On 03/28/2014 03:19 PM, Mauricio Tavares wrote:
On Mon, Nov 4, 2013 at 5:08 PM, Mauricio Tavares raubvogel@gmail.com wrote:
On Mon, Nov 4, 2013 at 9:59 AM, Stephen Harris lists@spuddy.org wrote:
On Mon, Nov 04, 2013 at 09:49:37AM -0500, Mauricio Tavares wrote:
I really have nobody else but rsyslog.conf here:
[root@scan log]# ls -ld /etc/rsyslog.*
Don't use the "d" flag to "ls"; that'll stop it looking inside directories.
Sorry; I meant ls -lh
The debug output showed it reading a file from /etc/rsyslog.d/remote-hosts.conf
1968.099981778:7f2b4eda1700: cfline: '$IncludeConfig /etc/rsyslog.d/*.conf'
1968.100012146:7f2b4eda1700: requested to include config file '/etc/rsyslog.d/remote-hosts.conf'
You are right. To add insult to injury I created that file (to
grab the log files from a few other machines. Still need to make it nicer, but good enough to test):
[root@scan log]# cat /etc/rsyslog.d/remote-hosts.conf
# Log remote messages by date & hostname
$template DailyPerHostLogs,"/var/log/syslog/%HOSTNAME%/messages_%$YEAR%-%$MONTH%-%$DAY%.log"
*.info;mail.none;authpriv.none;cron.none -?DailyPerHostLogs
[root@scan log]#
Resurrecting this old thread of mine, I had time again to play
with this. Still clueless but saw this in /var/log/audit/audit.log:
9069 comm="rsyslogd" src=20514 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1396031288.687:157483): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7febd9a35df0 a2=10 a3=7fff9cfb57bc items=0 ppid=9068 pid=9069 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=18706 comm="rsyslogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1396031288.687:157484): avc: denied { name_bind } for pid=9069 comm="rsyslogd" src=20514 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1396031288.687:157484): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7febd9a35d90 a2=1c a3=7fff9cfb57bc items=0 ppid=9068 pid=9069 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=18706 comm="rsyslogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
What is this
denied { name_bind } for pid=9069 comm="rsyslogd" src=20514
trying to tell me? I know that syslog is only currently allowed by selinux to use 514 and 6514,
[root@scan ~]# semanage port -l | grep syslog
syslogd_port_t                 tcp      6514
syslogd_port_t                 udp      514, 6514
[root@scan ~]#
But I also thought that there would be a given port after which selinux did not care. Or something. Or it would be really hard to start sessions as a lame user connecting to other machines. ;)
Out of desperation, I tried
[root@scan ~]# semanage port -a -t syslogd_port_t -p tcp 20514
Killed
[root@scan ~]#
That was the correct thing to do. Not sure why it got killed?
--
rgds
Stephen
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
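The diagnosis the thread arrives at (a name_bind denial because tcp/20514 still carries the generic port_t label, fixed by assigning syslogd_port_t) can be derived mechanically from the AVC record. The script below is an added example, not code from the thread or from CentOS: it parses constructed audit records modelled on the one quoted above and prints the semanage command that labels the port; the domain-to-port-type naming (syslogd_t to syslogd_port_t) is assumed to follow the usual policy convention.

```shell
#!/bin/sh
# Added example, not from the thread: read SELinux AVC records (one per line,
# as in /var/log/audit/audit.log) and, for a name_bind denial on a port that
# still carries the generic port_t label, print the semanage command that
# assigns the domain's port type. Domain -> port type naming (syslogd_t ->
# syslogd_port_t) is an assumed convention, not read from policy.

# Constructed sample records: the denial quoted in the thread, plus a record
# that is not a name_bind denial and must be ignored.
AVC_DENIED='type=AVC msg=audit(1396031288.687:157484): avc:  denied  { name_bind } for  pid=9069 comm="rsyslogd" src=20514 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'
AVC_OTHER='type=AVC msg=audit(1396031288.687:157490): avc:  denied  { read } for  pid=9069 comm="rsyslogd" name="messages" scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# Value of a key=value field in an AVC record, with surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# The permission named inside "denied { ... }".
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^[:space:]}]*\).*/\1/p'
}

# Type component (third field) of a context such as unconfined_u:system_r:syslogd_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print the remediation for a name_bind denial on an unlabeled (port_t) port;
# return 1 for any record this example does not cover.
suggest_port_label() {
    rec=$1
    [ "$(avc_permission "$rec")" = "name_bind" ] || return 1
    [ "$(context_type "$(avc_field "$rec" tcontext)")" = "port_t" ] || return 1
    port=$(avc_field "$rec" src)
    tclass=$(avc_field "$rec" tclass)
    domain=$(context_type "$(avc_field "$rec" scontext)")
    case $tclass in
        tcp_socket|udp_socket) proto=${tclass%_socket} ;;
        *) return 1 ;;
    esac
    port_type=$(printf '%s\n' "$domain" | sed 's/_t$/_port_t/')   # syslogd_t -> syslogd_port_t
    printf 'semanage port -a -t %s -p %s %s\n' "$port_type" "$proto" "$port"
}

# Run over the constructed records; only the name_bind denial yields a command:
# semanage port -a -t syslogd_port_t -p tcp 20514
for rec in "$AVC_DENIED" "$AVC_OTHER"; do
    suggest_port_label "$rec" || :
done
```

On a live system the same functions can be fed `grep 'avc:  denied' /var/log/audit/audit.log` line by line; a target type other than port_t means the port is already claimed by another service and needs `semanage port -m` rather than `-a`.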