Bug 229599 - syslogd_disable_trans=1 labels /dev/log as device_t
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2007-02-21 18:07 EST by Steve Friedman
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2007-02-22 12:27:24 EST
Description Steve Friedman 2007-02-21 18:07:47 EST
Description of problem:
It appeared as if bug 222195 was abandoned by the syslog-ng maintainer (since it
was an selinux problem) and not picked up by the selinux maintainer.  Thus, I'm
creating a new bug (and 222195 should be closed).

Running syslog-ng and selinux-policy-targeted with syslogd_disable_trans=1
causes /dev/log to be labeled as device_t and not devlog_t.

Version-Release number of selected component (if applicable):
This is a fresh updated install, so the versions as of today are:

How reproducible:
Every time.

Steps to Reproduce:
1. Install syslog-ng and selinux-policy-targeted
2. /sbin/setsebool syslogd_disable_trans on
3. Reboot machine

Actual results:
ls -lZ /dev/log returns:

Expected results:
Running /sbin/restorecon /dev/log, then ls -lZ /dev/log returns:
Likewise, if syslogd_disable_trans=0, ls -lZ /dev/log returns

Additional info:

Comment 1 Daniel Walsh 2007-02-22 12:27:24 EST
Yes, this is one of the risks of disable_trans.  In the future we want to remove
disable_trans and add a run_unconfined boolean.  Disabling trans on syslog will
cause most of the other confined domains to blow up since the /dev/log will be
mislabeled.  If there are missing rules required to get syslog to run in
enforcing mode, you can use audit2allow to generate custom policy.
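
As an added illustration that is not part of the bug report or of the SELinux policy project's code, the shell functions below check whether /dev/log carries devlog_t and list which domains in an audit log were denied on a mislabeled log socket. The function names are hypothetical and the AVC records are constructed samples.

```shell
#!/bin/sh
# Added example: triage for the mislabeled /dev/log socket from this bug.
EXPECTED_TYPE="devlog_t"   # type the report expects on /dev/log

# Print the type (3rd field) of an SELinux context "user:role:type[:level]".
context_type() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# Classify a /dev/log context: "ok", "mislabeled:<type>" or "unknown".
classify_devlog() {
    t=$(context_type "$1")
    case "$t" in
        "") echo "unknown" ;;
        "$EXPECTED_TYPE") echo "ok" ;;
        *) echo "mislabeled:$t" ;;
    esac
}

# Read audit records on stdin; print "source_domain target_type" for each
# denial on a sock_file named "log" whose target type is not devlog_t.
domains_hit_by_mislabel() {
    grep 'avc:.*denied' | grep 'name="log"' | grep 'tclass=sock_file' |
    sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1 \2/p' |
    awk -v want="$EXPECTED_TYPE" '$2 != want' | sort -u
}

# Live check on an SELinux host (GNU stat prints the context with %C).
check_live() {
    ctx=$(stat -c %C /dev/log 2>/dev/null) || ctx=""
    classify_devlog "$ctx"
}

# Constructed sample AVC records, not taken from the bug report.
SAMPLE_AVC='type=AVC msg=audit(1172100000.101:41): avc:  denied  { write } for  pid=2101 comm="httpd" name="log" dev=tmpfs ino=5120 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
type=AVC msg=audit(1172100001.202:42): avc:  denied  { write } for  pid=2230 comm="ntpd" name="log" dev=tmpfs ino=5120 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
type=AVC msg=audit(1172100002.303:43): avc:  denied  { write } for  pid=2102 comm="httpd" name="log" dev=tmpfs ino=5120 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
type=AVC msg=audit(1172100003.404:44): avc:  denied  { read } for  pid=2310 comm="dhcpd" name="notes.txt" dev=dm-0 ino=9911 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1172100004.505:45): avc:  denied  { write } for  pid=2400 comm="named" name="log" dev=tmpfs ino=5120 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file'

# Demo on the constructed records: lists httpd_t and ntpd_t against device_t.
printf '%s\n' "$SAMPLE_AVC" | domains_hit_by_mislabel
```

On a live host, `check_live` reports the current state of /dev/log, and the denial list can be produced by piping the audit log into `domains_hit_by_mislabel`.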
