2030633 – httpd_rotatelogs_t cannot browse standard symlink /etc/httpd/logs

Bug 2030633 - httpd_rotatelogs_t cannot browse standard symlink /etc/httpd/logs

Summary: httpd_rotatelogs_t cannot browse standard symlink /etc/httpd/logs

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	8.5
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	rc
Target Release:	8.8
Assignee:	Zdenek Pytela
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-12-09 11:02 UTC by Renaud Métrich
Modified:	2023-08-11 17:49 UTC (History)
CC List:	2 users (show)
Fixed In Version:	selinux-policy-3.14.3-110.el8
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-05-16 09:03:44 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	fedora-selinux selinux-policy pull 1445	None	Merged	Allow rotatelogs read httpd_log_t symlinks	2022-10-20 17:47:26 UTC
Red Hat Issue Tracker	RHELPLAN-105239	None	None	None	2021-12-09 11:07:47 UTC
Red Hat Product Errata	RHBA-2023:2965	None	None	None	2023-05-16 09:04:03 UTC

Description Renaud Métrich 2021-12-09 11:02:44 UTC

Description of problem:

A customer is using rotatelogs (httpd_rotatelogs_t) to process the HTTP logs, which is the standard tool shipped within the httpd package.
For convenience, he instructed rotatelogs to process files accessed through using /etc/httpd/logs path which is a symlink to "../../var/log/httpd".

For some unclear reason, there is no rule to allow this:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# ls -Z /etc/httpd/logs
lrwxrwxrwx. root root system_u:object_r:httpd_log_t:s0 /etc/httpd/logs -> ../../var/log/httpd
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

AVC:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
allow httpd_rotatelogs_t httpd_log_t : lnk_file { ioctl read getattr lock } ;
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Browsing the rawhide policy, in ancient times there was the rule in the policy:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This was introduced by the following commit:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
commit 3e3d1c7188c45831a36e2add27c54ab74a8ed338
Author: Dominick Grift <dominick.grift>
Date:   Mon Sep 17 23:58:11 2012 +0200
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

It was there until commit 7054491bc92b356a5e2e14207a4dcdd02539fb51:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
$ git show 7054491bc:apache.te | grep -A1 "manage_files_pattern(httpd_rotatelogs_t"
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

But it disappeared when the tree having the above commit was merged (2b369a4fd48155ca5de5e0373b11287116ed95f9)
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
$ git show 2b369a4fd:apache.te | grep -A1 "manage_files_pattern(httpd_rotatelogs_t"
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------


I consider this is a bug, I do not see any reason httpd_rotatelogs_t wouldn't be able to access a symlink labeled properly and living in the httpd package tree.
I consider that having rotatelogs use the /etc/httpd/logs path is the proper way to access the logs, in order to be distribution vendor agnostic.


Version-Release number of selected component (if applicable):

RHEL7 and RHEL8 policies


How reproducible:

Always


Steps to Reproduce:
1. Setup rotatelogs to access files through the /etc/httpd/logs symlink

Actual results:

AVC

Expected results:

No AVC

Comment 1 Renaud Métrich 2021-12-13 12:52:55 UTC

We need an additional rule:

allow httpd_rotatelogs_t httpd_config_t:dir search;

This to allow rotatelogs to create the file correctly, because rotatelogs internally uses openat(AT_FDCWD, ...) syscall with current directory /etc/httpd, hence needs to search the directory.


REPRODUCER:

1. Create `/etc/httpd/conf.d/example.conf` configuration file

  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  <VirtualHost *:80>
  ServerName www.example.com
  DocumentRoot /var/www/html
  CustomLog "|/usr/sbin/rotatelogs /etc/httpd/logs/www-access.example.com 3600" combined
  ErrorLog "|/usr/sbin/rotatelogs /etc/httpd/logs/www-error.example.com 3600"
  </VirtualHost>
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

2. Start httpd service

Comment 2 Renaud Métrich 2021-12-13 12:55:09 UTC

3. Trigger a request (to populate the log)

  $ curl http://localhost

Comment 17 errata-xmlrpc 2023-05-16 09:03:44 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965

Note You need to log in before you can comment on or make changes to this bug.