On 03/28/2014 03:19 PM, Mauricio Tavares wrote:
> On Mon, Nov 4, 2013 at 5:08 PM, Mauricio Tavares <raubvogel at gmail.com> wrote:
>> On Mon, Nov 4, 2013 at 9:59 AM, Stephen Harris <lists at spuddy.org> wrote:
>>> On Mon, Nov 04, 2013 at 09:49:37AM -0500, Mauricio Tavares wrote:
>>>> I really have nobody else but rsyslog.conf here:
>>>>
>>>> [root at scan log]# ls -ld /etc/rsyslog.*
>>> Don't use the "d" flag to "ls"; that'll stop it looking inside
>>> directories.
>>>
>> Sorry; I meant ls -lh
>>
>>> The debug output showed it reading a file from
>>> /etc/rsyslog.d/remote-hosts.conf
>>>
>>> 1968.099981778:7f2b4eda1700: cfline: '$IncludeConfig /etc/rsyslog.d/*.conf'
>>> 1968.100012146:7f2b4eda1700: requested to include config file
>>> '/etc/rsyslog.d/remote-hosts.conf'
>>>
>> You are right. To add insult to injury I created that file (to
>> grab the log files from a few other machines. Still need to make it
>> nicer, but good enough to test):
>>
>> [root at scan log]# cat /etc/rsyslog.d/remote-hosts.conf
>> # Log remote messages by date & hostname
>> $template DailyPerHostLogs,"/var/log/syslog/%HOSTNAME%/messages_%$YEAR%-%$MONTH%-%$DAY%.log"
>> *.info;mail.none;authpriv.none;cron.none -?DailyPerHostLogs
>> [root at scan log]#
>>
> Resurrecting this old thread of mine, I had time again to play
> with this.
> Still clueless but saw this in /var/log/audit/audit.log:
>
> 9069 comm="rsyslogd" src=20514
> scontext=unconfined_u:system_r:syslogd_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> type=SYSCALL msg=audit(1396031288.687:157483): arch=c000003e
> syscall=49 success=no exit=-13 a0=5 a1=7febd9a35df0 a2=10
> a3=7fff9cfb57bc items=0 ppid=9068 pid=9069 auid=1000 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=18706
> comm="rsyslogd" exe="/sbin/rsyslogd"
> subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
> type=AVC msg=audit(1396031288.687:157484): avc: denied { name_bind }
> for pid=9069 comm="rsyslogd" src=20514
> scontext=unconfined_u:system_r:syslogd_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> type=SYSCALL msg=audit(1396031288.687:157484): arch=c000003e
> syscall=49 success=no exit=-13 a0=5 a1=7febd9a35d90 a2=1c
> a3=7fff9cfb57bc items=0 ppid=9068 pid=9069 auid=1000 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=18706
> comm="rsyslogd" exe="/sbin/rsyslogd"
> subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
>
> What is this
>
> denied { name_bind } for pid=9069 comm="rsyslogd" src=20514
>
> is trying to tell me? I know that syslog is only currently allowed by
> selinux to use 514 and 6514,
>
> [root at scan ~]# semanage port -l| grep syslog
> syslogd_port_t tcp 6514
> syslogd_port_t udp 514, 6514
> [root at scan ~]#
>
> But I also thought that there would be a given port after which
> selinux did not care. Or something. Or it would be really hard to start
> sessions as a lame user connecting to other machines. ;)
>
> Out of desperation, I tried
>
> [root at scan ~]# semanage port -a -t syslogd_port_t -p tcp 20514
> Killed
> [root at scan ~]#

That was the correct thing to do. Not sure why it got killed?

>>> --
>>>
>>> rgds
>>> Stephen
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS at centos.org
>>> http://lists.centos.org/mailman/listinfo/centos
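
An added example, not part of the thread and not rsyslog or CentOS project code: a small Python parser that extracts `name_bind` denials from audit.log text and prints the `semanage port -a` command for each denied port missing from the `semanage port -l` listing. The function names are hypothetical, the sample data is the thread's AVC record rejoined onto one line, and the `syslogd_port_t` target type is an assumption taken from the thread.

```python
import re

# Constructed sample: the thread's AVC record rejoined onto one line, the way
# auditd writes it (the e-mail client wrapped it), plus the quoted port list.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1396031288.687:157484): avc: denied { name_bind } '
    'for pid=9069 comm="rsyslogd" src=20514 '
    'scontext=unconfined_u:system_r:syslogd_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket\n')
SAMPLE_PORTS = "syslogd_port_t tcp 6514\nsyslogd_port_t udp 514, 6514\n"

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ name_bind \}.*?comm="(?P<comm>[^"]+)"\s+src=(?P<port>\d+)'
    r'\s+scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)'
    r'\s+tclass=(?P<proto>tcp|udp)_socket')

def parse_allowed(semanage_output):
    """Map port type -> set of (proto, port) from `semanage port -l` lines."""
    allowed = {}
    for line in semanage_output.splitlines():
        fields = line.split(None, 2)
        if len(fields) < 3 or fields[1] not in ("tcp", "udp"):
            continue  # header or unrelated line
        for item in fields[2].split(","):
            lo, _, hi = item.strip().partition("-")  # "514" or "6000-6020"
            for n in range(int(lo), int(hi or lo) + 1):
                allowed.setdefault(fields[0], set()).add((fields[1], n))
    return allowed

def name_bind_denials(audit_text):
    """Unique (comm, source domain, target type, proto, port) per denial."""
    found = []
    for m in map(AVC_RE.search, audit_text.splitlines()):
        if m:
            rec = (m["comm"], m["scon"].split(":")[2], m["tcon"].split(":")[2],
                   m["proto"], int(m["port"]))
            if rec not in found:
                found.append(rec)
    return found

def suggest(audit_text, semanage_output, port_type="syslogd_port_t"):
    """Relabel command for each denied port not yet labelled port_type.
    port_type is an assumption the caller supplies (here, from the thread)."""
    labelled = parse_allowed(semanage_output).get(port_type, set())
    return [f"semanage port -a -t {port_type} -p {proto} {port}"
            for _, _, _, proto, port in name_bind_denials(audit_text)
            if (proto, port) not in labelled]

if __name__ == "__main__":
    print(*suggest(SAMPLE_AUDIT, SAMPLE_PORTS), sep="\n")
```

The target type `port_t` in the parsed record is the generic label for ports with no specific type, which is why the bind by `syslogd_t` to 20514 is refused while 514 and 6514 are allowed.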