List: syslog-ng
Subject: [syslog-ng]FYI: Fedora Core 3, syslog-ng, and SELinux
From: "Jose Pedro Oliveira" <jpo () di ! uminho ! pt>
Date: 2005-04-23 21:29:09
Message-ID: 1545.213.13.86.79.1114291749.squirrel () webmail ! lsd ! di ! uminho ! pt
FYI: Fedora Core 3, syslog-ng, and SELinux
------------------------------------------------------------
It is now possible to run syslog-ng on Fedora Core 3 with
SELinux in ENFORCING mode. The only installation requirements
that should be met are the following:

1) upgrade selinux-policy-targeted to 1.17.30-2.96

2) enable the selinux use_syslogng boolean

       setsebool -P use_syslogng 1

3) build and install the syslog-ng RPM

   libol RPMS are available in Fedora Extras mirrors
   syslog-ng SRPM is available for download here
   https://bugzilla.fedora.us/show_bug.cgi?id=1332

Note:
   This boolean has existed since at least selinux-policy-targeted
   1.17.30-2.90, but it is only from release 2.96 that all the
   syslog_ng rules for a standard RedHat/Fedora syslog/syslog-ng
   configuration are in place.

References:

* /etc/selinux/targeted/src/policy/domains/program/syslogd.te
  (from selinux-policy-targeted-sources-1.17.30-2.96)

  ----------
  ...
  bool use_syslogng false;

  if (use_syslogng) {
      # Allow access to /proc/kmsg for syslog-ng
      allow syslogd_t proc_t:dir search;
      allow syslogd_t proc_kmsg_t:file { getattr read };
      allow syslogd_t kernel_t:system { syslog_mod syslog_console };
      allow syslogd_t self:capability { sys_admin chown fsetid };
      allow syslogd_t var_log_t:dir { create setattr };
  }
  ----------

* selinux-policy-targeted prevents syslog-ng from using /proc/kmsg
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=141064

* selinux-policy-targeted and syslog-ng (take 2)
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152185

--
José Pedro Oliveira
* mailto: jpo@di.uminho.pt * http://gsd.di.uminho.pt/~jpo *
* gpg fingerprint = F9B6 8D87 859D 1C94 48F0 84C0 9749 9EB5 91BD 851B *
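
Added example (not part of the original post, and not code from the syslog-ng or Fedora projects): a preflight check for requirements 1 and 2 above, showing that an enabled boolean on policy release 2.90 still fails. The function names are hypothetical, the version comparison assumes purely numeric fields, and the "on"/"active" wording of getsebool output is an assumption about the installed tool.

```sh
#!/bin/sh
REQUIRED_POLICY="1.17.30-2.96"   # minimum selinux-policy-targeted release named in the post

# ver_ge A B: succeed if version-release A >= B; return 2 on non-numeric input.
# Assumption: fields are integers separated by '.' or '-', as in the post's
# versions. This is a simplification, not a full rpm version comparison.
ver_ge() {
    case "$1$2" in *[!0-9.-]*|"") return 2 ;; esac
    a=$(printf '%s' "$1" | tr '.-' '  ')
    b=$(printf '%s' "$2" | tr '.-' '  ')
    set -- $a
    for fb in $b; do
        fa=${1:-0}
        if [ $# -gt 0 ]; then shift; fi
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
    done
    return 0
}

# bool_on LINE: succeed if a getsebool output line reports use_syslogng enabled.
# Assumption: the tool prints "name --> on" or "name --> active".
bool_on() {
    case "$1" in
        "use_syslogng --> on"|"use_syslogng --> active") return 0 ;;
        *) return 1 ;;
    esac
}

# preflight POLICY_VR GETSEBOOL_LINE: print one line per unmet requirement;
# return 0 only when the policy release and the boolean both check out.
preflight() {
    rc=0
    if ! ver_ge "$1" "$REQUIRED_POLICY"; then
        echo "selinux-policy-targeted '$1' does not meet required $REQUIRED_POLICY"
        rc=1
    fi
    if ! bool_on "$2"; then
        echo "use_syslogng is not enabled: run 'setsebool -P use_syslogng 1'"
        rc=1
    fi
    return $rc
}

# Live use on the host:
#   preflight "$(rpm -q --qf '%{VERSION}-%{RELEASE}' selinux-policy-targeted)" \
#             "$(getsebool use_syslogng)"
```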