selinux not showing avc denied

asked 2018-10-17 19:40:59 -0500

bradi gravatar image

I am using syslog-ng on Fedora 28. I was receiving errors after installation regarding {exec-mem} access being denied so created the following policy module:

module syslog-ng_1 1.0;

require {
    type syslogd_t;
    class process execmem;

#============= syslogd_t ==============
allow syslogd_t self:process execmem;

this stopped the AVC messages for syslog-ng and I configured it to replace rsyslog for internal logging to /var/log. This is working fine.

However I am now trying to use syslog-ng as a syslog target for my local network devices and logging to a different location /data/logs. I have set permissions and relabeled the directory(ies) I am using with "system_u:object_r:var_log_t:s0" and this is working fine if SELinux is set to permissive.

Once I change back to enforcing I receive the following errors in /var/log/messages

syslog-ng[8274]: Error opening file for writing; filename='/data/logs/rtr-1/internet-rtr.home-2018_10_18.log', error='Permission denied (13)'

but nothing in /var/audit/audit.log or in journald... this is obviously a problem with SELinux somewhere, but without any AVC messages I have no clue how to fix it. Reverting back to permissive resolves the problem.

As a side note I have other logs being written to /data/logs just fine with SELinux enforcing, just not through syslog-ng (httpd, named, proftpd are a few that are working fine).

Can anyone suggest what I might do to troubleshoot further?

edit retag flag offensive close merge delete


Further information: changing the file system location that syslog-ng logs my remote syslog clients to


works fine with SELinux enabled and the directories and log files are created with the correct label "system_u:object_r:var_log_t:s0" and permissions... there is something about syslog-ng's SELinux configuration I am missing as other system services are able to write fine to /data/logs/... as my httpd vhosts are writing correctly to /data/logs/httpd/... and are also correctly labeled as "system_u:object_r:httpd_log_t:s0".

bradi gravatar imagebradi ( 2018-10-24 17:49:15 -0500 )edit