Bug 152185 - selinux-policy-targeted and syslog-ng (take 2)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-03-25 14:14 EST by Jose Pedro Oliveira
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2005-04-13 16:27:34 EDT

Description Jose Pedro Oliveira 2005-03-25 14:14:10 EST
Correction and request for additions
------------------------------------------------------------
SELinux RPM: selinux-policy-targeted-sources-1.17.30-2.90
Related bugzilla entry: #141064 (status: closed)

Daniel Walsh,

For the past few years I have been maintaining SRPMs of
syslog-ng and, more recently, have been trying to push
syslog-ng into the Fedora.Extras (and fedora.us) mirrors
(https://bugzilla.fedora.us/show_bug.cgi?id=1332).

The syslog-ng SRPM that is available in the fedora.us
bugzilla has a configuration file that mimics the one
used by sysklogd/klogd in RedHat's distributions.
The configuration files being used in that SRPM are
now available in the contrib directory of the latest
syslog-ng snapshots.

The problems that I have discovered are described below
(after the patch). Items 1 and 2 are critical. Item
3 is optional for the minimal configuration file
(the one that mimics the redhat syslog.conf file) but
is required for log servers (a role in which syslog-ng is
very good, allowing a different file per logging host,
regex filtering, automatic log rotation, ...).


Patch
------------------------------------------------------------
--- syslogd.te.orig.1.17.30-2.90        2005-03-17 20:57:17.000000000 +0000
+++ syslogd.te.new      2005-03-25 18:36:30.474888208 +0000
@@ -111,6 +111,8 @@
 bool use_syslogng false;

  if (use_syslogng) {
  -allow syslogd_t proc_kmsg_t:file write;
  -allow syslogd_t self:capability { sys_admin chown };
  +allow syslogd_t proc_kmsg_t:file read;
  +allow syslogd_t self:capability { sys_admin chown fsetid };
  +allow syslogd_t device_t:sock_file getattr;
  +allow syslogd_t var_log_t:dir { create setattr };
   }
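Review bot: the added `allow syslogd_t device_t:sock_file getattr;` is wider than the denial it answers: device_t is the generic label for /dev, so this line permits getattr on every socket file in /dev that still carries that type, while the AVC under item 2 concerns /dev/log alone. Giving /dev/log its own type and allowing getattr on that type would keep the grant to the one object. Separately, the chown denial quoted under item 3 was logged even though `chown` is already present in the capability rule this hunk removes, so it is worth confirming that use_syslogng was enabled when those AVCs were captured; if it was not, the fsetid and chown entries should be re-verified with the bool on before the capability line is widened.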
------------------------------------------------------------


Explanation
------------------------------------------------------------

1) the /proc/kmsg rule

   We only need to allow read access to /proc/kmsg.

   The rule
       allow syslogd_t proc_kmsg_t:file write;
   should be changed to
       allow syslogd_t proc_kmsg_t:file read;

   I think the person who asked for this rule in the related
   (previous) bugzilla entry had a common bug in the syslog-ng
   configuration file: /proc/kmsg was being opened as a pipe.
   The configuration file examples have all been corrected
   upstream (latest syslog-ng version and snapshots).
   See: https://lists.balabit.hu/pipermail/syslog-ng/2005-February/006963.html


2) /dev/log problem

   I am also having this error:
   ----
   Feb 17 21:38:10 localhost kernel: audit(1108676290.032:0):
      avc: denied { getattr } for  pid=6406  exe=/sbin/syslog-ng
      path=/dev/log dev=tmpfs ino=16443
      scontext=root:system_r:syslogd_t
      tcontext=root:object_r:device_t
      tclass=sock_file
   ----

   Which can be solved by adding the following rule:

        allow syslogd_t device_t:sock_file getattr;


   syslog-ng.conf : standard message sources
   ----
   ...
   source s_sys {
       file ("/proc/kmsg" log_prefix("kernel: "));
       unix-stream ("/dev/log");
       internal();
       udp(ip(0.0.0.0) port(514));
   };
   ...
   ----


3) syslog-ng can create files and directories

   One of the advantages of syslog-ng is the ability to
   create files and directories based on macros
   (eg: for automatic log rotation).

   syslog-ng.conf: example of a destination
   ----
   ...
   destination d_servers {
       file("/tmp/log/servers/$YEAR$MONTH/$HOST"
            owner(root) group(apache) perm(0640)
            create_dirs(yes)
            dir_owner(root) dir_group(nobody) dir_perm(0755)
       );
   };
   ...
   ----

   The above configuration generates the following errors:

   ---
   Mar 25 14:35:38 localhost kernel: audit(1111761297.410:0):
      avc: denied { create } for pid=6214 exe=/sbin/syslog-ng
      name=servers scontext=root:system_r:syslogd_t
      tcontext=root:object_r:var_log_t tclass=dir
   ---
   Mar 25 14:39:33 localhost kernel: audit(1111761573.068:0):
      avc: denied { setattr } for  pid=6329 exe=/sbin/syslog-ng
      name=200503 dev=hda9 ino=665276 scontext=root:system_r:syslogd_t
      tcontext=root:object_r:var_log_t tclass=dir
   ---
   Mar 25 14:43:58 localhost kernel: audit(1111761838.840:0):
      avc: denied { chown } for  pid=6496 exe=/sbin/syslog-ng
      capability=0 scontext=root:system_r:syslogd_t
      tcontext=root:system_r:syslogd_t tclass=capability
   ---
   Mar 25 14:45:39 localhost kernel: audit(1111761939.612:0):
      avc: denied { fsetid } for  pid=6569 exe=/sbin/syslog-ng
      capability=4 scontext=root:system_r:syslogd_t
      tcontext=root:system_r:syslogd_t tclass=capability
   ---

   The above errors can be avoided by adding the following rules:

      allow syslogd_t self:capability { sys_admin chown fsetid };
      allow syslogd_t var_log_t:dir { create setattr };


Thanks in advance,
jpo

PS - Thanks also for the syslog-ng bool created a couple of days
ago (#141064).
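The three items above each go from an AVC denial to an allow rule by hand. As an added example (mine, not the reporter's code and not anything shipped with selinux-policy-targeted or syslog-ng), the script below does that step mechanically over the five denials quoted in this report, reflowed onto single lines as constructed sample input: it merges permissions per (source type, target type, class) the way audit2allow does, writes `self` when source and target contexts coincide, and flags targets whose type is a generic label such as device_t, where the usual right fix is to label the object rather than widen the rule. The GENERIC_TYPES list and the context layout it assumes (user:role:type, optionally followed by a range) are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the five AVC denials quoted in the report, each reflowed
# onto one line the way the kernel actually prints them (the report wraps them).
SAMPLE_AVC = """\
Feb 17 21:38:10 localhost kernel: audit(1108676290.032:0): avc: denied { getattr } for  pid=6406  exe=/sbin/syslog-ng path=/dev/log dev=tmpfs ino=16443 scontext=root:system_r:syslogd_t tcontext=root:object_r:device_t tclass=sock_file
Mar 25 14:35:38 localhost kernel: audit(1111761297.410:0): avc: denied { create } for pid=6214 exe=/sbin/syslog-ng name=servers scontext=root:system_r:syslogd_t tcontext=root:object_r:var_log_t tclass=dir
Mar 25 14:39:33 localhost kernel: audit(1111761573.068:0): avc: denied { setattr } for  pid=6329 exe=/sbin/syslog-ng name=200503 dev=hda9 ino=665276 scontext=root:system_r:syslogd_t tcontext=root:object_r:var_log_t tclass=dir
Mar 25 14:43:58 localhost kernel: audit(1111761838.840:0): avc: denied { chown } for  pid=6496 exe=/sbin/syslog-ng capability=0 scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t tclass=capability
Mar 25 14:45:39 localhost kernel: audit(1111761939.612:0): avc: denied { fsetid } for  pid=6569 exe=/sbin/syslog-ng capability=4 scontext=root:system_r:syslogd_t tcontext=root:system_r:syslogd_t tclass=capability
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Assumption: target types so generic that an allow rule on them is almost
# always the wrong fix; the object should get its own label instead.
GENERIC_TYPES = {"device_t", "file_t", "unlabeled_t", "default_t"}


def parse_avc(line):
    """Return the parts of one AVC denial, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": fields["scontext"].split(":")[2],   # user:role:type[:range]
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "fields": fields,
    }


def allow_rules(lines):
    """Merge denials into the minimal allow rules that satisfy them (audit2allow style)."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        # A capability denial has scontext == tcontext; policy spells that `self`.
        target = "self" if d["ttype"] == d["stype"] else d["ttype"]
        merged[(d["stype"], target, d["tclass"])] |= d["perms"]
    rules = []
    for (stype, target, tclass), perms in sorted(merged.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {body};")
    return rules


def broad_targets(lines):
    """(target type, class, object) for denials whose target type is a generic label."""
    hits = set()
    for line in lines:
        d = parse_avc(line)
        if d and d["ttype"] in GENERIC_TYPES:
            obj = d["fields"].get("path", d["fields"].get("name", "?"))
            hits.add((d["ttype"], d["tclass"], obj))
    return sorted(hits)


if __name__ == "__main__":
    lines = SAMPLE_AVC.splitlines()
    print("\n".join(allow_rules(lines)))
    for ttype, tclass, obj in broad_targets(lines):
        print(f"# {obj}: {ttype} is a generic type; label the object instead of "
              f"allowing {tclass} on {ttype}")
```

Run it and compare with the rules proposed in the patch: the generated set does not contain sys_admin, which no denial in this report asks for, and the device_t line is reported as overly broad.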
Comment 1 Jose Pedro Oliveira 2005-03-25 15:38:44 EST
There is a mistake in the syslog-ng configuration file example used
in the second item (I copied the wrong file location).
It should have been
   file("/var/log/servers/$YEAR$MONTH/$HOST"
instead of
   file("/tmp/log/servers/$YEAR$MONTH/$HOST").

/jpo
Comment 2 Jose Pedro Oliveira 2005-04-13 15:50:35 EDT
Daniel Walsh,

Thanks for the updates to syslogd.te in selinux-policy-targeted-sources 
1.17.30-2.96.  Syslog-ng is now working without problems.

/jpo
Comment 3 Jose Pedro Oliveira 2005-04-13 16:00:30 EDT
Just a note about the differences between the syslogd.te file from the
selinux-policy-targeted packages in the FC-3 updates and the current rawhide
version:

 * the rawhide policy restricts network access to UDP
 * this may/will cause problems with syslog-ng as it can also use
    TCP sockets


Differences
----------
diff -ruN selinux-policy-targeted-1.17.30-2.96/syslogd.te
selinux-policy-targeted-1.23.10-5/syslogd.te
--- selinux-policy-targeted-1.17.30-2.96/syslogd.te     2005-04-07
20:36:53.000000000 +0100
+++ selinux-policy-targeted-1.23.10-5/syslogd.te        2005-04-12
14:43:59.000000000 +0100
@@ -20,7 +20,7 @@
 ')

 # can_network is for the UDP socket
-can_network(syslogd_t)
+can_network_udp(syslogd_t)
 can_ypbind(syslogd_t)

 r_dir_file(syslogd_t, sysfs_t)
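Review bot: switching can_network(syslogd_t) to can_network_udp(syslogd_t) drops TCP for the whole domain, and this comment notes that syslog-ng also uses TCP sockets; the comment line left above the macro ("# can_network is for the UDP socket") no longer names the macro actually used. If the narrower macro is meant to stay for sysklogd, the TCP access syslog-ng needs belongs under the use_syslogng boolean rather than in a blanket revert.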

----------

/jpo
Comment 4 Daniel Walsh 2005-04-13 17:17:46 EDT
OK, I added the following patches. It is using port 514, correct?

 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te
policy-1.23.10/domains/program/syslogd.te
< --- nsapolicy/domains/program/syslogd.te      2005-04-04 10:21:10.000000000 -0400
< +++ policy-1.23.10/domains/program/syslogd.te 2005-04-13 17:09:09.000000000 -0400
< @@ -20,7 +20,7 @@
<  ')
<
<  # can_network is for the UDP socket
< -can_network_udp(syslogd_t)
< +can_network(syslogd_t)
<  can_ypbind(syslogd_t)
<
<  r_dir_file(syslogd_t, sysfs_t)
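Review bot: restoring can_network(syslogd_t) here re-widens network access for every syslogd_t process, not only when use_syslogng is true; since the TCP requirement comes from syslog-ng, keeping can_network_udp at this point and placing the TCP grant inside the existing `if (use_syslogng)` block would leave stock sysklogd at UDP only. The comment "# can_network is for the UDP socket" is also stale once TCP is in scope and should be updated with the macro.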
< @@ -89,7 +89,8 @@
<
<  # Allow name_bind for remote logging
<  type syslogd_port_t, port_type, reserved_port_type;
< -allow syslogd_t syslogd_port_t:udp_socket name_bind;
< +allow syslogd_t syslogd_port_t:{ tcp_socket udp_socket } name_bind;
< +allow syslogd_t syslogd_port_t:tcp_socket name_connect;
<  #
<  # /initrd is not umounted before minilog starts
<  #
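Review bot: both added rules are unconditional, so sysklogd gains the right to bind and connect on syslogd_port_t over TCP as well as syslog-ng; they belong under the use_syslogng boolean. `name_connect` on syslogd_port_t covers the relay case (syslog-ng forwarding to a remote collector) but only for destinations labelled syslogd_port_t, i.e. port 514, which is why the port question in the comment above matters and should be confirmed against the reporter's configuration.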
363c310

< +++ policy-1.23.10/net_contexts       2005-04-13 17:09:28.000000000 -0400
---
> +++ policy-1.23.10/net_contexts       2005-04-13 14:11:21.000000000 -0400
1250,1258c1183
< @@ -101,6 +99,7 @@
<  ifdef(`rshd.te', `portcon tcp 514 system_u:object_r:rsh_port_t')
<  ifdef(`lpd.te', `portcon tcp 515 system_u:object_r:printer_port_t')
<  ifdef(`syslogd.te', `
< +portcon tcp 514 system_u:object_r:syslogd_port_t
<  portcon udp 514 system_u:object_r:syslogd_port_t
<  ')
<  ifdef(`ktalkd.te', `
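Review bot: once this hunk is in, tcp 514 carries two portcon statements whenever both rshd.te and syslogd.te are built (rsh_port_t two lines above and syslogd_port_t here), and a port can hold only one label; the build should be checked for a duplicate-portcon error, and if it passes, which type 514/tcp ends up with depends on how checkpolicy resolves the duplicate rather than on the policy author's intent. Guarding the syslogd line so that it is skipped when rshd.te is present, or choosing a TCP syslog port that is not also the rsh port, avoids the clash.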
< @@ -121,6 +120,13 @@
---
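Comments 3 and 4 turn on the pairing between a portcon label in net_contexts and a name_bind rule in syslogd.te, plus the can_network versus can_network_udp macro. The following is an added example (mine, not part of this bug, of syslog-ng or of the Fedora policy sources) that checks that pairing for one domain and port over constructed fragments modelled on the three policy versions discussed here: FC3 updates, rawhide before the patch, and rawhide with Daniel's patch, including the rshd portcon line visible two lines above the added one. The fragments, the regexes and the macro names it recognises (can_network and can_network_udp only) are assumptions; real policy goes through m4 first, so this is a review aid, not a replacement for checkpolicy.

```python
import re

# Constructed fragments modelled on the syslogd.te / net_contexts versions quoted
# in this bug. They are illustrations, not copies of the real policy files.
SYSLOGD_TE_FC3 = """
can_network(syslogd_t)
type syslogd_port_t, port_type, reserved_port_type;
allow syslogd_t syslogd_port_t:udp_socket name_bind;
"""
SYSLOGD_TE_RAWHIDE = SYSLOGD_TE_FC3.replace("can_network(", "can_network_udp(")
SYSLOGD_TE_PATCHED = """
can_network(syslogd_t)
type syslogd_port_t, port_type, reserved_port_type;
allow syslogd_t syslogd_port_t:{ tcp_socket udp_socket } name_bind;
allow syslogd_t syslogd_port_t:tcp_socket name_connect;
"""
NET_CONTEXTS_OLD = """
portcon tcp 514 system_u:object_r:rsh_port_t
portcon udp 514 system_u:object_r:syslogd_port_t
"""
NET_CONTEXTS_PATCHED = """
portcon tcp 514 system_u:object_r:rsh_port_t
portcon tcp 514 system_u:object_r:syslogd_port_t
portcon udp 514 system_u:object_r:syslogd_port_t
"""

PORTCON_RE = re.compile(r"^\s*portcon\s+(tcp|udp)\s+(\d+)\s+\S+:object_r:(\w+)\s*$", re.M)
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\{[^}]*\}|\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)


def _expand(token):
    """'{ a b }' -> ['a', 'b'];  'a' -> ['a']"""
    return token.strip("{} ").split() if token.startswith("{") else [token]


def port_labels(net_contexts):
    """(proto, port) -> port types in file order; more than one entry is a conflict."""
    table = {}
    for proto, port, ptype in PORTCON_RE.findall(net_contexts):
        table.setdefault((proto, int(port)), []).append(ptype)
    return table


def allow_tuples(policy):
    """Set of (source, target, class, perm) from allow rules, with { } sets expanded."""
    out = set()
    for src, tgt, classes, perms in ALLOW_RE.findall(policy):
        for cls in _expand(classes):
            for perm in _expand(perms):
                out.add((src, tgt, cls, perm))
    return out


def network_macros(policy, domain):
    """Which of the (assumed) network macros the domain is given."""
    return set(re.findall(rf"^\s*(can_network(?:_udp)?)\({domain}\)", policy, re.M))


def listener_problems(domain, proto, port, policy, net_contexts):
    """Everything that would stop `domain` from binding proto/port under this policy."""
    problems = []
    macros = network_macros(policy, domain)
    if proto == "tcp" and "can_network" not in macros:
        have = ", ".join(sorted(macros)) or "no network macro"
        problems.append(f"{domain} has {have}; TCP needs can_network({domain})")
    labels = port_labels(net_contexts).get((proto, port), [])
    if not labels:
        problems.append(f"no portcon labels {proto}/{port}")
    elif len(labels) > 1:
        problems.append(f"{proto}/{port} is labelled more than once: {' '.join(labels)}")
    rules = allow_tuples(policy)
    for ptype in labels:
        if (domain, ptype, f"{proto}_socket", "name_bind") not in rules:
            problems.append(f"missing: allow {domain} {ptype}:{proto}_socket name_bind;")
    return problems


if __name__ == "__main__":
    versions = [("FC3", SYSLOGD_TE_FC3, NET_CONTEXTS_OLD),
                ("rawhide", SYSLOGD_TE_RAWHIDE, NET_CONTEXTS_OLD),
                ("patched", SYSLOGD_TE_PATCHED, NET_CONTEXTS_PATCHED)]
    for name, te, nc in versions:
        for proto in ("udp", "tcp"):
            found = listener_problems("syslogd_t", proto, 514, te, nc)
            print(f"{name:8} {proto}/514: " + ("; ".join(found) or "ok"))
```

The UDP case passes in all three versions; the rawhide fragment fails TCP on the macro and on the label of 514/tcp, and the patched fragment passes the macro and name_bind checks for syslogd_port_t but reports the double labelling of 514/tcp that the net_contexts hunk introduces.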
