Bug 275031 - Syslogd ignores additional socket file, only references /dev/log
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: sysklogd
Version: 4.5
Hardware: All All
Priority: medium Severity: medium
Assigned To: Peter Vrabec
QA Contact: Brian Brock
Depends On:
Blocks: 275041
Reported: 2007-09-03 05:20 EDT by Jose Plans
Modified: 2010-10-22 14:19 EDT
Fixed In Version: RHBA-2008-0162
Doc Type: Bug Fix
Last Closed: 2008-04-09 12:15:12 EDT


Attachments
sysklogd-syslogd_unixaf.patch (992 bytes, patch)
2007-09-03 05:20 EDT, Jose Plans

Description Jose Plans 2007-09-03 05:20:54 EDT
Description of problem:
Syslogd ignores additional socket files as this one gets overwritten in:
--
                for (i = 0; i < nfunix; i++) {
                    if ((fd = funix[i]) != -1 && FD_ISSET(fd, &readfds)) {
                        memset(line, '\0', sizeof(line));
--->                    i = recv(fd, line, MAXLINE - 2, 0);
--
i gets overwritten and therefore corrupts the counter, not allowing the next UNIX
sockets to be audited.

How reproducible:
Always

Steps to Reproduce:

1. Configure /etc/sysconfig/syslog to add new sockets:

 SYSLOGD_OPTIONS="-m 0 -a /var/log/newsock"

2. Restart the syslog daemon.

3. Write data to the /var/log/newsock socket file.

Actual results:
Use only default socket file (/dev/log), ignores additional new socket file.

Expected results:
Use additional and default socket file.

Additional info:
Patch provided and tested by the customer.

Environment:
RHEL4U3
syslogd-1.4.1-26.EL
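
Added illustration (not part of the original report and not sysklogd code): a self-contained reproduction of the loop pattern quoted in the description, showing how many ready sockets one pass reads when recv()'s result is stored in the loop index versus in a separate variable. The socketpairs stand in for the daemon's UNIX sockets; service_pass, sockets_served_in_one_pass, NSOCK and MSG are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

enum { MAXLINE = 1024, NSOCK = 3 };     /* constructed sizes */
#define MSG "<13>constructed message"   /* constructed sample datagram */
/* One select()/recv() pass; buggy != 0 reuses the loop index as in the report. */
static int service_pass(const int *funix, int nfunix, int buggy)
{
    char line[MAXLINE];
    fd_set readfds;
    struct timeval tv = {0, 0};         /* poll, do not block */
    int i, fd, n, maxfd = -1, served = 0;
    FD_ZERO(&readfds);
    for (i = 0; i < nfunix; i++) {
        FD_SET(funix[i], &readfds);
        if (funix[i] > maxfd) maxfd = funix[i];
    }
    if (select(maxfd + 1, &readfds, NULL, NULL, &tv) <= 0) return 0;
    for (i = 0; i < nfunix; i++) {
        if ((fd = funix[i]) != -1 && FD_ISSET(fd, &readfds)) {
            memset(line, '\0', sizeof(line));
            n = (int)recv(fd, line, MAXLINE - 2, 0);
            if (n > 0) served++;
            if (buggy) i = n;           /* same effect as "i = recv(...)" */
        }
    }
    return served;                      /* sockets read in this pass */
}

/* Queue one datagram on each socketpair, then run a single pass. */
int sockets_served_in_one_pass(int buggy)
{
    int sv[NSOCK][2], rx[NSOCK], k, served;
    for (k = 0; k < NSOCK; k++) {
        if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv[k]) != 0) return -1;
        rx[k] = sv[k][0];
        send(sv[k][1], MSG, strlen(MSG), 0);
    }
    served = service_pass(rx, NSOCK, buggy);
    for (k = 0; k < NSOCK; k++) { close(sv[k][0]); close(sv[k][1]); }
    return served;
}

int main(void)
{
    return printf("buggy pass read %d of %d sockets, fixed pass read %d\n",
                  sockets_served_in_one_pass(1), NSOCK, sockets_served_in_one_pass(0)) < 0;
}
```

With a 23-byte message the index jumps past nfunix after the first read, so the remaining ready sockets are not examined in that pass.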
Comment 1 Jose Plans 2007-09-03 05:20:54 EDT
Created attachment 185161
sysklogd-syslogd_unixaf.patch
Comment 4 Eduard Benes 2008-01-11 08:03:59 EST
While testing bug #275041, I found out that the actual problem with not being able 
to use a non-default socket file (/dev/log) is in the SELinux policy, which does not 
allow working with sockets in /var/log/ (var_log_t:sock_file).

The log below shows that using the described steps to reproduce works when in 
Permissive mode but does not in Enforcing mode. Anyway, I agree that the 
mentioned code should be fixed ... but I think it's not the real reason why it 
is not possible to use additional socket files. Or am I missing something here?

A better example to trigger the bug that's actually being fixed by the patch 
would be welcome. Thanks.

== SELinux in permissive ==
# getenforce
Permissive
# vim /etc/sysconfig/syslog 
# grep /etc/sysconfig/syslog -e newsock
SYSLOGD_OPTIONS="-m 0 -a /var/log/newsock"
# service syslog restart
Shutting down kernel logger:                               [  OK  ]
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
Starting kernel logger:                                    [  OK  ]
# logger -d -u /var/log/newsock something
# rpm -q sysklogd
sysklogd-1.4.1-26_EL.ia64
# grep /var/log/messages -e something
Jan 11 07:31:53 ia64-4as root: something

== SELinux enforcing targeted ==
# setenforce 1
# service syslog restart
Shutting down kernel logger:                               [  OK  ]
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
Starting kernel logger:                                    [  OK  ]
# logger -d -u /var/log/newsock something
connect: Connection refused.

# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.149.noarch

== AVCs ==
# /etc/init.d/syslog restart
Shutting down kernel logger:                               [  OK  ]
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
Starting kernel logger:                                    [  OK  ]
# getenforce 
Enforcing
# ausearch  -sv no -ts 07:43
----
time->Fri Jan 11 07:43:27 2008
type=PATH msg=audit(1200055407.304:46):  flags=10  inode=2593753 dev=08:02 
mode=040755 ouid=0 ogid=0 rdev=00:00
type=SOCKADDR msg=audit(1200055407.304:46): 
saddr=01002F7661722F6C6F672F6E6577736F636B
type=SYSCALL msg=audit(1200055407.304:46): arch=c0000032 syscall=1191 
success=no exit=-13 a0=a a1=60000fffffffade0 a2=12 a3=0 items=1 pid=883 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
comm="syslogd" exe="/sbin/syslogd"
type=AVC msg=audit(1200055407.304:46): avc:  denied  { create } for  pid=883 
comm="syslogd" name="newsock" scontext=root:system_r:syslogd_t 
tcontext=root:object_r:var_log_t tclass=sock_file
# ausearch  -sv no -ts 07:43 | audit2allow
allow syslogd_t var_log_t:sock_file create;
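
Added example (not part of the original comment): the SOCKADDR record above carries the socket address as a hex string, and decoding it confirms which path the denied call referred to. decode_saddr and hexval are hypothetical names; the code assumes an AF_UNIX address with a little-endian sa_family field.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode an audit SOCKADDR saddr= hex string for an AF_UNIX address.
 * Writes the socket path to path[] and returns the address family,
 * or -1 on malformed input or if the path does not fit.
 * Assumption: sa_family is stored little-endian. */
int decode_saddr(const char *hex, char *path, size_t pathlen)
{
    size_t len = strlen(hex), nbytes = len / 2, i;
    unsigned char b[2 + 108];            /* sa_family + sun_path */

    if (len % 2 != 0 || nbytes < 2 || nbytes > sizeof(b))
        return -1;
    for (i = 0; i < nbytes; i++) {
        int hi = hexval((unsigned char)hex[2 * i]);
        int lo = hexval((unsigned char)hex[2 * i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        b[i] = (unsigned char)(hi << 4 | lo);
    }
    if (nbytes - 2 >= pathlen)
        return -1;
    memcpy(path, b + 2, nbytes - 2);
    path[nbytes - 2] = '\0';
    return b[0] | b[1] << 8;
}

int main(void)
{
    /* saddr value copied from the SOCKADDR record in the log above */
    char path[109];
    int family = decode_saddr("01002F7661722F6C6F672F6E6577736F636B",
                              path, sizeof(path));
    printf("family=%d path=%s\n", family, family < 0 ? "(invalid)" : path);
    return 0;
}
```

Family 1 is AF_UNIX on Linux, and the decoded path matches the name="newsock" field of the AVC denial.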
Comment 9 errata-xmlrpc 2008-04-09 12:15:12 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0162.html
