Bug 674452

Summary: selinux blocks rsyslogd from opening more file descriptors
Product: Red Hat Enterprise Linux 5
Reporter: Jeff Bastian <jbastian>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 5.6
CC: dwalsh, mmalik
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-2.4.6-301.el5
Doc Type: Bug Fix
Clones: 689431
Last Closed: 2011-07-21 09:19:41 UTC
Bug Blocks: 689431

Description Jeff Bastian 2011-02-01 22:56:57 UTC
Description of problem:
If you configure rsyslogd to open more than the default number of file descriptors, the SELinux policy blocks it from calling setrlimit.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-300.el5
rsyslog-3.22.1-3.el5_5.1

How reproducible:
every time

Steps to Reproduce:
1. Edit /etc/rsyslog.conf and add the directive near the top
       $MaxOpenFiles 2100
2. service rsyslog start
3. tail /var/log/messages
  
Actual results:
Feb  1 16:55:29 scorpion setroubleshoot: SELinux is preventing rsyslogd (syslogd_t) "setrlimit" to <Unknown> (syslogd_t). For complete SELinux messages. run sealert -l 77fe5060-0357-470b-ace6-4c30f7c589ca

Expected results:
SELinux doesn't block rsyslogd from increasing the open file limit

Additional info:
Summary:

SELinux is preventing rsyslogd (syslogd_t) "setrlimit" to <Unknown> (syslogd_t).

Detailed Description:

SELinux denied access requested by rsyslogd. It is not expected that this access
is required by rsyslogd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                user_u:system_r:syslogd_t
Target Context                user_u:system_r:syslogd_t
Target Objects                None [ process ]
Source                        rsyslogd
Source Path                   /sbin/rsyslogd
Port                          <Unknown>
Host                          scorpion.localdomain
Source RPM Packages           rsyslog-3.22.1-3.el5_5.1
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-300.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     scorpion.localdomain
Platform                      Linux scorpion.localdomain 2.6.18-238.1.1.el5 #1
                              SMP Tue Jan 4 13:32:19 EST 2011 x86_64 x86_64
Alert Count                   5
First Seen                    Tue Feb  1 16:07:52 2011
Last Seen                     Tue Feb  1 16:55:29 2011
Local ID                      77fe5060-0357-470b-ace6-4c30f7c589ca
Line Numbers                  

Raw Audit Messages            

host=scorpion.localdomain type=AVC msg=audit(1296600929.907:363): avc:  denied  { setrlimit } for  pid=8643 comm="rsyslogd" scontext=user_u:system_r:syslogd_t:s0 tcontext=user_u:system_r:syslogd_t:s0 tclass=process

host=scorpion.localdomain type=SYSCALL msg=audit(1296600929.907:363): arch=c000003e syscall=160 success=no exit=-13 a0=7 a1=7ffffe700590 a2=30 a3=0 items=0 ppid=8642 pid=8643 auid=12257 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm="rsyslogd" exe="/sbin/rsyslogd" subj=user_u:system_r:syslogd_t:s0 key=(null)

Comment 1 Jeff Bastian 2011-02-01 22:59:19 UTC
This SELinux policy bug was hit while working on bug 674450

Comment 2 Miroslav Grepl 2011-02-02 08:35:59 UTC
I will add it. You can allow it for now using

# grep syslogd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Thanks.
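The following is an added example, not code from the bug report, from selinux-policy or from rsyslog. It triages the two raw audit records quoted in the description (embedded below as a constructed sample) and produces the same kind of rule that the `audit2allow -M mypol` workaround in the comment above would generate, so the rule can be read before `semodule -i` loads it. It pairs the AVC record with its SYSCALL record by audit serial, decodes the SYSCALL fields (arch c000003e is x86_64, syscall 160 there is setrlimit, exit -13 is -EACCES, and a0=7 is RLIMIT_NOFILE on Linux), and formats the TE rule; the syscall and rlimit tables are deliberately partial and assume x86_64 Linux.

```python
import errno
import re
from collections import defaultdict

# Constructed sample: the two raw audit records quoted in the bug report.
SAMPLE_AUDIT = """\
host=scorpion.localdomain type=AVC msg=audit(1296600929.907:363): avc:  denied  { setrlimit } for  pid=8643 comm="rsyslogd" scontext=user_u:system_r:syslogd_t:s0 tcontext=user_u:system_r:syslogd_t:s0 tclass=process
host=scorpion.localdomain type=SYSCALL msg=audit(1296600929.907:363): arch=c000003e syscall=160 success=no exit=-13 a0=7 a1=7ffffe700590 a2=30 a3=0 items=0 ppid=8642 pid=8643 auid=12257 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm="rsyslogd" exe="/sbin/rsyslogd" subj=user_u:system_r:syslogd_t:s0 key=(null)
"""

# Partial tables, limited to what this example needs (assumption: x86_64 Linux).
# arch=c000003e is AUDIT_ARCH_X86_64; syscall 160 there is setrlimit.
SYSCALL_NAMES = {"c000003e": {97: "getrlimit", 160: "setrlimit", 302: "prlimit64"}}
# setrlimit's first argument is the resource; on Linux RLIMIT_NOFILE is 7.
RLIMIT_NAMES = {7: "RLIMIT_NOFILE"}

AUDIT_HDR = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_VERDICT = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]*) \}")


def parse_record(line):
    """Turn one audit line into a dict of its fields; None if it is not an audit record."""
    hdr = AUDIT_HDR.search(line)
    if not hdr:
        return None
    rtype, ts, serial = hdr.groups()
    rec = {"type": rtype, "time": float(ts), "serial": int(serial)}
    body = line[hdr.end():]
    for key, value in KEY_VALUE.findall(body):
        rec[key] = value.strip('"')
    if rtype == "AVC":
        verdict = AVC_VERDICT.search(body)
        if verdict:
            rec["result"] = verdict.group(1)
            rec["perms"] = verdict.group(2).split()
    return rec


def type_of(context):
    """user:role:type[:level] -> type, e.g. syslogd_t."""
    return context.split(":")[2]


def allow_rule(src, tgt, tclass, perms):
    """The TE rule audit2allow would emit for this denial ('self' when src == tgt)."""
    target = "self" if src == tgt else tgt
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (src, target, tclass, perm_str)


def triage(audit_text):
    """Pair each denied AVC with its SYSCALL record (same serial) and summarise it."""
    by_serial = defaultdict(dict)
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec["serial"]][rec["type"]] = rec
    findings = []
    for serial, recs in sorted(by_serial.items()):
        avc = recs.get("AVC")
        if not avc or avc.get("result") != "denied":
            continue
        src, tgt = type_of(avc["scontext"]), type_of(avc["tcontext"])
        finding = {
            "serial": serial,
            "comm": avc.get("comm"),
            "source_type": src,
            "target_type": tgt,
            "tclass": avc["tclass"],
            "perms": avc["perms"],
            "rule": allow_rule(src, tgt, avc["tclass"], avc["perms"]),
        }
        sc = recs.get("SYSCALL")
        if sc:
            num = int(sc["syscall"])
            finding["exe"] = sc.get("exe")
            finding["syscall"] = SYSCALL_NAMES.get(sc["arch"], {}).get(num, "syscall_%d" % num)
            # exit is the raw return value; a negative number is -errno
            code = int(sc["exit"])
            finding["errno"] = errno.errorcode.get(-code) if code < 0 else None
            if finding["syscall"] == "setrlimit":
                # audit prints syscall arguments in hex
                finding["resource"] = RLIMIT_NAMES.get(int(sc["a0"], 16), sc["a0"])
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT):
        print("%s (%s) denied %s on %s:%s via %s(%s) -> %s" % (
            f["comm"], f["source_type"], " ".join(f["perms"]), f["target_type"],
            f["tclass"], f.get("syscall"), f.get("resource", ""), f.get("errno")))
        print("candidate rule for review:", f["rule"])
```

On the report's records this yields `allow syslogd_t self:process setrlimit;`: `$MaxOpenFiles 2100` makes rsyslogd raise RLIMIT_NOFILE with setrlimit(2), and SELinux mediates that call through the `process setrlimit` permission on the caller's own domain. Seeing that the source and target types are identical and the permission is a self permission on `process` is the check worth making before loading a generated module; a rule whose target were another domain or a file type would deserve a closer look. The local module is a stopgap until the fixed policy (selinux-policy-2.4.6-301.el5, per the comments below) is installed.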

Comment 4 Miroslav Grepl 2011-03-01 17:08:33 UTC
Fixed in selinux-policy-2.4.6-301.el5

Comment 7 errata-xmlrpc 2011-07-21 09:19:41 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html

Comment 8 errata-xmlrpc 2011-07-21 11:51:58 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html