Bug 540559

Summary: selinux policy needs to allow log pipe
Product: [Retired] 389
Reporter: Rich Megginson <rmeggins>
Component: Security - General
Assignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE
QA Contact: Viktor Ashirov <vashirov>
Severity: high
Priority: high
Version: 1.3.0
CC: amsharma
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-12-07 16:50:41 UTC
Bug Blocks: 533025, 639035

Attachments (description: flags):
selinux alert using named pipe log: none
Patch: none
Revised Patch: rmeggins: review+

Description Rich Megginson 2009-11-23 16:45:52 UTC
Created attachment 373167
selinux alert using named pipe log

Cannot use named pipe log script with selinux.  Attached is the report from the selinux troubleshoot tool.

Comment 1 Nathan Kinder 2009-11-23 17:51:52 UTC
Created attachment 373188
Patch

This patch should take care of the AVC.  It allows dirsrv_t processes to manage any fifo files labelled as dirsrv_var_log_t.

Comment 2 Nathan Kinder 2009-11-24 16:28:41 UTC
Created attachment 373481
Revised Patch

My previous patch had a typo in one of the policy macro names.  This patch corrects that typo.

Comment 3 Rich Megginson 2009-11-24 18:24:52 UTC
Comment on attachment 373481
Revised Patch

Works fine on RHEL5 i386

Comment 4 Rich Megginson 2009-11-24 18:43:57 UTC
To ssh://git.fedorahosted.org/git/389/ds.git
   c177c34..b2e2a3f  master -> master

commit b2e2a3f5294707e1ccf2b25fd281ce3653dac819
Author: Nathan Kinder <nkinder>
Date:   Mon Nov 23 09:48:50 2009 -0800

    Allow dirsrv_t to log to a fifo in SELinux policy.

Comment 7 Amita Sharma 2011-06-01 09:29:24 UTC
[root@testvm slapd-testvm]# setenforce 1
[root@testvm slapd-testvm]# getenforce
Enforcing

[root@testvm slapd-testvm]# /usr/bin/ds-logpipe.py /var/log/dirsrv/slapd-testvm/access123.pipe -d -u nobody
Creating log pipe /var/log/dirsrv/slapd-testvm/access123.pipe
Listening to log pipe /var/log/dirsrv/slapd-testvm/access123.pipe number of lines 1000
^CRead 0 total lines
/var/log/dirsrv/slapd-testvm/access123.pipe ============================================================


[root@testvm slapd-testvm]# ls -l /var/log/dirsrv/slapd-testvm/
total 928
-rw-------. 1 nobody nobody 787750 Jun  1 14:47 access
prw-------. 1 nobody root        0 Jun  1 14:57 access123.pipe
-rw-------. 1 nobody nobody     63 May 20 15:13 access123.pipe.rotationinfo
-rw-------. 1 nobody nobody     63 May 24 12:40 access.rotationinfo
-rw-------. 1 nobody nobody  58342 Jun  1 14:45 audit
-rw-------. 1 nobody nobody     63 May 16 15:28 audit.rotationinfo
-rw-------. 1 nobody nobody  40435 Jun  1 14:45 errors
-rw-------. 1 nobody nobody  22014 May 30 12:02 errors.20110523-165700
-rw-------. 1 nobody nobody    162 May 30 17:14 errors.rotationinfo