AVCs "denied { read }" seen when rsyslog is configured to read logs from files using the "imfile" plugin

Solution Verified

Issue

  • When rsyslog is configured to process logs using the imfile module, AVCs are displayed

    type=SYSCALL msg=audit(TIMESTAMP:NN): [...] syscall=254 success=no exit=-13 [...] comm="in:imfile" exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
    type=AVC msg=audit(TIMESTAMP:NN): avc:  denied  { read } for  pid=RSYSLOG comm="in:imfile" name="www" [...] scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
    
  • imfile processing is still functional
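
To triage records like these in bulk, the following added example (not part of the Red Hat article) pairs each AVC record with the SYSCALL record of the same audit event and summarises what the `in:imfile` thread was denied. The sample records are constructed from the two lines above with made-up timestamp, serial and pid values, and the function names are this example's own.

```python
import re

# Constructed sample records modelled on the Issue section (ids and pids made up).
SAMPLE = '''\
type=SYSCALL msg=audit(1700000000.123:451): syscall=254 success=no exit=-13 pid=1234 comm="in:imfile" exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1700000000.123:451): avc:  denied  { read } for  pid=1234 comm="in:imfile" name="www" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.456:452): avc:  denied  { read } for  pid=999 comm="other" name="x" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'denied\s+\{([^}]*)\}')

def parse(text):
    """Return ({event id: SYSCALL fields}, [AVC fields, ...])."""
    syscalls, avcs = {}, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an audit record
        rtype, event = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        fields['event'] = event
        if rtype == 'SYSCALL':
            syscalls[event] = fields
        elif rtype == 'AVC':
            # Permissions sit inside "{ ... }"; empty list if this is not a denial.
            fields['perms'] = (PERMS.findall(line) or [''])[0].split()
            avcs.append(fields)
    return syscalls, avcs

def imfile_denials(text, comm='in:imfile'):
    """Summarise AVC denials raised by the given thread name (comm)."""
    syscalls, avcs = parse(text)
    out = []
    for avc in avcs:
        if avc.get('comm') != comm or not avc['perms']:
            continue
        sc = syscalls.get(avc['event'], {})  # SYSCALL record may be absent
        out.append({
            'event': avc['event'],
            'perms': avc['perms'],
            'source_type': avc['scontext'].split(':')[2],
            'target_type': avc['tcontext'].split(':')[2],
            'tclass': avc['tclass'],
            'name': avc.get('name'),
            'enforced': avc.get('permissive') == '0',
            'exit': int(sc['exit']) if 'exit' in sc else None,
        })
    return out
```

On the sample, the summary shows `syslogd_t` denied `read` on a `dir` labelled `httpd_sys_content_t`, with the paired syscall returning -13 (EACCES).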

Environment

  • Red Hat Enterprise Linux (RHEL) 7 and later
    • rsyslog
    • imfile
