Bug 996135

Summary: targeted policy prevents the use of a program destination for syslog-ng
Product: Fedora
Reporter: Bill Pemberton <wfp5p>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: unspecified
Version: 19
CC: dwalsh
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-3.12.1-71.fc19
Doc Type: Bug Fix
Last Closed: 2013-08-22 00:55:13 UTC
Type: Bug

Description Bill Pemberton 2013-08-12 13:35:26 UTC
Description of problem:

It appears that the targeted policy doesn't provide a way to use a program target with syslog-ng. The policy won't allow syslogd_t to run /bin/bash so it doesn't matter how the destination program is actually labeled.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.12.1-69
syslog-ng-3.4.1-1

How reproducible:
every time

Steps to Reproduce:
1. install syslog-ng and change the configuration file to use a program destination, for example in syslog-ng.conf:

destination d_auth { program("/usr/local/bin/foo.pl"); };

At this point, the target program can be pretty much anything, because we're going to get denied no matter what.

2. start syslog-ng

Actual results:

A denial such as
type=AVC msg=audit(1376057129.316:180564): avc:  denied  { execute } for  pid=19455 comm="syslog-ng" name="bash" dev="dm-0" ino=660608 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

Expected results:

The program should be run, or at least there should be some sort of correct label for the program to make it run, but it appears the targeted policy is denying it before it can even get that far.

Comment 1 Daniel Walsh 2013-08-13 22:34:57 UTC
If you run this in permissive mode, what other AVCs do you get?

Comment 2 Bill Pemberton 2013-08-14 13:07:34 UTC
With permissive, I get:

type=AVC msg=audit(1376485299.850:97310): avc:  denied  { execute } for  pid=522 comm="syslog-ng" name="bash" dev="dm-0" ino=660608 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1376485299.850:97310): avc:  denied  { execute_no_trans } for  pid=522 comm="syslog-ng" path="/usr/bin/bash" dev="dm-0" ino=660608 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1376485299.852:97311): avc:  denied  { execute } for  pid=522 comm="sh" name="foo.pl" dev="dm-0" ino=671398 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1376485299.852:97311): avc:  denied  { execute_no_trans } for  pid=522 comm="sh" path="/usr/local/bin/foo.pl" dev="dm-0" ino=671398 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1376485299.852:97311): avc:  denied  { execute } for  pid=522 comm="sh" name="perl" dev="dm-0" ino=662275 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file

Comment 3 Daniel Walsh 2013-08-14 14:54:59 UTC
d30eb6c37953c7543d3878256a285e735862866e fixes this in git; you can add a custom policy module for now.
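As an added illustration of the stopgap suggested in comment 3 (not code from the bug or from the selinux-policy project): the script below parses the permissive-mode AVC records from comment 2 and turns them into the allow rules a local type-enforcement module would need, the way `audit2allow -M` does. The module name `syslogng_program_dest` is a constructed placeholder.

```python
import re
from collections import defaultdict

# Constructed sample input: the five permissive-mode denials quoted in comment 2.
SAMPLE_AVCS = """\
type=AVC msg=audit(1376485299.850:97310): avc:  denied  { execute } for  pid=522 comm="syslog-ng" name="bash" dev="dm-0" ino=660608 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1376485299.850:97310): avc:  denied  { execute_no_trans } for  pid=522 comm="syslog-ng" path="/usr/bin/bash" dev="dm-0" ino=660608 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1376485299.852:97311): avc:  denied  { execute } for  pid=522 comm="sh" name="foo.pl" dev="dm-0" ino=671398 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1376485299.852:97311): avc:  denied  { execute_no_trans } for  pid=522 comm="sh" path="/usr/local/bin/foo.pl" dev="dm-0" ino=671398 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1376485299.852:97311): avc:  denied  { execute } for  pid=522 comm="sh" name="perl" dev="dm-0" ino=662275 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
"""

# One AVC record: the denied permission set in braces, then scontext/tcontext/tclass.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Type field of user:role:type[:range]; the MLS range may itself contain colons."""
    return ctx.split(":")[2]


def collect_rules(audit_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. SYSCALL or PATH records)
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules


def render_te_module(rules, name="syslogng_program_dest"):
    """Minimal .te module body: require block plus one allow rule per (src, tgt, class)."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    lines = [f"policy_module({name}, 1.0)", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        # execute_no_trans keeps the child in syslogd_t rather than transitioning domains
        lines.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"
```

The resulting rules let the whole syslogd_t domain execute shell_exec_t and bin_t files without a domain transition, which is exactly what the permissive-mode run did; that is why comment 3 frames it as a temporary measure until the updated policy lands.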

Comment 4 Fedora Update System 2013-08-20 08:28:31 UTC
selinux-policy-3.12.1-71.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-71.fc19

Comment 5 Fedora Update System 2013-08-21 00:17:21 UTC
Package selinux-policy-3.12.1-71.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-71.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15088/selinux-policy-3.12.1-71.fc19
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2013-08-22 00:55:13 UTC
selinux-policy-3.12.1-71.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.