Bug 428422 - SELinux does not allow syslog to use additional socket files
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.2
Platform: All Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
Blocks: 428423
Reported: 2008-01-11 08:14 EST by Eduard Benes
Modified: 2008-02-04 16:29 EST (History)
Doc Type: Bug Fix
Last Closed: 2008-02-04 16:29:19 EST
Description Eduard Benes 2008-01-11 08:14:39 EST
While testing bug #275041 I found out that the actual problem with not being able
to use a non-default socket file (/dev/log) is in the SELinux policy, which does
not allow working with sockets in /var/log/ (var_log_t:sock_file). Would it make
sense to allow using additional socket files in the /var/log/ directory?

The log below shows that the steps to reproduce described in bz# 275041
work in Permissive mode but do not work in Enforcing mode.

SELinux policy:
  RHEL4 - selinux-policy-targeted-1.17.30-2.149
  RHEL5 - selinux-policy-2.4.6-108.el5

== SELinux in permissive ==
# getenforce
Permissive
# vim /etc/sysconfig/syslog 
# grep /etc/sysconfig/syslog -e newsock
SYSLOGD_OPTIONS="-m 0 -a /var/log/newsock"
# service syslog restart
Shutting down kernel logger:                               [  OK  ]
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
Starting kernel logger:                                    [  OK  ]
# logger -d -u /var/log/newsock something
# rpm -q sysklogd
sysklogd-1.4.1-26_EL.ia64
# grep /var/log/messages -e something
Jan 11 07:31:53 ia64-4as root: something

== SELinux enforcing targeted ==
# setenforce 1
# service syslog restart
Shutting down kernel logger:                               [  OK  ]
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
Starting kernel logger:                                    [  OK  ]
# logger -d -u /var/log/newsock something
connect: Connection refused.
# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.149.noarch

== AVCs ==
# /etc/init.d/syslog restart
Shutting down kernel logger:                               [  OK  ]
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
Starting kernel logger:                                    [  OK  ]
# getenforce 
Enforcing
# ausearch  -sv no -ts 07:43
----
time->Fri Jan 11 07:43:27 2008
type=PATH msg=audit(1200055407.304:46):  flags=10  inode=2593753 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00
type=SOCKADDR msg=audit(1200055407.304:46): saddr=01002F7661722F6C6F672F6E6577736F636B
type=SYSCALL msg=audit(1200055407.304:46): arch=c0000032 syscall=1191 success=no exit=-13 a0=a a1=60000fffffffade0 a2=12 a3=0 items=1 pid=883 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="syslogd" exe="/sbin/syslogd"
type=AVC msg=audit(1200055407.304:46): avc:  denied  { create } for  pid=883 comm="syslogd" name="newsock" scontext=root:system_r:syslogd_t tcontext=root:object_r:var_log_t tclass=sock_file
# ausearch  -sv no -ts 07:43 | audit2allow
allow syslogd_t var_log_t:sock_file create; <<-- more permissions will be needed (unlink, ...)
Comment 1 RHEL Product and Program Management 2008-01-11 08:45:39 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 2 Daniel Walsh 2008-01-11 15:25:40 EST
I think you would need custom policy for this, as this is not a standard behavior.
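Comment 2 points at a custom policy module. As an added illustration (not part of the bug report and not Red Hat's or the selinux-policy package's own code), the script below does what audit2allow -M does with the denials on this page: it parses AVC records, merges the permissions denied per (source type, target type, class), and renders a loadable module source (.te). The input is a constructed audit log: the real AVC from the report plus two made-up unlink and setattr denials of the kind the reporter expected to follow once create is allowed, and one granted record to show that only denials become rules. The module name is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample audit log (not a real capture). First record is the AVC
# from the bug report; the unlink/setattr denials are made up to stand in for
# the "more permissions" the reporter expected after allowing create; the last
# record is granted, not denied, and must not produce a rule.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1200055407.304:46): arch=c0000032 syscall=1191 success=no exit=-13 pid=883 comm="syslogd" exe="/sbin/syslogd"
type=AVC msg=audit(1200055407.304:46): avc:  denied  { create } for  pid=883 comm="syslogd" name="newsock" scontext=root:system_r:syslogd_t tcontext=root:object_r:var_log_t tclass=sock_file
type=AVC msg=audit(1200055501.120:51): avc:  denied  { unlink } for  pid=901 comm="syslogd" name="newsock" dev=sda2 ino=2593760 scontext=root:system_r:syslogd_t tcontext=root:object_r:var_log_t tclass=sock_file
type=AVC msg=audit(1200055501.121:52): avc:  denied  { setattr } for  pid=901 comm="syslogd" name="newsock" dev=sda2 ino=2593760 scontext=root:system_r:syslogd_t tcontext=root:object_r:var_log_t tclass=sock_file
type=AVC msg=audit(1200055501.130:53): avc:  granted  { search } for  pid=901 comm="syslogd" name="log" scontext=root:system_r:syslogd_t tcontext=system_u:object_r:var_log_t tclass=dir
"""

# Matches only *denied* AVCs; SYSCALL/PATH/SOCKADDR records and granted AVCs
# carry no access rule and are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_denials(log_text):
    """Return {(source_type, target_type, tclass): set(permissions)} for denied AVCs.

    A security context is user:role:type[:level]; the type is the third field.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        rules[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)


def build_te(rules, module_name="syslogd_varlog_sock", version="1.0"):
    """Render policy module source in the shape audit2allow -M emits.

    module_name is an assumed name, not one from the bug report.
    """
    types = sorted({s for (s, _, _) in rules} | {t for (_, t, _) in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)

    lines = [f"module {module_name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {{ {' '.join(sorted(p))} }};" for cls, p in sorted(classes.items())]
    lines += ["}", ""]
    # One allow rule per (source, target, class), with every permission that
    # was denied for that triple merged into it.
    for (stype, ttype, cls), perms in sorted(rules.items()):
        lines.append(f"allow {stype} {ttype}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_te(parse_denials(SAMPLE_AUDIT_LOG)), end="")
```

Saved as syslogd_varlog_sock.te, the output is built and loaded with the standard tools: `checkmodule -M -m -o syslogd_varlog_sock.mod syslogd_varlog_sock.te`, `semodule_package -o syslogd_varlog_sock.pp -m syslogd_varlog_sock.mod`, `semodule -i syslogd_varlog_sock.pp`. Two caveats a practitioner should keep in mind: the rule is keyed on types, so it lets syslogd_t create and unlink any sock_file labelled var_log_t, not only /var/log/newsock; and, like audit2allow, the script only renders the denials it is given, so collect them in Permissive mode across a full syslog restart (as in the report's first transcript) before generating the module, otherwise the first Enforcing restart will surface the next denial.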
