Hi,
I moved my syslog to a different location, '/tmp/server.log'.
This was working all fine until I moved to SELinux in enforcing mode.
I have the file context as system_u:object_r:syslogd_runtime_t:s0
Now, the file is empty.
Strangely ...
lsof shows rsyslog is using this file:
rsyslogd 25561 root 4r CHR 1,9 0t0 18 /dev/urandom
rsyslogd 25561 root 5r REG 0,44 0 4026532059 /proc/kmsg
rsyslogd 25561 root 6u unix 0x00000000c5984619 0t0 136109 type=DGRAM (CONNECTED)
rsyslogd 25561 root 7w REG 0,35 8952 4873 /tmp/server.log
rsyslogd 25561 root 8w REG 0,35 8952 4873 /tmp/server.log
rsyslogd 25561 root 9w REG 0,35 8952 4873 /tmp/server.log
But the file says it is not being used by rsyslog:
$ sudo lsof /tmp/server.log
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
tail 24848 bcv 3r REG 0,35 39 37 /tmp/server.log
There are also no messages in the kernel which I can use to audit any access/deny issues for SELinux.
I have tried putting SELinux in permissive state and that too did not help.
Please could someone help? Or if there is a procedure to move the syslog file /var/log/syslog to a different location, I am happy to follow ...