This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 141064 - selinux-policy-targeted prevents syslog-ng from using /proc/kmsg
selinux-policy-targeted prevents syslog-ng from using /proc/kmsg
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
3
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-11-28 20:11 EST by Mike Tremaine
Modified: 2007-11-30 17:10 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-11-30 13:37:56 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Mike Tremaine 2004-11-28 20:11:21 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3)
Gecko/20040922

Description of problem:
I know syslog-ng is not supported but the targeted policy contains
lines  in syslogd.te that seems to permit this.

Basically if you try to replce syslog with syslog-ng under Fedcore
Core 3 with targeted policy syslog-ng will not be able to use /proc/kmsg

You get an error

<3>audit(1100920170.134:0): avc:  denied  { write } for  pid=2527
exe=/sbin/syslog-ng name=kmsg dev=proc ino=-268435446
scontext=root:system_r:syslogd_t
tcontext=system_u:object_r:proc_kmsg_t tclass=file

ASo use audit2allow and the policy source I was able to fix this with
these 2 lines..

cd /etc/selinux/targeted/src/policy/domains/misc/
echo "allow syslogd_t proc_kmsg_t:file write;" >> local.te
echo "allow syslogd_t self:capability sys_admin;" >> local.te

Once the policy is reloaded syslog-ng can start and get /proc/kmsg.

I'm sure there is a better fix but my selinux knowledge is very small
at this point.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.34 syslog-ng-1.6.5-6

How reproducible:
Always

Steps to Reproduce:
1.install Fedora Core 3 with selinux targeted policy
2.Install syslog-ng 
3.stop syslog start syslog-ng
    

Actual Results:  <3>audit(1100920170.134:0): avc:  denied  { write }
for  pid=2527 exe=/sbin/syslog-ng name=kmsg dev=proc ino=-268435446
scontext=root:system_r:syslogd_t
tcontext=system_u:object_r:proc_kmsg_t tclass=file

Expected Results:  syslog-ng starting

Additional info:
Comment 1 Daniel Walsh 2004-11-29 10:06:04 EST
If you change
allow syslogd_t self:capability sys_admin
to
dontaudit syslogd_t self:capability sys_admin

does syslog-ng still work?

Comment 2 Mike Tremaine 2004-11-29 11:48:12 EST
No...
Changed my line allow syslogd_t self:capability sys_admin in
/etc/selinux/src/policy/domains/misc/local.te
to dontaudit syslogd_t self:capability sys_admin

Issued "make reload" in policy. Then restarted syslog-ng

[root@supernova policy]# /etc/init.d/syslog-ng restart
Shutting down system logger:                               [  OK  ]
Starting system logger: Error opening file /proc/kmsg for reading
(Operation not permitted)
Error initializing configuration, exiting.
                                                           [FAILED]

Comment 3 Daniel Walsh 2004-11-30 13:37:56 EST
Ok since, this is not part of the distibution, you will need to keep
the later.te, file.  Giving an app sys_admin is considered dangerous
so I don't want to allow normal syslog that priv.

Dan
Comment 4 Peter Bieringer 2005-03-16 10:50:32 EST
According to

https://lists.balabit.hu/pipermail/syslog-ng/2005-March/007149.html

syslog-ng needs:

#To allow for /proc/kmsg
allow syslogd_t proc_kmsg_t:file write;
allow syslogd_t self:capability sys_admin;
allow syslogd_t self:capability chown;

I can understand the comment from Daniel, but where is the problem really 
located? Need syslog-ng a modification?
Comment 5 Daniel Walsh 2005-03-17 11:27:28 EST
OK I will add the rules but put them under a boolean.  use_syslogng?

It will default to false.

Dan
Comment 6 Peter Bieringer 2005-03-17 11:33:55 EST
That would be great. Please update the selinux-policy of RHEL4 also, because
this is my real target system (but found the bug here for FC3).
Comment 7 Daniel Walsh 2005-03-17 11:44:16 EST
Ok, but you will need to wait til U2.  Sorry.
(It will match the Fedora Core 3 Policy though.)

Dan
Comment 8 Peter Bieringer 2005-10-06 08:10:03 EDT
I can confirm the boolean use_syslogng works on RHEL4U2.
Comment 9 Peter Bieringer 2006-04-03 08:54:21 EDT
Can one please dig into, why it is not working on a RHEL4U3 system with a clean
policy?

System: RHEL4U3, using syslog-ng from today now, fresh installed from silfreed
repository

selinux-policy-targeted-1.17.30-2.126

In case of "use_syslogng=1" I get (like shown above):
audit(1144067990.205:2): avc:  denied  { write } for  pid=3559 comm="syslog-ng"
name="kmsg" dev=proc ino=-268435446 scontext=root:system_r:syslogd_t
tcontext=system_u:object_r:proc_kmsg_t tclass=file


