Bug 653473 - AVC: denied { search } for pid=9429 comm="rsyslogd" name="spool"
Summary: AVC: denied { search } for pid=9429 comm="rsyslogd" name="spool"
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-11-15 15:15 UTC by Ruben Kerkhof
Modified: 2010-11-16 09:56 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-11-16 09:56:53 UTC
Type: ---


Attachments (Terms of Use)

Description Ruben Kerkhof 2010-11-15 15:15:04 UTC
I use spool files to queue rsyslog messages when my syslog server is unreachable:

$WorkDirectory /var/spool/rsyslog
$ActionQueueFileName buffer # unique name prefix for spool files


Rsyslog tries to search /var/spool/rsyslog

type=AVC msg=audit(1289833491.152:21549): avc:  denied  { search } for  pid=9429 comm="rsyslogd" name="spool" dev=dm-4 ino=404 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1289833491.152:21549): arch=c000003e syscall=4 success=no exit=-2 a0=7fffa9cc0990 a1=7fffa9cc0900 a2=7fffa9cc0900 a3=fffffffa items=1 ppid=9428 pid=9429 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1679 comm="rsysl
ogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
type=CWD msg=audit(1289833491.152:21549):  cwd="/"
type=PATH msg=audit(1289833491.152:21549): item=0 name="/var/spool/rsyslog/buffer.qi"

Comment 1 Daniel Walsh 2010-11-15 15:48:02 UTC
This is local customization, you need to add a custom policy

# grep rsyslogd /var/log/audit/audit.log | audit2allow -M mysyslog
# semodule -i mysyslog.pp

Comment 2 Ruben Kerkhof 2010-11-15 16:43:00 UTC
Hi Dan,

I'm just using documented configuration settings, in a default location from the rsyslog examples.
/var/spool/rsyslog is already labeled as var_log_t, so rsyslog has permissions to create the queues and everything, that's all working fine.

It's the { search } of /var/spool that's generating the AVC.
I'm not sure what the { search } permission does, and how much harm there is in allowing it? I guess it's something rsyslog shouldn't be doing.

Comment 3 Daniel Walsh 2010-11-15 17:03:41 UTC
Your right,  my mistake.

Miroslav can you add

files_search_spool(syslogd_t)

Comment 4 Miroslav Grepl 2010-11-16 09:56:53 UTC
Fixed in selinux-policy-3.9.9-1.fc15.noarch.


Note You need to log in before you can comment on or make changes to this bug.