There are also no messages in the kernel which I can use to audit any access/deny issues for selinux.
I moved my syslog to a different location '/tmp/server.log'
This was working all fine until I moved to selinux in enforcing mode.
I have tried putting selinux in permissive state and that too did not help
Please could someone help ? Or if there is a procedure to move syslog file /var/log/syslog to a different location, I am happy to follow ...
On 2023-11-08 08:26 +0000, Bhasker C V wrote:
> I moved my syslog to a different location '/tmp/server.log'
A rather strange decision, since /tmp is usually pruned on reboot.
> This was working all fine until I moved to selinux in enforcing mode.
> I have tried putting selinux in permissive state and that too did not help
Most likely your problem has nothing to do with selinux, but is rather
due to the hardening features implemented in rsyslog 8.2310.0-1. Among
other things, rsyslogd now gets its own /tmp directory (PrivateTmp=yes
in rsyslog.service) which is not shared with other processes.
> Please could someone help ? Or if there is a procedure to move syslog file
> /var/log/syslog to a different location, I am happy to follow ...
If you insist on moving it to /tmp, one possibility is to use a bind
mount for /tmp/server.log. Run "systemctl edit rsyslog.service" and put
the following two lines in the file:
[Service]
BindPaths=-/tmp/server.log
You may also need a tmpfiles.d(5) snippet to create /tmp/server.log on
reboot if it does not exist.
Good luck,
Sven
The service file you posted is not a good idea. Please remove it again.
If moving the log file out of /tmp is not an option, please run
systemctl edit rsyslog.service
and disable PrivateTmp via
[Service]
PrivateTmp=no
On 13.11.23 at 10:13, Bhasker C V wrote:
> I forgot to answer the question on why I am doing this
> I am experimenting on a no-log system where there are no writes
> whatsoever to /var/log (except for mails) or systemd journal
> (currently kept volatile)
> /tmp/ is tmpfs mounted
> Attached is the rsyslog config as-it-is being used now.
With the attached rsyslog.conf, disabling PrivateTmp makes rsyslog log
to /run/server.log correctly (verified locally).
I can only assume you didn't follow my instructions properly.
Please make sure after following my instruction that you have afterwards
# systemctl show -P PrivateTmp rsyslog.service
no
Btw, for your use case, a subdirectory in /run would be more suitable,
like say /run/syslog/.
Also, you currently have
*.* -/tmp/server.log
*and*
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,audit,news.none -/tmp/server.log
This doesn't make any sense.
This will basically duplicate the log messages in /tmp/server.log and interleave them.
Either you split up the log facilities and log them to separate files
or you only keep a single log rule like
*.* -/tmp/server.log
which simply logs everything to /tmp/server.log
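
Added example, not part of any message in this thread: a shell check that reads legacy-syntax rsyslog rules and reports file targets that land in the service's private /tmp or /var/tmp when PrivateTmp=yes, plus files written by more than one rule. The function names `check_rsyslog_targets` and `sample_conf` are hypothetical, the sample config is constructed from the rules quoted above, and RainerScript `action()` statements are not parsed.

```shell
#!/bin/sh
# Added example, not from the thread. Reads legacy-syntax rsyslog rules on
# stdin. $1 is the unit's PrivateTmp value, e.g. the output of:
#   systemctl show -P PrivateTmp rsyslog.service
check_rsyslog_targets() {
    awk -v ptmp="$1" '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }   # join continuation lines
        { line = buf $0; buf = "" }
        line ~ /^[ \t]*[#$]/ || line ~ /^[ \t]*$/ { next }  # comments, $Directives, blanks
        {
            sub(/[ \t]+$/, "", line)
            n = split(line, f, /[ \t]+/)
            target = f[n]                              # action is the last field
            sub(/^-/, "", target)                      # leading "-" means no sync per write
            if (target !~ /^\//) next                  # keep file actions only
            if (!(target in count)) order[++k] = target
            count[target]++
        }
        END {
            for (i = 1; i <= k; i++) {
                t = order[i]
                # PrivateTmp=yes gives the service its own /tmp and /var/tmp
                if (ptmp == "yes" && t ~ /^\/(var\/)?tmp\//)
                    print "PRIVATE_TMP " t
                if (count[t] > 1)
                    print "DUPLICATE " t " rules=" count[t]
            }
        }
    '
}

# Constructed sample: the two rules quoted in the thread plus a comment line.
sample_conf() {
    cat <<'EOF'
# constructed sample, legacy selector syntax
*.*  -/tmp/server.log
*.=info;*.=notice;*.=warn;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,audit,news.none  -/tmp/server.log
EOF
}

sample_conf | check_rsyslog_targets yes
```

On a live system the rules would come from the real configuration file instead of `sample_conf`, with the first argument taken from the `systemctl show` command in the comment.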