Bug 666513 - /var/spool/rsyslog is missing and no selinux policy for this dir
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2010-12-31 05:13 EST by Luc de Louw
Modified: 2012-10-19 06:05 EDT
Doc Type: Bug Fix
Last Closed: 2011-07-21 05:19:19 EDT
Description Luc de Louw 2010-12-31 05:13:10 EST
Description of problem:
When using the remote logging capabilities of rsyslog and turning on disk queuing, the directory /var/spool/rsyslog is missing.

When creating it manually some selinux adjustments must be done.

/etc/rsyslog.conf reads as follows:

$WorkDirectory /var/spool/rsyslog  # default location for work (spool) files
$ActionQueueType LinkedList   # use asynchronous processing
$ActionQueueFileName srvrfwd  # set file name, also enables disk mode
$ActionResumeRetryCount -1    # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save queued messages to disk when rsyslogd stops
*.*                                                     @@10.0.0.1


Version-Release number of selected component (if applicable):
rsyslog-3.22.1-3.el5_5.1

How reproducible:
Always

Steps to Reproduce:
1. configure rsyslogd as described above
2. stop remote syslog server to provoke qfiles being written
3. sealert -a /var/log/audit/audit.log shows AVCs

Actual results:
type=AVC msg=audit(1293784547.828:140849): avc:  denied  { search } for  pid=22409 comm="rsyslogd" name="spool" dev=dm-5 ino=65537 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1293784547.828:140849): arch=40000003 syscall=195 success=no exit=-13 a0=bfe39630 a1=bfe39510 a2=8feff4 a3=3 items=0 ppid=22408 pid=22409 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=24271 comm="rsyslogd" exe="/sbin/rsyslogd" subj=root:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1293784663.744:140852): avc:  denied  { write } for  pid=22471 comm="rsyslogd" name="rsyslog" dev=dm-5 ino=65764 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:var_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1293784663.744:140852): arch=40000003 syscall=5 success=no exit=-13 a0=8a927a8 a1=41 a2=180 a3=0 items=0 ppid=1 pid=22471 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=24271 comm="rsyslogd" exe="/sbin/rsyslogd" subj=root:system_r:syslogd_t:s0 key=


Expected results:
No Selinux AVC


Additional info:

On RHEL5 the following policy would help:

module rsyslog 1.0;

require {
        type syslogd_t;
        type var_spool_t;
        class dir { write remove_name search add_name };
        class file { write read create unlink getattr };
}

#============= syslogd_t ==============
allow syslogd_t var_spool_t:dir { write remove_name search add_name };
allow syslogd_t var_spool_t:file { write read create unlink getattr };

Alternatively one can change the fcontext of the spool directory:

semanage fcontext -a -t var_log_t "/var/spool/rsyslog(/.*)?"
restorecon -v -r /var/spool/rsyslog

Another alternative would possibly be to define the rsyslog spool somewhere in /var/log instead.
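As an added illustration (not code from the bug report or the selinux-policy project), the following parses the AVC records quoted above, merges them the way audit2allow does into the single allow rule the reporter's module expresses, and checks whether the target type disagrees with the label matchpathcon reports for the path (var_log_t per comment 1), which is the signal that relabeling rather than a new allow rule is the right fix. The audit lines are constructed from the ones in the report.

```python
import re

# Audit records constructed from the AVC denials quoted in this bug report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1293784547.828:140849): avc:  denied  { search } for  pid=22409 comm="rsyslogd" name="spool" dev=dm-5 ino=65537 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1293784547.828:140849): arch=40000003 syscall=195 success=no exit=-13 a0=bfe39630 a1=bfe39510 a2=8feff4 a3=3 items=0 ppid=22408 pid=22409 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=24271 comm="rsyslogd" exe="/sbin/rsyslogd" subj=root:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1293784663.744:140852): avc:  denied  { write } for  pid=22471 comm="rsyslogd" name="rsyslog" dev=dm-5 ino=65764 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:var_spool_t:s0 tclass=dir
"""

# Only AVC records carry the (source, target, class, permissions) tuple; SYSCALL lines are skipped.
AVC_RE = re.compile(
    r'type=AVC .*?denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')


def selinux_type(context):
    """Type field of a user:role:type:level context, e.g. 'syslogd_t'."""
    return context.split(":")[2]


def summarize(log_text):
    """Merge denials by (source type, target type, class) into one permission set,
    the same grouping audit2allow applies before proposing allow rules."""
    merged = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (selinux_type(m.group("scontext")), selinux_type(m.group("tcontext")), m.group("tclass"))
        merged[key] = merged.get(key, frozenset()) | frozenset(m.group("perms").split())
    return merged


def allow_rules(log_text):
    """Render the merged denials as the 'allow' lines a local policy module would need."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(summarize(log_text).items())]


def mislabeled(log_text, expected_type):
    """Denials whose target type differs from the label matchpathcon reports for the path.
    For /var/spool/rsyslog that label is var_log_t (comment 1), so a hit means the directory
    was created with the wrong context and restorecon, not a new allow rule, is the fix."""
    return [key for key in summarize(log_text) if key[1] != expected_type]
```

Run against a real /var/log/audit/audit.log the same way; a non-empty `mislabeled()` result for a path whose matchpathcon label is already correct points at the semanage/restorecon fix rather than the allow-rule module.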
Comment 1 Miroslav Grepl 2011-01-03 10:27:54 EST
I am seeing on my RHEL5 machine

# matchpathcon /var/spool/rsyslog
/var/spool/rsyslog	system_u:object_r:var_log_t


I have selinux-policy-2.4.6-300.el5.

The preview of this policy is available on

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Comment 2 Luc de Louw 2011-03-01 14:53:27 EST
Hi Miroslav,

On http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/ I just see an empty page with a Red Hat logo :-(

I'll test it ASAP if I get access to the preview. A bug fix is quite important on a project we are working on.

Thanks,

Luc
Comment 3 Daniel Walsh 2011-03-01 14:59:50 EST
Luc try again.
Comment 4 Luc de Louw 2011-03-01 15:15:54 EST
Thanks Dan, works now :-)

I'll try to get some time to test it in the next few days...

Thanks,

Luc
Comment 8 errata-xmlrpc 2011-07-21 05:19:19 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html