Solved

selinux not writing any log files

Posted on 2013-06-19
Last Modified: 2014-02-20
We're running Red Hat with SELinux, and we have enforcing turned on. For some strange reason nothing is getting written to any of my HTTP log files, and, more disconcerting, nothing is getting written to the /var/log/audit log files so that I could figure out what is going on.

Here are the file contexts:
drwxr-x---. root root system_u:object_r:auditd_log_t:s0 /var/log/audit
drwxrwx---. webadmin apache unconfined_u:object_r:httpd_log_t:s0 /webdocs/domain/logs

I've run restorecon on the audit folder and that didn't seem to do anything.

If we setenforce to 0, we still don't get any log files (audit and httpd) written. We have about 20 different domains on the go, so it's unlikely that we've messed up every single one of them. Also, I know that the individual log file directories are correct, because if I delete one of them and then restart the web server it fails because it can't find the directory.

Not sure where to go next with this
Question by: geekdad1

12 Comments

LVL 19

Expert Comment

by:jools
ID: 39261082
So getenforce says it's running but you don't get anything logged?
Are you expecting anything to be logged?
What happens if you tail -f the audit file and then setenforce 0 and then setenforce 1?
LVL 76

Expert Comment

by:arnold
ID: 39261105
Make sure you have syslog or rsyslog installed and running.
This is the process that writes into those files.
If syslog is running, look at /etc/syslog.conf or /etc/rsyslog.conf to make sure that you are not voiding the events.
See if you have an audit file reference.

Maybe you have a centralized syslog server to which all systems forward their events.
LVL 1

Author Comment

by:geekdad1
ID: 39261118
I feel like I'm on an episode of The Twilight Zone. When I came in this morning the audit file was 0 length, like it has been for a couple of weeks. I've turned enforcing on and off several times today testing out various things. Now it has tons of entries and enforcing is turned on.
Even some of the web logs now have entries. One thing that did happen this morning was a logrotate. Is there something in syslog or Apache that decides when to write the log files out to disk? I still have several web sites that have empty logs, but it might be caching or something specific to them.
LVL 76

Expert Comment

by:arnold
ID: 39261272
The logrotate script is supposed to issue a reload to syslog so it reattaches to the newly created files.
I think Apache might not need it, but sometimes a reload is issued to it so it detaches from the old logs and attaches to the new ones.
LVL 19

Expert Comment

by:jools
ID: 39261634
It shouldn't have "cached" that much information. I think the issue was either a process not running or, all of a sudden, it just had something to log.

How long has the server been up??
LVL 1

Author Comment

by:geekdad1
ID: 39263296
It's a brand new server, in service for approx. 4 months. The server is rebooted about every two weeks.

I've restarted Apache; it failed the first time with a log file that it didn't have access to. I looked at the context info and it appeared to be correct. I reset the context anyway, started the web server, and finally everything seems to be working. I think that Apache might not like having enforcing turned off and on while it's running.

In any event thanks for your help, but we seem to be up and running.
LVL 61

Accepted Solution

by: gheist (earned 260 total points)
ID: 39264522
RHEL5 or RHEL6?

Basically:
# setenforce 0
# audit2allow -a (it is inside policycoreutils-python in EL6)
Any weird labelling is because you at some point ran with SELinux disabled (as opposed to permissive), and you need to relabel and make sure restorecond and auditd are running all the time.
LVL 1

Author Comment

by:geekdad1
ID: 39264590
I'm running Red Hat release 6.3. I see I'm having a problem with pam_abl and sshd.

When I run audit2allow I get the command which I need in order to fix the problem.

allow sshd_t default_t:file read;

So I think I have two choices here.  Either I figure out the file types that sshd can read and set pam_abl.conf to that context, or add this command to the policy.

I think I like the first choice, but reading through the sshd_selinux man page doesn't give me any obvious clues as to what that context it might be.  Is there somewhere I can see what file types sshd is allowed to read?
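As an added example, not code from the thread or from the audit tools themselves: the shell snippet below does, for a couple of constructed audit.log lines, the core of what gheist's `audit2allow -a` does in the accepted answer. It turns AVC denial records into the `allow` rule that would silence them, and then flags rules whose target type is a generic fallback label (default_t, unlabeled_t, file_t), which is exactly the shape of the `allow sshd_t default_t:file read;` rule the author got back. A file labelled default_t is one no file-context rule matched, so the denial points at a mislabelled file, not a gap in policy, and the author's first choice (relabel pam_abl.conf to a type sshd_t already reads) is the right fix. The sample log lines are constructed for the example, modelled on the sshd/pam_abl denial from the post; the pids, inode numbers and timestamps in them are made up.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal stand-in for audit2allow that
# also separates "relabel the file" denials from "missing policy" denials.

# Constructed audit.log excerpt; pid/ino/timestamp values are invented.
SAMPLE_AUDIT='type=AVC msg=audit(1371650000.123:4567): avc:  denied  { read } for  pid=1234 comm="sshd" name="pam_abl.conf" dev=dm-0 ino=131073 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1371650001.456:4568): avc:  denied  { read open } for  pid=1234 comm="sshd" name="pam_abl.conf" dev=dm-0 ino=131073 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1371650002.789:4569): avc:  denied  { append } for  pid=2222 comm="httpd" name="error_log" dev=dm-0 ino=262144 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1371650002.789:4569): arch=c000003e syscall=2 success=no exit=-13'

# avc_to_allow: read audit records on stdin, keep only AVC denials, and print
# one "allow <src> <tgt>:<class> { perms };" line per source/target/class,
# merging the permission sets of repeated denials (as audit2allow does).
avc_to_allow() {
  awk '
    /^type=AVC / && / denied / {
      perms = $0
      sub(/.*denied +[{] +/, "", perms)   # drop everything up to "{ "
      sub(/ +[}].*/, "", perms)           # drop " }" and the rest of the line
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        # contexts look like user:role:type:level; field 3 is the type
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      key = src " " tgt ":" cls
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++)
        if (index(" " seen[key] " ", " " p[j] " ") == 0)
          seen[key] = (seen[key] == "" ? p[j] : seen[key] " " p[j])
      if (!(key in order)) { order[key] = ++count; keys[count] = key }
    }
    END {
      for (k = 1; k <= count; k++)
        printf "allow %s { %s };\n", keys[k], seen[keys[k]]
    }'
}

# flag_mislabel: read allow rules on stdin and prefix each with "relabel:" when
# the target type is a generic fallback label (the file carries no proper
# context and should be relabelled), or "policy:" when a real type is denied.
flag_mislabel() {
  awk '{
    tgt = $3; sub(/:.*/, "", tgt)
    if (tgt ~ /^(default_t|unlabeled_t|file_t)$/)
      print "relabel: " $0
    else
      print "policy: " $0
  }'
}

# Stand-alone run over the constructed sample. On a real RHEL box the same
# pipeline is fed from the audit log, e.g.:
#   ausearch -m avc -ts today | avc_to_allow | flag_mislabel
printf '%s\n' "$SAMPLE_AUDIT" | avc_to_allow | flag_mislabel
```

For the question at the end of the post: with the setools package installed, `sesearch -A -s sshd_t -c file -p read` lists every file type that sshd_t is allowed to read under the loaded policy. Once a suitable type is chosen, `semanage fcontext -a -t <type> <path to pam_abl.conf>` followed by `restorecon -v <path to pam_abl.conf>` applies it persistently, so a later relabel does not undo it; only the "policy:" lines above are candidates for a local module via `audit2allow -M`.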
LVL 1

Author Comment

by:geekdad1
ID: 39872104
Seems to have been a configuration problem, which has been resolved.  I forgot to close this out, and now I can't remember what was wrong, other than it was likely a mistake on my part.  I appreciate all of the comments, they were helpful.
LVL 1

Author Comment

by:geekdad1
ID: 39872514
I've requested that this question be closed as follows:

Accepted answer: 0 points for geekdad1's comment #a39872104

for the following reason:

The other comments were helpful, but not instructive as a solution.  Mine aren't either but this was the only way to close this question out.
LVL 61

Expert Comment

by:gheist
ID: 39872515
Usually you accept the helpful comments or shed some light on a radically different solution.
LVL 1

Author Closing Comment

by:geekdad1
ID: 39874125
Sorry, I understand that awarding points should have been done, but when I read through the comments, most of them were questions trying to help me figure out where the problem might be. I thought that picking one of those as the solution would have been confusing to anyone looking at the problem thread later on, since it did not lead to a solution.