PDA

View Full Version : Syslog-ng and pipes



GŁnther Schwarz
20-Jun-2012, 17:34
SLES10 SP4
I try to setup syslog-ng-1.6.8-20.23.1 for sending messages through a pipe:
destination mail-alert { pipe("/var/tmp/mailpipe" group(root)
perm(0600)); };
This is supposed to be used for email alerts. The pipe is like:
# ls -l /var/tmp/mailpipe
prw-rw-rw- 1 root root 0 2012-06-20 17:51 /var/tmp/mailpipe
But still I get the message:
Jun 20 18:23:04 test syslog-ng[31178]: Cannot open file
/var/tmp/mailpipe for writing (Permission denied)

As far as I understand syslog-ng it runs with UID 0. It also writes
happily to /dev/tty10 and /dev/xconsole which are set up in the SUSE
standard configuration for syslog. So what is the problem here?

GŁnther

ab
20-Jun-2012, 17:50
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Anything interesting in /var/log/audit/* when this happens? Maybe
AppArmor is protecting your system from the evil service's attempts to
access your pipe (that is AppArmor's job, after all). Can you, as root,
write to the pipe? Are you doing something on the far side of that pipe
to pull data out as they are entered in? I'd expect something other
than permission denied if not (my testing indicates the same... a hung
process instead), but still may be worth testing for fun.

Good luck.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJP4f9iAAoJEF+XTK08PnB5G+MP/RmUtOa6KS0r+BCKLXowU/p4
KmpSqY69mRUEGtjVh3s/+wzL6gV/vjKlKreGktaHWb0zCgk7Wvp/KfyOubDyBA77
1a2ZkyqpASYTtan0YZ2hzYAwWeUPOR7qtU+kaPwUOMwvcuOoj/XpoOWnYtCF4SKa
hNBvbbPcYz82UDajBp9puu7PmlUUchDqsKWFFl3T4jt7xx5xPT C7QHvDqfUyMGDT
ZaS6TWIrAZwgk/ivCicaQvALo+mIoA06+TQWIzozYv68JV1C55tJkD4rq804BdvL
69v+pfRhSEGcfn8UQYIZdxs/Tc8NrG072OJV+s+Pmwt9wJ6lSFtHtmxsHGtlUjGQ
C8kxjicxgBDiv1yrUZNRff1oYuU4Eccf/Gz38LvO3XaFG/YzC7WsCRFLO98p/7NG
Lbr5kKUWAajcAhHBPIBL772HItsMmi2RHGgrvyIaxVXdQYb88E DKzoR8jI6W4Fmf
KT9ovIv2hHV2KgcdJ3+5ZGqlUtzegk+5buKWTc13nR3terxpNN T8f58TQY+mLx6W
lgJMzRuQ+XFlleHprEdFn88zNlnphwjaUGb1VKNll7xkUaO0Cn Dk89UrK+pPNhXp
nwBRe3DYmVqqOK8m26Wq+UBwFaxi3OzAjcgEKcFm23moyCy6os q0x56BLeK1mbsj
xXxlR7InfjkqhZBbu8Jl
=u6rG
-----END PGP SIGNATURE-----

GŁnther Schwarz
21-Jun-2012, 08:44
ab wrote:

> Anything interesting in /var/log/audit/* when this happens? Maybe
> AppArmor is protecting your system from the evil service's attempts to
> access your pipe (that is AppArmor's job, after all).

Thanks for the hint to nanny software AppArmor. From the audit.log:

type=APPARMOR_DENIED msg=audit(1340209713.612:696): type=1503
operation="setattr" requested_mask="w" denied_mask="w"
attribute="uid,gid,ctime," na
me="/var/tmp/mailpipe" pid=4357 profile="/sbin/syslog-ng"

With an additional entry "/var/tmp/mailpipe rw," in
/etc/apparmor.d/sbin.syslog-ng it actually works after a restart of
apparmor. I did not have this on my personal list for debugging stuff as
AppArmor is configured for very processes only on a SUSE standard
installation. I should learn a bit more about it, though.

GŁnther

ab
21-Jun-2012, 13:07
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thank-you for posting back your results. That was great information you
provided to help others with similar problems.

Good luck.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJP4w6dAAoJEF+XTK08PnB5Pq0QAKq/8sMalH6mXATW/2wdt+Vt
OROkmMcI2nbTDqx3oiIw5AWjSOaZrY6mUkII/v731hnZhpL6U+jYVDziUPhq33OR
Zf5yT9HN/+hPe4KRaZTjY5bpOlIi0+dpgTDmhh73wLUS1IaOr0TwLGBDzkd QrQDI
2TitCGId6xE9eri2VNsj9qgE4nPY2V/3oLV6KdILNRyXnrSngFba/NiaOPg1tyM8
ONhG/uOWU+OLT1gEh91WIkprtvO72nk577e66jMchwhHRJFVOd9SAMo mBfWiIAzZ
MYc2lyyTNFQ6f/Psfb3aZ0erSztJXo2dHry9jP8j3mTn6KRKnwHeMVGAMZIyRTLr
l/x7ifPp6Xqf4MGjuOojBLLghwyav4t8ubh2Bwfim2+eOV9Nn/g1UvuGO9gjupIR
qeaNrYgXSf0ILka6bhTqcl8q9bFTBrm0p7gTdwZK2tDg3Gw1D1 0z0TbTyfmYAk+p
fu8RBP3jXl52xgoUbKkNkAPcQQNof/gOmR9hJuze6Q/Rf2p+trrSBFka/jrfKU6A
TQ+i2QYdH/pCD66B2oDhbXCK0rkxr9UB7fW/CkrQqgyEAtBqlaeJIOVv7olcePYv
jy2TPbxkyQ/fZu95ZzF/5jbnJFWAg2CN1ep9ii854Jba0cS7ahk9ac4L+SG5kjhY
QBC3pE4DrRDFpjZJrE+n
=46Ht
-----END PGP SIGNATURE-----