[CentOS] rsyslog not loading relp

Sun Mar 30 22:04:21 UTC 2014
Daniel J Walsh <dwalsh at redhat.com>

On 03/28/2014 03:19 PM, Mauricio Tavares wrote:
> On Mon, Nov 4, 2013 at 5:08 PM, Mauricio Tavares <raubvogel at gmail.com> wrote:
>> On Mon, Nov 4, 2013 at 9:59 AM, Stephen Harris <lists at spuddy.org> wrote:
>>> On Mon, Nov 04, 2013 at 09:49:37AM -0500, Mauricio Tavares wrote:
>>>>       I really have nobody else but rsyslog.conf here:
>>>>
>>>> [root at scan log]# ls -ld /etc/rsyslog.*
>>> Don't use the "d" flag to "ls"; that'll stop it looking inside
>>> directories.
>>>
>>       Sorry; I meant ls -lh
>>
>>> The debug output showed it reading a file from
>>>    /etc/rsyslog.d/remote-hosts.conf
>>>
>>> 1968.099981778:7f2b4eda1700: cfline: '$IncludeConfig /etc/rsyslog.d/*.conf'
>>> 1968.100012146:7f2b4eda1700: requested to include config file
>>> '/etc/rsyslog.d/remote-hosts.conf'
>>>
>>       You are right. To add insult to injury I created that file (to
>> grab the log files from a few other machines. Still need to make it
>> nicer, but good enough to test):
>>
>> [root at scan log]# cat /etc/rsyslog.d/remote-hosts.conf
>> # Log remote messages by date & hostname
>> $template DailyPerHostLogs,"/var/log/syslog/%HOSTNAME%/messages_%$YEAR%-%$MONTH%-%$DAY%.log"
>> *.info;mail.none;authpriv.none;cron.none                -?DailyPerHostLogs
>> [root at scan log]#
>>
>       Resurrecting this old thread of mine, I had time again to play
> with this. Still clueless but saw this in /var/log/audit/audit.log:
>
> 9069 comm="rsyslogd" src=20514
> scontext=unconfined_u:system_r:syslogd_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> type=SYSCALL msg=audit(1396031288.687:157483): arch=c000003e
> syscall=49 success=no exit=-13 a0=5 a1=7febd9a35df0 a2=10
> a3=7fff9cfb57bc items=0 ppid=9068 pid=9069 auid=1000 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=18706
> comm="rsyslogd" exe="/sbin/rsyslogd"
> subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
> type=AVC msg=audit(1396031288.687:157484): avc:  denied  { name_bind }
> for  pid=9069 comm="rsyslogd" src=20514
> scontext=unconfined_u:system_r:syslogd_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> type=SYSCALL msg=audit(1396031288.687:157484): arch=c000003e
> syscall=49 success=no exit=-13 a0=5 a1=7febd9a35d90 a2=1c
> a3=7fff9cfb57bc items=0 ppid=9068 pid=9069 auid=1000 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=18706
> comm="rsyslogd" exe="/sbin/rsyslogd"
> subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
>
> What is this
>
>  denied  { name_bind } for  pid=9069 comm="rsyslogd" src=20514
>
> is trying to tell me? I know that syslog is only currently allowed by
> selinux to use 514 and 6514,
>
> [root at scan ~]# semanage port -l| grep syslog
> syslogd_port_t                 tcp      6514
> syslogd_port_t                 udp      514, 6514
> [root at scan ~]#
>
> But I also thought that there would be a given port after which
> selinux did not care. Or something. Or it would be really hard to start
> sessions as a lame user connecting to other machines. ;)
>
> Out of desperation, I tried
>
> [root at scan ~]# semanage port -a -t syslogd_port_t -p tcp 20514
> Killed
> [root at scan ~]#
That was the correct thing to do.  Not sure why it got killed?
>>> --
>>>
>>> rgds
>>> Stephen
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS at centos.org
>>> http://lists.centos.org/mailman/listinfo/centos
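Added example (not part of the thread): a small Python check that reads the AVC `name_bind` record and the `semanage port -l` lines quoted above and works out the `semanage port` command that labels the port for syslogd. It goes a little beyond the thread by handling port ranges and ports already mapped to another type; the sample records are copied from the thread, and the function names are my own.

```python
import re
# Constructed sample input: the AVC record and the `semanage port -l` lines quoted above.
AUDIT_LOG = (
    'type=AVC msg=audit(1396031288.687:157484): avc:  denied  { name_bind } '
    'for  pid=9069 comm="rsyslogd" src=20514 '
    'scontext=unconfined_u:system_r:syslogd_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket\n'
)
SEMANAGE_PORTS = ('syslogd_port_t                 tcp      6514\n'
                  'syslogd_port_t                 udp      514, 6514\n')
AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def avc_denials(audit_text):
    """Yield the permission set and key=value fields of each AVC denial line."""
    for m in AVC_RE.finditer(audit_text):
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
        fields['perms'] = m.group('perms').split()
        yield fields

def parse_semanage_ports(text):
    """Map (port_type, proto) -> list of (low, high) ranges from `semanage port -l`."""
    ranges = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        ptype, proto, plist = parts
        for item in plist.split(','):
            lo, _, hi = item.strip().partition('-')
            ranges.setdefault((ptype, proto), []).append((int(lo), int(hi or lo)))
    return ranges

def name_bind_denials(audit_text, semanage_text, wanted_type):
    """For each name_bind denial, report the port, its current label and the fix."""
    labels = parse_semanage_ports(semanage_text)
    out = []
    for f in avc_denials(audit_text):
        if 'name_bind' not in f['perms']:
            continue
        proto = f['tclass'].replace('_socket', '')  # tcp_socket -> tcp
        port, cur_type = int(f['src']), f['tcontext'].split(':')[2]
        allowed = any(lo <= port <= hi for lo, hi in labels.get((wanted_type, proto), []))
        # port_t/unreserved_port_t mean no explicit mapping, so -a adds one; a port already mapped to another type needs -m.
        flag = '-a' if cur_type in ('port_t', 'unreserved_port_t') else '-m'
        fix = None if allowed else f'semanage port {flag} -t {wanted_type} -p {proto} {port}'
        out.append({'comm': f['comm'], 'proto': proto, 'port': port,
                    'current_type': cur_type, 'fix': fix})
    return out
```

Run against the records above it reports tcp/20514 as labelled `port_t` and suggests exactly the `semanage port -a -t syslogd_port_t -p tcp 20514` command from the thread.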