syslog-ng does not have the right to call setcap/getcap but it should.

Initial error:
'''
root@lerya /home/feandil # run_init /etc/init.d/syslog-ng restart
Authenticating feandil.
Password:
 * Stopping syslog-ng ... [ ok ]
 * Checking your configfile (/etc/syslog-ng/syslog-ng.conf) ...
syslog-ng: Error setting capabilities, capability management disabled; error='Permission denied'
 [ ok ]
 * Starting syslog-ng ...
syslog-ng: Error setting capabilities, capability management disabled; error='Permission denied'
 [ ok ]
'''

[1960492.378440] type=1400 audit(1382271725.961:442895): avc: denied { setcap } for pid=20165 comm="syslog-ng" ipaddr=109.190.145.114 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=process

After giving it the setcap rights:
'''
root@lerya /home/feandil # run_init /etc/init.d/syslog-ng restart
Authenticating feandil.
Password:
 * Stopping syslog-ng ... [ ok ]
 * Checking your configfile (/etc/syslog-ng/syslog-ng.conf) ... [ ok ]
 * Starting syslog-ng ...
Error managing capability set, cap_set_proc returned an error;
Error managing capability set, cap_set_proc returned an error;
Error managing capability set, cap_set_proc returned an error;
Error managing capability set, cap_set_proc returned an error;
 [ ok ]
'''

The following avc appears 8 times:

[1960667.928447] type=1400 audit(1382271901.375:442901): avc: denied { getcap } for pid=20260 comm="syslog-ng" ipaddr=109.190.145.114 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=process

Adding getcap fixes the issue: 'allow syslogd_t self:process { setcap getcap };'
'''
root@lerya /home/feandil # run_init /etc/init.d/syslog-ng restart
Authenticating feandil.
Password:
 * Stopping syslog-ng ... [ ok ]
 * Checking your configfile (/etc/syslog-ng/syslog-ng.conf) ... [ ok ]
 * Starting syslog-ng ... [ ok ]
'''
Thanks, great report. Committed to repo, will be in rev4
r4 is in the tree
r4 is now stable in the tree
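Added example, not part of the original report or of the policy repository: the Python below derives the allow rule from the two AVC denials quoted in the report, collapsing repeated denials and writing `self` when the source and target types match. The function names are hypothetical and the sample lines are copied from the report.

```python
import re
from collections import defaultdict

# Sample input: the two denial lines from the report (the second one
# appeared 8 times there; duplicates collapse into one permission).
SAMPLE = """\
[1960492.378440] type=1400 audit(1382271725.961:442895): avc: denied { setcap } for pid=20165 comm="syslog-ng" ipaddr=109.190.145.114 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=process
[1960667.928447] type=1400 audit(1382271901.375:442901): avc: denied { getcap } for pid=20260 comm="syslog-ng" ipaddr=109.190.145.114 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=process
[1960667.928447] type=1400 audit(1382271901.375:442901): avc: denied { getcap } for pid=20260 comm="syslog-ng" ipaddr=109.190.145.114 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=process
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:range] context."""
    return context.split(":")[2]


def allow_rules(log_text):
    """Turn AVC denials into allow rules, one per (source, target, class)."""
    # dict-of-dicts keeps first-seen order of rules and permissions
    perms = defaultdict(dict)
    for m in AVC_RE.finditer(log_text):
        src, tgt = selinux_type(m["s"]), selinux_type(m["t"])
        if src == tgt:
            tgt = "self"  # a domain acting on its own process
        perms[(src, tgt, m["cls"])].update(dict.fromkeys(m["perms"].split()))
    rules = []
    for (src, tgt, cls), seen in perms.items():
        names = list(seen)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE):
        print(rule)
```

A generated rule still needs review before it goes into policy: here the two permissions are limited to the domain's own process, which matches what the report committed.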