Bug 540559 - selinux policy needs to allow log pipe
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Security - General
Version: 1.3.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Viktor Ashirov
Blocks: 389_1.2.5 639035
Reported: 2009-11-23 16:45 UTC by Rich Megginson
Modified: 2015-12-07 16:50 UTC
Doc Type: Bug Fix
Last Closed: 2015-12-07 16:50:41 UTC


Attachments
selinux alert using named pipe log (2.52 KB, text/plain)
2009-11-23 16:45 UTC, Rich Megginson
Patch (1.30 KB, patch)
2009-11-23 17:51 UTC, Nathan Kinder
Revised Patch (1.30 KB, patch)
2009-11-24 16:28 UTC, Nathan Kinder
rmeggins: review+

Description Rich Megginson 2009-11-23 16:45:52 UTC
Created attachment 373167
selinux alert using named pipe log

Cannot use named pipe log script with selinux.  Attached is the report from the selinux troubleshoot tool.

Comment 1 Nathan Kinder 2009-11-23 17:51:52 UTC
Created attachment 373188
Patch

This patch should take care of the AVC.  It allows dirsrv_t processes to manage any fifo files labelled as dirsrv_var_log_t.
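
The denial discussed above involves a dirsrv_t process, a target labelled dirsrv_var_log_t, and the fifo_file object class. The following is an added example, not part of the bug report or the 389 project's code: it filters audit log lines for exactly that triple so an administrator can confirm no such denials remain after the policy update. The sample log lines are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed audit.log lines for illustration (not taken from the bug's attachment).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1259000000.101:51): avc:  denied  { write } for  pid=2101 comm="ns-slapd" name="access.pipe" dev=dm-0 ino=4242 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:dirsrv_var_log_t:s0 tclass=fifo_file
type=AVC msg=audit(1259000000.102:52): avc:  denied  { getattr } for  pid=2101 comm="ns-slapd" path="/var/log/dirsrv/slapd-example/access.pipe" dev=dm-0 ino=4242 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:dirsrv_var_log_t:s0 tclass=fifo_file
type=AVC msg=audit(1259000000.150:55): avc:  denied  { read } for  pid=2101 comm="ns-slapd" name="notes" dev=dm-0 ino=77 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1259000000.200:60): avc:  denied  { write } for  pid=3000 comm="httpd" name="x.pipe" dev=dm-0 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:dirsrv_var_log_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1259000000.101:51): arch=40000003 syscall=5 success=no exit=-13 comm="ns-slapd"
"""

# Matches the denial part of an AVC record and captures the fields we filter on.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'comm="([^"]*)"')


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def denied_fifo_perms(lines, source="dirsrv_t", target="dirsrv_var_log_t",
                      tclass="fifo_file"):
    """Map each process name to the sorted permissions denied for the triple."""
    denied = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m or m.group("tclass") != tclass:
            continue  # not an AVC denial, or a different object class
        if context_type(m.group("scontext")) != source:
            continue  # some other domain tried to use the pipe
        if context_type(m.group("tcontext")) != target:
            continue  # pipe is not labelled as a dirsrv log object
        comm = COMM_RE.search(line)
        denied[comm.group(1) if comm else "?"].update(m.group("perms").split())
    return {proc: sorted(perms) for proc, perms in denied.items()}


if __name__ == "__main__":
    print(denied_fifo_perms(SAMPLE_AUDIT_LOG.splitlines()))
```

An empty result on a host running in enforcing mode with the log pipe in use indicates the policy now covers the access.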

Comment 2 Nathan Kinder 2009-11-24 16:28:41 UTC
Created attachment 373481
Revised Patch

My previous patch had a typo in one of the policy macro names.  This patch corrects that typo.

Comment 3 Rich Megginson 2009-11-24 18:24:52 UTC
Comment on attachment 373481
Revised Patch

Works fine on RHEL5 i386

Comment 4 Rich Megginson 2009-11-24 18:43:57 UTC
To ssh://git.fedorahosted.org/git/389/ds.git
   c177c34..b2e2a3f  master -> master

commit b2e2a3f5294707e1ccf2b25fd281ce3653dac819
Author: Nathan Kinder <nkinder>
Date:   Mon Nov 23 09:48:50 2009 -0800

    Allow dirsrv_t to log to a fifo in SELinux policy.

Comment 7 Amita Sharma 2011-06-01 09:29:24 UTC
[root@testvm slapd-testvm]# setenforce 1
[root@testvm slapd-testvm]# getenforce
Enforcing

[root@testvm slapd-testvm]# /usr/bin/ds-logpipe.py /var/log/dirsrv/slapd-testvm/access123.pipe -d -u nobody
Creating log pipe /var/log/dirsrv/slapd-testvm/access123.pipe
Listening to log pipe /var/log/dirsrv/slapd-testvm/access123.pipe number of lines 1000
^CRead 0 total lines
/var/log/dirsrv/slapd-testvm/access123.pipe ============================================================


[root@testvm slapd-testvm]# ls -l /var/log/dirsrv/slapd-testvm/
total 928
-rw-------. 1 nobody nobody 787750 Jun  1 14:47 access
prw-------. 1 nobody root        0 Jun  1 14:57 access123.pipe
-rw-------. 1 nobody nobody     63 May 20 15:13 access123.pipe.rotationinfo
-rw-------. 1 nobody nobody     63 May 24 12:40 access.rotationinfo
-rw-------. 1 nobody nobody  58342 Jun  1 14:45 audit
-rw-------. 1 nobody nobody     63 May 16 15:28 audit.rotationinfo
-rw-------. 1 nobody nobody  40435 Jun  1 14:45 errors
-rw-------. 1 nobody nobody  22014 May 30 12:02 errors.20110523-165700
-rw-------. 1 nobody nobody    162 May 30 17:14 errors.rotationinfo

