Hi, I moved my syslog to a different location, '/tmp/server.log'. This was working all fine until I moved to SELinux in enforcing mode.
I have the file context as system_u:object_r:syslogd_runtime_t:s0 now, the file is empty.

Strangely ... lsof shows rsyslog is using this file:

    rsyslogd 25561 root 4r CHR  1,9                0t0 18         /dev/urandom
    rsyslogd 25561 root 5r REG  0,44                 0 4026532059 /proc/kmsg
    rsyslogd 25561 root 6u unix 0x00000000c5984619 0t0 136109     type=DGRAM (CONNECTED)
    rsyslogd 25561 root 7w REG  0,35              8952 4873       /tmp/server.log
    rsyslogd 25561 root 8w REG  0,35              8952 4873       /tmp/server.log
    rsyslogd 25561 root 9w REG  0,35              8952 4873       /tmp/server.log

But the file says it is not being used by rsyslog:

    $ sudo lsof /tmp/server.log
    COMMAND PID   USER FD TYPE DEVICE SIZE/OFF NODE NAME
    tail    24848 bcv  3r REG  0,35   39       37   /tmp/server.log

There are also no messages in the kernel which I can use to audit any access/deny issues for SELinux. I have tried putting SELinux in permissive state and that too did not help.

Please could someone help? Or if there is a procedure to move the syslog file /var/log/syslog to a different location, I am happy to follow ...