I took the Fedora-8 SRPM for rsyslog 2.0.2 and rebuilt it for CentOS-5
x86_64. After doing:
# semanage fcontext -a -t syslogd_exec_t /sbin/rsyslogd
# semanage fcontext -a -t klogd_exec_t /sbin/rklogd
I can do "service rsyslog start" and it works.
Then, I did the rebuild for rsyslog version 3.11.6. Had to tweak the
spec and conf files a bit, but got it packaged and installed. And made
sure the above contexts were retained (they were).
However, when I go to run it "service rsyslog start" using the same
init script that worked with the 2.0.2 version, I get this:
==
type=SYSCALL msg=audit(03/05/2008 17:43:26.966:224) : arch=x86_64
syscall=bind success=yes exit=0 a0=1 a1=51b2ae0 a2=10 a3=7fffa9e3f63c
items=0 ppid=29717 pid=29718 auid=root uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
comm=rsyslogd exe=/sbin/rsyslogd subj=root:system_r:syslogd_t:s0
key=(null)
type=AVC msg=audit(03/05/2008 17:43:26.966:224) : avc: denied {
node_bind } for pid=29718 comm=rsyslogd src=61514
scontext=root:system_r:syslogd_t:s0
tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
==
BUT, when I run it directly from the command-line:
/sbin/rsyslogd
I do NOT get those denials.
I know how to create the module to allow the above, but what I'm more
interested in is what allows me to run it from the command-line but
not from the init script.
The line that starts the rsyslogd in the init script is:
daemon rsyslogd $SYSLOGD_OPTIONS
("daemon" being a function sourced from /etc/init.d/functions)
But even if I replace that line with a simple:
/sbin/rsyslogd
it still gives me the denials.
Anyone have ideas why? I don't want to just create the module and
sweep this under the rug.