653473 – AVC: denied { search } for pid=9429 comm="rsyslogd" name="spool"

Bug 653473 - AVC: denied { search } for pid=9429 comm="rsyslogd" name="spool"

Summary: AVC: denied { search } for pid=9429 comm="rsyslogd" name="spool"

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	13
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-11-15 15:15 UTC by Ruben Kerkhof
Modified:	2010-11-16 09:56 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-11-16 09:56:53 UTC
Type:	---
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Ruben Kerkhof 2010-11-15 15:15:04 UTC

I use spool files to queue rsyslog messages when my syslog server is unreachable:

$WorkDirectory /var/spool/rsyslog
$ActionQueueFileName buffer # unique name prefix for spool files


Rsyslog tries to search /var/spool/rsyslog

type=AVC msg=audit(1289833491.152:21549): avc:  denied  { search } for  pid=9429 comm="rsyslogd" name="spool" dev=dm-4 ino=404 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1289833491.152:21549): arch=c000003e syscall=4 success=no exit=-2 a0=7fffa9cc0990 a1=7fffa9cc0900 a2=7fffa9cc0900 a3=fffffffa items=1 ppid=9428 pid=9429 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1679 comm="rsysl
ogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
type=CWD msg=audit(1289833491.152:21549):  cwd="/"
type=PATH msg=audit(1289833491.152:21549): item=0 name="/var/spool/rsyslog/buffer.qi"

Comment 1 Daniel Walsh 2010-11-15 15:48:02 UTC

This is local customization, you need to add a custom policy

# grep rsyslogd /var/log/audit/audit.log | audit2allow -M mysyslog
# semodule -i mysyslog.pp

Comment 2 Ruben Kerkhof 2010-11-15 16:43:00 UTC

Hi Dan,

I'm just using documented configuration settings, in a default location from the rsyslog examples.
/var/spool/rsyslog is already labeled as var_log_t, so rsyslog has permissions to create the queues and everything, that's all working fine.

It's the { search } of /var/spool that's generating the AVC.
I'm not sure what the { search } permission does, and how much harm there is in allowing it? I guess it's something rsyslog shouldn't be doing.

Comment 3 Daniel Walsh 2010-11-15 17:03:41 UTC

Your right,  my mistake.

Miroslav can you add

files_search_spool(syslogd_t)

Comment 4 Miroslav Grepl 2010-11-16 09:56:53 UTC

Fixed in selinux-policy-3.9.9-1.fc15.noarch.

Note You need to log in before you can comment on or make changes to this bug.