Bug 147471 - selinux blocks advanced syslog.conf logging options
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
Version: 3
Hardware: i386 Linux
Priority: medium Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-02-08 06:51 EST by Michael Young
Modified: 2007-11-30 17:10 EST
Fixed In Version: RHBA-2005-251
Doc Type: Bug Fix
Last Closed: 2005-06-09 09:06:22 EDT
Description Michael Young 2005-02-08 06:51:45 EST

Description of problem:
I am trying to get syslog to log some messages to a server across the
network (@hostname format in syslog.conf), and others to a named
pipe (|pipefilename in syslog.conf), which are both perfectly legal
syslog options, but the targeted selinux policy stops them working. I
have tried removing syslog from the enforced services (setsebool
syslogd_disable_trans 1), but that causes other daemons to generate
errors, I believe over the permissions on /dev/log. I suspect these
are both bugs, though if they aren't I would appreciate suggestions on
how I might proceed.
Comment 1 Daniel Walsh 2005-02-08 13:17:56 EST
What AVC messages are you seeing in the messages file?
I am not seeing any problems with network (@hostname).

I have never done anything with |pipefilename

Dan
Comment 2 Michael Young 2005-02-09 08:06:22 EST
The errors I get for the @otherhost line are
Feb  9 12:43:01 pon kernel: audit(1107952981.738:0): avc:  denied  {
create } for  pid=24204 exe=/sbin/syslogd
scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t
tclass=netlink_route_socket
Feb  9 12:43:01 pon kernel: audit(1107952981.738:0): avc:  denied  {
bind } for  pid=24204 exe=/sbin/syslogd
scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t
tclass=netlink_route_socket
Feb  9 12:43:01 pon kernel: audit(1107952981.738:0): avc:  denied  {
getattr } for  pid=24204 exe=/sbin/syslogd
scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t
tclass=netlink_route_socket
Feb  9 12:43:01 pon kernel: audit(1107952981.738:0): avc:  denied  {
write } for  pid=24204 exe=/sbin/syslogd
scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t
tclass=netlink_route_socket
Feb  9 12:43:01 pon kernel: audit(1107952981.739:0): avc:  denied  {
net_admin } for  pid=24204 exe=/sbin/syslogd capability=12
scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t
tclass=capability
Feb  9 12:43:01 pon kernel: audit(1107952981.739:0): avc:  denied  {
nlmsg_read } for  pid=24204 exe=/sbin/syslogd
scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t
tclass=netlink_route_socket
Feb  9 12:43:01 pon kernel: audit(1107952981.739:0): avc:  denied  {
read } for  pid=24204 exe=/sbin/syslogd
scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t
tclass=netlink_route_socket

This is with enforcing off; only the first error is reported with
enforcing on. With the |pipefilename I also get the lines

Feb  4 14:49:02 squirrel2 kernel: audit(1107528542.561:0): avc: 
denied  { search } for  pid=16095 exe=/sbin/syslogd name=virus dev=md0
ino=835611 scontext=root:system_r:syslogd_t
tcontext=root:object_r:user_home_t tclass=dir
Feb  4 14:49:02 squirrel2 kernel: audit(1107528542.561:0): avc: 
denied  { read write } for  pid=16095 exe=/sbin/syslogd name=fifo
dev=md0 ino=835610 scontext=root:system_r:syslogd_t
tcontext=root:object_r:user_home_t tclass=fifo_file
Feb  4 14:49:02 squirrel2 kernel: audit(1107528542.561:0): avc: 
denied  { ioctl } for  pid=16095 exe=/sbin/syslogd
path=/root/virus/fifo dev=md0 ino=835610
scontext=root:system_r:syslogd_t tcontext=root:object_r:user_home_t
tclass=fifo_file

though maybe some of the problems are down to where I put the fifo file.
Comment 3 Daniel Walsh 2005-02-09 09:37:46 EST
OK, there is a discrepancy between FC3 policy and rawhide that needs to
be fixed. Adding the following will fix the @host problem.

allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;

The second problem is a bit more difficult.  Putting the pipe in some
directory other than root or a home directory would be more reasonable
from an SELinux sense.  I could add permissions to say /var/run? 
Allow syslog to communicate with var_run

allow syslogd_t var_run_t:fifo_file rw_file_perms;

Dan
Comment 4 Michael Young 2005-02-09 10:53:25 EST
/var/run is a much more sensible place for the fifo (I might have put
it there to start with, but I got confused as to whether /var/run is a
real directory - it isn't on Solaris).
I have tried those additions and am now getting the line
Feb  9 15:50:23 squirrel2 kernel: audit(1107964223.491:0): avc: 
denied  { net_admin } for  pid=25878 exe=/sbin/syslogd capability=12
scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t
tclass=capability
Comment 5 Daniel Walsh 2005-02-09 11:06:37 EST
Is it failing with this message?  I have this as a dontaudit up in
rawhide?

Dan
Comment 6 Michael Young 2005-02-09 12:18:25 EST
No I think it is a real error, because network syslog messages don't
arrive when enforcing is on, but do if I turn enforcing off.
Comment 7 Daniel Walsh 2005-02-09 13:02:47 EST
OK, I am adding
allow syslogd_t self:capability net_admin;

selinux-policy-targeted-1.17.30-2.81
selinux-policy-*-1.21.10-1
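As an added example (not code from this bug, nor from audit2allow): the grouping step that turns the AVC denials quoted in comments 2 and 4 into candidate allow rules of the form used in comments 3 and 7, plus a check that separates rules worth adding from ones that, as comment 3 argues for the fifo under /root, point at a misplaced object rather than a policy gap. The sample lines are the bug's own denials re-joined onto single lines; RELOCATE_TYPES is this example's own list, not an SELinux constant.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the AVC denials quoted in comments 2
# and 4 of this bug, re-joined onto single lines (the page wraps them).
AVC_LINES = [
    "Feb  9 12:43:01 pon kernel: audit(1107952981.738:0): avc:  denied  { create } for  pid=24204 exe=/sbin/syslogd scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t tclass=netlink_route_socket",
    "Feb  9 12:43:01 pon kernel: audit(1107952981.738:0): avc:  denied  { bind } for  pid=24204 exe=/sbin/syslogd scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t tclass=netlink_route_socket",
    "Feb  9 15:50:23 squirrel2 kernel: audit(1107964223.491:0): avc:  denied  { net_admin } for  pid=25878 exe=/sbin/syslogd capability=12 scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t tclass=capability",
    "Feb  4 14:49:02 squirrel2 kernel: audit(1107528542.561:0): avc:  denied  { search } for  pid=16095 exe=/sbin/syslogd name=virus dev=md0 ino=835611 scontext=root:system_r:syslogd_t tcontext=root:object_r:user_home_t tclass=dir",
    "Feb  4 14:49:02 squirrel2 kernel: audit(1107528542.561:0): avc:  denied  { read write } for  pid=16095 exe=/sbin/syslogd name=fifo dev=md0 ino=835610 scontext=root:system_r:syslogd_t tcontext=root:object_r:user_home_t tclass=fifo_file",
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=\S+:(?P<stype>\w+)"
    r"\s+tcontext=\S+:(?P<ttype>\w+)\s+tclass=(?P<tclass>\w+)")

# Target types where the fix is to move the object, as comment 3 suggests for
# the fifo, rather than to widen policy. This example's own list, not an SELinux constant.
RELOCATE_TYPES = {"user_home_t", "user_home_dir_t"}


def parse_denials(lines):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            grouped[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return grouped


def allow_rules(grouped):
    """Render grouped denials as allow rules; 'self' when source and target type
    coincide, matching the form of the rules given in comments 3 and 7."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        target = "self" if stype == ttype else ttype
        perms_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perms_str = "{ " + perms_str + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perms_str};")
    return rules


def review(grouped):
    """Split denials into ones safe to allow and ones that show a misplaced object."""
    relocate = [k for k in grouped if k[1] in RELOCATE_TYPES]
    return [k for k in grouped if k not in relocate], relocate
```

The user_home_t entries come out under `relocate`: the right response is to move the fifo to /var/run and allow var_run_t, as comment 3 does, not to grant syslogd access to home directories. Even the `ok` rules belong in policy only once the denial is confirmed to break function, which is what comments 5 and 6 establish for net_admin before comment 7 adds it.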
Comment 8 Tim Powers 2005-06-09 09:06:22 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-251.html
