Bug 1823669
| Summary: | rsyslog "imfile" module cannot read parent directories of the file to process | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Renaud Métrich <rmetrich> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 8.1 | CC: | lvrabec, mmalik, plautrba, ssekidde |
| Target Milestone: | rc | Keywords: | AutoVerified, Triaged |
| Target Release: | 8.5 | Flags: | pm-rhel:
mirror+
|
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.14.3-69.el8 | Doc Type: | Enhancement |
| Doc Text: |
Feature:
A new logging_syslogd_list_non_security_dirs tunable was added to the policy to allow
the rsyslogd service search and list all directories of input files with customized path.
Reason:
When the rsyslogd service is set to use an input file in an arbitrary path, the
permission to list a generic directory, required before opening the file, may not be allowed.
Result:
After turning the logging_syslogd_list_non_security_dirs tunable on,
the rsyslogd service is allowed to list all directories in the path with
SELinux types which are a part of the non_security_file_type attribute
and subsequently is able to use a files in an arbitrary path as an input file.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-11-09 19:42:28 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Jiri, In this bz and in bz#1823672, we have a request, based on a customer case, to support imfile/omfile in a custom path including those non-conforming to FHS. Could you share your expert opinion if this is considered a good practice and supported solution for rsyslog? The non_security_file_type attribute contains about 3000 domains, so from selinux point of view allowing this kind of access is very questionable. (In reply to Zdenek Pytela from comment #1) > Jiri, > > In this bz and in bz#1823672, we have a request, based on a customer case, > to support imfile/omfile in a custom path including those non-conforming to > FHS. > > Could you share your expert opinion if this is considered a good practice > and supported solution for rsyslog? > > The non_security_file_type attribute contains about 3000 domains, so from > selinux point of view allowing this kind of access is very questionable. It is definitely supported solution,as for being a good practice is debatable, and I would say up to each customer/user. From design POV both imfile and omfile modules have no restrictions and can operate on whole file-system tree. However they expect that if you configure them so you also take care about corresponding permissions. I would like to increase Priority/Severity because it may lead to rsyslogd dumping core and not being able to start.
Typical scenario is if "top directory" of imfile files is a symlink to a directory labeled with var_t:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# mkdir -p /var/my/place
# ln -s /var/my/place /var/log/myplace_symlink
# ls -Zd /var/my/place /var/log/myplace_symlink
lrwxrwxrwx. root root unconfined_u:object_r:var_log_t:s0 /var/log/myplace_symlink -> /var/my/place
drwxr-xr-x. root root unconfined_u:object_r:var_t:s0 /var/my/place
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
rsyslog imfile configuration (/etc/rsyslog.d/imfile.conf):
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
module(load="imfile" PollingInterval="10")
input(type="imfile"
file="/var/log/myplace_symlink/file.log"
tag="myplace_file"
severity="info"
facility="local5"
)
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Start rsyslog:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# systemctl restart rsyslog
# systemctl status rsyslog
[...]
Process: 5725 ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS (code=killed, signal=SEGV)
[...]
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Of course I'll file a BZ against rsyslog for hardening this.
See also rsyslog BZ #1843994 (RHEL 8) This bug has not been fully acknowledged by the subsystem to be resolved during the RHEL 8.4 development and testing phase, so it will be evaluated for inclusion into the next minor product update. If you still want to pursue this issue further, please attach information regarding severity of the bugzilla. Renaud, Is this request still valid? Given: - both the support cases were closed - they were open on RHEL 7 - rsyslog does not segfault any longer - the imfile module is reportedly still functional - the #c2 indicates valid configuration change, but permissions need to be taken care of SELinux permissions belong there too, they are a subject of user change. The biggest concern is that with the universal solution using the non_security_file_type attribute, rsyslog would be given access to 3000 types, which is quite a big number despite this access being concealed behind a boolean, and some of them are surprisingly sensitive. Tailored local policy, on the other hand, can give the access only to types which are required in the particular environment. Hi Zdenek, Yes this is still valid and needs to be addressed somehow. I understand that non_security_file_type attribute has tons of types, but do we have an alternate solution? We definitely cannot let the customer handle this on his own, unless we guide him step by step. Hence if we want to avoid the boolean, I see no other choice than having an official documentation about this (not a KCS). Needs backporting:
commit 3422c911479a75be4189407c4b1397e2443e424d
Author: Zdenek Pytela <zpytela>
Date: Wed May 26 21:46:32 2021 +0200
Introduce logging_syslogd_list_non_security_dirs tunable
In customized configurations with rsyslog using the imfile input
module to read files with a non-standard path, rsyslog since v8.24.0
requests reading all parent directories in the path of the logfile.
To enable reading all directories in the path with SELinux types
which are a part of the non_security_file_type attribute,
the ruleset is allowed conditionally after turning on the
logging_syslogd_list_non_security_dirs tunable which is off by default.
Resolves: rhbz#1823669
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:4420 |
Description of problem: The "imfile" functionality of rsyslog is widely used to centralize logs to a single place. When rsyslog is configured to read logs from a file ("imfile" module) and the file's parent directories are non-standard (e.g. /var/www/prod/host/logs/access_log), AVCs related to browsing the parent directories are seen but rsyslog is still functional: -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- allow syslogd_t httpd_sys_content_t:dir read; -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- See also BZ #1821725 on RHEL 7. Version-Release number of selected component (if applicable): rsyslog-8.37.0-13.el8.x86_64 & selinux-policy-3.14.3-20.el8.noarch How reproducible: ALWAYS Steps to Reproduce: 1. Configure rsyslog to read logs from a file /etc/rsyslog.conf: -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- module(load="imfile") input(type="imfile" File="/var/www/product/logs/access.log" Tag="product" Severity="info" Facility="local6") -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- 2. Create the directories -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- # mkdir -p /var/www/product/logs # restorecon -Frv /var/www -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- 3. Restart rsyslog -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- # systemctl restart rsyslog # ausearch -m avc -ts recent | audit2allow -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- Actual results: -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- #============= syslogd_t ============== allow syslogd_t httpd_sys_content_t:dir read; -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- Expected results: No AVC Additional info: In the example above, rsyslog is reading logs from a place for which the SELinux contexts are already known in the policy database (/var/www/XXX/logs). However in most use cases, non standard hierarchy is also used, hence it is not sufficient to only add a rule for "httpd_sys_content_t:dir" but for any non security file type instead: non_security_file_type:dir