Bug 700235
| Summary: | syslog-ng 3.1.x SElinux violations | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jose Pedro Oliveira <jose.p.oliveira.oss> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.0 | CC: | dwalsh, jrieden, mgrepl, mmalik |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-05-13 12:28:35 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Jose Pedro Oliveira
2011-04-27 20:44:50 UTC
Koji build: * syslog-ng-3.1.4-2.el6 http://koji.fedoraproject.org/koji/buildinfo?buildID=240607 Steps to reproduce the problem: 1) yum install --enablerepo=epel-testing syslog-ng 2) chkconfig rsyslog off; chkconfig syslog-ng on 3) service rsyslog stop; service syslog-ng start Since RHEL 6.1 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as exception or blocker. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. allow syslogd_t self:process setrlimit; issue is fixed in the latest RHEL6.1 policy which is available on http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/ but we are missing manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) Miroslav, (In reply to comment #4) > allow syslogd_t self:process setrlimit; > > issue is fixed in the latest RHEL6.1 policy which is available on > > http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/ * [RHEL6 #689431] selinux-policy >= 3.7.19-80.el6 * [RHEL5 #674452] selinux-policy >= 2.4.6-301.el5 > but we are missing > > manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) In order to avoid this (or these) SELinux violation(s) should we start shipping and installing a SELinux module? Or can we expect for the above rule to be added to the main selinux policies (RHEL5 and RHEL6 selinux-policy packages)? tia, jpo They should be added to the Main Policies. Miroslav can you back port the changes to RHEL5. Jose, could you try to test it with the latest RHEL6.1 policy. http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/ Miroslav, (In reply to comment #11) > Jose, > could you try to test it with the latest RHEL6.1 policy. > > http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/ No more SELinux violations with selinux-policy-3.7.19-93.el6. 1) Upgraded to the SELinux policy 3.7.19-93 RPMS (02-May-2011) * selinux-policy-3.7.19-93.el6.noarch * selinux-policy-targeted-3.7.19-93.el6.noarch 2) Restarted syslog-ng No new messages in the audit.log 3) Upgraded to syslog-ng-3.1.4-3.el6 (from epel-testing) No new messages in the audit.log 4) Also upgraded to syslog-ng 3.2.3 (local build RPMS) Also no new messages in the audit.log. Thanks for the policy update, jpo Great. Miroslav, Regarding the backport to RHEL5, should I open a new ticket against the RHEL5/selinux-policy component? /jpo (In reply to comment #14) > Miroslav, > > Regarding the backport to RHEL5, should I open a new ticket against the > RHEL5/selinux-policy component? > > /jpo Yes, please. Thank you. (In reply to comment #15) > (In reply to comment #14) > > Miroslav, > > > > Regarding the backport to RHEL5, should I open a new ticket against the > > RHEL5/selinux-policy component? > > > > /jpo > > Yes, please. Thank you. Miroslav, Done. RHEL 5 backport request in bug #704690. /jpo |