On Mon, Nov 4, 2013 at 5:08 PM, Mauricio Tavares <raubvogel at gmail.com> wrote:
> On Mon, Nov 4, 2013 at 9:59 AM, Stephen Harris <lists at spuddy.org> wrote:
>> On Mon, Nov 04, 2013 at 09:49:37AM -0500, Mauricio Tavares wrote:
>>> I really have nobody else but rsyslog.conf here:
>>>
>>> [root at scan log]# ls -ld /etc/rsyslog.*
>>
>> Don't use the "d" flag to "ls"; that'll stop it looking inside
>> directories.
>>
> Sorry; I meant ls -lh
>
>> The debug output showed it reading a file from
>> /etc/rsyslog.d/remote-hosts.conf
>>
>> 1968.099981778:7f2b4eda1700: cfline: '$IncludeConfig /etc/rsyslog.d/*.conf'
>> 1968.100012146:7f2b4eda1700: requested to include config file
>> '/etc/rsyslog.d/remote-hosts.conf'
>>
> You are right. To add insult to injury I created that file (to
> grab the log files from a few other machines; still need to make it
> nicer, but good enough to test):
>
> [root at scan log]# cat /etc/rsyslog.d/remote-hosts.conf
> # Log remote messages by date & hostname
> $template DailyPerHostLogs,"/var/log/syslog/%HOSTNAME%/messages_%$YEAR%-%$MONTH%-%$DAY%.log"
> *.info;mail.none;authpriv.none;cron.none -?DailyPerHostLogs
> [root at scan log]#
>

Resurrecting this old thread of mine, I had time again to play with this.
Still clueless, but saw this in /var/log/audit/audit.log:

9069 comm="rsyslogd" src=20514 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1396031288.687:157483): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7febd9a35df0 a2=10 a3=7fff9cfb57bc items=0 ppid=9068 pid=9069 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=18706 comm="rsyslogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1396031288.687:157484): avc: denied { name_bind } for pid=9069 comm="rsyslogd" src=20514 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1396031288.687:157484): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7febd9a35d90 a2=1c a3=7fff9cfb57bc items=0 ppid=9068 pid=9069 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=18706 comm="rsyslogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)

What is this "denied { name_bind } for pid=9069 comm="rsyslogd" src=20514" trying to tell me? I know that syslog is currently only allowed by selinux to use 514 and 6514:

[root at scan ~]# semanage port -l | grep syslog
syslogd_port_t                 tcp      6514
syslogd_port_t                 udp      514, 6514
[root at scan ~]#

But I also thought that there would be a given port after which selinux did not care. Or something. Or it would be really hard to start sessions as a lame user connecting to other machines. ;)

Out of desperation, I tried

[root at scan ~]# semanage port -a -t syslogd_port_t -p tcp 20514
Killed
[root at scan ~]#

>
>> --
>>
>> rgds
>> Stephen
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
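As an added example (not part of the thread, and not rsyslog, CentOS or SELinux project code): a small POSIX sh script that pulls the fields that matter out of AVC records shaped like the ones above and turns a name_bind denial into the semanage port command to try. The audit lines inside the script are constructed to mirror the posted ones (with one made-up file denial added to show the non-port path); syslogd_port_t is the type the semanage port -l output above lists for syslog. The tcontext type port_t in the posted AVC is the generic label carried by ports not assigned to any specific port type, which is why semanage port -a is the right verb there; when a port already carries some other *_port_t label, -a refuses and -m (modify) is needed, and the script picks the verb accordingly.

```shell
#!/bin/sh
# Constructed sample in the shape of the audit.log excerpt above. The two AVC
# records copy the fields of the posted name_bind denial; the third (a file
# write denial) is invented purely to exercise the "no port fix" path.
AVC_SAMPLE='type=AVC msg=audit(1396031288.687:157483): avc: denied { name_bind } for pid=9069 comm="rsyslogd" src=20514 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1396031288.687:157483): arch=c000003e syscall=49 success=no exit=-13 pid=9069 comm="rsyslogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1396031288.687:157484): avc: denied { name_bind } for pid=9069 comm="rsyslogd" src=20514 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1396031288.700:157490): avc: denied { write } for pid=9069 comm="rsyslogd" name="messages" scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# avc_summary TEXT
# Reduce every AVC denial in TEXT to one de-duplicated record:
#   <comm> <permission[,permission...]> <src port or -> <tclass> <target type>
# The target type is the third colon-separated field of tcontext (port_t above).
avc_summary() {
  printf '%s\n' "$1" | awk '
    /^type=AVC / && /avc: +denied/ {
      perm = ""; comm = ""; src = "-"; tclass = ""; ttype = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") {                       # permissions sit between { and }
          for (j = i + 1; j <= NF && $j != "}"; j++)
            perm = (perm == "" ? $j : perm "," $j)
        }
        if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
        if ($i ~ /^src=/)      src = substr($i, 5)
        if ($i ~ /^tclass=/)   tclass = substr($i, 8)
        if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
      }
      print comm, perm, src, tclass, ttype
    }' | sort -u
}

# suggest_fix RECORD PORT_TYPE
# For a name_bind denial on a tcp/udp socket, print the semanage port command
# that labels the port with PORT_TYPE. Returns 1 for any other denial.
suggest_fix() {
  ptype=$2
  set -- $1                      # split the record back into its five fields
  perm=$2; src=$3; tclass=$4; ttype=$5
  [ "$perm" = name_bind ] || return 1
  case "$tclass" in
    tcp_socket) proto=tcp ;;
    udp_socket) proto=udp ;;
    *) return 1 ;;
  esac
  case "$ttype" in
    port_t)   action=-a ;;       # generic label: the port is unassigned, add a mapping
    *_port_t) action=-m ;;       # already labelled for another service: modify it
    *) return 1 ;;               # (that may steal the port from a confined domain; check first)
  esac
  printf 'semanage port %s -t %s -p %s %s\n' "$action" "$ptype" "$proto" "$src"
}

# Stand-alone run over the constructed sample.
avc_summary "$AVC_SAMPLE" | while IFS= read -r rec; do
  suggest_fix "$rec" syslogd_port_t || echo "# no port-label fix for: $rec"
done
```

The script only prints the command; it says nothing about why the poster's semanage run ended in "Killed", which the thread does not resolve. After a successful change, the same `semanage port -l | grep syslog` shown above is the check that tcp 20514 now appears next to 6514.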