Red Hat Bugzilla – Bug 229599
syslogd_disable_trans=1 labels /dev/log as device_t
Last modified: 2007-11-30 17:11:57 EST
Description of problem:
It appeared as if bug 222195 was abandoned by the syslog-ng maintainer (since it
was an SELinux problem) and not picked up by the SELinux maintainer. Thus, I'm
creating a new bug (and 222195 should be closed).
Running syslog-ng and selinux-policy-targeted with syslogd_disable_trans=1
causes /dev/log to be labeled as device_t and not devlog_t.
Version-Release number of selected component (if applicable):
This is a freshly updated install, so the versions as of today are:
Steps to Reproduce:
1. Install syslog-ng and selinux-policy-targeted
2. /sbin/setsebool syslogd_disable_trans on
3. Reboot machine
ls -lZ /dev/log returns:
Running /sbin/restorecon /dev/log, then ls -lZ /dev/log returns:
Likewise, if syslogd_disable_trans=0, ls -lZ /dev/log returns:
Yes this is one of the risks of disable_trans. In the future we want to remove
disable_trans and add a run_unconfined boolean. Disabling trans on syslog will
cause most of the other confined domains to blow up since /dev/log will be
mislabeled. If there are missing rules required to get syslog to run in
enforcing mode, you can use audit2allow to generate custom policy.
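The label check from the reproduction steps and the audit2allow route from the maintainer's reply, as an added example that is not code from the bug report or from the SELinux policy project. The live path assumes SELinux-aware coreutils and the policycoreutils/audit tools (ls -Z, matchpathcon, restorecon, ausearch, audit2allow, semodule) are installed; the two ls -lZ lines are constructed samples, since the page does not reproduce the reporter's actual output.

```shell
#!/bin/sh
# Added example; not from the bug report or the SELinux policy maintainers.
# Checks whether a path carries the type the file contexts say it should
# (devlog_t for /dev/log), relabels it with restorecon when it does not, and
# wraps the audit2allow workflow the maintainer suggests.

# Extract the SELinux type, the third field of user:role:type[:level], from
# either a bare context string or a whole line of `ls -Z` output.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, f, ":") >= 3 && f[2] ~ /_r$/) { print f[3]; exit }
    }'
}

# Print "ok" when the observed type matches the expected one, else "mismatch".
label_status() {
    if [ "$(selinux_type_of "$1")" = "$2" ]; then echo ok; else echo mismatch; fi
}

# Constructed sample lines in the shape of `ls -lZ /dev/log` output; the page
# does not reproduce the reporter's real output, so these are assumptions.
SAMPLE_MISLABELED='srw-rw-rw- root root system_u:object_r:device_t:s0 /dev/log'
SAMPLE_CORRECT='srw-rw-rw- root root system_u:object_r:devlog_t:s0 /dev/log'

# Live check: compare the label on a real path with what the file-context
# database says it should be (matchpathcon), and relabel if they differ.
relabel_if_needed() {
    path=$1
    line=$(ls -Z "$path") || return 1
    expected=$(selinux_type_of "$(matchpathcon "$path")")
    [ -n "$expected" ] || return 1
    if [ "$(label_status "$line" "$expected")" = mismatch ]; then
        echo "$path is $(selinux_type_of "$line"), policy says $expected; relabeling"
        restorecon -v "$path"
    else
        echo "$path already labeled $expected"
    fi
}

# Build and load a local policy module from the AVC denials recorded for a
# command (e.g. syslog-ng), the audit2allow route the maintainer points to.
# Read the generated $mod.te before loading: audit2allow permits exactly
# what was denied, so a denial caused by the mislabel would be baked in.
make_local_module() {
    comm=$1
    mod=$2
    ausearch -m avc -c "$comm" | audit2allow -M "$mod" && semodule -i "$mod.pp"
}

# Offline demonstration on the constructed samples; the live functions run
# only when invoked as:  sh this.sh --live [command] [module]
case "${1:-}" in
    --live)
        relabel_if_needed /dev/log
        if [ -n "${2:-}" ]; then
            make_local_module "$2" "${3:-local_$2}"
        fi
        ;;
    *)
        echo "sample 1: $(label_status "$SAMPLE_MISLABELED" devlog_t)"
        echo "sample 2: $(label_status "$SAMPLE_CORRECT" devlog_t)"
        ;;
esac
```

restorecon only corrects the node that exists now; the reproduction steps show /dev/log coming back as device_t after a reboot while the boolean stays on, which is why the maintainer's advice is to keep syslog confined and add a local module for any rules it is missing rather than to disable the transition.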