Bug 1823672

Summary: rsyslog "omfile" cannot append to custom file locations
Product: Red Hat Enterprise Linux 8 Reporter: Renaud Métrich <rmetrich>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: high    
Version: 8.1CC: lvrabec, mmalik, plautrba, ssekidde
Target Milestone: rcKeywords: Triaged
Target Release: 8.4Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Feature: A new logging_syslogd_append_public_content tunable was added to the policy to allow to search the parent directories of logfiles with customized path and to append to files labeled public_content_rw_t when logs are exported using http or ftp. Reason: When the rsyslogd service is set to use a logfile in an arbitrary path, the permission to search the logfile parent directories may not be allowed. To enable exporting of logs labeled public_content_rw_t using http or ftp, also the append permission to files with the public_content_rw_t type is needed. Result: After turning the logging_syslogd_append_public_content tunable on, the rsyslogd service is able to work with logfiles in an arbitrary path.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-18 14:57:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1894575    

Description Renaud Métrich 2020-04-14 08:32:50 UTC 
Description of problem:

When rsyslog is configured to write logs to a file in a non-standard place (e.g. /my/custom/log directory labeled "public_content_rw_t"), AVCs related to browsing the parent directories are seen *and* rsyslog is not functional:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
allow syslogd_t public_content_rw_t:dir search;
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

In the logs we can see a lot of Permission denies:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
error during config processing: omfile: creating parent directories for file  '/my/custom/log/file' failed: Permission denied [v8.37.0-13.el8 try http://www.rsyslog.com/e/2207 ]
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

See also BZ #1821725 on RHEL 7.


Version-Release number of selected component (if applicable):

rsyslog-8.37.0-13.el8.x86_64 & selinux-policy-3.14.3-20.el8.noarch


How reproducible:

ALWAYS

Steps to Reproduce:
1. Create a custom directory containing log files

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# mkdir -p /my/custom/log
# semanage fcontext -a -t public_content_rw_t "/my/custom(/.*)?"
# restorecon -Frv /my
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

2. Configure rsyslog to write logs to this location

/etc/rsyslog.conf:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
*.info;mail.none;authpriv.none;cron.none                /my/custom/log/file
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

3. Restart rsyslog

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# systemctl restart rsyslog

# ausearch -m avc -ts recent
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Actual results:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
#============= syslogd_t ==============
allow syslogd_t public_content_rw_t:dir search;
allow syslogd_t public_content_rw_t:file { append getattr ioctl open };
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Expected results:

Only AVC related to appending to the log file since rsyslog cannot append to public_content_rw_t file by default:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
allow syslogd_t public_content_rw_t:file { append getattr ioctl open };
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Additional info:

The example above was taken from a real customer case where the customer wants to export logs through http/ftp.
Of course, appending to the log file would require a dedicated rule, which is not covered here.

The failure happens due to rsyslog not being able to browse the parent directories up to the log file.
In most use cases, it is not sufficient to only add a rule for "public_content_rw_t:dir" but for any non security file type instead:

non_security_file_type:dir
Comment 3 Zdenek Pytela 2020-11-10 18:21:19 UTC 
Renaud,

This is the solution as agreed in our team:

There will be a boolean allowing syslogd_t append permissions to public_content_rw_t:file and search permissions to non_security_file_type:dir. This boolean will be off by default.

Is this acceptable?

I am also curious if alternative solutions were considered, e. g. using bind mounts were considered for this use case.
Comment 4 Renaud Métrich 2020-11-11 12:26:50 UTC 
Hi Zdenek,

I'm ok with the boolean to write to http public content.
For "searching non_security_file_type dirs", I think this should be available by default.

Using bind mounts is an alternative but it's too complicated / error prone:
indeed rsyslog doesn't depend on the network, so if we tell customers to bind mounts for that, we surely will have ordering cycles created, e.g. when bind mounting NFS file systems.
Comment 5 Zdenek Pytela 2020-11-11 16:28:16 UTC 
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/477

The search rule is conditionally allowed, too: syslogd_t is allowed to search on all base file types which can appear at the top directory level.
Comment 21 errata-xmlrpc 2021-05-18 14:57:37 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1639