disable SELinux
Posted: Thu Oct 30, 2014 10:21 am
by kostask
Can you please verify if this is the rule... i.e. that in order for rsyslog to work and start sending messages from a Linux server to NLS we have to disable SELinux?
I am asking this because I've encountered such a case from a Red Hat Linux Server to NLS.
Re: disable SELinux
Posted: Thu Oct 30, 2014 10:30 am
by lgroschen
kostask,
The Nagios Log Server installer does disable SELinux on RHEL systems.
/Luke
Re: disable SELinux
Posted: Fri Oct 31, 2014 2:46 am
by kostask
Are we sure that it disables SELinux, or does it just check and warn in case SELinux, for example, is in enforcing mode? What I encountered was that when I first ran the "setup_linux.sh" script on the client (i.e. the host to be added) the output was [OK]... But no logs were forwarding to NLS. Then, after several hours of troubleshooting, still nothing, so I restarted the server. Still nothing! Then I had the idea to rerun the setup_linux.sh script and I got the output about SELinux enforcing... I manually disabled SELinux (setenforce 0) and immediately the logs started to flow towards NLS! Then I altered the SELinux config file so as to permanently disable SELinux in case of restarts.
Re: disable SELinux
Posted: Fri Oct 31, 2014 8:37 am
by slansing
Hmm, curious, we'll have to check that out on our end, thank you for the information!
Re: disable SELinux
Posted: Fri Oct 31, 2014 8:40 am
by eloyd
I never had this problem running setup-linux multiple times on CentOS hosts.
Re: disable SELinux
Posted: Fri Oct 31, 2014 8:45 am
by slansing
Thanks for the input eloyd, I was about to say, this is the first I've heard of it reported. Are you sure you don't have a rogue-security_happy-sysadmin running around?
Re: disable SELinux
Posted: Fri Oct 31, 2014 2:23 pm
by lgroschen
Here is that function inside the script:
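Code:
# Check if SELinux might cause problems, and notify the user if so.
check_for_selinux() {
    # No getenforce binary means the SELinux userland tools are not installed.
    # Portable redirection: "&>" is a bashism that backgrounds the command under sh.
    if ! which getenforce > /dev/null 2>&1; then
        echo "getenforce command not found, assuming SELinux is disabled."
        return
    fi
    # getenforce prints exactly one of: Enforcing, Permissive, Disabled.
    SELinux_MODE=$(getenforce 2>/dev/null)
    # Quote the variable so an empty value does not break the test.
    if [ "$SELinux_MODE" = "Disabled" ]; then
        echo "SELinux is disabled."
    elif [ "$SELinux_MODE" = "Permissive" ]; then
        echo "SELinux is permissive."
    elif [ "$SELinux_MODE" = "Enforcing" ]; then
        # The heredoc body and EOF stay unindented: "<<-" strips only leading tabs.
        cat <<-EOF
SELinux is enforcing. This may prevent $SYSLOG_TYPE from forwarding messages.
If log messages do not reach Log Server from this host, ensure SELinux is
configured to allow $SYSLOG_TYPE forwarding.
EOF
    fi
}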
The Dev who wrote it wanted to ensure that it wouldn't just turn off SELinux in case someone has a current configuration already set. Then it will tell the user after the script run that this part was skipped and you need to edit the file. This could potentially cause problems so we didn't want to force it.
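One way to act on the "ensure SELinux is configured to allow forwarding" advice while leaving SELinux enforcing, as an added example that is not part of the original post or of the Nagios script: check whether the destination port carries the syslogd_port_t label and print the semanage command that adds it. The function names, the constructed sample listing and the destination port 5544/tcp are assumptions.

```shell
#!/bin/sh
# Added example: decide whether an SELinux port label already permits syslog
# forwarding, by parsing `semanage port -l` output supplied on stdin.

# syslog_port_labeled PROTO PORT -> exit 0 if PORT is listed under
# syslogd_port_t for PROTO (single ports and "low-high" ranges both handled).
syslog_port_labeled() {
    awk -v proto="$1" -v port="$2" '
        $1 == "syslogd_port_t" && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                n = split(p, r, "-")
                if (n == 1 && p + 0 == port + 0) found = 1
                if (n == 2 && port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# selinux_forwarding_advice MODE PROTO PORT (port listing on stdin)
# Prints what to do; never suggests turning SELinux off.
selinux_forwarding_advice() {
    mode=$1 proto=$2 port=$3
    case "$mode" in
        Enforcing) ;;
        *) echo "SELinux is ${mode:-not installed}; policy will not block forwarding."
           return 0 ;;
    esac
    if syslog_port_labeled "$proto" "$port"; then
        echo "Port $port/$proto is labelled syslogd_port_t; forwarding is allowed."
    else
        echo "Port $port/$proto is not labelled for syslog. Run as root:"
        echo "  semanage port -a -t syslogd_port_t -p $proto $port"
        return 1
    fi
}

# Constructed sample of `semanage port -l` output (not taken from a real host).
SAMPLE_PORTS='rsh_port_t                     tcp      514
syslogd_port_t                 tcp      601, 20514
syslogd_port_t                 udp      514, 601, 20514
vnc_port_t                     tcp      5900-5983, 5985-5999'

# On a live host the inputs would come from the real tools:
#   semanage port -l | selinux_forwarding_advice "$(getenforce)" tcp 5544
# 5544 is an assumed Log Server input port; use the port rsyslog forwards to.
printf '%s\n' "$SAMPLE_PORTS" | selinux_forwarding_advice Enforcing tcp 5544 || true
```

If the port is already labelled and logs still do not arrive, the AVC denials in the audit log show which rule is blocking rsyslog.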
Re: disable SELinux
Posted: Fri Oct 31, 2014 5:24 pm
by Box293
lgroschen wrote: Then it will tell the user after the script run that this part was skipped and you need to edit the file.
I think that the message should be made very obvious. Perhaps something like:
######################################
######################################
the message here
######################################
######################################
Re: disable SELinux
Posted: Mon Nov 03, 2014 2:53 pm
by lgroschen
Troy,
Good call mate. How's this look?:
Code:
==============================! WARNING !====================================
SELinux is enforcing. This may prevent $SYSLOG_TYPE from forwarding messages.
If log messages do not reach Log Server from this host, ensure SELinux is
configured to allow $SYSLOG_TYPE forwarding.
=============================================================================
Re: disable SELinux
Posted: Mon Nov 03, 2014 2:57 pm
by eloyd
I think it should be changed to:
Code:
==============================! CRIKEY !====================================
SELinux is enforcing. This may prevent $SYSLOG_TYPE from forwarding messages.
If log messages do not reach Log Server from this host, ensure SELinux is
configured to allow $SYSLOG_TYPE forwarding. Then she'll be right!
=============================================================================