Bug 675032

Summary: new location for syslog-ng.ctl requires updated file_context
Product: [Fedora] Fedora
Reporter: Douglas E. Warner <silfreed>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED WORKSFORME
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 14
CC: dwalsh, mgrepl
Doc Type: Bug Fix
Last Closed: 2011-02-04 15:20:49 UTC

Description Douglas E. Warner 2011-02-03 23:57:22 UTC
Description of problem:
The syslog-ng.ctl file is moving from /var/run/ to /var/lib/syslog-ng/ to be alongside the syslog-ng.persist file.  Currently the file cannot be created due to the policy.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. install a recent syslog-ng (like 3.1.1 from here: http://www.silfreed.net/download/repo/packages/syslog-ng/)
2. service syslog-ng start
3. observe error messages in /var/log/messages and audit.log (below)
  
Additional info:
audit.log:
type=AVC msg=audit(1296776969.363:11853): avc:  denied  { setrlimit } for  pid=4780 comm="syslog-ng" scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:system_r:syslogd_t:s0 tclass=process
type=SYSCALL msg=audit(1296776969.363:11853): arch=c000003e syscall=160 success=no exit=-13 a0=7 a1=7fffb40dcfc0 a2=ffffffffffffffa8 a3=7fffb40dcd40 items=0 ppid=4779 pid=4780 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="syslog-ng" exe="/sbin/syslog-ng" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)

messages:
Feb  3 18:49:29 wash syslog-ng[4782]: Error opening control socket, bind() failed; socket='/var/lib/syslog-ng/syslog-ng.ctl', error='Permission denied (13)'

Comment 1 Miroslav Grepl 2011-02-04 08:37:34 UTC
What is your release of selinux-policy?

# rpm -q selinux-policy

# matchpathcon /var/lib/syslog-ng/syslog-ng.ctl
/var/lib/syslog-ng/syslog-ng.ctl	system_u:object_r:syslogd_var_lib_t:s0

# sesearch -A -s syslogd_t -t syslogd_t -c process -p setrlimit
Found 1 semantic av rules:
   allow syslogd_t syslogd_t : process { fork sigchld sigkill sigstop signull signal getsched setpgid setrlimit } ;
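
Added example, not part of the original thread or of any project's code: a small parser that turns an AVC record such as the one in the description into the sesearch query shown in Comment 1, so the loaded policy can be checked for each denied permission. The function names are illustrative, the sesearch flags are the ones used in the comment above, and the second sample record is constructed.

```python
import re
import shlex

# AVC record copied from the audit.log excerpt in the bug description.
SAMPLE_AVC = (
    'type=AVC msg=audit(1296776969.363:11853): avc:  denied  { setrlimit } for  '
    'pid=4780 comm="syslog-ng" scontext=unconfined_u:system_r:syslogd_t:s0 '
    'tcontext=unconfined_u:system_r:syslogd_t:s0 tclass=process'
)
# Constructed record (not from the bug) with two permissions and an MLS range.
CONSTRUCTED_AVC = (
    'type=AVC msg=audit(1.0:1): avc:  denied  { create write } for  pid=1 '
    'comm="syslog-ng" scontext=system_u:system_r:syslogd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    # Split at most three times: the MLS level can itself contain colons.
    parts = context.split(':', 3)
    if len(parts) < 3:
        raise ValueError('not an SELinux context: %r' % context)
    return parts[2]


def parse_avc(line):
    """Parse one audit line; return None for non-AVC records (e.g. SYSCALL)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    missing = {'scontext', 'tcontext', 'tclass'} - fields.keys()
    if missing:
        raise ValueError('AVC record lacks %s' % sorted(missing))
    return {'result': m.group(1), 'perms': m.group(2).split(),
            'source': selinux_type(fields['scontext']),
            'target': selinux_type(fields['tcontext']),
            'tclass': fields['tclass'], 'comm': fields.get('comm')}


def sesearch_queries(avc):
    """One allow-rule query per permission named in the record."""
    return [' '.join(shlex.quote(a) for a in
                     ('sesearch', '-A', '-s', avc['source'], '-t', avc['target'],
                      '-c', avc['tclass'], '-p', perm))
            for perm in avc['perms']]


if __name__ == '__main__':
    for record in (SAMPLE_AVC, CONSTRUCTED_AVC):
        print('\n'.join(sesearch_queries(parse_avc(record))))
```
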

Comment 2 Douglas E. Warner 2011-02-04 13:56:47 UTC
Apparently I'm running f13, not f14 (working on fixing that).

Regardless, your matchpathcon shows up for me:

# matchpathcon /var/lib/syslog-ng/syslog-ng.ctl
/var/lib/syslog-ng/syslog-ng.ctl	system_u:object_r:syslogd_var_lib_t:s0

# rpm -q selinux-policy
selinux-policy-3.7.19-76.fc13.noarch

The syslog-ng.ctl file is created at startup time for syslog-ng; could this be a problem w/ /var/lib/syslog-ng?

# matchpathcon /var/lib/syslog-ng/
/var/lib/syslog-ng	system_u:object_r:syslogd_var_lib_t:s0

^ this looks correct to me?

Maybe my syslog-ng daemon is running in the wrong context for some reason?

Comment 3 Daniel Walsh 2011-02-04 14:16:12 UTC
The problem is /var/lib/syslog-ng was created with the wrong context.  restorecon -R -v /var/lib/syslog-ng will fix the problem.

Is this directory listed in the content of the rpm spec file?  Did you create it by hand?  If the directory does not exist, does the init script create it?

Comment 4 Douglas E. Warner 2011-02-04 15:20:49 UTC
Since upgrading to F14 this problem has gone away.  I don't expect syslog > 3.0 to show up in F13 anyway, so I'll go ahead and close this bug.  Thanks for your help w/ learning some new selinux commands!

Comment 5 Douglas E. Warner 2011-02-04 15:22:42 UTC
Daniel,

I forgot to check the context before I ran restorecon (prior to upgrading to F14), but it also didn't change anything (assuming changes get printed when running w/ '-v').

The /var/lib/syslog-ng directory is owned by the syslog-ng package and the syslog-ng.ctl file is created at run-time.