Description of problem:
Selinux doesn't allow rsyslog to run external application while using a shell execute action (for info about this type of rule see rsyslog.conf(5) manpage).

Version-Release number of selected component (if applicable):
rsyslog-1.19.6-3.fc8

How reproducible:
add rule containing program execution to rsyslog.conf, restart rsyslogd and log something which matches the rule

Steps to Reproduce:
0. $ su -
1. # echo '$template bla_logged,"%timegenerated% the b_l_a was logged"'>>/etc/rsyslog.conf
2. # echo ':msg, contains, "bla" ^logger;bla_logged' >> /etc/rsyslog.conf
3. # service rsyslog restart
4. # logger blanket
5. # tail /var/log/messages

Actual results:
Selinux Troubleshooter appears. If enforcing mode is off, the last rows in the messages file are

Nov 20 11:39:50 dhcp-lab-131 msamia: blanket
Nov 20 11:39:50 dhcp-lab-131 logger: Nov 20 11:39:50 the b_l_a was logged
Nov 20 11:39:52 dhcp-lab-131 setroubleshoot: #012 SELinux is preventing rsyslogd (syslogd_t) "search" to <Unknown> (bin_t).#012 For complete SELinux messages. run sealert -l 1c97093d-e18d-409e-b930-d33b5ac0a5c3

If enforcing mode is on, last messages are

Nov 20 11:39:50 dhcp-lab-131 msamia: blanket
Nov 20 11:39:52 dhcp-lab-131 setroubleshoot: #012 SELinux is preventing rsyslogd (syslogd_t) "search" to <Unknown> (bin_t).#012 For complete SELinux messages. run sealert -l 1c97093d-e18d-409e-b930-d33b5ac0a5c3

Expected results:
no selinux troubleshooter appearing and /var/log/messages containing

Nov 20 11:39:50 dhcp-lab-131 msamia: blanket
Nov 20 11:39:50 dhcp-lab-131 logger: Nov 20 11:39:50 the b_l_a was logged

Additional info:

Summary
    SELinux is preventing rsyslogd (syslogd_t) "search" to <Unknown> (bin_t).

Detailed Description
    SELinux denied access requested by rsyslogd. It is not expected that this access is required by rsyslogd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>,
    restorecon -v <Unknown>
    If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
    Source Context         system_u:system_r:syslogd_t:s0
    Target Context         system_u:object_r:bin_t:s0
    Target Objects         None [ dir ]
    Affected RPM Packages
    Policy RPM             selinux-policy-3.0.8-53.fc8
    Selinux Enabled        True
    Policy Type            targeted
    MLS Enabled            True
    Enforcing Mode         Permissive
    Plugin Name            plugins.catchall_file
    Host Name              dhcp-lab-131.englab.brq.redhat.com
    Platform               Linux dhcp-lab-131.englab.brq.redhat.com 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 22:14:09 EST 2007 x86_64 x86_64
    Alert Count            6
    First Seen             Tue 20 Nov 2007 10:16:41 AM CET
    Last Seen              Tue 20 Nov 2007 11:39:50 AM CET
    Local ID               1c97093d-e18d-409e-b930-d33b5ac0a5c3
    Line Numbers

Raw Audit Messages
    avc: denied { search } for comm=rsyslogd dev=dm-0 name=sbin pid=22379 scontext=system_u:system_r:syslogd_t:s0 tclass=dir tcontext=system_u:object_r:bin_t:s0
In order to make this work with SELinux you really need to write policy for the script. Otherwise we just need to remove SELinux protection for syslog, since there is no way to know what the script is going to do.
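The local-policy-module route the troubleshooter text points to, as an added example that is not part of this report or of the rsyslog/setroubleshoot code: it parses the raw AVC message quoted above and emits a .te module in the same shape `audit2allow -M` produces. It covers only the single denial in the report (each further denial a rerun produces goes through the same path), and, as the reply above notes, rules derived this way widen syslogd_t itself rather than giving the executed script a policy of its own; the sample AVC line is the report's, embedded here as constructed input.

```python
import re

# Constructed sample: the raw AVC denial quoted in this report, in the form
# `ausearch -m avc -c rsyslogd` prints it (field order varies between kernels).
SAMPLE_AVC = ('avc: denied { search } for comm=rsyslogd dev=dm-0 name=sbin pid=22379 '
              'scontext=system_u:system_r:syslogd_t:s0 tclass=dir '
              'tcontext=system_u:object_r:bin_t:s0')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=(\S+)')

def parse_avc(line):
    """Denied permissions plus key=value fields of one AVC line; None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group('rest')))
    fields['perms'] = m.group('perms').split()
    return fields

def context_type(ctx):
    """user:role:type:level -> the type component, e.g. syslogd_t."""
    return ctx.split(':')[2]

def fmt_perms(perms):
    """Policy syntax: a lone permission bare, several inside braces."""
    perms = sorted(set(perms))
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def te_rule(fields):
    """The single allow rule that would satisfy this denial."""
    src, tgt = context_type(fields['scontext']), context_type(fields['tcontext'])
    return f"allow {src} {tgt}:{fields['tclass']} {fmt_perms(fields['perms'])};"

def te_module(name, avc_lines):
    """Loadable .te module text for a batch of denials, shaped like `audit2allow -M` output."""
    types, classes, rules = set(), {}, []
    for line in avc_lines:
        f = parse_avc(line)
        if f is None:
            continue  # skip SYSCALL/PATH records and anything else that is not an AVC
        types.update((context_type(f['scontext']), context_type(f['tcontext'])))
        classes.setdefault(f['tclass'], set()).update(f['perms'])
        rules.append(te_rule(f))
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in sorted(types)]
    out += [f"    class {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""] + rules
    return "\n".join(out) + "\n"
```

Write the result to rsyslog_exec.te, then build and load it with `checkmodule -M -m -o rsyslog_exec.mod rsyslog_exec.te`, `semodule_package -o rsyslog_exec.pp -m rsyslog_exec.mod` and `semodule -i rsyslog_exec.pp`; the module only grants what the parsed denials asked for, so review the allow lines before loading.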