Looking in the "/var/logs/audit/audit.log"
I'll find the following entry:
type=AVC msg=audit(1122113324.490:351515): avc: denied { read } for
pid=2866 comm="syslogd" name="syslog.conf" dev=dm-0 ino=653814
scontext=root:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t
tclass=file
type=SYSCALL msg=audit(1122113324.490:351515): arch=40000003 syscall=5
success=no exit=-13 a0=2998c6 a1=0 a2=1b6 a3=98f1298 items=1 pid=2866
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="syslogd" exe="/sbin/syslogd"
It seems that syslogd is denied to do its job.
With best regards
Tomas Larsson
Sweden
Verus Amicus Est Tamquam Alter Idem
> -----Original Message-----
> From: fedora-list-bounces@xxxxxxxxxx
> [mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of Tomas Larsson
> Sent: Saturday, July 23, 2005 1:12 PM
> To: 'For users of Fedora Core releases'
> Subject: RE: FC4 and No logs
>
>
> > -----Original Message-----
> > From: fedora-list-bounces@xxxxxxxxxx
> > [mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of Tomas Larsson
> > Sent: Saturday, July 23, 2005 9:09 AM
> > To: 'For users of Fedora Core releases'
> > Subject: RE: FC4 and No logs
> >
> >
> > > -----Original Message-----
> > > From: fedora-list-bounces@xxxxxxxxxx
> > > [mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of
> Thomas Cameron
> > > Sent: Saturday, July 23, 2005 1:33 AM
> > > To: For users of Fedora Core releases
> > > Subject: Re: FC4 and No logs
> > >
> > >
> > > On Fri, 2005-07-22 at 21:29 +0200, Tomas Larsson wrote:
> > > > By some strange reason, the logging seems to have
> stopped, boot,
> > > > messages, secure etc hasn't logged anything since yesterday.
> > > >
> > > > Anyone got any clues?
> > > >
> > > >
> > > > With best regards
> > > >
> > > > Tomas Larsson
> > > > Sweden
> > > >
> > > > Verus Amicus Est Tamquam Alter Idem
> > >
> > > That sounds like a potentially bad thing - some cracks involve
> > > killing off logging so that the sysadmin can't see what
> the bad guy
> > > is doing. Are you sure your system isn't
> > compromised?
> > > --
> > > Thomas Cameron, RHCE, CNE, MCSE, MCT
> > > 512-241-0774 (office)
> > > 512-924-8592 (cell)
> > >
> > > --
> > > fedora-list mailing list
> > > fedora-list@xxxxxxxxxx
> > > To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
> > >
> >
> >
> > Cant think that it's being compromised (you never know, do
> > you), got it
> > upp and running same day.
> > If it is compromised, then there is a serious flaw within FEDORA.
> >
> > My thinking is that I've done something else. Syslogd is
> > running, so it
> > must be something else, question is what though.
> >
> >
> > With best regards
> >
> > Tomas Larsson
> > Sweden
> >
> > Verus Amicus Est Tamquam Alter Idem
> >
>
> When I do a "service syslog status", I'm getting the
> following response Translated to English,
>
> Syslogd is dead, but PID exists
> Klogd (pid 1512) is running
>
> On the console I'm getting "syslogd:0 /dev/console: permission denied"
>
> I'm starting to think that it might be selinux that has
> screwed something up.
>
> With best regards
>
> Tomas Larsson
> Sweden
>
> Verus Amicus Est Tamquam Alter Idem
>
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
