Syslog-ng and pipes

SLES10 SP4
I try to setup syslog-ng-1.6.8-20.23.1 for sending messages through a pipe:
destination mail-alert { pipe("/var/tmp/mailpipe" group(root)
perm(0600)); };
This is supposed to be used for email alerts. The pipe is like:

ls -l /var/tmp/mailpipe

prw-rw-rw- 1 root root 0 2012-06-20 17:51 /var/tmp/mailpipe
But still I get the message:
Jun 20 18:23:04 test syslog-ng[31178]: Cannot open file
/var/tmp/mailpipe for writing (Permission denied)

As far as I understand syslog-ng it runs with UID 0. It also writes
happily to /dev/tty10 and /dev/xconsole which are set up in the SUSE
standard configuration for syslog. So what is the problem here?

Günther

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Anything interesting in /var/log/audit/* when this happens? Maybe
AppArmor is protecting your system from the evil service’s attempts to
access your pipe (that is AppArmor’s job, after all). Can you, as root,
write to the pipe? Are you doing something on the far side of that pipe
to pull data out as they are entered in? I’d expect something other
than permission denied if not (my testing indicates the same… a hung
process instead), but still may be worth testing for fun.

Good luck.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJP4f9iAAoJEF+XTK08PnB5G+MP/RmUtOa6KS0r+BCKLXowU/p4
KmpSqY69mRUEGtjVh3s/+wzL6gV/vjKlKreGktaHWb0zCgk7Wvp/KfyOubDyBA77
1a2ZkyqpASYTtan0YZ2hzYAwWeUPOR7qtU+kaPwUOMwvcuOoj/XpoOWnYtCF4SKa
hNBvbbPcYz82UDajBp9puu7PmlUUchDqsKWFFl3T4jt7xx5xPTC7QHvDqfUyMGDT
ZaS6TWIrAZwgk/ivCicaQvALo+mIoA06+TQWIzozYv68JV1C55tJkD4rq804BdvL
69v+pfRhSEGcfn8UQYIZdxs/Tc8NrG072OJV+s+Pmwt9wJ6lSFtHtmxsHGtlUjGQ
C8kxjicxgBDiv1yrUZNRff1oYuU4Eccf/Gz38LvO3XaFG/YzC7WsCRFLO98p/7NG
Lbr5kKUWAajcAhHBPIBL772HItsMmi2RHGgrvyIaxVXdQYb88EDKzoR8jI6W4Fmf
KT9ovIv2hHV2KgcdJ3+5ZGqlUtzegk+5buKWTc13nR3terxpNNT8f58TQY+mLx6W
lgJMzRuQ+XFlleHprEdFn88zNlnphwjaUGb1VKNll7xkUaO0CnDk89UrK+pPNhXp
nwBRe3DYmVqqOK8m26Wq+UBwFaxi3OzAjcgEKcFm23moyCy6osq0x56BLeK1mbsj
xXxlR7InfjkqhZBbu8Jl
=u6rG
-----END PGP SIGNATURE-----

ab wrote:
[color=blue]

Anything interesting in /var/log/audit/* when this happens? Maybe
AppArmor is protecting your system from the evil service’s attempts to
access your pipe (that is AppArmor’s job, after all).[/color]

Thanks for the hint to nanny software AppArmor. From the audit.log:

type=APPARMOR_DENIED msg=audit(1340209713.612:696): type=1503
operation=“setattr” requested_mask=“w” denied_mask=“w”
attribute=“uid,gid,ctime,” na
me="/var/tmp/mailpipe" pid=4357 profile="/sbin/syslog-ng"

With an additional entry “/var/tmp/mailpipe rw,” in
/etc/apparmor.d/sbin.syslog-ng it actually works after a restart of
apparmor. I did not have this on my personal list for debugging stuff as
AppArmor is configured for very processes only on a SUSE standard
installation. I should learn a bit more about it, though.

Günther

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thank-you for posting back your results. That was great information you
provided to help others with similar problems.

Good luck.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJP4w6dAAoJEF+XTK08PnB5Pq0QAKq/8sMalH6mXATW/2wdt+Vt
OROkmMcI2nbTDqx3oiIw5AWjSOaZrY6mUkII/v731hnZhpL6U+jYVDziUPhq33OR
Zf5yT9HN/+hPe4KRaZTjY5bpOlIi0+dpgTDmhh73wLUS1IaOr0TwLGBDzkdQrQDI
2TitCGId6xE9eri2VNsj9qgE4nPY2V/3oLV6KdILNRyXnrSngFba/NiaOPg1tyM8
ONhG/uOWU+OLT1gEh91WIkprtvO72nk577e66jMchwhHRJFVOd9SAMomBfWiIAzZ
MYc2lyyTNFQ6f/Psfb3aZ0erSztJXo2dHry9jP8j3mTn6KRKnwHeMVGAMZIyRTLr
l/x7ifPp6Xqf4MGjuOojBLLghwyav4t8ubh2Bwfim2+eOV9Nn/g1UvuGO9gjupIR
qeaNrYgXSf0ILka6bhTqcl8q9bFTBrm0p7gTdwZK2tDg3Gw1D10z0TbTyfmYAk+p
fu8RBP3jXl52xgoUbKkNkAPcQQNof/gOmR9hJuze6Q/Rf2p+trrSBFka/jrfKU6A
TQ+i2QYdH/pCD66B2oDhbXCK0rkxr9UB7fW/CkrQqgyEAtBqlaeJIOVv7olcePYv
jy2TPbxkyQ/fZu95ZzF/5jbnJFWAg2CN1ep9ii854Jba0cS7ahk9ac4L+SG5kjhY
QBC3pE4DrRDFpjZJrE+n
=46Ht
-----END PGP SIGNATURE-----