Description of problem:
We have just pushed a syslog-ng 3.1.4 build to EPEL6 testing (bug #699541) and detected a couple of SELinux violations that have already been fixed in Fedora 14 (bug #618033).

Version-Release number of selected component (if applicable):
selinux-policy 3.7.19-54

How reproducible:
Always

Actual results:

type=AVC msg=audit(1303936269.353:427): avc: denied { setrlimit } for pid=3220 comm="syslog-ng" scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:system_r:syslogd_t:s0 tclass=process
type=SYSCALL msg=audit(1303936269.353:427): arch=c000003e syscall=160 success=no exit=-13 a0=7 a1=7fff501c53c0 a2=1 a3=1 items=0 ppid=3217 pid=3220 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=67 comm="syslog-ng" exe="/sbin/syslog-ng" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1303936269.358:428): avc: denied { setrlimit } for pid=3222 comm="syslog-ng" scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:system_r:syslogd_t:s0 tclass=process
type=SYSCALL msg=audit(1303936269.358:428): arch=c000003e syscall=160 success=no exit=-13 a0=7 a1=7fff4e4f27a0 a2=0 a3=1 items=0 ppid=3221 pid=3222 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=67 comm="syslog-ng" exe="/sbin/syslog-ng" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1303936269.363:429): avc: denied { getattr } for pid=3224 comm="syslog-ng" path="/var/lib/syslog-ng/syslog-ng.ctl" dev=sda3 ino=3147966 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:syslogd_var_lib_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1303936269.363:429): arch=c000003e syscall=4 success=no exit=-13 a0=25437c6 a1=7fff4e4f2700 a2=7fff4e4f2700 a3=e items=0 ppid=3223 pid=3224 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=67 comm="syslog-ng" exe="/sbin/syslog-ng" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)

Additional info:
Feeding the above lines to audit2allow produces the following output:

#============= syslogd_t ==============
allow syslogd_t self:process setrlimit;
allow syslogd_t syslogd_var_lib_t:sock_file getattr;
Koji build:
* syslog-ng-3.1.4-2.el6
  http://koji.fedoraproject.org/koji/buildinfo?buildID=240607

Steps to reproduce the problem:
1) yum install --enablerepo=epel-testing syslog-ng
2) chkconfig rsyslog off; chkconfig syslog-ng on
3) service rsyslog stop; service syslog-ng start
Since RHEL 6.1 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as exception or blocker. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
allow syslogd_t self:process setrlimit;

issue is fixed in the latest RHEL6.1 policy which is available on

http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/

but we are missing

manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
Miroslav,

(In reply to comment #4)
> allow syslogd_t self:process setrlimit;
>
> issue is fixed in the latest RHEL6.1 policy which is available on
>
> http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/

* [RHEL6 #689431] selinux-policy >= 3.7.19-80.el6
* [RHEL5 #674452] selinux-policy >= 2.4.6-301.el5

> but we are missing
>
> manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)

In order to avoid this (or these) SELinux violation(s) should we start shipping and installing a SELinux module?

Or can we expect for the above rule to be added to the main selinux policies (RHEL5 and RHEL6 selinux-policy packages)?

tia,
jpo
They should be added to the Main Policies.
Miroslav, can you backport the changes to RHEL5?
Jose,
could you try to test it with the latest RHEL6.1 policy.

http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/
Miroslav,

(In reply to comment #11)
> Jose,
> could you try to test it with the latest RHEL6.1 policy.
>
> http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/

No more SELinux violations with selinux-policy-3.7.19-93.el6.

1) Upgraded to the SELinux policy 3.7.19-93 RPMS (02-May-2011)
   * selinux-policy-3.7.19-93.el6.noarch
   * selinux-policy-targeted-3.7.19-93.el6.noarch

2) Restarted syslog-ng
   No new messages in the audit.log

3) Upgraded to syslog-ng-3.1.4-3.el6 (from epel-testing)
   No new messages in the audit.log

4) Also upgraded to syslog-ng 3.2.3 (local build RPMS)
   Also no new messages in the audit.log.

Thanks for the policy update,
jpo
Great.
Miroslav, Regarding the backport to RHEL5, should I open a new ticket against the RHEL5/selinux-policy component? /jpo
(In reply to comment #14)
> Miroslav,
>
> Regarding the backport to RHEL5, should I open a new ticket against the
> RHEL5/selinux-policy component?
>
> /jpo

Yes, please. Thank you.
(In reply to comment #15)
> (In reply to comment #14)
> > Miroslav,
> >
> > Regarding the backport to RHEL5, should I open a new ticket against the
> > RHEL5/selinux-policy component?
> >
> > /jpo
>
> Yes, please. Thank you.

Miroslav,

Done. RHEL 5 backport request in bug #704690.

/jpo