Bug 689435 (systemdsyslog)
Summary: | SELinux is preventing /usr/libexec/postfix/pickup from 'sendto' accesses on the unix_dgram_socket /dev/log. | |
---|---|---|---
Product: | Fedora | Reporter: | Matěj Cepl <mcepl>
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl>
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 15 | CC: | acc-bugz-redhat, dwalsh, eblake, giles, jfrieben, jlayton, johannbg, loganjerry, lpoetter, marcet, mathieu-acct, mcepl, metherid, mgrepl, mschmidt, notting, pebolle, plautrba, robatino, samuel-rhbugs, theinric, vonbrand
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | x86_64 | |
OS: | Linux | |
Whiteboard: | setroubleshoot_trace_hash:153f24497827274e3d07ac81fa83143365443ed94834e267ada5832aee057f89 | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2011-05-17 15:54:44 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Description

Matěj Cepl, 2011-03-21 14:19:43 UTC

If systemd is impersonating syslog, it has to label the socket appropriately.

*** Bug 689410 has been marked as a duplicate of this bug. ***
*** Bug 689098 has been marked as a duplicate of this bug. ***
*** Bug 689097 has been marked as a duplicate of this bug. ***
*** Bug 689089 has been marked as a duplicate of this bug. ***
*** Bug 689255 has been marked as a duplicate of this bug. ***
*** Bug 689723 has been marked as a duplicate of this bug. ***

I am now seeing this while using F15:

```
#============= vpnc_t ==============
allow vpnc_t init_t:unix_dgram_socket sendto;

#============= staff_dbusd_t ==============
allow staff_dbusd_t init_t:unix_dgram_socket sendto;

#============= staff_sudo_t ==============
allow staff_sudo_t init_t:unix_dgram_socket sendto;
```

We have in the init_daemon_domain() interface:

```
tunable_policy(`init_systemd',`
	allow $1 init_t:unix_dgram_socket sendto;
')
```

Dan, looks like it is needed for all domains.

*** Bug 689720 has been marked as a duplicate of this bug. ***

No, systemd needs to set the socket label on the /dev/log socket to syslogd_t. It is not executing the correct impersonation code. I added a patch to systemd that allowed it to figure out the label to associate with a socket and then execute setsockcreatecon(CONTEXT) before binding to a socket. For some reason systemd is not calling this code on the /dev/log socket.

I meant as 'broken_symptoms' for now.

You could add this to logging_send_syslog_msg for now, but I really want to make sure systemd is working correctly and syslogd is working correctly. This should be a blocker. We should not have to allow every domain to communicate with the init system in order to allow this bug to remain.

We could try to label /lib/systemd/systemd-kmsg-syslogd as syslogd_exec_t.

*** Bug 689946 has been marked as a duplicate of this bug. ***
*** Bug 690250 has been marked as a duplicate of this bug. ***

So, the problem is probably like this: systemd at early boot creates /dev/log, and eventually spawns /lib/systemd/systemd-kmsg-syslogd for it during early boot. That is a tiny bridge that connects /dev/log to kmsg, so that we have proper logging for the first time during early boot. Later on, when rsyslog is about to get started, that bridge is terminated and the very same /dev/log is passed on to rsyslog. The effect of this is that both rsyslogd and systemd-kmsg-syslogd get the same /dev/log socket passed, which is labelled according to the policy for systemd-kmsg-syslogd since that is what we start first. Most likely the policy should just be updated to label rsyslogd and systemd-kmsg-syslogd the same way.

Reassigning to selinux.

Fixed in selinux-policy-3.9.16-6.fc15.
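The thread's key distinction is between a missing allow rule and a mislabelled socket. The following added example (not from the bug, systemd or selinux-policy) parses a few constructed AVC denial lines in the style of the summary, renders the audit2allow-style rules quoted above, and flags the pattern where several unrelated domains are denied `sendto` on /dev/log against a target type other than syslogd_t, which points at the socket label rather than at per-domain policy; the sample log lines and the threshold of two domains are assumptions.

```python
import re
from collections import defaultdict

# Constructed AVC denials in kernel audit format (sample data, not taken from the bug).
SAMPLE_AUDIT = """
type=AVC msg=audit(1300713583.101:42): avc:  denied  { sendto } for  pid=1234 comm="pickup" path="/dev/log" scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1300713584.202:43): avc:  denied  { sendto } for  pid=1235 comm="vpnc" path="/dev/log" scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1300713585.303:44): avc:  denied  { sendto } for  pid=1236 comm="sudo" path="/dev/log" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1300713586.404:45): avc:  denied  { read } for  pid=1237 comm="httpd" path="/var/www/secret" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

def parse_avc(line):
    """Parse one AVC denial into its fields, or return None for any other line."""
    m = re.search(r"avc:\s+denied\s+\{([^}]+)\}", line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {
        "perms": m.group(1).split(),
        "path": fields.get("path", "").strip('"'),
        "sdom": fields["scontext"].split(":")[2],   # source domain type
        "ttype": fields["tcontext"].split(":")[2],  # target type
        "tclass": fields["tclass"],
    }

def audit2allow(records):
    """Render one allow rule per denial, grouped by source domain as audit2allow prints them."""
    rules = defaultdict(set)
    for r in records:
        perms = r["perms"][0] if len(r["perms"]) == 1 else "{ " + " ".join(r["perms"]) + " }"
        rules[r["sdom"]].add(f"allow {r['sdom']} {r['ttype']}:{r['tclass']} {perms};")
    return {dom: sorted(rs) for dom, rs in rules.items()}

def mislabelled_log_socket(records, path="/dev/log", expected="syslogd_t", min_domains=2):
    """Source domains denied sendto on `path` whose target type is not the expected one.
    Several unrelated domains failing against the same wrong type (init_t here) is the
    signature of a mislabelled socket, so the fix is the label, not an allow rule per caller."""
    offenders = {r["sdom"] for r in records
                 if r["path"] == path and r["tclass"] == "unix_dgram_socket"
                 and "sendto" in r["perms"] and r["ttype"] != expected}
    return offenders if len(offenders) >= min_domains else set()

RECORDS = [r for r in map(parse_avc, SAMPLE_AUDIT.splitlines()) if r]

if __name__ == "__main__":
    for dom, rs in audit2allow(RECORDS).items():
        print(f"#============= {dom} ==============\n" + "\n".join(rs))
    print("suspect socket label for:", sorted(mislabelled_log_socket(RECORDS)))
```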