Bug 430425
| Summary: | syslog-ng being blocked from write to var_t | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Karsten Wade <kwade> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 8 | CC: | silfreed |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2008-09-04 22:49:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Karsten Wade
2008-01-27 22:56:54 UTC
Are you sure you do not have a configuration problem? This AVC indicates that syslog-ng is trying to create a file/directory under /var. As opposed to under /var/log.

(In reply to comment #1)
> Are you sure you do not have a configuration problem?

This did occur to me, and I looked at the syslog-ng configuration for clues. I didn't tweak anything from the default package, although I did have to disable (and remove) the previous syslog mechanism when I did the upgrade. It is possible there is something odd there. The config file (/etc/syslog-ng/syslog-ng.conf) only refers to /var/log/$FOO paths.

> This AVC indicates that
> syslog-ng is trying to create a file/directory under /var. As opposed to under
> /var/log.

Agreed, it does seem to be doing that and for no reason I can discern. Is this actually a potential bug with syslog-ng? Or it just might be something that happens on upgrade v. a fresh install?

I set enforcing to Permissive and restarted syslog-ng, while running 'watch -d ls -l /var'. I saw that syslog-ng created (successfully this time) this file:

-rw------- 1 root root 41 2008-01-28 08:50 syslog-ng.persist

With the contents of:

SLP1affile_sd_curpos(/proc/kmsg)

The file seems to be written on service stop. What is interesting is stopping the service creates an AVC denial, but nothing is logged about the denial because the service is stopped (setroubleshoot issues an alert, though, and captures the same details.) Is this a file that holds persistence information for the logger between restarts? Anyway, not sure if this is an error (config?) for syslog-ng or something the policy should allow.

restorecon -R -v /var/log should fix this.

restorecon doesn't fix it. I just tried it again, doing a syslog-ng restart then restorecon then another syslog-ng restart; same error both times, except it was trying to write a file this time (see below). Policy version here is selinux-policy-3.0.8-84.fc8. I'll update to the latest (-89) and try it again. If it doesn't fix the behavior, I'll reopen this bug.

avc: denied { write } for comm=syslog-ng dev=dm-0 name=syslog-ng.persist pid=2018 scontext=system_u:system_r:syslogd_t:s0 tclass=file tcontext=unconfined_u:object_r:var_t:s0

Ok, I am not familiar with syslog-ng.persist, never seen it before. What directory is this in? We probably need a context for this file/directory.

It appears at /var/syslog-ng.persist. It's a binary file. Here is what it looked like when it was able to write, i.e., permissive mode:

-rw------- root root unconfined_u:object_r:var_t /var/syslog-ng.persist

/usr/bin/file /var/syslog-ng.persist
/var/syslog-ng.persist: writable, regular file, no read permission

The package is owned by 'silfreed' (Douglas Warner), who I just added to the Cc: to this bug. I don't know who knows what syslog-ng is needing to do with syslog-ng.persist, such as why it has to put the file in /var instead of e.g. /var/log.

This bug seems to be related/duplicate of bug#374051 for F-7. I was just getting started understanding what was going on here and trying to figure out how to write an selinux policy to fix it, but it seems you've found the real cause - the syslog-ng.persist file shouldn't be under /var. I plan on moving this to /var/state/syslog-ng/syslog-ng.persist. Would the current policies support this or would we still need to add a new context?

How about /var/lib/syslog-ng/syslog-ng.persist

Then we can label this directory syslog_var_lib_t

Okay; it looks like /var/state might be a directory that was used many releases ago and has been deprecated. /var/lib/syslog-ng sounds good to me; I'll update my specs shortly. Will this policy update go into F-7 when it's ready as well? Should I create a duplicate bug for F-7 for selinux-policy (and I would create an F-8 bug for syslog-ng to depend on this)?

I dropped the ball on this one. Fixed in selinux-policy-3.0.8-102.fc8

I tested this against 3.0.8, I seem to recall it had one more occurrence, then no more. Looks like that was 09 May, so I must have loaded policy, rebooted, but perhaps a relabel needed to be done. Haven't seen the error since then. Currently running selinux-policy-3.0.8-113.fc8 working fine. Closing as fixed, thanks.
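
An added example, not part of the original bug report: a small triage helper that parses AVC denials like the one quoted in this thread and flags the pattern the discussion converged on, a confined domain modifying an object that carries only a generic parent-directory type such as var_t. The generic-type list, the verdict strings and the function names are assumptions made for the example, and the second sample line is constructed.

```python
import re
from collections import defaultdict

# Generic parent-directory types (an assumed, non-exhaustive list for this example).
GENERIC_TYPES = {"var_t", "etc_t", "usr_t", "tmp_t", "default_t", "file_t"}
MODIFYING = {"write", "create", "append", "add_name", "unlink", "rename", "setattr"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":", 3)
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one AVC denial into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec["perms"] = set(m.group(1).split())
    rec["source_type"] = selinux_type(rec.get("scontext", ""))
    rec["target_type"] = selinux_type(rec.get("tcontext", ""))
    return rec

def triage(lines):
    """Group denials by (source, target, class); flag writes to generic types."""
    groups = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec:
            key = (rec["source_type"], rec["target_type"], rec.get("tclass"))
            groups[key]["perms"] |= rec["perms"]
            groups[key]["names"].add(rec.get("name", "?"))
    report = {}
    for key, g in groups.items():
        # Modifying a generically labelled object: wrong location or missing file context.
        generic = key[1] in GENERIC_TYPES and bool(g["perms"] & MODIFYING)
        verdict = "relocate-or-label" if generic else "review-policy"
        report[key] = (verdict, sorted(g["perms"]), sorted(g["names"]))
    return report

# First line is the denial quoted in this bug; the second is constructed.
SAMPLE = [
    "avc: denied { write } for comm=syslog-ng dev=dm-0 name=syslog-ng.persist pid=2018 "
    "scontext=system_u:system_r:syslogd_t:s0 tclass=file tcontext=unconfined_u:object_r:var_t:s0",
    'avc: denied { read } for comm="httpd" name="shadow" pid=4242 tclass=file '
    "scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0",
]
```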