Bug 689435 (systemdsyslog) - SELinux is preventing /usr/libexec/postfix/pickup from 'sendto' accesses on the unix_dgram_socket /dev/log.
Summary: SELinux is preventing /usr/libexec/postfix/pickup from 'sendto' accesses on t...
Keywords:
Status: CLOSED ERRATA
Alias: systemdsyslog
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:153f2449782...
Duplicates: 689089 689097 689098 689255 689410 689720 689723 689946 690250
Depends On:
Blocks:
Reported: 2011-03-21 14:19 UTC by Matěj Cepl
Modified: 2018-04-11 06:56 UTC (History)
CC List: 22 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-17 15:54:44 UTC
Type: ---
Embargoed:

Description Matěj Cepl 2011-03-21 14:19:43 UTC
SELinux is preventing /usr/libexec/postfix/pickup from 'sendto' accesses on the unix_dgram_socket /dev/log.

Doing nothing specific, just happened somewhere in the background.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that pickup should be allowed sendto access on the log unix_dgram_socket by default, then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep pickup /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:postfix_pickup_t:s0
Target Context                system_u:system_r:init_t:s0
Target Objects                /dev/log [ unix_dgram_socket ]
Source                        pickup
Source Path                   /usr/libexec/postfix/pickup
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           postfix-2.8.1-1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-5.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38-1.fc15.x86_64 #1 SMP Tue Mar 15 05:29:00 UTC 2011 x86_64 x86_64
Alert Count                   2
First Seen                    Mon 21 Mar 2011, 13:38:28 CET
Last Seen                     Mon 21 Mar 2011, 15:18:30 CET
Local ID                      c12968ef-1e31-4a59-a4a7-170ecb28ddd6

Raw Audit Messages
type=AVC msg=audit(1300717110.387:246): avc:  denied  { sendto } for  pid=5453 comm="pickup" path="/dev/log" scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_dgram_socket


type=SYSCALL msg=audit(1300717110.387:246): arch=x86_64 syscall=connect success=yes exit=0 a0=7 a1=7faff82217c0 a2=6e a3=7fffdfc7ad80 items=0 ppid=1458 pid=5453 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=pickup exe=/usr/libexec/postfix/pickup subj=system_u:system_r:postfix_pickup_t:s0 key=(null)

Hash: pickup,postfix_pickup_t,init_t,unix_dgram_socket,sendto

audit2allow

#============= postfix_pickup_t ==============
allow postfix_pickup_t init_t:unix_dgram_socket sendto;

audit2allow -R

#============= postfix_pickup_t ==============
allow postfix_pickup_t init_t:unix_dgram_socket sendto;

Comment 1 Daniel Walsh 2011-03-21 21:43:32 UTC
If systemd is impersonating syslog, it has to label the socket appropriately.

Comment 2 Daniel Walsh 2011-03-21 21:51:02 UTC
*** Bug 689410 has been marked as a duplicate of this bug. ***

Comment 3 Daniel Walsh 2011-03-21 21:56:30 UTC
*** Bug 689098 has been marked as a duplicate of this bug. ***

Comment 4 Daniel Walsh 2011-03-21 22:01:01 UTC
*** Bug 689097 has been marked as a duplicate of this bug. ***

Comment 5 Daniel Walsh 2011-03-21 22:06:32 UTC
*** Bug 689089 has been marked as a duplicate of this bug. ***

Comment 6 Daniel Walsh 2011-03-21 22:12:01 UTC
*** Bug 689255 has been marked as a duplicate of this bug. ***

Comment 7 Miroslav Grepl 2011-03-22 10:13:48 UTC
*** Bug 689723 has been marked as a duplicate of this bug. ***

Comment 8 Miroslav Grepl 2011-03-22 11:43:37 UTC
I am now seeing this while using F15:

#============= vpnc_t ==============
allow vpnc_t init_t:unix_dgram_socket sendto;

#============= staff_dbusd_t ==============
allow staff_dbusd_t init_t:unix_dgram_socket sendto;

#============= staff_sudo_t ==============
allow staff_sudo_t init_t:unix_dgram_socket sendto;

Comment 9 Miroslav Grepl 2011-03-22 11:55:43 UTC
We have in the init_daemon_domain() interface:

tunable_policy(`init_systemd',`
  allow $1 init_t:unix_dgram_socket sendto;
')

Dan,
looks like it is needed for all domains.

Comment 10 Daniel Walsh 2011-03-22 11:57:17 UTC
*** Bug 689720 has been marked as a duplicate of this bug. ***

Comment 11 Daniel Walsh 2011-03-22 12:04:04 UTC
No systemd needs to set the socket label on the /dev/log socket to syslogd_t.

It is not executing the correct impersonation code.


I added a patch to systemd that allowed it to figure out the label to associate with a socket and then execute setsockcreatecon(CONTEXT) before binding to a socket.  For some reason systemd is not calling this code on the /dev/log socket.

Comment 12 Miroslav Grepl 2011-03-22 12:08:01 UTC
I meant as 'broken_symptoms' for now.

Comment 13 Daniel Walsh 2011-03-22 13:01:32 UTC
You could add this to logging_send_syslog_msg for now, but I really want to make sure systemd is working correctly and syslogd is working correctly.

Comment 14 Daniel Walsh 2011-03-22 14:35:12 UTC
This should be a blocker.  We should not have to allow every domain to communicate with the init system in order to allow this bug to remain.

Comment 15 Daniel Walsh 2011-03-22 20:02:20 UTC
We could try to label

/lib/systemd/systemd-kmsg-syslogd as syslogd_exec_t

Comment 16 Daniel Walsh 2011-03-22 20:47:03 UTC
*** Bug 689946 has been marked as a duplicate of this bug. ***

Comment 17 Tomas Heinrich 2011-03-24 11:53:34 UTC
*** Bug 690250 has been marked as a duplicate of this bug. ***

Comment 18 Lennart Poettering 2011-03-28 09:42:48 UTC
So, the problem is probably like this:

systemd at early boot creates /dev/log, and eventually spawns /lib/systemd/systemd-kmsg-syslogd for it during early boot. That is a tiny bridge that connects /dev/log to kmsg, so that we have proper logging for the first time during early boot. Later on, when rsyslog is about to get started that bridge is terminated and the very same /dev/log is passed on to rsyslog. 

The effect of this is that both rsyslogd and systemd-kmsg-syslogd get the same /dev/log socket passed, which is labelled according to the policy for systemd-kmsg-syslogd since that is what we start first.

Most likely the policy should just be updated to label rsyslogd and systemd-kmsg-syslogd the same way. Reassigning to selinux.

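The thread's real lesson is in the raw AVC: the denial is sendto on path="/dev/log" with tcontext type init_t, and Comment 11 says the socket should carry syslogd_t. Running audit2allow on that line (as the setroubleshoot text in the description suggests) would produce "allow postfix_pickup_t init_t:unix_dgram_socket sendto;", i.e. let a mail daemon talk to the init system's sockets, which Comment 14 rightly refuses to accept for every domain. The Python below is an added triage example, not setroubleshoot's or audit2allow's code and not part of this bug report: it parses raw AVC lines, collapses them into the allow rules audit2allow would print, and separately flags any /dev/log sendto denial whose target type is not the expected syslog type, so the mislabelled-socket case is reported as a labelling problem rather than silently turned into an allow rule. The expected type (syslogd_t, from Comment 11), the EXPECTED_SYSLOG_TYPE name, and every sample audit line except the first (which is the one from the report) are assumptions constructed for the example.

```python
"""Triage SELinux AVC denials: generate audit2allow-style rules, but flag
denials that point at a mislabelled /dev/log socket instead of allowing them.

Added example for this bug thread; not code from setroubleshoot, audit2allow,
systemd or the selinux-policy package.
"""
import re
from collections import defaultdict

# Assumption (from Comment 11): under the targeted policy the /dev/log socket
# object should be labelled with the syslog daemon's type, not init_t.
EXPECTED_SYSLOG_TYPE = "syslogd_t"

# Fields every AVC record carries; other fields (path=, comm=, name=, ...) vary
# by object class, so they are picked out separately.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)
PATH_RE = re.compile(r'\bpath="([^"]*)"')
COMM_RE = re.compile(r'\bcomm="([^"]*)"')

# Constructed sample input. Line 1 is the AVC from the bug report; the rest are
# made up for the example (a second mislabelled-socket denial from vpnc_t, an
# ordinary file denial, a /dev/log denial against a correctly labelled socket,
# and a non-AVC record that must be ignored).
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1300717110.387:246): avc:  denied  { sendto } for  pid=5453 comm="pickup" path="/dev/log" scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_dgram_socket',
    'type=AVC msg=audit(1300717200.101:250): avc:  denied  { sendto } for  pid=5510 comm="vpnc" path="/dev/log" scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_dgram_socket',
    'type=AVC msg=audit(1300717300.555:260): avc:  denied  { read open } for  pid=5600 comm="pickup" name="main.cf" dev=dm-0 ino=1234 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file',
    'type=AVC msg=audit(1300717400.777:270): avc:  denied  { sendto } for  pid=5700 comm="vpnc" path="/dev/log" scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket',
    'type=SYSCALL msg=audit(1300717110.387:246): arch=x86_64 syscall=connect success=yes exit=0 comm=pickup exe=/usr/libexec/postfix/pickup',
]


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one audit line; return a dict for a denial, None for anything else."""
    m = AVC_RE.search(line)
    if not m or m.group("result") != "denied":
        return None
    path = PATH_RE.search(line)
    comm = COMM_RE.search(line)
    return {
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "path": path.group(1) if path else None,
        "comm": comm.group(1) if comm else None,
    }


def allow_rules(denials):
    """Collapse denials into 'allow S T:C perms;' lines, as audit2allow would."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        p = p if len(perms) == 1 else "{ %s }" % p
        rules.append("allow %s %s:%s %s;" % (s, t, c, p))
    return rules


def mislabelled_syslog_socket(d):
    """True when a domain logged to /dev/log but the socket carries the wrong type.

    This is the pattern in the thread: fixing it means relabelling the socket
    (systemd calling setsockcreatecon before bind), not adding an allow rule.
    """
    return (d["tclass"] == "unix_dgram_socket"
            and d["path"] == "/dev/log"
            and "sendto" in d["perms"]
            and d["ttype"] != EXPECTED_SYSLOG_TYPE)


def triage(lines):
    """Return (audit2allow-style rules, sorted (source, target) pairs to NOT allow)."""
    denials = [d for d in map(parse_avc, lines) if d]
    flagged = sorted({(d["stype"], d["ttype"])
                      for d in denials if mislabelled_syslog_socket(d)})
    return allow_rules(denials), flagged


if __name__ == "__main__":
    rules, flagged = triage(SAMPLE_AUDIT_LINES)
    print("# rules audit2allow would emit:")
    print("\n".join(rules))
    print("# /dev/log sends against a socket not labelled %s (do not allow; relabel):"
          % EXPECTED_SYSLOG_TYPE)
    for s, t in flagged:
        print("  %s -> %s" % (s, t))
```

Against the sample input the two init_t denials are flagged while the denial against a syslogd_t-labelled socket and the file denial are not; only the unflagged rules are candidates for a local module. To use it on a real system, feed it `grep ^type=AVC /var/log/audit/audit.log`.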
Comment 19 Daniel Walsh 2011-03-29 14:39:35 UTC
Fixed in selinux-policy-3.9.16-6.fc15

