Bug 704690
Summary:            syslog-ng 3.x SELinux violations
Product:            Red Hat Enterprise Linux 5
Component:          selinux-policy
Version:            5.6
Hardware:           All
OS:                 Linux
Status:             CLOSED ERRATA
Severity:           medium
Priority:           medium
Target Milestone:   rc
Target Release:     ---
Fixed In Version:   selinux-policy-2.4.6-313.el5
Doc Type:           Bug Fix
Reporter:           Jose Pedro Oliveira <jose.p.oliveira.oss>
Assignee:           Miroslav Grepl <mgrepl>
QA Contact:         Milos Malik <mmalik>
CC:                 dwalsh, jrieden, mmalik, mrunge
Bug Blocks:         718161 (view as bug list)
Last Closed:        2011-07-21 09:20:23 UTC
Description
Jose Pedro Oliveira
2011-05-14 03:16:10 UTC
Audit log entries with selinux-policy-2.4.6-304.el5
---------------------------------------------------
type=AVC msg=audit(1305371145.760:294): avc: denied { write } for pid=17853 comm="syslog-ng" name="syslog-ng" dev=sda1 ino=1540910 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1305371145.760:294): avc: denied { add_name } for pid=17853 comm="syslog-ng" name="syslog-ng.persist-" scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1305371145.760:294): avc: denied { create } for pid=17853 comm="syslog-ng" name="syslog-ng.persist-" scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1305371145.760:294): arch=40000003 syscall=5 success=yes exit=3 a0=9945bd8 a1=8242 a2=180 a3=8242 items=0 ppid=17852 pid=17853 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="syslog-ng" exe="/sbin/syslog-ng" subj=root:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1305371145.760:295): avc: denied { write } for pid=17853 comm="syslog-ng" path="/usr/com/syslog-ng/syslog-ng.persist-" dev=sda1 ino=1540979 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1305371145.760:295): arch=40000003 syscall=4 success=yes exit=1 a0=3 a1=bfeaf63b a2=1 a3=4000 items=0 ppid=17852 pid=17853 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="syslog-ng" exe="/sbin/syslog-ng" subj=root:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1305371145.760:296): avc: denied { remove_name } for pid=17853 comm="syslog-ng" name="syslog-ng.persist-" dev=sda1 ino=1540979 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1305371145.760:296): avc: denied { rename } for pid=17853 comm="syslog-ng" name="syslog-ng.persist-" dev=sda1 ino=1540979 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1305371145.760:296): avc: denied { unlink } for pid=17853 comm="syslog-ng" name="syslog-ng.persist" dev=sda1 ino=1540980 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1305371145.760:296): arch=40000003 syscall=38 success=yes exit=0 a0=9945bd8 a1=993ebc8 a2=a7c390 a3=1 items=0 ppid=17852 pid=17853 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="syslog-ng" exe="/sbin/syslog-ng" subj=root:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1305371145.780:297): avc: denied { getattr } for pid=17853 comm="syslog-ng" path="/usr/com/syslog-ng/syslog-ng.ctl" dev=sda1 ino=1540978 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1305371145.780:297): arch=40000003 syscall=195 success=yes exit=0 a0=993d62a a1=bfeaf5d0 a2=3b0ff4 a3=993d62a items=0 ppid=17852 pid=17853 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="syslog-ng" exe="/sbin/syslog-ng" subj=root:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1305371145.780:298): avc: denied { unlink } for pid=17853 comm="syslog-ng" name="syslog-ng.ctl" dev=sda1 ino=1540978 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1305371145.780:298): arch=40000003 syscall=10 success=yes exit=0 a0=993d62a a1=bfeaf5d0 a2=a7c390 a3=993d62a items=0 ppid=17852 pid=17853 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="syslog-ng" exe="/sbin/syslog-ng" subj=root:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1305371145.780:299): avc: denied { create } for pid=17853 comm="syslog-ng" name="syslog-ng.ctl" scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1305371145.780:299): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfeaf620 a2=a7c390 a3=993d618 items=0 ppid=17852 pid=17853 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="syslog-ng" exe="/sbin/syslog-ng" subj=root:system_r:syslogd_t:s0 key=(null)

---

/usr/com/syslog-ng/syslog-ng.persist-

is not a proper location to store this. It should either be in /var/run, /var/lib or /var/log.

---

(In reply to comment #2)
> /usr/com/syslog-ng/syslog-ng.persist-
>
> Is not a proper location to store this, It should either be in /var/run,
> /var/lib or /var/log

Dan,

Thanks for the catch. I tracked the problem down to the expansion of the rpm macro _sharedstatedir in the specfile:

* RHEL5
$ rpm --showrc | grep sharedstatedir
...
-14: _sharedstatedir %{_prefix}/com
...

* RHEL6
$ rpm --showrc | grep sharedstatedir
...
-14: _sharedstatedir /var/lib
...

With this problem corrected, the audit.log messages are now reduced to:
----------
type=AVC msg=audit(1305696492.659:190): avc: denied { getattr } for pid=4761 comm="syslog-ng" path="/var/lib/syslog-ng/syslog-ng.ctl" dev=sda1 ino=1867935 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:syslogd_var_lib_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1305696492.659:190): arch=40000003 syscall=195 success=yes exit=0 a0=835b62a a1=bfd45f10 a2=3b0ff4 a3=835b62a items=0 ppid=4760 pid=4761 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=23 comm="syslog-ng" exe="/sbin/syslog-ng" subj=root:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1305696492.659:191): avc: denied { unlink } for pid=4761 comm="syslog-ng" name="syslog-ng.ctl" dev=sda1 ino=1867935 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:syslogd_var_lib_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1305696492.659:191): arch=40000003 syscall=10 success=yes exit=0 a0=835b62a a1=bfd45f10 a2=b4d390 a3=835b62a items=0 ppid=4760 pid=4761 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=23 comm="syslog-ng" exe="/sbin/syslog-ng" subj=root:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1305696492.659:192): avc: denied { create } for pid=4761 comm="syslog-ng" name="syslog-ng.ctl" scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:syslogd_var_lib_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1305696492.659:192): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfd45f60 a2=b4d390 a3=835b618 items=0 ppid=4760 pid=4761 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=23 comm="syslog-ng" exe="/sbin/syslog-ng" subj=root:system_r:syslogd_t:s0 key=(null)
----------

Audit2allow translates these messages to

#============= syslogd_t ==============
allow syslogd_t syslogd_var_lib_t:sock_file { getattr unlink create };

/jpo

---

Which we fixed in RHEL6 and I will fix it in RHEL5.

---

Fixed in selinux-policy-2.4.6-306.el5

---

(In reply to comment #6)
> Fixed in selinux-policy-2.4.6-306.el5

Miroslav,

Are you planning to upload this release to http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/ so that I can test it?

tia,
jpo

---

Restarting syslog-ng no longer produces SELinux violations with

* selinux-policy-2.4.6-307.el5 downloaded from http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

/jpo

---

I have built my own syslog-ng-3.2.4-1 for RHEL-5.7 and an issue appeared:

# service syslog-ng start
syslog-ng: Error setting capabilities, capability management disabled; error='Permission denied'
Starting syslog-ng: syslog-ng: Error setting capabilities, capability management disabled; error='Permission denied'
                                                           [  OK  ]

# ausearch -m avc -ts recent
----
time->Fri Jun 17 05:48:27 2011
type=SYSCALL msg=audit(1308304107.710:993): arch=40000003 syscall=185 success=no exit=-13 a0=9b5de1c a1=9b5de24 a2=a29208 a3=9b5de1c items=0 ppid=13481 pid=13482 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=133 comm="syslog-ng" exe="/sbin/syslog-ng" subj=root:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1308304107.710:993): avc: denied { setcap } for pid=13482 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=process
----

# rpm -qa selinux-policy\*
selinux-policy-strict-2.4.6-312.el5
selinux-policy-targeted-2.4.6-312.el5
selinux-policy-mls-2.4.6-312.el5
selinux-policy-devel-2.4.6-312.el5
selinux-policy-2.4.6-312.el5
selinux-policy-minimum-2.4.6-312.el5

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
#

---

Did someone add drop_capability support to syslog-ng?

---

(In reply to comment #11)
> Did someone add drop_capability support to syslog-ng?

AFAIK we haven't been shipping syslog-ng for Fedora and for EPEL with linux capabilities support enabled [1] (but it's on my todo list).

Regards,
jpo

[1] - configure --enable-linux-caps

---

Added fix for F16/F15 bug. I guess we have to add this to all distros.
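The thread above shows two very different kinds of denial: the first batch is against usr_t (the state files were being written under /usr/com because of a specfile macro, so the right fix was to move them, not to allow the access), while the later batches (syslogd_var_lib_t sock_file, and the self:process setcap denial) are genuine policy gaps that audit2allow correctly turns into allow rules. The script below is an added example, not code from this bug or from the audit2allow tool: it re-implements the grouping audit2allow does (one allow rule per source type, target type and object class, permissions merged) over a constructed subset of the AVC records quoted in this bug, and additionally flags rules whose target is a generic file label. The GENERIC_TYPES list is an assumption for illustration, not an official list.

```python
"""Derive audit2allow-style rules from AVC denials and triage them.

Added example for bug 704690 (not the bug's own code, not audit2allow).
"""
import re
from collections import defaultdict

# Constructed sample: AVC/SYSCALL records trimmed from the ones quoted in
# this bug (one from each of the three denial batches in the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1305371145.760:294): avc: denied { write } for pid=17853 comm="syslog-ng" name="syslog-ng" dev=sda1 ino=1540910 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1305371145.760:294): avc: denied { add_name } for pid=17853 comm="syslog-ng" name="syslog-ng.persist-" scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1305371145.760:294): avc: denied { create } for pid=17853 comm="syslog-ng" name="syslog-ng.persist-" scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1305371145.760:294): arch=40000003 syscall=5 success=yes exit=3 comm="syslog-ng" exe="/sbin/syslog-ng" subj=root:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1305696492.659:190): avc: denied { getattr } for pid=4761 comm="syslog-ng" path="/var/lib/syslog-ng/syslog-ng.ctl" dev=sda1 ino=1867935 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:syslogd_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1305696492.659:191): avc: denied { unlink } for pid=4761 comm="syslog-ng" name="syslog-ng.ctl" dev=sda1 ino=1867935 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:syslogd_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1305696492.659:192): avc: denied { create } for pid=4761 comm="syslog-ng" name="syslog-ng.ctl" scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:syslogd_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1308304107.710:993): avc: denied { setcap } for pid=13482 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=process
"""

# Matches only AVC records; SYSCALL and other record types are skipped.
AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)'
)

# Assumption (illustrative, not an official list): a denial whose target
# carries one of these generic labels normally means the object lives in
# the wrong directory or is mislabeled, as with /usr/com in this bug; the
# fix is relocating/relabeling, not an allow rule.
GENERIC_TYPES = {"usr_t", "var_t", "var_lib_t", "var_run_t", "etc_t",
                 "tmp_t", "root_t", "default_t"}


def context_type(ctx):
    """Extract the type field from a user:role:type:level context."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) per AVC record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield (context_type(m.group("scontext")),
               context_type(m.group("tcontext")),
               m.group("tclass"),
               frozenset(m.group("perms").split()))


def aggregate(text):
    """Merge permissions per (source, target, class), as audit2allow does."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(text):
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def allow_rules(text):
    """Render the merged denials as policy 'allow' statements, sorted."""
    out = []
    for (stype, ttype, tclass), perms in sorted(aggregate(text).items()):
        target = "self" if ttype == stype else ttype
        out.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return out


def triage(text):
    """Split rule keys into policy-gap candidates and likely mislabeling."""
    keep, suspicious = [], []
    for key in sorted(aggregate(text)):
        (suspicious if key[1] in GENERIC_TYPES else keep).append(key)
    return keep, suspicious


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
    keep, suspicious = triage(SAMPLE_AUDIT_LOG)
    print("policy gaps:", keep)
    print("check labels/paths first:", suspicious)
```

On the sample, the usr_t dir/file rules come out under "check labels/paths first", matching the advice in comment #2, and the syslogd_var_lib_t and self:process setcap rules come out as the policy gaps that the errata actually fixed. Feeding real output from `ausearch -m avc` into parse_denials works the same way, since the regex keys only on the scontext/tcontext/tclass fields.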
---

For the record
--------------

The future syslog-ng 3.2.4 package for EPEL5 will be based on the one listed in ticket 714409:

* Bug 714409 - EPEL5: Update syslog-ng to version 3.2.4
  https://bugzilla.redhat.com/show_bug.cgi?id=714409

/jpo

---

(In reply to comment #13)
> Added fix for F16/F15 bug I guess we have to add this to all distros.

Good to hear. I'd like to ship a caps-enabled build for f15; I just submitted it into testing.

---

Does your build selinux-policy-3.9.16-31.fc15 include this fix here:
http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blobdiff;f=policy/modules/system/logging.te;h=41ee99764bf36806308e29a11a18af6286703be0;hp=70623cd60a63286a6bfe49263e2552785eb07013;hb=1321e624b6b4bdb7f9c09728c28ea2ceec68e0ab;hpb=302d59a6ab7dfcbefe59ef55d9d59f2a63584508
?

---

(In reply to comment #18)
> Does your build selinux-policy-3.9.16-31.fc15 include this fix here:
> http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blobdiff;f=policy/modules/system/logging.te;h=41ee99764bf36806308e29a11a18af6286703be0;hp=70623cd60a63286a6bfe49263e2552785eb07013;hb=1321e624b6b4bdb7f9c09728c28ea2ceec68e0ab;hpb=302d59a6ab7dfcbefe59ef55d9d59f2a63584508
>
> ?

Will fix in the next f15 release.

---

OK, thank you. I'll delay submitting syslog-ng until you have pushed a newer f15 release. How long will this take?

---

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html