 and 3 which would make rsyslog, even when running 
properly in domain syslogd_exec_t, to cause so many SELinux 
denials, including not being able to do TCP bind??

Thanks for any clues,

p.s. Here's the module that finally worked. Will document on 
wiki when all is done.

module rsyslog 1.0;

require {
         class dir search;
         class file { getattr read write };
         class filesystem remount;
         class tcp_socket { create accept read setopt bind 
name_bind node_bind listen };
         type boot_t;
         type auditd_log_t;
         type var_log_t;
         type syslogd_t;
         type syslogd_port_t;
         type port_t;
         type mount_t;
         type system_map_t;
         type inaddr_any_node_t;
         type unspec_node_t;
         role system_r;

allow syslogd_t boot_t:dir search;
allow syslogd_t auditd_log_t:dir search;
allow syslogd_t auditd_log_t:file { getattr read };
allow syslogd_t self:tcp_socket { create accept read setopt 
bind listen };
allow syslogd_t syslogd_port_t:tcp_socket name_bind;
allow syslogd_t port_t:tcp_socket name_bind;
allow syslogd_t system_map_t:file { read getattr };
allow syslogd_t inaddr_any_node_t:tcp_socket node_bind;
allow syslogd_t unspec_node_t:tcp_socket node_bind;

More information about the rsyslog mailing list