Sorry for the delay in the reply, was out. Man, you are a saint, it worked. Let me see what I was missing out ;-)
OUTPUT
-----------
Dec 22 12:46:31 boo gdm(pam_unix)[3202]: session opened for user wakayima by (uid=0)
Dec 22 12:46:36 boo gpm[2627]: *** info [mice.c(1766)]:
Dec 22 12:46:36 boo gpm[2627]: imps2: Auto-detected intellimouse PS/2
Dec 22 12:46:41 boo login(pam_unix)[2747]: session opened for user root by (uid=0)
Dec 22 12:46:41 boo  -- root[2747]: ROOT LOGIN ON tty2
Dec 22 12:46:46 boo syslogd 1.4.1: restart.

[EMAIL PROTECTED] wakayima]#    

Thanks lots
Ronny                          
*******************************************************************
PGP Fingerprint: 6695 794A B84E D922 88FB 73CC 6CBD 8036 B3CD 7304
We can't become what we need to be by remaining what we are
*******************************************************************





Kenneth Kabagambe wrote:
You have just upgraded to FC4? Okay, try
touch /.autorelabel and reboot. Let us know if that sorts you out.


Ronny wrote:

Hi, seems it's the selinux that is messing up since am running in enforcing mode. Couldn't see that because no logs were being written anywhere. Good that my sight is still good, a debug of syslogd directed me to the /dev/console where I got the mess. Culprit being selinux policies after upgrade!! Googling shows someone had the same prob but haven't seen a solution yet ;-)

"As mentioned before, I can't get syslogd to run properly.

It seems that selinux is blocking syslogd.

type=AVC msg=audit(1122120398.858:801833): avc:  denied  { read } for
pid=4595 comm="syslogd" name="syslog.conf" dev=dm-0 ino=653814
scontext=root:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t
tclass=file
type=SYSCALL msg=audit(1122120398.858:801833): arch=40000003 syscall=5
success=no exit=-13 a0=d448c6 a1=0 a2=1b6 a3=9cd1298 items=1 pid=4595
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="syslogd" exe="/sbin/syslogd"

If I understand this correctly selinux is stopping syslogd to read
syslog.conf.

How do I do to get it to work, there is no reference in the selinux
man-pages to syslogd.
With best regards

Tomas Larsson
Sweden

Verus Amicus Est Tamquam Alter Idem"

Temporarily will soften the security till am in the moods of taking coffee :-).
Nice day
Ronny

*******************************************************************
PGP Fingerprint: 6695 794A B84E D922 88FB 73CC 6CBD 8036 B3CD 7304
We can't become what we need to be by remaining what we are
*******************************************************************



 



Kenneth Kabagambe wrote:

You should check why access to the log file is denied and then grab your cup of coffee.

Ronny wrote:

Kenneth Kabagambe wrote:

You can start syslogd in the foreground to verify that it is actually logging. The messages will show you which file it is logging to


From this can see some access problems. Do you think some yum update I did caused this or so :-\
Thanks
[EMAIL PROTECTED] log]# /sbin/syslogd -d
Allocated parts table for 1024 file descriptors.
Starting.
Called init.
Called allocate_log, nlogs = -1.
cfline(*.info;mail.none;authpriv.none;cron.none         /var/log/messages)
symbolic name: info ==> 6
symbolic name: none ==> 16
symbolic name: mail ==> 16
symbolic name: none ==> 16
symbolic name: authpriv ==> 80
symbolic name: none ==> 16
symbolic name: cron ==> 72
leading char in action: /
filename: /var/log/messages
Error opening log file: /var/log/messages
Called logerr, msg: /var/log/messages
logmsg: syslog.err<43>, flags 4, from boo, msg syslogd: /var/log/messages: Permission denied
Called fprintlog, logging to CONSOLE /dev/console
Called allocate_log, nlogs = 0.
cfline(authpriv.*                                               /var/log/secure)
symbolic name: * ==> 255
symbolic name: authpriv ==> 80
leading char in action: /
filename: /var/log/secure
Error opening log file: /var/log/secure
Called logerr, msg: /var/log/secure
logmsg: syslog.err<43>, flags 4, from boo, msg syslogd: /var/log/secure: Permission denied
Called fprintlog, logging to CONSOLE /dev/console
Called allocate_log, nlogs = 1.
cfline(mail.*                                                   /var/log/maillog)
symbolic name: * ==> 255
symbolic name: mail ==> 16
leading char in action: /
filename: /var/log/maillog
Error opening log file: /var/log/maillog
Called logerr, msg: /var/log/maillog
logmsg: syslog.err<43>, flags 4, from boo, msg syslogd: /var/log/maillog: Permission denied
Called fprintlog, logging to CONSOLE /dev/console
Called allocate_log, nlogs = 2.
cfline(cron.*                                                   /var/log/cron)
symbolic name: * ==> 255
symbolic name: cron ==> 72
leading char in action: /
filename: /var/log/cron
Error opening log file: /var/log/cron
Called logerr, msg: /var/log/cron
logmsg: syslog.err<43>, flags 4, from boo, msg syslogd: /var/log/cron: Permission denied
Called fprintlog, logging to CONSOLE /dev/console
Called allocate_log, nlogs = 3.
cfline(*.emerg                                                  *)
symbolic name: emerg ==> 0
leading char in action: *
write-all
Called allocate_log, nlogs = 4.
cfline(uucp,news.crit                                           /var/log/spooler)
symbolic name: crit ==> 2
symbolic name: uucp ==> 64
symbolic name: news ==> 56
leading char in action: /
filename: /var/log/spooler
Error opening log file: /var/log/spooler
Called logerr, msg: /var/log/spooler
logmsg: syslog.err<43>, flags 4, from boo, msg syslogd: /var/log/spooler: Permission denied
Called fprintlog, logging to CONSOLE /dev/console
Called allocate_log, nlogs = 5.
cfline(local7.*                                         /var/log/boot.log)
symbolic name: * ==> 255
symbolic name: local7 ==> 184
leading char in action: /
filename: /var/log/boot.log
Error opening log file: /var/log/boot.log
Called logerr, msg: /var/log/boot.log
logmsg: syslog.err<43>, flags 4, from boo, msg syslogd: /var/log/boot.log: Permission denied
Called fprintlog, logging to CONSOLE /dev/console
Opened UNIX socket `/dev/log'.
 0: 7F 7F  X 7F 7F 7F 7F 7F 7F  X  X 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F FILE: /var/log/messages (unused)
 1:  X  X  X  X  X  X  X  X  X  X FF  X  X  X  X  X  X  X  X  X  X  X  X  X  X FILE: /var/log/secure (unused)
 2:  X  X FF  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X FILE: /var/log/maillog (unused)
 3:  X  X  X  X  X  X  X  X  X FF  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X FILE: /var/log/cron (unused)
 4:  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1 WALL:
 5:  X  X  X  X  X  X  X  7  7  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X FILE: /var/log/spooler (unused)
 6:  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X FF  X FILE: /var/log/boot.log (unused)
logmsg: syslog.info<46>, flags 4, from boo, msg syslogd 1.4.1: restart.
Called fprintlog, logging to FILE /var/log/messages
syslogd: restarted.
Debugging disabled, SIGUSR1 to turn on debugging.
                                                                            


