Bug 391901 - Selinux access denial while executing external program
Selinux access denial while executing external program
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: rsyslog (Show other bugs)
8
All Linux
medium Severity medium
: ---
: ---
Assigned To: Peter Vrabec
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-20 05:49 EST by Michel Samia
Modified: 2007-11-30 17:12 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-11-21 08:18:29 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Michel Samia 2007-11-20 05:49:14 EST
Description of problem:
Selinux doesn't allow rsyslog to run external application while using a shell
execute action (for info about this type of rule see rsyslog.conf(5) manpage).

Version-Release number of selected component (if applicable):
rsyslog-1.19.6-3.fc8

How reproducible:
add rule containing program execution to rsyslog.conf, restart rsyslogd and log
something which matches the rule


Steps to Reproduce:
0. $ su -
1. # echo '$template bla_logged,"%timegenerated% the b_l_a was
logged"'>>/etc/rsyslog.conf
2. # echo ':msg, contains, "bla"    ^logger;bla_logged' >> /etc/rsyslog.conf
3. # service rsyslog restart
4. # logger blanket
5. # tail /var/log/messages
  
Actual results:
Selinux Troubleshooter appears. If enforcing mode is off, the last rows in the
messages file are
Nov 20 11:39:50 dhcp-lab-131 msamia: blanket
Nov 20 11:39:50 dhcp-lab-131 logger: Nov 20 11:39:50 the b_l_a was logged
Nov 20 11:39:52 dhcp-lab-131 setroubleshoot: #012    SELinux is preventing
rsyslogd (syslogd_t) "search" to <Unknown> (bin_t).#012     For complete SELinux
messages. run sealert -l 1c97093d-e18d-409e-b930-d33b5ac0a5c3

If enforcing mode is on, last messages are
Nov 20 11:39:50 dhcp-lab-131 msamia: blanket
Nov 20 11:39:52 dhcp-lab-131 setroubleshoot: #012    SELinux is preventing
rsyslogd (syslogd_t) "search" to <Unknown> (bin_t).#012     For complete SELinux
messages. run sealert -l 1c97093d-e18d-409e-b930-d33b5ac0a5c3

Expected results:
no selinux troubleshooter appearing and /var/log/messages containing
Nov 20 11:39:50 dhcp-lab-131 msamia: blanket
Nov 20 11:39:50 dhcp-lab-131 logger: Nov 20 11:39:50 the b_l_a was logged

Additional info:
Summary
    SELinux is preventing rsyslogd (syslogd_t) "search" to <Unknown> (bin_t).

Detailed Description
    SELinux denied access requested by rsyslogd. It is not expected that this
    access is required by rsyslogd and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:syslogd_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                None [ dir ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.0.8-53.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     dhcp-lab-131.englab.brq.redhat.com
Platform                      Linux dhcp-lab-131.englab.brq.redhat.com
                              2.6.23.1-49.fc8 #1 SMP Thu Nov 8 22:14:09 EST 2007
                              x86_64 x86_64
Alert Count                   6
First Seen                    Tue 20 Nov 2007 10:16:41 AM CET
Last Seen                     Tue 20 Nov 2007 11:39:50 AM CET
Local ID                      1c97093d-e18d-409e-b930-d33b5ac0a5c3
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm=rsyslogd dev=dm-0 name=sbin pid=22379
scontext=system_u:system_r:syslogd_t:s0 tclass=dir
tcontext=system_u:object_r:bin_t:s0
Comment 1 Daniel Walsh 2007-11-20 06:35:07 EST
In order to make this work with SELinux you really need to write policy for the
script.  Otherwise we just need to remove SELinux protection for syslog, since
there is no way to know what the script is going to do.


Note You need to log in before you can comment on or make changes to this bug.