Bug 540559 - selinux policy needs to allow log pipe
Summary: selinux policy needs to allow log pipe
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Security - General
Version: 1.3.0
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks: 389_1.2.5 639035
TreeView+ depends on / blocked
 
Reported: 2009-11-23 16:45 UTC by Rich Megginson
Modified: 2015-12-07 16:50 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-07 16:50:41 UTC


Attachments (Terms of Use)
selinux alert using named pipe log (2.52 KB, text/plain)
2009-11-23 16:45 UTC, Rich Megginson
no flags Details
Patch (1.30 KB, patch)
2009-11-23 17:51 UTC, Nathan Kinder
no flags Details | Diff
Revised Patch (1.30 KB, patch)
2009-11-24 16:28 UTC, Nathan Kinder
rmeggins: review+
Details | Diff

Description Rich Megginson 2009-11-23 16:45:52 UTC
Created attachment 373167 [details]
selinux alert using named pipe log

Cannot use named pipe log script with selinux.  Attached is the report from the selinux troubleshoot tool.

Comment 1 Nathan Kinder 2009-11-23 17:51:52 UTC
Created attachment 373188 [details]
Patch

This patch should take care of the AVC.  It allows dirsrv_t processes to manage any fifo files labelled as dirsrv_var_log_t.

Comment 2 Nathan Kinder 2009-11-24 16:28:41 UTC
Created attachment 373481 [details]
Revised Patch

My previous patch had a type in one of the policy macro names.  This patch corrects that typo.

Comment 3 Rich Megginson 2009-11-24 18:24:52 UTC
Comment on attachment 373481 [details]
Revised Patch

Works fine on RHEL5 i386

Comment 4 Rich Megginson 2009-11-24 18:43:57 UTC
To ssh://git.fedorahosted.org/git/389/ds.git
   c177c34..b2e2a3f  master -> master

commit b2e2a3f5294707e1ccf2b25fd281ce3653dac819
Author: Nathan Kinder <nkinder@redhat.com>
Date:   Mon Nov 23 09:48:50 2009 -0800

    Allow dirsrv_t to log to a fifo in SELinux policy.

Comment 7 Amita Sharma 2011-06-01 09:29:24 UTC
[root@testvm slapd-testvm]# setenforce 1
[root@testvm slapd-testvm]# getenforce
Enforcing

[root@testvm slapd-testvm]# /usr/bin/ds-logpipe.py /var/log/dirsrv/slapd-testvm/access123.pipe -d -u nobody
Creating log pipe /var/log/dirsrv/slapd-testvm/access123.pipe
Listening to log pipe /var/log/dirsrv/slapd-testvm/access123.pipe number of lines 1000
^CRead 0 total lines
/var/log/dirsrv/slapd-testvm/access123.pipe ============================================================


[root@testvm slapd-testvm]# ls -l /var/log/dirsrv/slapd-testvm/
total 928
-rw-------. 1 nobody nobody 787750 Jun  1 14:47 access
prw-------. 1 nobody root        0 Jun  1 14:57 access123.pipe
-rw-------. 1 nobody nobody     63 May 20 15:13 access123.pipe.rotationinfo
-rw-------. 1 nobody nobody     63 May 24 12:40 access.rotationinfo
-rw-------. 1 nobody nobody  58342 Jun  1 14:45 audit
-rw-------. 1 nobody nobody     63 May 16 15:28 audit.rotationinfo
-rw-------. 1 nobody nobody  40435 Jun  1 14:45 errors
-rw-------. 1 nobody nobody  22014 May 30 12:02 errors.20110523-165700
-rw-------. 1 nobody nobody    162 May 30 17:14 errors.rotationinfo


Note You need to log in before you can comment on or make changes to this bug.