Bug 2149633 - SELinux prevents the rsyslogd from dropping capabilities (syscall=prctl)
Summary: SELinux prevents the rsyslogd from dropping capabilities (syscall=prctl)
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 2151841
 
Reported: 2022-11-30 13:21 UTC by Bruno Goncalves
Modified: 2023-01-16 10:55 UTC (History)

Fixed In Version:
Clone Of:
Clones: 2151841
Environment:
Last Closed: 2023-01-16 10:55:40 UTC
Type: Bug
Embargoed:




Links
GitHub fedora-selinux/selinux-policy pull 1499 (Merged): Allow syslog the setpcap capability (last updated 2023-01-16 10:55:18 UTC)

Description Bruno Goncalves 2022-11-30 13:21:23 UTC
Description of problem:

The following avc denial seems to happen during boot:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-38.1-1.fc38.noarch
----
time->Wed Nov 30 04:19:25 2022
type=AVC msg=audit(1669778365.950:146): avc:  denied  { setpcap } for  pid=654 comm="rsyslogd" capability=8  scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability permissive=1

Version-Release number of selected component (if applicable):
selinux-policy-38.1-1.fc38.noarch

How reproducible:
Not sure yet

Comment 2 Bruno Goncalves 2022-11-30 13:52:31 UTC
It seems easily reproducible by rebooting the system after installing rsyslog (rsyslog-8.2210.0-1.fc38).

time->Wed Nov 30 08:47:36 2022
type=PROCTITLE msg=audit(1669816056.379:137): proctitle=2F7573722F7362696E2F727379736C6F6764002D6E
type=SYSCALL msg=audit(1669816056.379:137): arch=c000003e syscall=157 success=yes exit=0 a0=18 a1=0 a2=0 a3=0 items=0 ppid=1 pid=507 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1669816056.379:137): avc:  denied  { setpcap } for  pid=507 comm="rsyslogd" capability=8  scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability permissive=1

Comment 4 Milos Malik 2022-11-30 15:34:12 UTC
# rpm -qa selinux\* rsyslog\* | sort
rsyslog-8.2210.0-1.fc38.x86_64
rsyslog-logrotate-8.2210.0-1.fc38.x86_64
selinux-policy-38.1-1.fc38.noarch
selinux-policy-targeted-38.1-1.fc38.noarch
#

Easy to reproduce:

# service rsyslog start
----
type=PROCTITLE msg=audit(11/30/2022 10:30:21.280:571) : proctitle=/usr/sbin/rsyslogd -n 
type=SYSCALL msg=audit(11/30/2022 10:30:21.280:571) : arch=x86_64 syscall=prctl success=no exit=EPERM(Operation not permitted) a0=PR_CAPBSET_DROP a1=chown a2=0x0 a3=0x0 items=0 ppid=1 pid=1866 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rsyslogd exe=/usr/sbin/rsyslogd subj=system_u:system_r:syslogd_t:s0 key=(null) 
type=AVC msg=audit(11/30/2022 10:30:21.280:571) : avc:  denied  { setpcap } for  pid=1866 comm=rsyslogd capability=setpcap  scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability permissive=0 
----

# journalctl -l -u rsyslog
Nov 30 10:30:21 removed systemd[1]: Starting rsyslog.service - System Logging Service...
Nov 30 10:30:21 removed rsyslogd[1866]: libcap-ng used by "/usr/sbin/rsyslogd" failed dropping bounding set in capng_apply
Nov 30 10:30:21 removed systemd[1]: Started rsyslog.service - System Logging Service.
Nov 30 10:30:21 removed rsyslogd[1866]: [origin software="rsyslogd" swVersion="8.2210.0-1.fc38" x-pid="1866" x-info="https://www.rsyslog.com"] start
Nov 30 10:30:21 removed rsyslogd[1866]: imjournal: No statefile exists, /var/lib/rsyslog/imjournal.state will be created (ignore if this is first run): No such file or directory [v8.2210.0-1.fc38 try https://www.rsyslog.com/e/2040 ]
Nov 30 10:30:21 removed rsyslogd[1866]: imjournal: journal files changed, reloading...  [v8.2210.0-1.fc38 try https://www.rsyslog.com/e/0 ]
#

Comment 5 Milos Malik 2022-11-30 15:35:23 UTC
The only SELinux denial triggered in permissive mode:
----
type=PROCTITLE msg=audit(11/30/2022 10:34:32.797:579) : proctitle=/usr/sbin/rsyslogd -n 
type=SYSCALL msg=audit(11/30/2022 10:34:32.797:579) : arch=x86_64 syscall=prctl success=yes exit=0 a0=PR_CAPBSET_DROP a1=chown a2=0x0 a3=0x0 items=0 ppid=1 pid=1917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rsyslogd exe=/usr/sbin/rsyslogd subj=system_u:system_r:syslogd_t:s0 key=(null) 
type=AVC msg=audit(11/30/2022 10:34:32.797:579) : avc:  denied  { setpcap } for  pid=1917 comm=rsyslogd capability=setpcap  scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability permissive=1 
----
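The records in comments 2, 4 and 5 show the same denial in two audit formats (the raw-epoch form and the interpreted `ausearch -i` form) and in two modes: in permissive mode the prctl(PR_CAPBSET_DROP) call succeeded and the AVC is audit-only (permissive=1), while in enforcing mode it failed with EPERM (permissive=0) and rsyslogd logged that libcap-ng could not drop the bounding set. The following Python script is an added example written for this page; it is not part of the bug report, of rsyslog or of selinux-policy. It parses both AVC formats, separates enforced denials from audit-only ones, and renders the audit2allow-style rule a policy maintainer would review. The first two sample lines are copied from the report; the third is a constructed file-read denial included only to show the parser is not specific to the capability class.

```python
import re

# Sample audit records. The first two AVC lines are the ones quoted in the bug
# report (raw-epoch form from comment 2, `ausearch -i` form from comment 4).
# The third record is constructed for this example and is not from the report.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1669816056.379:137): avc:  denied  { setpcap } for  pid=507 '
    'comm="rsyslogd" capability=8  scontext=system_u:system_r:syslogd_t:s0 '
    'tcontext=system_u:system_r:syslogd_t:s0 tclass=capability permissive=1',
    'type=AVC msg=audit(11/30/2022 10:30:21.280:571) : avc:  denied  { setpcap } for  '
    'pid=1866 comm=rsyslogd capability=setpcap  scontext=system_u:system_r:syslogd_t:s0 '
    'tcontext=system_u:system_r:syslogd_t:s0 tclass=capability permissive=0',
    # constructed record: a file read denial against a different target type
    'type=AVC msg=audit(1669816099.000:201): avc:  denied  { read } for  pid=900 '
    'comm="rsyslogd" name="messages" dev="vda1" ino=4242 '
    'scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 '
    'tclass=file permissive=0',
]

# Matches both "msg=audit(epoch:serial): avc:" and "msg=audit(date time:serial) : avc:"
AVC_RE = re.compile(
    r'msg=audit\((?P<event>[^)]*)\)\s*:\s*avc:\s+(?P<result>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values may be quoted (raw format) or bare (interpreted format)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field (third component) of a user:role:type:level context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'serial': m.group('event').rsplit(':', 1)[1],
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '?'),
        'pid': fields.get('pid'),
        'source_type': selinux_type(fields['scontext']),
        'target_type': selinux_type(fields['tcontext']),
        'tclass': fields['tclass'],
        # permissive=1: the kernel logged the denial but let the operation succeed
        'enforced': fields.get('permissive') == '0',
    }


def allow_rule(rec):
    """Render the minimal allow rule that would silence this denial (audit2allow style)."""
    target = 'self' if rec['source_type'] == rec['target_type'] else rec['target_type']
    perms = rec['perms'][0] if len(rec['perms']) == 1 else '{ ' + ' '.join(rec['perms']) + ' }'
    return f"allow {rec['source_type']} {target}:{rec['tclass']} {perms};"


def summarize(lines):
    """Group denials by the rule they map to; count them and note if any was enforced."""
    summary = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = allow_rule(rec)
        entry = summary.setdefault(key, {'count': 0, 'enforced': False, 'comms': set()})
        entry['count'] += 1
        entry['enforced'] = entry['enforced'] or rec['enforced']
        entry['comms'].add(rec['comm'])
    return summary


if __name__ == '__main__':
    for rule, info in summarize(SAMPLE_RECORDS).items():
        mode = 'ENFORCED (operation failed)' if info['enforced'] else 'audit only (permissive)'
        print(f"{info['count']}x {rule}  # {','.join(sorted(info['comms']))}; {mode}")
```

For the two report lines the script renders `allow syslogd_t self:capability setpcap;`, which is the permission the merged pull request "Allow syslog the setpcap capability" adds; in a real policy a maintainer would express it through the policy's own interfaces rather than a raw rule. The enforced/audit-only distinction matters for triage: a permissive=1 denial (comment 5) indicates a gap in policy that did not change program behaviour, while a permissive=0 denial (comment 4) matches a failed prctl call and the libcap-ng error in the journal.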

Comment 7 Zdenek Pytela 2022-11-30 16:00:29 UTC
Not reproducible in F37

f37# rpm -q rsyslog
rsyslog-8.2204.0-3.fc37.x86_64
 
rawhide# rpm -q rsyslog
rsyslog-8.2210.0-1.fc38.x86_64
rawhide# rpm -q rsyslog --changelog |more
* Wed Nov 09 2022 Attila Lakatos <alakatos> - 8.2210.0-1
- rebase to 8.2210.0
  resolves: rhbz#2097173
- Drop capabilities to the necessary set via libcap-ng
  resolves: rhbz#2127403

