Bug 754455

Summary: SELinux prevents rsyslog-5.8.6 from running
Product: Red Hat Enterprise Linux 6 Reporter: Brett Lentz <blentz>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.1CC: dwalsh, icon, jrieden, ksrot, mmalik, syeghiay
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 12:28:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Brett Lentz 2011-11-16 15:11:46 UTC 
Description of problem:

In order to fix issues around using TLS, I needed to upgrade my RHEL6.1 upgrade rsyslog from the version that RHEL6 ships (4.6.2) to version 5.8.6.

However, there's one permission missing that prevents rsyslog v5 from running with the current selinux policy.

Here's the policy module I'm currently using that corrects the problem:

module rsyslog5 1.0;

require {
	type syslogd_t;
	class process { setsched };
}

#============= syslogd_t ==============
allow syslogd_t self:process setsched;
Comment 3 Brett Lentz 2011-11-16 18:50:44 UTC 
rsyslog-5.8.6 is being used by the OpenShift team. We're upgrading beyond what is provided by RHEL 6 for reasons stated above.

However, I'd like to get this one line rule added to the base selinux-policy because it fixes our use case, and appears to be a low-risk addition to the policy.
Comment 4 Milos Malik 2011-11-16 18:59:22 UTC 
----
time->Wed Nov 16 19:57:09 2011
type=SYSCALL msg=audit(1321469829.042:165): arch=40000003 syscall=156 success=no exit=-13 a0=39ac a1=0 a2=b6e51d9c a3=b6e51b70 items=0 ppid=1 pid=14760 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="rsyslogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1321469829.042:165): avc:  denied  { setsched } for  pid=14760 comm="rsyslogd" scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:system_r:syslogd_t:s0 tclass=process
----
Comment 10 errata-xmlrpc 2012-06-20 12:28:57 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html
Comment 11 Miroslav Grepl 2012-06-29 07:23:20 UTC 
*** Bug 834316 has been marked as a duplicate of this bug. ***