Bug 391901

Description of problem:
Selinux doesn't allow rsyslog to run external application while using a shell
execute action (for info about this type of rule see rsyslog.conf(5) manpage).

Version-Release number of selected component (if applicable):
rsyslog-1.19.6-3.fc8

How reproducible:
add rule containing program execution to rsyslog.conf, restart rsyslogd and log
something which matches the rule


Steps to Reproduce:
0. $ su -
1. # echo '$template bla_logged,"%timegenerated% the b_l_a was
logged"'>>/etc/rsyslog.conf
2. # echo ':msg, contains, "bla"    ^logger;bla_logged' >> /etc/rsyslog.conf
3. # service rsyslog restart
4. # logger blanket
5. # tail /var/log/messages
  
Actual results:
Selinux Troubleshooter appears. If enforcing mode is off, the last rows in the
messages file are
Nov 20 11:39:50 dhcp-lab-131 msamia: blanket
Nov 20 11:39:50 dhcp-lab-131 logger: Nov 20 11:39:50 the b_l_a was logged
Nov 20 11:39:52 dhcp-lab-131 setroubleshoot: #012    SELinux is preventing
rsyslogd (syslogd_t) "search" to <Unknown> (bin_t).#012     For complete SELinux
messages. run sealert -l 1c97093d-e18d-409e-b930-d33b5ac0a5c3

If enforcing mode is on, last messages are
Nov 20 11:39:50 dhcp-lab-131 msamia: blanket
Nov 20 11:39:52 dhcp-lab-131 setroubleshoot: #012    SELinux is preventing
rsyslogd (syslogd_t) "search" to <Unknown> (bin_t).#012     For complete SELinux
messages. run sealert -l 1c97093d-e18d-409e-b930-d33b5ac0a5c3

Expected results:
no selinux troubleshooter appearing and /var/log/messages containing
Nov 20 11:39:50 dhcp-lab-131 msamia: blanket
Nov 20 11:39:50 dhcp-lab-131 logger: Nov 20 11:39:50 the b_l_a was logged

Additional info:
Summary
    SELinux is preventing rsyslogd (syslogd_t) "search" to <Unknown> (bin_t).

Detailed Description
    SELinux denied access requested by rsyslogd. It is not expected that this
    access is required by rsyslogd and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:syslogd_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                None [ dir ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.0.8-53.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     dhcp-lab-131.englab.brq.redhat.com
Platform                      Linux dhcp-lab-131.englab.brq.redhat.com
                              2.6.23.1-49.fc8 #1 SMP Thu Nov 8 22:14:09 EST 2007
                              x86_64 x86_64
Alert Count                   6
First Seen                    Tue 20 Nov 2007 10:16:41 AM CET
Last Seen                     Tue 20 Nov 2007 11:39:50 AM CET
Local ID                      1c97093d-e18d-409e-b930-d33b5ac0a5c3
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm=rsyslogd dev=dm-0 name=sbin pid=22379
scontext=system_u:system_r:syslogd_t:s0 tclass=dir
tcontext=system_u:object_r:bin_t:s0