Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

4 votes
3 answers
12114 views
SELinux - allowing rsyslog open/read access to some files
So I've got three files I need rsyslog to open in order to forward the entries to another server. SELinux is preventing this with the following error:

    type=AVC msg=audit(1371186588.768:1324460): avc: denied { open } for pid=3714 comm="rsyslogd" name="named.debug.log" dev=dm-0 ino=1180551 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:named_cache_t:s0 tclass=file
    type=SYSCALL msg=audit(1371186588.768:1324460): arch=c000003e syscall=2 success=no exit=-13 a0=7fb254001b30 a1=80100 a2=180 a3=2e67756265642e64 items=0 ppid=1 pid=3714 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7926 comm="rsyslogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)

Running this through audit2allow, I get the following:

    module rsysloglocal 1.0;

    require {
        type named_cache_t;
        type syslogd_t;
        class file { read write };
    }

    #============= syslogd_t ==============
    allow syslogd_t named_cache_t:file { read write };

Unfortunately, this doesn't work. I'm still getting the message above from SELinux. The files I need to watch with rsyslog are in `/var/named/data/log/`, which is why SELinux is referencing the `named_cache_t` thing (I think). Any thoughts?
Edit: `semodule -l` output:

Edit 2: I've also tried this using only read permissions (`allow syslogd_t named_cache_t:file read;`) rather than read / write. No dice.
MikeH (39 rep)
Jun 14, 2013, 05:14 AM • Last activity: Apr 25, 2025, 02:02 AM
0 votes
1 answer
153 views
How to react to a psad alert?
I am setting up a Linux home server and several guides recommend using psad to detect intrusion attempts. These guides explain in detail how to set up psad and receive alert emails when port scans are detected. However, they do not explain how to react to these alert emails. When a scan happens, what should I do? If there is something I should do manually, shouldn't it be automated? After all, the security of my server shouldn't depend on my ability to pay immediate attention to it. If that's the case, what's the point of alert emails?
303 (145 rep)
Apr 11, 2023, 09:06 AM • Last activity: Apr 11, 2023, 11:06 AM
1 vote
2 answers
3104 views
What is scanning udp ports 8610-8612 on Debian Buster?
I've got several computers with Debian Buster (Gnome) installed. Thanks to the `psad` tool I realized that all of them frequently (at least several times a day) scan UDP ports 8610-8612 in the local network. I wonder what is the purpose of this? What package or service does that? DuckDuckGoing didn't help and I have no idea how to get into this. I blocked outgoing connections on those ports on some of the computers using a firewall and didn't notice any malfunction of any part of the system. Below you can see a part of a psad alert e-mail:
    Danger level:  (out of 5)

        Scanned UDP ports: [8610-8612: 4 packets, Nmap: -sU]
           iptables chain: INPUT (prefix "[UFW BLOCK]"), 4 packets

There is something that may (or may not) be relevant: psad alerts show the IPv6 addresses of the source and target, while we generally use only IPv4 in the LAN.
Stanowczo (113 rep)
Jun 13, 2019, 07:45 AM • Last activity: Feb 2, 2020, 03:03 AM
0 votes
2 answers
2213 views
Turning off mailing in psad
The `psad` monitoring tool keeps on sending lots of mail to my localhost admin account. I use my Ubuntu server as a NAT router, and psad warned me to enable logging in iptables. After I did so, it started filling my mailbox with loads of messages. Within a few days the size of the mailbox has grown to 3.4 GB. How can I completely turn off mailing in psad?
nixnotwin (868 rep)
Jun 13, 2011, 02:27 PM • Last activity: Apr 5, 2019, 10:26 PM
1 vote
1 answer
136 views
What to make of system scans reported by psad
My system logs show that [`psad`](http://cipherdyne.org/psad/) detects scans like this every minute:

    psad: scan detected: 192.168.1.10 -> 192.168.1.1 udp: [53] udp pkts: 2 DL: 2

If the first address is mine, and the second address is my router, then this would be a scan coming from my computer, correct? Is this anything to worry about?
PROXY NINJA (497 rep)
Oct 12, 2012, 09:13 AM • Last activity: Aug 26, 2014, 01:53 PM
2 votes
1 answer
1015 views
psad: do not block access to HTTP
I want to block intruders via `psad`, but HTTP and HTTPS should not be blocked. For example, if someone is scanning my dedicated server via `nmap`, `psad` should block him for 2 hours, but he should still see the contents from my domain. I set `AUTO_BLOCK_TIMEOUT` to a value of 7200, so everyone scanning me is completely blocked for 2 hours. Woefully the attacker is also blocked from seeing my webpage, which is not my intention. Is there any possibility to set up a partial blockage via `psad`?
Mister natZONE (23 rep)
Aug 26, 2014, 01:27 PM • Last activity: Aug 26, 2014, 01:52 PM