Document toolboxDocument toolbox

SELinux configuration conflicts

SELinux is a security module that facilitates the implementation of access control security policies in Linux systems. In some distributions, like Fedora and RHEL, SELinux is enabled in Enforcing mode by default.

By default, SELinux applies the following limitations to the rsyslog process. For example:

  • SELinux prevents rsyslog from sending to a port other than 514/UDP (standard syslog port).

  • rsyslog has limited access to other files and directories outside its initial configuration. 

This article describes how to add the necessary exceptions to SELinux to enable sending data to Devo over TCP when using rsyslog. The procedure is identical when using syslog-ng. The exceptions will enable:

  • rsyslog to communicate with the Devo relay through the different ports

  • rsyslog to access the files and directories needed (for example, the user certificate)

Disable SELinux

SELinux can have one of three status:

  • Enforcing - SELinux is enabled and will block all actions that are not permitted by the security policy.

  • Permissive - SELinux is enabled. However, it will allow actions that are not permitted by the security policy, and log an event when the action is carried out. 

  • Disable - SELinux is disabled.

If SELinux is running in Enforcing mode, it could be interfering with the communications between rsyslog and the Devo relay. 

Run the following command to find out what status SElinux is currently in:

getenforce

The easiest way to diagnose if you have a configuration problem due to SELinux is to disable it temporarily and see if that solves the problem.

  • If SELinux is in Enforcing mode, use the following commands switch to SELinux to Permissive mode, then restart the rsyslog service:

    sudo setenforce 0 sudo service rsyslog restart
  • Check if the log sending is working. To re-enable SELinux, run:

    sudo setenforce 1 sudo service rsyslog restart

These commands only make temporary changes to the SELinux status. If you restart the machine, the status will automatically be set to the status level defined in the /etc/selinux/config file.

From a security point of view it is not advisable, but if you want to permanently set the status you can edit the /etc/selinux/config file: 

  • SELinux records all actions in /var/log/audit/audit.log

  • A change in the general configuration requires a restart of the machine.

Adding exceptions to SELinux

The SELinux commands that involve the recompiling of policies may take a while to run.

  • If you do not have the semanage command, install the policycoreutils package:

  • Now, check which ports syslog can send to.

  • Enable a new port in the security policy. For example, if we want to be able to send cleartext data to port 12345/TCP, the command would be as follows:

  • To add a port that is already being used for another purpose, we have to register the port. In this example port 443/TCP is used for secure sending and also for the web server policy.

  • Depending on the distribution, you need to authorize the /var/spool/rsyslog directory: 

  • It might also be necessary to authorize /etc/rsyslog.d/* so that rsyslog can read the user SSL certificate:

  • Now restart rsyslog: