Bug 653473

Summary: AVC: denied { search } for pid=9429 comm="rsyslogd" name="spool"
Product: [Fedora] Fedora
Reporter: Ruben Kerkhof <ruben>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 13
CC: dwalsh, mgrepl
Keywords: Reopened
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2010-11-16 09:56:53 UTC

Description Ruben Kerkhof 2010-11-15 15:15:04 UTC
I use spool files to queue rsyslog messages when my syslog server is unreachable:

$WorkDirectory /var/spool/rsyslog
$ActionQueueFileName buffer # unique name prefix for spool files

Rsyslog tries to search /var/spool/rsyslog

type=AVC msg=audit(1289833491.152:21549): avc:  denied  { search } for  pid=9429 comm="rsyslogd" name="spool" dev=dm-4 ino=404 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1289833491.152:21549): arch=c000003e syscall=4 success=no exit=-2 a0=7fffa9cc0990 a1=7fffa9cc0900 a2=7fffa9cc0900 a3=fffffffa items=1 ppid=9428 pid=9429 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1679 comm="rsyslogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
type=CWD msg=audit(1289833491.152:21549):  cwd="/"
type=PATH msg=audit(1289833491.152:21549): item=0 name="/var/spool/rsyslog/buffer.qi"

Comment 1 Daniel Walsh 2010-11-15 15:48:02 UTC
This is a local customization; you need to add a custom policy:

# grep rsyslogd /var/log/audit/audit.log | audit2allow -M mysyslog
# semodule -i mysyslog.pp
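
The AVC record from the description, parsed to show which object was denied and what allow rule a tool such as audit2allow would derive from it. This is an added example, not code from the bug report or from audit2allow itself; the second sample record (getattr) is constructed to show how permissions are merged.

```python
import re
from collections import defaultdict

# First AVC line is the one from the bug description. The second (getattr)
# is constructed for illustration; the CWD line shows non-AVC records are skipped.
SAMPLE = '''\
type=AVC msg=audit(1289833491.152:21549): avc:  denied  { search } for  pid=9429 comm="rsyslogd" name="spool" dev=dm-4 ino=404 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1289833491.200:21550): avc:  denied  { getattr } for  pid=9429 comm="rsyslogd" name="spool" dev=dm-4 ino=404 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=CWD msg=audit(1289833491.152:21549):  cwd="/"
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    fields['perms'] = m.group(1).split()
    # An SELinux context is user:role:type[:level]; the type is the third field.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields

def allow_rules(text):
    """Collapse denials into one rule per (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec['stype'], rec['ttype'], rec['tclass'])
            grouped[key].update(rec['perms'])
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {body};')
    return rules

if __name__ == '__main__':
    for rule in allow_rules(SAMPLE):
        print(rule)
```

The derived rule is keyed on types, so it grants syslogd_t the permission on every directory labeled var_spool_t, not only on /var/spool.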

Comment 2 Ruben Kerkhof 2010-11-15 16:43:00 UTC
Hi Dan,

I'm just using documented configuration settings, in a default location from the rsyslog examples.
/var/spool/rsyslog is already labeled as var_log_t, so rsyslog has permissions to create the queues and everything, that's all working fine.

It's the { search } of /var/spool that's generating the AVC.
I'm not sure what the { search } permission does, and how much harm there is in allowing it? I guess it's something rsyslog shouldn't be doing.

Comment 3 Daniel Walsh 2010-11-15 17:03:41 UTC
You're right, my mistake.

Miroslav can you add


Comment 4 Miroslav Grepl 2010-11-16 09:56:53 UTC
Fixed in selinux-policy-3.9.9-1.fc15.noarch.