Bug 428423 - SELinux does not allow syslog to use additional socket files
Summary: SELinux does not allow syslog to use additional socket files
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy
Version: 4.7
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On: 428422
Blocks:
Reported: 2008-01-11 13:15 UTC by Eduard Benes
Modified: 2008-05-07 15:33 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-07 15:33:54 UTC
Target Upstream Version:
Embargoed:



Description Eduard Benes 2008-01-11 13:15:28 UTC
+++ This bug was initially created as a clone of Bug #428422 +++

While testing bug #275041 I found out that the actual problem with not being able
to use a non-default socket file (/dev/log) is in the SELinux policy, which does not
allow working with sockets in /var/log/ (var_log_t:sock_file). Would it make
sense to allow using additional socket files in the /var/log/ directory?

The log below shows that the steps to reproduce described in bz# 275041 work in
Permissive mode but not in Enforcing mode.

SELinux policy:
  RHEL4 - selinux-policy-targeted-1.17.30-2.149
  RHEL5 - selinux-policy-2.4.6-108.el5

== SELinux in permissive ==
# getenforce
Permissive
# vim /etc/sysconfig/syslog 
# grep /etc/sysconfig/syslog -e newsock
SYSLOGD_OPTIONS="-m 0 -a /var/log/newsock"
# service syslog restart
Shutting down kernel logger:                               [  OK  ]
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
Starting kernel logger:                                    [  OK  ]
# logger -d -u /var/log/newsock something
# rpm -q sysklogd
sysklogd-1.4.1-26_EL.ia64
# grep /var/log/messages -e something
Jan 11 07:31:53 ia64-4as root: something

== SELinux enforcing targeted ==
# setenforce 1
# service syslog restart
Shutting down kernel logger:                               [  OK  ]
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
Starting kernel logger:                                    [  OK  ]
# logger -d -u /var/log/newsock something
connect: Connection refused.
# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.149.noarch

== AVCs ==
# /etc/init.d/syslog restart
Shutting down kernel logger:                               [  OK  ]
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
Starting kernel logger:                                    [  OK  ]
# getenforce 
Enforcing
# ausearch  -sv no -ts 07:43
----
time->Fri Jan 11 07:43:27 2008
type=PATH msg=audit(1200055407.304:46):  flags=10  inode=2593753 dev=08:02 
mode=040755 ouid=0 ogid=0 rdev=00:00
type=SOCKADDR msg=audit(1200055407.304:46): 
saddr=01002F7661722F6C6F672F6E6577736F636B
type=SYSCALL msg=audit(1200055407.304:46): arch=c0000032 syscall=1191 
success=no exit=-13 a0=a a1=60000fffffffade0 a2=12 a3=0 items=1 pid=883 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
comm="syslogd" exe="/sbin/syslogd"
type=AVC msg=audit(1200055407.304:46): avc:  denied  { create } for  pid=883 
comm="syslogd" name="newsock" scontext=root:system_r:syslogd_t 
tcontext=root:object_r:var_log_t tclass=sock_file
# ausearch  -sv no -ts 07:43 | audit2allow
allow syslogd_t var_log_t:sock_file create; <<-- more permissions will be 
needed (unlink, ...)
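
Added example (not part of the bug report): a small Python script that decodes the SOCKADDR record above to confirm the socket path syslogd was creating, and merges AVC records into the audit2allow-style allow rule shown above. The SOCKADDR and first AVC record are the reporter's ausearch output; the second AVC record is constructed to anticipate the unlink denial the reporter expects.

```python
import re
from collections import defaultdict

# Sample input: the SOCKADDR and first AVC records are the ausearch output from the
# report above, reflowed onto one line each as ausearch prints them; the second AVC
# record is constructed to anticipate the unlink denial the reporter expects.
AUDIT_RECORDS = """\
type=SOCKADDR msg=audit(1200055407.304:46): saddr=01002F7661722F6C6F672F6E6577736F636B
type=AVC msg=audit(1200055407.304:46): avc:  denied  { create } for  pid=883 comm="syslogd" name="newsock" scontext=root:system_r:syslogd_t tcontext=root:object_r:var_log_t tclass=sock_file
type=AVC msg=audit(1200055500.000:47): avc:  denied  { unlink } for  pid=901 comm="syslogd" name="newsock" scontext=root:system_r:syslogd_t tcontext=root:object_r:var_log_t tclass=sock_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
SADDR_RE = re.compile(r"type=SOCKADDR.*?saddr=(?P<hex>[0-9A-Fa-f]+)")
AF_UNIX = 1

def decode_saddr(hex_saddr):
    """Decode the raw sockaddr bytes the audit subsystem logs -> (family, path)."""
    raw = bytes.fromhex(hex_saddr)
    # sa_family_t is logged in host byte order (little-endian on the reporter's ia64).
    family = int.from_bytes(raw[:2], "little")
    if family != AF_UNIX:
        return family, None
    return family, raw[2:].split(b"\0", 1)[0].decode()  # sun_path, NUL-terminated

def socket_paths(records):
    """AF_UNIX paths named in SOCKADDR records, in order of appearance."""
    return [decode_saddr(m["hex"])[1] for m in SADDR_RE.finditer(records)]

def allow_rules(records):
    """Merge denied permissions per (source type, target type, class), as audit2allow does."""
    perms = defaultdict(set)
    for m in AVC_RE.finditer(records):
        stype = m["scon"].split(":")[2]  # user:role:type[:range] -> type
        ttype = m["tcon"].split(":")[2]
        perms[(stype, ttype, m["tclass"])].update(m["perms"].split())
    rules = []
    for (s, t, c), p in sorted(perms.items()):
        plist = " ".join(sorted(p))
        if len(p) > 1:  # audit2allow braces the list only for several permissions
            plist = "{ " + plist + " }"
        rules.append(f"allow {s} {t}:{c} {plist};")
    return rules

if __name__ == "__main__":
    print(socket_paths(AUDIT_RECORDS), *allow_rules(AUDIT_RECORDS), sep="\n")
```

Like audit2allow, the script only emits permissions that have actually been denied, so the rule grows with each restart until the module covers everything syslogd needs on the socket.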

Comment 1 Daniel Walsh 2008-05-07 15:33:54 UTC
Fixed in RHEL5.  You would need custom policy for RHEl4.
