Bug 700235 - syslog-ng 3.1.x SElinux violations
Summary: syslog-ng 3.1.x SElinux violations
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2011-04-27 20:44 UTC by Jose Pedro Oliveira
Modified: 2022-05-11 15:20 UTC

Doc Type: Bug Fix
Last Closed: 2011-05-13 12:28:35 UTC

Description Jose Pedro Oliveira 2011-04-27 20:44:50 UTC
Description of problem:
We have just pushed a syslog-ng 3.1.4 build to EPEL6 testing (bug #699541)
and detected a couple of SELinux violations that have already been fixed in
Fedora 14 (bug #618033).


Version-Release number of selected component (if applicable):
selinux-policy 3.7.19-54

How reproducible:
Always

  
Actual results:
type=AVC msg=audit(1303936269.353:427): avc:  denied  { setrlimit } for  pid=3220 comm="syslog-ng" scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:system_r:syslogd_t:s0 tclass=process

type=SYSCALL msg=audit(1303936269.353:427): arch=c000003e syscall=160 success=no exit=-13 a0=7 a1=7fff501c53c0 a2=1 a3=1 items=0 ppid=3217 pid=3220 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=67 comm="syslog-ng" exe="/sbin/syslog-ng" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)

type=AVC msg=audit(1303936269.358:428): avc:  denied  { setrlimit } for  pid=3222 comm="syslog-ng" scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:system_r:syslogd_t:s0 tclass=process

type=SYSCALL msg=audit(1303936269.358:428): arch=c000003e syscall=160 success=no exit=-13 a0=7 a1=7fff4e4f27a0 a2=0 a3=1 items=0 ppid=3221 pid=3222 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=67 comm="syslog-ng" exe="/sbin/syslog-ng" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)

type=AVC msg=audit(1303936269.363:429): avc:  denied  { getattr } for  pid=3224 comm="syslog-ng" path="/var/lib/syslog-ng/syslog-ng.ctl" dev=sda3 ino=3147966 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:syslogd_var_lib_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1303936269.363:429): arch=c000003e syscall=4 success=no exit=-13 a0=25437c6 a1=7fff4e4f2700 a2=7fff4e4f2700 a3=e items=0 ppid=3223 pid=3224 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=67 comm="syslog-ng" exe="/sbin/syslog-ng" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)


Additional info:
Feeding the above lines to audit2allow produces the following output:

#============= syslogd_t ==============
allow syslogd_t self:process setrlimit;
allow syslogd_t syslogd_var_lib_t:sock_file getattr;

Comment 1 Jose Pedro Oliveira 2011-04-27 20:53:22 UTC
Koji build:

 * syslog-ng-3.1.4-2.el6
   http://koji.fedoraproject.org/koji/buildinfo?buildID=240607

Steps to reproduce the problem:

 1) yum install --enablerepo=epel-testing syslog-ng
 2) chkconfig rsyslog off; chkconfig syslog-ng on
 3) service rsyslog stop; service syslog-ng start

Comment 3 RHEL Program Management 2011-04-28 06:00:59 UTC
Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 4 Miroslav Grepl 2011-04-28 07:13:45 UTC
allow syslogd_t self:process setrlimit;

issue is fixed in the latest RHEL6.1 policy which is available on

http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/


but we are missing

manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)

Comment 8 Jose Pedro Oliveira 2011-05-10 15:18:23 UTC
Miroslav,

(In reply to comment #4)
> allow syslogd_t self:process setrlimit;
> 
> issue is fixed in the latest RHEL6.1 policy which is available on
> 
> http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/

 * [RHEL6 #689431] selinux-policy >= 3.7.19-80.el6
 * [RHEL5 #674452] selinux-policy >= 2.4.6-301.el5

> but we are missing
> 
> manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)

In order to avoid this (or these) SELinux violation(s), should we start shipping and installing a SELinux module? Or can we expect the above rule to be added to the main SELinux policies (RHEL5 and RHEL6 selinux-policy packages)?

tia,
jpo

Comment 9 Daniel Walsh 2011-05-12 05:45:16 UTC
They should be added to the Main Policies.

Comment 10 Daniel Walsh 2011-05-12 05:45:38 UTC
Miroslav, can you backport the changes to RHEL5?

Comment 11 Miroslav Grepl 2011-05-13 10:18:31 UTC
Jose,
could you try to test it with the latest RHEL6.1 policy.

http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/

Comment 12 Jose Pedro Oliveira 2011-05-13 12:25:19 UTC
Miroslav,

(In reply to comment #11)
> Jose,
> could you try to test it with the latest RHEL6.1 policy.
> 
> http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/

No more SELinux violations with selinux-policy-3.7.19-93.el6.


1) Upgraded to the SELinux policy 3.7.19-93 RPMS (02-May-2011)

   * selinux-policy-3.7.19-93.el6.noarch
   * selinux-policy-targeted-3.7.19-93.el6.noarch

2) Restarted syslog-ng

   No new messages in the audit.log

3) Upgraded to syslog-ng-3.1.4-3.el6 (from epel-testing)

   No new messages in the audit.log

4) Also upgraded to syslog-ng 3.2.3 (local build RPMS)

   Also no new messages in the audit.log.


Thanks for the policy update,
jpo
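
Added example, not part of the original thread and not audit2allow's own code: a small Python parser that turns the AVC denials quoted in the description into allow rules of the same shape audit2allow printed there, with a `since` filter for the "no new messages in the audit.log" check in comment 12. The names parse_denials, allow_rules and SAMPLE_AUDIT_LOG are assumptions made for this example; the sample log is the three AVC records from the report plus one shortened SYSCALL record.

```python
import re
from collections import defaultdict

# Sample input: the three AVC records from the report, plus one shortened SYSCALL record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1303936269.353:427): avc:  denied  { setrlimit } for  pid=3220 comm="syslog-ng" scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:system_r:syslogd_t:s0 tclass=process
type=SYSCALL msg=audit(1303936269.353:427): arch=c000003e syscall=160 success=no exit=-13 comm="syslog-ng" exe="/sbin/syslog-ng"
type=AVC msg=audit(1303936269.358:428): avc:  denied  { setrlimit } for  pid=3222 comm="syslog-ng" scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:system_r:syslogd_t:s0 tclass=process
type=AVC msg=audit(1303936269.363:429): avc:  denied  { getattr } for  pid=3224 comm="syslog-ng" path="/var/lib/syslog-ng/syslog-ng.ctl" dev=sda3 ino=3147966 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:syslogd_var_lib_t:s0 tclass=sock_file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):\d+\): avc:\s+denied\s+\{ (?P<perms>[^}]+) \}'
    r'.*?comm="(?P<comm>[^"]*)".*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')

def parse_denials(log_text, comm=None, since=0.0):
    """Return AVC denials, optionally limited to one command and to records newer than `since`."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL and other record types carry no access vector
        if comm is not None and m['comm'] != comm:
            continue
        if float(m['ts']) <= since:
            continue
        denials.append({
            'perms': m['perms'].split(),
            # An SELinux context is user:role:type:level; the rule is written on the type field.
            'stype': m['scon'].split(':')[2],
            'ttype': m['tcon'].split(':')[2],
            'tclass': m['tclass'],
        })
    return denials

def allow_rules(denials):
    """Merge denials into sorted, de-duplicated allow rules, using `self` when source == target."""
    grouped = defaultdict(set)
    for d in denials:
        target = 'self' if d['ttype'] == d['stype'] else d['ttype']
        grouped[(d['stype'], target, d['tclass'])].update(d['perms'])
    rules = []
    for (stype, target, tclass), perms in sorted(grouped.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else '{ ' + ' '.join(names) + ' }'
        rules.append(f'allow {stype} {target}:{tclass} {body};')
    return rules

if __name__ == '__main__':
    print('\n'.join(allow_rules(parse_denials(SAMPLE_AUDIT_LOG, comm='syslog-ng'))))
```

Passing the epoch time of the service restart as `since` gives the check from comment 12: an empty list means no new denials were logged for that command.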

Comment 13 Miroslav Grepl 2011-05-13 12:28:35 UTC
Great.

Comment 14 Jose Pedro Oliveira 2011-05-13 13:11:06 UTC
Miroslav,

Regarding the backport to RHEL5, should I open a new ticket against the RHEL5/selinux-policy component?

/jpo

Comment 15 Miroslav Grepl 2011-05-13 13:12:01 UTC
(In reply to comment #14)
> Miroslav,
> 
> Regarding the backport to RHEL5, should I open a new ticket against the 
> RHEL5/selinux-policy component?
> 
> /jpo

Yes, please. Thank you.

Comment 16 Jose Pedro Oliveira 2011-05-14 03:31:18 UTC
(In reply to comment #15)
> (In reply to comment #14)
> > Miroslav,
> > 
> > Regarding the backport to RHEL5, should I open a new ticket against the 
> > RHEL5/selinux-policy component?
> > 
> > /jpo
> 
> Yes, please. Thank you.

Miroslav,

Done. RHEL 5 backport request in bug #704690.

/jpo

