I was configuring a CentOS 6 box to receive syslog from remote hosts. I wanted that log to be written to a non-standard path: /data/syslog
On my first attempt, this failed with the following log in /var/log/messages:
Nov 26 11:26:24 localhost rsyslogd-3000: Could not open dynamic file '/data/syslog/10.10.1.252/2014-11/26/syslog.log' [state -3000] - discarding message [try http://www.rsyslog.com/e/3000 ]
I then set the context of /data/syslog to match /var/log with:
semanage fcontext -a -t var_log_t "/data/syslog(/.*)?"
restorecon -v /data/syslog
Unfortunately this didn't fix the issue. To make matters worse, SELinux wasn't telling me why: there were no denial messages in /var/log/audit/audit.log. It turns out that some denials are silenced by default on CentOS (the policy's dontaudit rules). I had to enable them with semodule --disable_dontaudit --build (thanks to this post).
Now I was seeing the following error in /var/log/audit/audit.log:
type=AVC msg=audit(1416967109.550:474): avc: denied { search } for pid=2027 comm=72733A6D61696E20513A526567 name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Well, that message is not terribly useful, and sealert, which is supposed to provide a helpful translation, wouldn't run (due to dbus errors!), so I was left in the dark.
Thanks to this post I was tipped off that /data itself also needed its context updated, like so:
semanage fcontext -a -t var_t "/data"
restorecon -R -v /data
Once that was done, rsyslogd could happily write files into /data/syslog.
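Since sealert was unavailable, here is an added example (not from the original post) that does the translation by hand: it parses the AVC line quoted above, decodes the hex-encoded comm field, points out that a file_t target named "/" on a separate device is an unlabeled mount point, and generates the fcontext rules from the fix above, generalised to any directory depth (assumption: every parent directory gets var_t, the log directory itself var_log_t).

```python
import re
from typing import Optional

# Constructed sample input: the AVC denial quoted in the post.
AVC_LINE = ('type=AVC msg=audit(1416967109.550:474): avc: denied { search } for pid=2027 '
            'comm=72733A6D61696E20513A526567 name="/" dev=dm-2 ino=2 '
            'scontext=unconfined_u:system_r:syslogd_t:s0 '
            'tcontext=system_u:object_r:file_t:s0 tclass=dir')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_comm(value: str) -> str:
    # auditd hex-encodes comm when it contains a space or non-printable byte;
    # rsyslog's worker thread is named "rs:main Q:Reg", hence the hex blob.
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', value):
        return bytes.fromhex(value).decode('utf-8', errors='replace')
    return value

def parse_avc(line: str) -> Optional[dict]:
    """Split one AVC denial line into a dict of its key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    fields['comm'] = decode_comm(fields.get('comm', ''))
    return fields

def diagnose(avc: dict) -> str:
    """Plain-words explanation; flags the unlabeled mount point the post ran into."""
    stype, ttype = avc['scontext'].split(':')[2], avc['tcontext'].split(':')[2]
    what = (f"{avc['comm']} ({stype}) denied {' '.join(avc['perms'])} on {avc['tclass']} "
            f"'{avc['name']}' ({avc['dev']}, inode {avc['ino']}) labeled {ttype}")
    if ttype == 'file_t' and avc['tclass'] == 'dir' and avc['name'] == '/':
        return what + (": that is the root of the filesystem, so the mount point itself is "
                       "unlabeled; give the mount point a context, not only the log directory.")
    if ttype == 'file_t':
        return what + ": file_t means nothing ever labeled it; add a fcontext rule and run restorecon."
    return what

def fcontext_rules(log_dir: str) -> list:
    """Commands matching the post's fix: parents get var_t, the log dir var_log_t."""
    parts = [p for p in log_dir.strip('/').split('/') if p]
    cmds = [f'semanage fcontext -a -t var_t "/{"/".join(parts[:i])}"' for i in range(1, len(parts))]
    cmds.append(f'semanage fcontext -a -t var_log_t "/{"/".join(parts)}(/.*)?"')
    cmds.append(f'restorecon -R -v /{parts[0]}')
    return cmds

if __name__ == '__main__':
    print(diagnose(parse_avc(AVC_LINE)))
    print('\n'.join(fcontext_rules('/data/syslog')))
```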
SELinux has some serious usability issues. People simply turn it off, which is bad, but I don't blame them when they have this kind of experience.