Ronny wrote:

Hello buddies, hope you are still in the moods of helping :-).
Was wondering what on earth can stop syslogd from working. I recall 2 months back was messing around my 'test' machine that happens to be my desktop too. But of recent I no longer see new logs :-(.
Hope I wasn't *rooted* ;-)
See output below

[EMAIL PROTECTED] etc]# cat syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  /var/log/maillog


# Log cron stuff
cron.*                                        /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
[EMAIL PROTECTED] etc]#
[EMAIL PROTECTED] log]# cat secure
Oct 10 08:34:25 pixmail userhelper[2819]: running '/sbin/reboot' with root privileges on behalfof 'root'
Oct 10 08:35:01 pixmail sshd[1927]: Received signal 15; terminating.
[EMAIL PROTECTED] log]#

Interesting! What was terminating what :-) and who gave authority to that program (userhelper) to reboot on behalf of root!! Can someone advise what might have happened to syslog?

Strange but true ------->[EMAIL PROTECTED] log]# /sbin/syslogd
                                    syslogd: Already running.

And nothing much from selinux side
<cough> it's dirsty!!
[EMAIL PROTECTED] log]# /usr/sbin/sestatus
SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           enforcing
Mode from config file:  enforcing
Policy version:         19
Policy from config file:targeted

Policy booleans:
allow_execmem           active
allow_execmod           active
allow_execstack         active
allow_kerberos          inactive
allow_ypbind            inactive
dhcpd_disable_trans     inactive
httpd_builtin_scripting active
httpd_can_network_connectinactive
httpd_disable_trans     inactive
httpd_enable_cgi        active
httpd_enable_homedirs   active
httpd_ssi_exec          active
httpd_tty_comm          inactive
httpd_unified           active
mysqld_disable_trans    inactive
named_disable_trans     inactive
named_write_master_zonesinactive
nscd_disable_trans      inactive
ntpd_disable_trans      inactive
portmap_disable_trans   inactive
postgresql_disable_transinactive
read_default_t          active
snmpd_disable_trans     inactive
squid_connect_any       inactive
squid_disable_trans     inactive
syslogd_disable_trans   inactive
use_nfs_home_dirs       inactive
use_samba_home_dirs     inactive
winbind_disable_trans   inactive
ypbind_disable_trans    inactive
[EMAIL PROTECTED] log]#

Thanks for ya time but please need my box surveillance system up during the holiday. And sorry for coloring, it's festive season :-)
Merry-xmas
Ronny
--
*******************************************************************
PGP Fingerprint: 6695 794A B84E D922 88FB 73CC 6CBD 8036 B3CD 7304
We can't become what we need to be by remaining what we are
*******************************************************************



 

------------------------------------------------------------------------

_______________________________________________
LUG mailing list
[email protected]
http://kym.net/mailman/listinfo/lug
%LUG is generously hosted by INFOCOM http://www.infocom.co.ug/

The above comments and data are owned by whoever posted them (including attachments if any). The List's Host is not responsible for them in any way.
---------------------------------------