Bug 229599 - syslogd_disable_trans=1 labels /dev/log as device_t
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-02-21 18:07 EST by Steve Friedman
Modified: 2007-11-30 17:11 EST
Last Closed: 2007-02-22 12:27:24 EST
Description Steve Friedman 2007-02-21 18:07:47 EST
Description of problem:
It appeared as if bug 222195 was abandoned by the syslog-ng maintainer (since it
was an selinux problem) and not picked up by the selinux maintainer.  Thus, I'm
creating a new bug (and 222195 should be closed).

Running syslog-ng and selinux-policy-targeted with syslogd_disable_trans=1
causes /dev/log to be labeled as device_t and not devlog_t.

Version-Release number of selected component (if applicable):
This is a fresh updated install, so the versions as of today are:
syslog-ng-1.6.12-1.fc6
selinux-policy-targeted-2.4.6-48.fc6


How reproducible:
Every time.

Steps to Reproduce:
1. Install syslog-ng and selinux-policy-targeted
2. /sbin/setsebool syslogd_disable_trans on
3. Reboot machine
  
Actual results:
ls -lZ /dev/log returns:
  system_u:object_r:device_t


Expected results:
Running /sbin/restorecon /dev/log, then ls -lZ /dev/log returns:
  system_u:object_r:devlog_t
Likewise, if syslogd_disable_trans=0, ls -lZ /dev/log returns
  system_u:object_r:devlog_t

Additional info:
Comment 1 Daniel Walsh 2007-02-22 12:27:24 EST
Yes, this is one of the risks of disable_trans.  In the future we want to remove
disable_trans and add a run_unconfined boolean.  Disabling trans on syslog will
cause most of the other confined domains to blow up since the /dev/log will be
mislabeled.  If there are missing rules required to get syslog to run in
enforcing mode, you can use audit2allow to generate custom policy.
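
A check for the mislabeling reported in this bug, as an added example that is not part of the original report or its comments: it classifies the SELinux context of /dev/log, treating devlog_t as the expected type and device_t as the symptom described above. The function names and the `--live` switch are assumptions made for this example; the sample contexts in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): classify the SELinux label on /dev/log.

# Print the type field of a context "user:role:type[:level]".
# An MLS/MCS level suffix (e.g. ":s0") may follow the type, so take field 3
# rather than the last field. Prints nothing if the string is not a context.
context_type() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 { print $3 }'
}

# Map a context string to a verdict:
#   ok          type is devlog_t (expected result in the report)
#   mislabeled  type is device_t (actual result in the report)
#   unlabeled   no parsable context (e.g. "?" on a non-SELinux system)
#   unexpected  any other type
classify_devlog_label() {
    t=$(context_type "$1")
    case "$t" in
        devlog_t) echo ok ;;
        device_t) echo mislabeled ;;
        '')       echo unlabeled ;;
        *)        echo unexpected ;;
    esac
}

# Read the live context with GNU stat (%C = SELinux context) and classify it.
# Returns 0 only when the label is the expected one.
check_devlog() {
    path=${1:-/dev/log}
    ctx=$(stat -c %C "$path" 2>/dev/null) || ctx=''
    verdict=$(classify_devlog_label "$ctx")
    echo "$path: context='$ctx' verdict=$verdict"
    [ "$verdict" = ok ]
}

# Only touch the real socket when asked to, so the functions can be
# sourced or tested on a machine without SELinux.
if [ "${1:-}" = "--live" ]; then
    check_devlog /dev/log || echo "label is wrong; fix with: /sbin/restorecon /dev/log" >&2
fi
```

Run with `--live` after boot, for example from a monitoring job, to catch the device_t label before other confined domains start failing to write to the socket.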
