Bug 238752 - SELinux is preventing /sbin/syslogd (syslogd_t) "read write" access to eventpoll:[28163] (initrc_t).
Summary: SELinux is preventing /sbin/syslogd (syslogd_t) "read write" access to eventp...
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy   
(Show other bugs)
Version: 5.0
Hardware: i386 Linux
Target Milestone: ---
: ---
Assignee: Daniel Walsh
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2007-05-02 19:48 UTC by Scott Bambrough
Modified: 2007-11-30 22:07 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-05-29 15:55:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Scott Bambrough 2007-05-02 19:48:42 UTC
    SELinux is preventing /sbin/syslogd (syslogd_t) "read write" access to
    eventpoll:[28163] (initrc_t).

Detailed Description
    SELinux denied access requested by /sbin/syslogd. It is not expected that
    this access is required by /sbin/syslogd and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.
    Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for eventpoll:[28163], restorecon -v
    eventpoll:[28163]. There is currently no automatic way to allow this access.
    Instead, you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
    disable SELinux protection entirely for the application. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
    Changing the "syslogd_disable_trans" boolean to true will disable SELinux
    protection this application: "setsebool -P syslogd_disable_trans=1."

    The following command will allow this access:
    setsebool -P syslogd_disable_trans=1

Additional Information        

Source Context                root:system_r:syslogd_t
Target Context                root:system_r:initrc_t
Target Objects                eventpoll:[28163] [ unix_stream_socket ]
Affected RPM Packages         sysklogd-1.4.1-39.2 [application]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.disable_trans
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-8.el5 #1 SMP
                              Fri Jan 26 14:15:21 EST 2007 i686 athlon
Alert Count                   1
Line Numbers                  

Raw Audit Messages            

avc: denied { read, write } for comm="syslogd" dev=sockfs egid=0 euid=0
exe="/sbin/syslogd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="[28166]"
path="eventpoll:[28163]" pid=5888 scontext=root:system_r:syslogd_t:s0 sgid=0
subj=root:system_r:syslogd_t:s0 suid=0 tclass=unix_stream_socket
tcontext=root:system_r:initrc_t:s0 tty=(none) uid=0

I get this error installing Xandro Bridgeways on RHEL5 (no updates) in a VMware

Comment 1 Daniel Walsh 2007-05-03 13:38:10 UTC
i have no idea what this is?  Does syslog need access to a named pipe started
from init?  eventpoll?

Comment 2 RHEL Product and Program Management 2007-05-15 15:03:56 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 3 Daniel Walsh 2007-05-15 15:16:12 UTC
Does this cause any problems,  IE does the syslog work in enforcing mode? 

You might need to use audit2allow -a -M mysyslog to build a loadable policy
module to allow this.

Comment 5 Scott Bambrough 2007-05-28 17:04:54 UTC
SELinux is preventing /sbin/syslogd (syslogd_t) "read write" access to
eventpoll:[28163] (initrc_t).

This error was generated during the install of our product.  I suspect this
event is generated by one of our apps which obtains a file descriptor from

The application modifies the syslog configuration and restarts the syslog
daemon.  The file descriptor is leaked when the daemon is restarted.

I haven't verified this yet but it seems to fit:

1) I only see this during installation.
2) It explains the initrc_t context if we use /etc/init.d/syslog
3) It explains the odd descriptor name.
4) syslog works fine after installation

Does this seem to be a reasonable scenario?  I'm rather new to SELinux.

Comment 6 Daniel Walsh 2007-05-29 15:55:50 UTC
Yes that is exactly the foot print of this error.

Note You need to log in before you can comment on or make changes to this bug.