Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 275031

Summary: Syslogd ignores additional socket file, only references /dev/log
Product: Red Hat Enterprise Linux 4
Component: sysklogd
Version: 4.5
Hardware: All
OS: All
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Jose Plans <jplans>
Assignee: Peter Vrabec <pvrabec>
QA Contact: Brian Brock <bbrock>
CC: tao
Fixed In Version: RHBA-2008-0162
Doc Type: Bug Fix
Last Closed: 2008-04-09 16:15:12 UTC
Bug Blocks: 275041
Attachments: sysklogd-syslogd_unixaf.patch (flags: none)

Description Jose Plans 2007-09-03 09:20:54 UTC
Description of problem:
Syslogd ignores additional socket files as this one gets overwritten in:
--
                for (i = 0; i < nfunix; i++) {
                    if ((fd = funix[i]) != -1 && FD_ISSET(fd, &readfds)) {
                        memset(line, '\0', sizeof(line));
--->                    i = recv(fd, line, MAXLINE - 2, 0);
--
i gets overwritten and therefore corrupts the counter, not allowing the next UNIX
sockets to be audited.

How reproducible:
Always

Steps to Reproduce:

1. Configure /etc/sysconfig/syslog to add new sockets:

 SYSLOGD_OPTIONS="-m 0 -a /var/log/newsock"

2. Restart syslog daemon.

3. Write data to /var/log/newsock socket file.

Actual results:
Use only default socket file (/dev/log), ignores additional new socket file.

Expected results:
Use additional and default socket file.

Additional info:
Patch provided and tested by the customer.

Environment:
RHEL4U3
syslogd-1.4.1-26.EL
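
The effect of the overwritten counter described above, as an added example that is not part of the bug report or of sysklogd: three constructed socketpairs stand in for the `-a` sockets, each with one datagram queued, and one select() pass is run with and without reusing `i`. The attached patch is not shown on this page, so the separate-variable variant is an assumption about the fix.

```c
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

#define NSOCK   3       /* constructed: three sockets instead of real -a paths */
#define MAXLINE 1024

/* Queue one datagram per socket, run a single select() pass and return how
 * many sockets were actually read (-1 on setup failure). */
int sockets_read_in_one_pass(int reuse_index)
{
    int funix[NSOCK], peer[NSOCK], nfunix = NSOCK;
    int i, fd, maxfd = -1, nread = 0;
    char line[MAXLINE];
    fd_set readfds;

    FD_ZERO(&readfds);
    for (i = 0; i < nfunix; i++) {
        int sv[2];
        if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0) return -1;
        funix[i] = sv[0]; peer[i] = sv[1];
        if (send(peer[i], "hello", 5, 0) != 5) return -1;
        FD_SET(funix[i], &readfds);
        if (funix[i] > maxfd) maxfd = funix[i];
    }
    if (select(maxfd + 1, &readfds, NULL, NULL, NULL) < 0) return -1;
    for (i = 0; i < nfunix; i++) {
        if ((fd = funix[i]) != -1 && FD_ISSET(fd, &readfds)) {
            memset(line, '\0', sizeof(line));
            if (reuse_index) {
                /* pattern from the report: i now holds the byte count (5) */
                i = recv(fd, line, MAXLINE - 2, 0);
                if (i > 0) nread++;
            } else {
                /* assumed fix: byte count kept out of the loop index */
                ssize_t n = recv(fd, line, MAXLINE - 2, 0);
                if (n > 0) nread++;
            }
        }
    }
    for (i = 0; i < NSOCK; i++) { close(funix[i]); close(peer[i]); }
    return nread;
}

int main(void)
{
    printf("index reused: %d of %d read\n", sockets_read_in_one_pass(1), NSOCK);
    printf("separate var: %d of %d read\n", sockets_read_in_one_pass(0), NSOCK);
    return 0;
}
```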

Comment 1 Jose Plans 2007-09-03 09:20:54 UTC
Created attachment 185161 [details]
sysklogd-syslogd_unixaf.patch

Comment 4 Eduard Benes 2008-01-11 13:03:59 UTC
While testing bug #275041, I found out that the actual problem with not being able
to use a non-default socket file (/dev/log) is in the SELinux policy, which does not
allow working with sockets in /var/log/ (var_log_t:sock_file).

The log below shows that using the described steps to reproduce works when in
Permissive mode but does not in Enforcing mode. Anyway, I agree that the
mentioned code should be fixed ... but I think it's not the real reason why it
is not possible to use additional socket files. Or am I missing something here?

A better example to trigger the bug that's actually being fixed by the patch
would be welcome. Thanks.

== SELinux in permissive ==
# getenforce
Permissive
# vim /etc/sysconfig/syslog 
# grep /etc/sysconfig/syslog -e newsock
SYSLOGD_OPTIONS="-m 0 -a /var/log/newsock"
# service syslog restart
Shutting down kernel logger:                               [  OK  ]
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
Starting kernel logger:                                    [  OK  ]
# logger -d -u /var/log/newsock something
# rpm -q sysklogd
sysklogd-1.4.1-26_EL.ia64
# grep /var/log/messages -e something
Jan 11 07:31:53 ia64-4as root: something

== SELinux enforcing targeted ==
# setenforce 1
# service syslog restart
Shutting down kernel logger:                               [  OK  ]
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
Starting kernel logger:                                    [  OK  ]
# logger -d -u /var/log/newsock something
connect: Connection refused.

# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.149.noarch

== AVCs ==
# /etc/init.d/syslog restart
Shutting down kernel logger:                               [  OK  ]
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
Starting kernel logger:                                    [  OK  ]
# getenforce 
Enforcing
# ausearch  -sv no -ts 07:43
----
time->Fri Jan 11 07:43:27 2008
type=PATH msg=audit(1200055407.304:46):  flags=10  inode=2593753 dev=08:02 
mode=040755 ouid=0 ogid=0 rdev=00:00
type=SOCKADDR msg=audit(1200055407.304:46): 
saddr=01002F7661722F6C6F672F6E6577736F636B
type=SYSCALL msg=audit(1200055407.304:46): arch=c0000032 syscall=1191 
success=no exit=-13 a0=a a1=60000fffffffade0 a2=12 a3=0 items=1 pid=883 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
comm="syslogd" exe="/sbin/syslogd"
type=AVC msg=audit(1200055407.304:46): avc:  denied  { create } for  pid=883 
comm="syslogd" name="newsock" scontext=root:system_r:syslogd_t 
tcontext=root:object_r:var_log_t tclass=sock_file
# ausearch  -sv no -ts 07:43 | audit2allow
allow syslogd_t var_log_t:sock_file create;
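
How the hex `saddr=` field in the SOCKADDR record above maps back to the socket path named in the AVC denial, as an added example (not part of the bug report or of the audit tools). The function name is hypothetical, and the decoder assumes the address family was recorded in little-endian host byte order.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

static int hexval(char c)   /* value of one hex digit, -1 if invalid */
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode an audit saddr= hex string. Returns the socket path for an AF_UNIX
 * address, or NULL if the string is malformed or another address family. */
const char *unix_saddr_path(const char *hex)
{
    static char path[110];
    unsigned char raw[110];
    size_t len = strlen(hex), n = len / 2, i, p = 0;

    if (len % 2 != 0 || n < 2 || n > sizeof(raw)) return NULL;
    for (i = 0; i < n; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return NULL;
        raw[i] = (unsigned char)((hi << 4) | lo);
    }
    /* Assumption: sa_family was recorded in little-endian host byte order. */
    if ((raw[0] | (raw[1] << 8)) != AF_UNIX) return NULL;
    for (i = 2; i < n && raw[i] != '\0'; i++)   /* sun_path up to NUL or end */
        path[p++] = (char)raw[i];
    path[p] = '\0';
    return path;
}

int main(void)
{
    /* saddr value copied from the SOCKADDR record in the comment above */
    const char *p = unix_saddr_path("01002F7661722F6C6F672F6E6577736F636B");
    printf("%s\n", p ? p : "(not an AF_UNIX address)");
    return 0;
}
```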


Comment 9 errata-xmlrpc 2008-04-09 16:15:12 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0162.html