From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040922

Description of problem:
I know syslog-ng is not supported, but the targeted policy contains lines in syslogd.te that seem to permit this. Basically, if you try to replace syslog with syslog-ng under Fedora Core 3 with the targeted policy, syslog-ng will not be able to use /proc/kmsg. You get an error:

  <3>audit(1100920170.134:0): avc: denied { write } for pid=2527 exe=/sbin/syslog-ng name=kmsg dev=proc ino=-268435446 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file

So, using audit2allow and the policy source, I was able to fix this with these 2 lines:

  cd /etc/selinux/targeted/src/policy/domains/misc/
  echo "allow syslogd_t proc_kmsg_t:file write;" >> local.te
  echo "allow syslogd_t self:capability sys_admin;" >> local.te

Once the policy is reloaded, syslog-ng can start and get /proc/kmsg. I'm sure there is a better fix, but my SELinux knowledge is very small at this point.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.34
syslog-ng-1.6.5-6

How reproducible:
Always

Steps to Reproduce:
1. Install Fedora Core 3 with the SELinux targeted policy
2. Install syslog-ng
3. Stop syslog, start syslog-ng

Actual Results:
  <3>audit(1100920170.134:0): avc: denied { write } for pid=2527 exe=/sbin/syslog-ng name=kmsg dev=proc ino=-268435446 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file

Expected Results:
syslog-ng starting

Additional info:
If you change allow syslogd_t self:capability sys_admin to dontaudit syslogd_t self:capability sys_admin does syslog-ng still work?
No... Changed my line "allow syslogd_t self:capability sys_admin" in /etc/selinux/src/policy/domains/misc/local.te to "dontaudit syslogd_t self:capability sys_admin". Issued "make reload" in policy. Then restarted syslog-ng:

  [root@supernova policy]# /etc/init.d/syslog-ng restart
  Shutting down system logger: [ OK ]
  Starting system logger: Error opening file /proc/kmsg for reading (Operation not permitted)
  Error initializing configuration, exiting.
  [FAILED]
OK, since this is not part of the distribution, you will need to keep the local.te file. Giving an app sys_admin is considered dangerous, so I don't want to allow normal syslog that priv. Dan
According to https://lists.balabit.hu/pipermail/syslog-ng/2005-March/007149.html syslog-ng needs:

  # To allow for /proc/kmsg
  allow syslogd_t proc_kmsg_t:file write;
  allow syslogd_t self:capability sys_admin;
  allow syslogd_t self:capability chown;

I can understand the comment from Daniel, but where is the problem really located? Does syslog-ng need a modification?
OK, I will add the rules but put them under a boolean. use_syslogng? It will default to false. Dan
That would be great. Please update the selinux-policy of RHEL4 also, because this is my real target system (but found the bug here for FC3).
OK, but you will need to wait until U2. Sorry. (It will match the Fedora Core 3 policy though.) Dan
I can confirm the boolean use_syslogng works on RHEL4U2.
Can someone please dig into why it is not working on a RHEL4U3 system with a clean policy?

System: RHEL4U3, using syslog-ng from today, freshly installed from the silfreed repository
selinux-policy-targeted-1.17.30-2.126

In case of "use_syslogng=1" I get (like shown above):

  audit(1144067990.205:2): avc: denied { write } for pid=3559 comm="syslog-ng" name="kmsg" dev=proc ino=-268435446 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file

In case of "use_syslogng=0" I get:

  audit(1144068268.821:7): avc: denied { sys_admin } for pid=3667 comm="syslog-ng" capability=21 scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t tclass=capability
  audit(1144068268.822:8): avc: denied { syslog_mod } for pid=3667 comm="syslog-ng" scontext=root:system_r:syslogd_t tcontext=user_u:system_r:unconfined_t tclass=system
  audit(1144068268.822:9): avc: denied { read } for pid=3667 comm="syslog-ng" name="kmsg" dev=proc ino=-268435446 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file
  audit(1144068279.222:10): avc: denied { write } for pid=3753 comm="syslog-ng" name="kmsg" dev=proc ino=-268435446 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file

  # ls -Z `which syslog-ng`
  -rwxr-xr-x root root system_u:object_r:syslogd_exec_t /sbin/syslog-ng

That's very strange, because on two other RHEL4U3 systems (running syslog-ng longer) this problem didn't occur after the policy update and the removal of the syslog-ng related entries from local.te. I don't remember what I have changed in addition... BTW: Relabeling after reboot doesn't help either.
Did you try turning on the use_syslogng boolean?

  setsebool -P use_syslogng=1
Yes, for sure, and I set it once again and restarted syslog-ng (in permissive mode), same message.
In policy 126 the following lines exist:

  if (use_syslogng) {
  # Allow access to /proc/kmsg for syslog-ng
  allow syslogd_t proc_t:dir search;
  allow syslogd_t proc_kmsg_t:file { getattr read };
  allow syslogd_t kernel_t:system { syslog_mod syslog_console };
  allow syslogd_t self:capability { sys_admin chown fsetid };
  allow syslogd_t var_log_t:dir { create setattr };
  }

So you should not be getting any denials with the boolean turned on except the proc_kmsg write.
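The thread's working method is audit2allow over the AVC lines followed by a look at which rules the use_syslogng block already grants. The script below is an added example, not part of the bug report and not a Fedora or syslog-ng tool: it derives the candidate allow rule from each "avc: denied" line (source and target type are the third field of the contexts; a target equal to the source becomes "self", as in the capability rules), then prints only the rules the policy block quoted above does not cover. The policy block is copied from the comment above; the sample log is constructed from two denials quoted in this thread plus one made-up getattr/read denial and one "granted" line that must be ignored.

```shell
#!/bin/sh
# Added example, not part of the bug report: turn AVC denial lines into the
# candidate allow rules audit2allow would propose, then report which of those
# rules the use_syslogng block quoted above does not already grant.

# The rule block from the thread's policy 126 (use_syslogng enabled).
POLICY_RULES='allow syslogd_t proc_t:dir search;
allow syslogd_t proc_kmsg_t:file { getattr read };
allow syslogd_t kernel_t:system { syslog_mod syslog_console };
allow syslogd_t self:capability { sys_admin chown fsetid };
allow syslogd_t var_log_t:dir { create setattr };'

# Constructed sample log: two denials quoted in the thread plus one made-up
# getattr/read denial on /proc/kmsg, and one "granted" line that must be ignored.
SAMPLE_LOG='audit(1100920170.134:0): avc: denied { write } for pid=2527 exe=/sbin/syslog-ng name=kmsg dev=proc ino=-268435446 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file
audit(1144068268.821:7): avc: denied { sys_admin } for pid=3667 comm="syslog-ng" capability=21 scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t tclass=capability
audit(1144077107.614:11): avc: granted { setenforce } for pid=12641 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
audit(1144068268.900:9): avc: denied { getattr read } for pid=3667 comm="syslog-ng" name="kmsg" dev=proc ino=-268435446 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file'

# avc_to_rule LINE -> "allow <stype> <ttype>:<class> <perms>;" (empty if not a denial).
# Source and target types are the third field of the contexts; a target
# equal to the source becomes "self", as in the capability rules above.
avc_to_rule() {
    printf '%s\n' "$1" | awk '
    /avc: +denied/ {
        s = index($0, "{"); e = index($0, "}")
        n = split(substr($0, s + 1, e - s - 1), p, " ")
        perms = p[1]
        for (i = 2; i <= n; i++) perms = perms " " p[i]
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") != 2) continue
            if (kv[1] == "scontext") src = kv[2]
            else if (kv[1] == "tcontext") tgt = kv[2]
            else if (kv[1] == "tclass") cls = kv[2]
        }
        split(src, sf, ":"); split(tgt, tf, ":")
        ttype = (tf[3] == sf[3]) ? "self" : tf[3]
        if (n > 1) perms = "{ " perms " }"
        printf "allow %s %s:%s %s;\n", sf[3], ttype, cls, perms
    }'
}

# granted STYPE TTYPE CLASS PERM -> exit 0 if a rule in $POLICY_RULES allows it.
granted() {
    printf '%s\n' "$POLICY_RULES" | awk -v st="$1" -v tt="$2" -v cl="$3" -v pm="$4" '
    /^allow / {
        line = $0; sub(/;.*/, "", line)
        split(line, f, " "); split(f[3], tc, ":")
        if (f[2] != st || tc[1] != tt || tc[2] != cl) next
        sub(/^allow +[^ ]+ +[^ ]+ +/, "", line); gsub(/[{}]/, "", line)
        n = split(line, ps, " ")
        for (i = 1; i <= n; i++) if (ps[i] == pm) { found = 1; exit }
    }
    END { exit (found ? 0 : 1) }'
}

# uncovered_denials: read AVC lines on stdin, print one allow rule per
# permission that the policy block does not grant.
uncovered_denials() {
    while IFS= read -r line; do
        rule=$(avc_to_rule "$line")
        [ -n "$rule" ] || continue
        # Split "allow S T:C P1 P2" into words after dropping braces and ';'.
        set -- $(printf '%s' "$rule" | tr -d '{};')
        st=$2; tt=${3%%:*}; cl=${3#*:}; shift 3
        for pm in "$@"; do
            granted "$st" "$tt" "$cl" "$pm" ||
                printf 'allow %s %s:%s %s;\n' "$st" "$tt" "$cl" "$pm"
        done
    done
}

# Demo: with the boolean's rules loaded, only the write on /proc/kmsg is left.
printf '%s\n' "$SAMPLE_LOG" | uncovered_denials
```

Run on the sample, the only uncovered rule is "allow syslogd_t proc_kmsg_t:file write;", which is exactly the denial the comment above says to expect with the boolean on. Printing the leftover as a rule is a diagnostic aid, not a recommendation to add it: a write on /proc/kmsg is not something a log daemon should need, and the rest of the thread traces it to the syslog-ng configuration rather than to the policy.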
Yes, like written in https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=141064#c9 I get this message:

  avc: denied { write } for pid=3559 comm="syslog-ng" name="kmsg" dev=proc ino=-268435446 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file

which prevents syslog-ng from starting:

  # setenforce enforcing
  # service syslog-ng restart
  Shutting down system logger: [ OK ]
  Starting system logger: Error opening file /proc/kmsg for reading (Permission denied)
  Error initializing configuration, exiting.
  # setenforce permissive
  # service syslog-ng restart
  Shutting down system logger: [FAILED]
  Starting system logger: [ OK ]
  [FAILED]

SELinux logs:

  audit(1144077107.614:11): avc: granted { setenforce } for pid=12641 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
  audit(1144077112.299:12): avc: denied { write } for pid=12657 comm="syslog-ng" name="kmsg" dev=proc ino=-268435446 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file
  audit(1144077136.460:13): avc: granted { setenforce } for pid=12661 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
  audit(1144077141.169:14): avc: denied { write } for pid=12675 comm="syslog-ng" name="kmsg" dev=proc ino=-268435446 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file

Hmm, why is syslog-ng telling me "Error opening file /proc/kmsg for reading (Permission denied)" but actually wants to open it for writing?

Trusting your information, I dug further around:

1) Starting syslog-ng in debug mode will work.

2) cp /etc/rc.d/init.d/syslog-ng .
   ./syslog-ng restart
   Shutting down system logger: [FAILED]
   Starting system logger: [ OK ]

   # /etc/rc.d/init.d/syslog-ng restart
   Shutting down system logger: [ OK ]
   Starting system logger: Error opening file /proc/kmsg for reading (Permission denied)
   Error initializing configuration, exiting.
   [FAILED]

Ooops.

  # ls -Z /etc/rc.d/init.d/syslog*
  -rwxr-xr-x root root system_u:object_r:initrc_exec_t /etc/rc.d/init.d/syslog
  -rwxr-xr-x root root system_u:object_r:initrc_exec_t /etc/rc.d/init.d/syslog-ng
  # ls -Z ./syslog-ng
  -rwxr-xr-x root root root:object_r:user_home_t ./syslog-ng

Hmm. Strace tells me:

  open("/proc/kmsg", O_RDWR|O_NONBLOCK|O_NOCTTY|O_LARGEFILE) = 4

Must be something wrong with initrc_exec_t?
I finally found the reason for the problem while comparing 2 hosts step-by-step.

The well-working host reads /proc/kmsg via:
  file("/proc/kmsg");
(as described in the docs)

The not-well-working host reads /proc/kmsg via:
  pipe ("/proc/kmsg" log_prefix("kernel: "))

The docs and examples (but not the FAQ) of syslog-ng say that "file" is the proper way for reading /proc/kmsg. I changed the config on the non-working host and all works fine now.
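The resolution above is a configuration difference, not a policy gap: the strace in the earlier comment shows the pipe() source opening /proc/kmsg O_RDWR, which needs the proc_kmsg_t write that the use_syslogng rules deliberately do not grant, while the file() source works with the getattr/read they do grant. The script below is an added example, not from the thread or from the syslog-ng project: it reports which driver a syslog-ng 1.6 style configuration uses for /proc/kmsg and rewrites a pipe() source to file(). The configuration text is constructed in the shape quoted above; keeping log_prefix() on the file() driver assumes the syntax shown in the thread's own file()/pipe() lines.

```shell
#!/bin/sh
# Added example (not from the bug thread or syslog-ng): find out which source
# driver a syslog-ng 1.6 style config uses for /proc/kmsg and switch a pipe()
# source to the file() driver that the thread found to work under the
# use_syslogng boolean.

# Constructed config in the shape quoted in the thread (the pipe() variant).
BAD_CONF='options { sync(0); };
source s_sys {
    unix-stream("/dev/log");
    internal();
    pipe ("/proc/kmsg" log_prefix("kernel: "));
};
destination d_mesg { file("/var/log/messages"); };
log { source(s_sys); destination(d_mesg); };'

# kmsg_driver CONF -> prints "file", "pipe" or "none" for the /proc/kmsg source.
kmsg_driver() {
    printf '%s\n' "$1" | awk '
    /^[ \t]*#/ { next }                       # skip comment lines
    /\/proc\/kmsg/ {
        if (match($0, /(file|pipe)[ \t]*\([ \t]*"\/proc\/kmsg"/)) {
            d = substr($0, RSTART, RLENGTH); sub(/[ \t]*\(.*/, "", d)
            print d; found = 1; exit
        }
    }
    END { if (!found) print "none" }'
}

# kmsg_use_file_driver CONF -> the same config with pipe("/proc/kmsg" ...)
# rewritten to file("/proc/kmsg" ...); all other lines are left untouched.
kmsg_use_file_driver() {
    printf '%s\n' "$1" | sed 's/pipe[[:space:]]*(\([[:space:]]*"\/proc\/kmsg"\)/file(\1/'
}

# Demo: report the driver before and after the rewrite.
echo "before: $(kmsg_driver "$BAD_CONF")"
FIXED_CONF=$(kmsg_use_file_driver "$BAD_CONF")
echo "after:  $(kmsg_driver "$FIXED_CONF")"
```

Running kmsg_driver against /etc/syslog-ng/syslog-ng.conf before turning on the boolean tells you whether the remaining proc_kmsg_t write denial is a policy problem at all; if it prints "pipe", the fix belongs in the configuration, and the policy's read-only grant on /proc/kmsg can stay as narrow as it is.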