RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1823669 - rsyslog "imfile" module cannot read parent directories of the file to process
Summary: rsyslog "imfile" module cannot read parent directories of the file to process
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.1
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: 8.5
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-04-14 08:19 UTC by Renaud Métrich
Modified: 2023-10-06 19:38 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-3.14.3-69.el8
Doc Type: Enhancement
Doc Text:
Feature: A new logging_syslogd_list_non_security_dirs tunable was added to the policy to allow the rsyslogd service search and list all directories of input files with customized path. Reason: When the rsyslogd service is set to use an input file in an arbitrary path, the permission to list a generic directory, required before opening the file, may not be allowed. Result: After turning the logging_syslogd_list_non_security_dirs tunable on, the rsyslogd service is allowed to list all directories in the path with SELinux types which are a part of the non_security_file_type attribute and subsequently is able to use a files in an arbitrary path as an input file.
Clone Of:
Environment:
Last Closed: 2021-11-09 19:42:28 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 4998201 0 None None None 2020-04-20 09:23:54 UTC
Red Hat Product Errata RHBA-2021:4420 0 None None None 2021-11-09 19:42:56 UTC

Description Renaud Métrich 2020-04-14 08:19:25 UTC 
Description of problem:

The "imfile" functionality of rsyslog is widely used to centralize logs to a single place.

When rsyslog is configured to read logs from a file ("imfile" module) and the file's parent directories are non-standard (e.g. /var/www/prod/host/logs/access_log), AVCs related to browsing the parent directories are seen but rsyslog is still functional:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
allow syslogd_t httpd_sys_content_t:dir read;
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

See also BZ #1821725 on RHEL 7.


Version-Release number of selected component (if applicable):

rsyslog-8.37.0-13.el8.x86_64 & selinux-policy-3.14.3-20.el8.noarch

How reproducible:

ALWAYS


Steps to Reproduce:
1. Configure rsyslog to read logs from a file

/etc/rsyslog.conf:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
module(load="imfile")

input(type="imfile"
        File="/var/www/product/logs/access.log"
        Tag="product"
        Severity="info"
        Facility="local6")
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

2. Create the directories

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# mkdir -p /var/www/product/logs
# restorecon -Frv /var/www
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

3. Restart rsyslog

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# systemctl restart rsyslog

# ausearch -m avc -ts recent | audit2allow
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------


Actual results:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
#============= syslogd_t ==============
allow syslogd_t httpd_sys_content_t:dir read;
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------


Expected results:

No AVC


Additional info:

In the example above, rsyslog is reading logs from a place for which the SELinux contexts are already known in the policy database (/var/www/XXX/logs). However in most use cases, non standard hierarchy is also used, hence it is not sufficient to only add a rule for "httpd_sys_content_t:dir" but for any non security file type instead:

non_security_file_type:dir
Comment 1 Zdenek Pytela 2020-05-07 17:06:59 UTC 
Jiri,

In this bz and in bz#1823672, we have a request, based on a customer case, to support imfile/omfile in a custom path including those non-conforming to FHS.

Could you share your expert opinion if this is considered a good practice and supported solution for rsyslog?

The non_security_file_type attribute contains about 3000 domains, so from selinux point of view allowing this kind of access is very questionable.
Comment 2 Jiří Vymazal 2020-05-11 08:12:55 UTC 
(In reply to Zdenek Pytela from comment #1)
> Jiri,
> 
> In this bz and in bz#1823672, we have a request, based on a customer case,
> to support imfile/omfile in a custom path including those non-conforming to
> FHS.
> 
> Could you share your expert opinion if this is considered a good practice
> and supported solution for rsyslog?
> 
> The non_security_file_type attribute contains about 3000 domains, so from
> selinux point of view allowing this kind of access is very questionable.

It is definitely supported solution,as for being a good practice is debatable, and I would say up to each customer/user. From design POV both imfile and omfile modules have no restrictions and can operate on whole file-system tree. However they expect that if you configure them so you also take care about corresponding permissions.
Comment 3 Renaud Métrich 2020-06-04 14:25:01 UTC 
I would like to increase Priority/Severity because it may lead to rsyslogd dumping core and not being able to start.

Typical scenario is if "top directory" of imfile files is a symlink to a directory labeled with var_t:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# mkdir -p /var/my/place
# ln -s /var/my/place /var/log/myplace_symlink

# ls -Zd /var/my/place /var/log/myplace_symlink
lrwxrwxrwx. root root unconfined_u:object_r:var_log_t:s0 /var/log/myplace_symlink -> /var/my/place
drwxr-xr-x. root root unconfined_u:object_r:var_t:s0   /var/my/place
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

rsyslog imfile configuration (/etc/rsyslog.d/imfile.conf):
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
module(load="imfile" PollingInterval="10")

input(type="imfile"
      file="/var/log/myplace_symlink/file.log"
      tag="myplace_file"
      severity="info"
      facility="local5"
)
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Start rsyslog:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# systemctl restart rsyslog

# systemctl status rsyslog
[...]
  Process: 5725 ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS (code=killed, signal=SEGV)
[...]
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Of course I'll file a BZ against rsyslog for hardening this.
Comment 4 Renaud Métrich 2020-06-04 14:36:13 UTC 
See also rsyslog BZ #1843994 (RHEL 8)
Comment 7 Zdenek Pytela 2021-02-10 15:38:22 UTC 
This bug has not been fully acknowledged by the subsystem to be resolved during the RHEL 8.4 development and testing phase, so it will be evaluated for inclusion into the next minor product update.

If you still want to pursue this issue further, please attach information regarding severity of the bugzilla.
Comment 8 Zdenek Pytela 2021-05-24 20:31:22 UTC 
Renaud,

Is this request still valid? Given:
- both the support cases were closed
- they were open on RHEL 7
- rsyslog does not segfault any longer
- the imfile module is reportedly still functional
- the #c2 indicates valid configuration change, but permissions need to be taken care of

SELinux permissions belong there too, they are a subject of user change.

The biggest concern is that with the universal solution using the non_security_file_type attribute, rsyslog would be given access to 3000 types, which is quite a big number despite this access being concealed behind a boolean, and some of them are surprisingly sensitive.

Tailored local policy, on the other hand, can give the access only to types which are required in the particular environment.
Comment 9 Renaud Métrich 2021-05-25 05:45:31 UTC 
Hi Zdenek,

Yes this is still valid and needs to be addressed somehow.
I understand that non_security_file_type attribute has tons of types, but do we have an alternate solution?
We definitely cannot let the customer handle this on his own, unless we guide him step by step.

Hence if we want to avoid the boolean, I see no other choice than having an official documentation about this (not a KCS).
Comment 13 Zdenek Pytela 2021-06-02 10:28:59 UTC 
Needs backporting:
commit 3422c911479a75be4189407c4b1397e2443e424d
Author: Zdenek Pytela <zpytela>
Date:   Wed May 26 21:46:32 2021 +0200

    Introduce logging_syslogd_list_non_security_dirs tunable

    In customized configurations with rsyslog using the imfile input
    module to read files with a non-standard path, rsyslog since v8.24.0
    requests reading all parent directories in the path of the logfile.

    To enable reading all directories in the path with SELinux types
    which are a part of the non_security_file_type attribute,
    the ruleset is allowed conditionally after turning on the
    logging_syslogd_list_non_security_dirs tunable which is off by default.

    Resolves: rhbz#1823669
Comment 24 errata-xmlrpc 2021-11-09 19:42:28 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420
Note You need to log in before you can comment on or make changes to this bug.