In case of "use_syslogng=0" I get:
audit(1144068268.821:7): avc:  denied  { sys_admin } for  pid=3667
comm="syslog-ng" capability=21 scontext=root:system_r:syslogd_t
tcontext=root:system_r:syslogd_t tclass=capability
audit(1144068268.822:8): avc:  denied  { syslog_mod } for  pid=3667
comm="syslog-ng" scontext=root:system_r:syslogd_t
tcontext=user_u:system_r:unconfined_t tclass=system
audit(1144068268.822:9): avc:  denied  { read } for  pid=3667 comm="syslog-ng"
name="kmsg" dev=proc ino=-268435446 scontext=root:system_r:syslogd_t
tcontext=system_u:object_r:proc_kmsg_t tclass=file
audit(1144068279.222:10): avc:  denied  { write } for  pid=3753 comm="syslog-ng"
name="kmsg" dev=proc ino=-268435446 scontext=root:system_r:syslogd_t
tcontext=system_u:object_r:proc_kmsg_t tclass=file


# ls -Z `which syslog-ng`
-rwxr-xr-x  root     root     system_u:object_r:syslogd_exec_t /sbin/syslog-ng

That's very strange because on two other RHEL4U3 systems (running syslog-ng
longer, this problem didn't occur after policy update and remove of syslog-ng
related entries from local.te). I don't remember what I have changed in addition...

BTW: Relabling after reboot doesn't help either.





Comment 10 Daniel Walsh 2006-04-03 09:45:37 EDT
Did you try turning on the use_syslogng boolean?

setsebool -P use_syslogng=1
Comment 11 Peter Bieringer 2006-04-03 09:50:28 EDT
Yes, for sure, and I set it once again and restarted syslog-ng (in permissive
mode), same message.
Comment 12 Daniel Walsh 2006-04-03 11:02:00 EDT
In policy 126 the following lines exist.

if (use_syslogng) {
# Allow access to /proc/kmsg for syslog-ng
allow syslogd_t proc_t:dir search;
allow syslogd_t proc_kmsg_t:file { getattr read };
allow syslogd_t kernel_t:system { syslog_mod syslog_console };
allow syslogd_t self:capability { sys_admin chown fsetid };
allow syslogd_t var_log_t:dir { create setattr };
}

So you should not be getting any denials with the boolean turned on except the
proc_kmsg write.
Comment 13 Peter Bieringer 2006-04-03 11:18:28 EDT
Yes like written in https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=141064#c9
I get this message:

avc:  denied  { write } for  pid=3559 comm="syslog-ng"
name="kmsg" dev=proc ino=-268435446 scontext=root:system_r:syslogd_t
tcontext=system_u:object_r:proc_kmsg_t tclass=file

which prevents syslog-ng from starting:

# setenforce enforcing
# service syslog-ng restart
Shutting down system logger:                               [  OK  ]
Starting system logger: Error opening file /proc/kmsg for reading (Permission
denied)
Error initializing configuration, exiting.

# setenforce permissive
# service syslog-ng restart
Shutting down system logger:                               [FAILED]
Starting system logger:                                    [  OK  ]

                                                           [FAILED]

SELinux logs:

audit(1144077107.614:11): avc:  granted  { setenforce } for  pid=12641
comm="setenforce" scontext=root:system_r:unconfined_t
tcontext=system_u:object_r:security_t tclass=security
audit(1144077112.299:12): avc:  denied  { write } for  pid=12657
comm="syslog-ng" name="kmsg" dev=proc ino=-268435446
scontext=root:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file

audit(1144077136.460:13): avc:  granted  { setenforce } for  pid=12661
comm="setenforce" scontext=root:system_r:unconfined_t
tcontext=system_u:object_r:security_t tclass=security
audit(1144077141.169:14): avc:  denied  { write } for  pid=12675
comm="syslog-ng" name="kmsg" dev=proc ino=-268435446
scontext=root:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file


Hmm, why is syslog-ng telling me "Error opening file /proc/kmsg for reading
(Permission denied)" but actually want to open it for writing?

Trusting your information I digged further around:

1) starting syslog-ng in debug mode will work

2) cp /etc/rc.d/init.d/syslog-ng .

./syslog-ng restart
Shutting down system logger:                               [FAILED]
Starting system logger:                                    [  OK  ]

# /etc/rc.d/init.d/syslog-ng restart
Shutting down system logger:                               [  OK  ]
Starting system logger: Error opening file /proc/kmsg for reading (Permission
denied)
Error initializing configuration, exiting.
                                                           [FAILED]
Ooops.

# ls -Z /etc/rc.d/init.d/syslog*
-rwxr-xr-x  root     root     system_u:object_r:initrc_exec_t 
/etc/rc.d/init.d/syslog
-rwxr-xr-x  root     root     system_u:object_r:initrc_exec_t 
/etc/rc.d/init.d/syslog-ng

# ls -Z ./syslog-ng
-rwxr-xr-x  root     root     root:object_r:user_home_t        ./syslog-ng


Hmm.

Strace tells me:

open("/proc/kmsg", O_RDWR|O_NONBLOCK|O_NOCTTY|O_LARGEFILE) = 4

Must be something wrong with initrc_exec_t?

Comment 14 Peter Bieringer 2006-04-06 05:33:09 EDT
I finally found the reason for the problem during comparing 2 hosts step-by-step.

well working host reads /proc/kmesg via
 file("/proc/kmsg");
[like described in doc)

not well working host reads /proc/kmesg via:
 pipe ("/proc/kmsg" log_prefix("kernel: "))


Docs and examples (but not FAQ) of syslog-ng tells, that "file" is a proper way
for reading /proc/kmsg.

I changed the config on the non working host and all works fine now.


Note You need to log in before you can comment on or make changes to this bug.