Bug 2160380
| Summary: | new libcap-ng functionality in rsyslog can't be turned off, is totally undocumented, breaks stuff | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Jonathan Kamens <h1k6zn2m> |
| Component: | rsyslog | Assignee: | Attila Lakatos <alakatos> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | CentOS Stream | CC: | bstinson, dapospis, jwboyer, pascal.tempier, rsroka |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel:
mirror+
|
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-08-01 12:45:22 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Jonathan Kamens
2023-01-12 08:09:50 UTC
This was a security enhancement, so that's why there is no way to turn it off. I gave a second thought to the list of enabled capabilities and modified it. Could you try out the latest scratch-build and let me know if that helps your use case? Scratch-build: https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=1782475 >This was a security enhancement, so that's why there is no way to turn it off. SELinux is a security enhancement, and yet it can be disabled. Access permissions on my web server are a security enhancement, and yet I can turn them on or off as desired. File access permissions are a security enhancement, and yet if I want I can make all of my files and directories mode 0777. Maybe this is something that should be enabled by default—though not if the default configuration is going to break things!—but sysadmins should have the option of configuring more permissive behavior if they need it and understand the risks. That's true unless the permissions you're dropping are absolutely positively never going to be needed by rsyslog for anything, which clearly is not the case here. Perhaps you've fixed that with the changes you just made, but I can't know that for certain, since as I mentioned you haven't documented this change anywhere. >Could you try out the latest scratch-build and let me know if that helps your use case? >Scratch-build: https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=1782475 That is presumably a Red Hat internal Koji server and not accessible to me, at least not at that host name: $ host kojihub.stream.rdu.redhat.com Host kojihub.stream.rdu.redhat.com not found: 3(NXDOMAIN) Some progress on this is required. As noted above, I cannot test the test build you asked me to test because you sent a link to an internal Red Hat server. @alakatos Please see the issue i did open here : https://bugzilla.redhat.com/show_bug.cgi?id=2127404 This is actually a security regression as rsyslog somehow now needs more capabilities than before to work. I was dropping capabilities via docker in the previous version. Now in the last version, i need to first provide more capabilities so that rsyslog can then drop them, else it won't work. At least i hope it drops them, i didn't checked the new source code. My issue appears to have been fixed via the change committed to address Bug 2158659. Pity no one from Red Hat could be bothered to post a comment to that effect here. The problem has been fixed via https://bugzilla.redhat.com/show_bug.cgi?id=2158659. Closing it. |