disable SELinux

[kostask]

Can you please verify if this is the rule... i.e. that in order for rsyslog to work and start sending messages from a Linux server to NLS we have to disable SELinux?
I am asking this because I've encountered such a case from a Red Hat Linux Server to NLS.

[lgroschen]

kostask,

The Nagios Log Server installer does disable SElinux on RHEL systems.


/Luke

[kostask]

r we sure that disables SELinux or it just checks and warns in case SELinux for example is in enforcing mode? What I've encountered was that when I first run the "setup_linux.sh" script in the client (i.e. host to be added) the output was [OK]... But no logs were FWding to NLS. Then after several hours of troubleshooting still nothing so I restarted the server. Still nothing! Then I had the idea to rerun the setup_linux.sh script and I've got the output about the SELinux enforcing... I've manually disabled SELinux (setenforce 0) and imitatively the logs started to flow towards NLS! Then I altered the SELinux config file so to permanently disable SELinux in case of restarts.

[slansing]

Hmm, curious, we'll have to check that out on our end, thank you for the information!

[eloyd]

I never had this problem running setup-linux multiple times on CentOS hosts.

[slansing]

Thanks for the input eloyd, I was about to say, this is the first I've heard of it reported. Are you sure you don't have a rogue-security_happy-sysadmin running around?

[lgroschen]

Here is that function inside the script:

Code: Select all

# Check if SELinux might cause problems, and notify the user if so.
check_for_selinux() {
	if ! which getenforce &> /dev/null; then
		echo "getenforce command not found, assuming SELinux is disabled."
		return
	fi
	SELinux_MODE=$(getenforce 2>/dev/null)

	if [ $SELinux_MODE = "Disabled" ]; then
		echo "SELinux is disabled."
	elif [ $SELinux_MODE = "Permissive." ]; then
		echo "SELinux is permissive."
	elif [ $SELinux_MODE = "Enforcing" ]; then
		cat <<-EOF
SELinux is enforcing. This may prevent $SYSLOG_TYPE from forwarding messages.
If log messages do not reach Log Server from this host, ensure SELInux is
configured to allow $SYSLOG_TYPE forwarding.
		EOF
	fi
}

The Dev who wrote it wanted to ensure that it wouldn't just turn off SELinux in case someone has a current configuration already set. Then it will tell the user after the script run that this part was skipped and you need to edit the file. This could potentially cause problems so we didn't want to force it.

[Box293]

Then it will tell the user after the script run that this part was skipped and you need to edit the file.

I think that the message should be make very obvious. Perhaps something like:

######################################
######################################
the message here
######################################
######################################

[lgroschen]

Troy,

Good call mate. How's this look?:

Code: Select all

==============================! WARNING !====================================
SELinux is enforcing. This may prevent $SYSLOG_TYPE from forwarding messages.
If log messages do not reach Log Server from this host, ensure SELInux is
configured to allow $SYSLOG_TYPE forwarding.
=============================================================================

[eloyd]

I think it should be changed to:

Code: Select all

==============================! CRIKEY !====================================
SELinux is enforcing. This may prevent $SYSLOG_TYPE from forwarding messages.
If log messages do not reach Log Server from this host, ensure SELInux is
configured to allow $SYSLOG_TYPE forwarding.  Then she'll be right!
=============================================================================