Bug 704690 - syslog-ng 3.x SELinux violations
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.6
Hardware / OS: All / Linux
Priority: medium   Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Blocks: 718161
Reported: 2011-05-13 23:16 EDT by Jose Pedro Oliveira
Modified: 2012-10-16 07:25 EDT
Fixed In Version: selinux-policy-2.4.6-313.el5
Doc Type: Bug Fix
Clones: 718161
Last Closed: 2011-07-21 05:20:23 EDT
Attachments: None
Description Jose Pedro Oliveira 2011-05-13 23:16:10 EDT
Description of problem:
Syslog-ng under RHEL5 needs several SELinux rules that are already available in the Fedora 14 or RHEL 6 selinux-policy package.

This is a follow up of bug #700235.


Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-300.el5_6.1


Additional info:

SELinux rules missing from selinux-policy-2.4.6-300.el5_6.1

   #============= syslogd_t ==============
   allow syslogd_t self:process setrlimit;
   allow syslogd_t usr_t:dir { write remove_name add_name };
   allow syslogd_t usr_t:file { write rename create };
   allow syslogd_t usr_t:sock_file create;


selinux-policy-2.4.6-304.el5 (from http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/) already includes the rule

   allow syslogd_t self:process setrlimit;

but still needs the following:

   #============= syslogd_t ==============
   allow syslogd_t usr_t:dir { write remove_name add_name };   
   allow syslogd_t usr_t:file { write rename create unlink };
   allow syslogd_t usr_t:sock_file { getattr unlink create };
Comment 1 Jose Pedro Oliveira 2011-05-13 23:25:54 EDT
Audit log entries with selinux-policy-2.4.6-304.el5
---------------------------------------------------

type=AVC msg=audit(1305371145.760:294): avc:  denied  { write } for  pid=17853 comm="syslog-ng" name="syslog-ng" dev=sda1 ino=1540910 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir

type=AVC msg=audit(1305371145.760:294): avc:  denied  { add_name } for  pid=17853 comm="syslog-ng" name="syslog-ng.persist-" scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir

type=AVC msg=audit(1305371145.760:294): avc:  denied  { create } for  pid=17853 comm="syslog-ng" name="syslog-ng.persist-" scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file

type=SYSCALL msg=audit(1305371145.760:294): arch=40000003 syscall=5 success=yes exit=3 a0=9945bd8 a1=8242 a2=180 a3=8242 items=0 ppid=17852 pid=17853 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="syslog-ng" exe="/sbin/syslog-ng" subj=root:system_r:syslogd_t:s0 key=(null)

type=AVC msg=audit(1305371145.760:295): avc:  denied  { write } for  pid=17853 comm="syslog-ng" path="/usr/com/syslog-ng/syslog-ng.persist-" dev=sda1 ino=1540979 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file

type=SYSCALL msg=audit(1305371145.760:295): arch=40000003 syscall=4 success=yes exit=1 a0=3 a1=bfeaf63b a2=1 a3=4000 items=0 ppid=17852 pid=17853 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="syslog-ng" exe="/sbin/syslog-ng" subj=root:system_r:syslogd_t:s0 key=(null)

type=AVC msg=audit(1305371145.760:296): avc:  denied  { remove_name } for  pid=17853 comm="syslog-ng" name="syslog-ng.persist-" dev=sda1 ino=1540979 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir

type=AVC msg=audit(1305371145.760:296): avc:  denied  { rename } for  pid=17853 comm="syslog-ng" name="syslog-ng.persist-" dev=sda1 ino=1540979 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file

type=AVC msg=audit(1305371145.760:296): avc:  denied  { unlink } for  pid=17853 comm="syslog-ng" name="syslog-ng.persist" dev=sda1 ino=1540980 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file

type=SYSCALL msg=audit(1305371145.760:296): arch=40000003 syscall=38 success=yes exit=0 a0=9945bd8 a1=993ebc8 a2=a7c390 a3=1 items=0 ppid=17852 pid=17853 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="syslog-ng" exe="/sbin/syslog-ng" subj=root:system_r:syslogd_t:s0 key=(null)

type=AVC msg=audit(1305371145.780:297): avc:  denied  { getattr } for  pid=17853 comm="syslog-ng" path="/usr/com/syslog-ng/syslog-ng.ctl" dev=sda1 ino=1540978 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1305371145.780:297): arch=40000003 syscall=195 success=yes exit=0 a0=993d62a a1=bfeaf5d0 a2=3b0ff4 a3=993d62a items=0 ppid=17852 pid=17853 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="syslog-ng" exe="/sbin/syslog-ng" subj=root:system_r:syslogd_t:s0 key=(null)

type=AVC msg=audit(1305371145.780:298): avc:  denied  { unlink } for  pid=17853 comm="syslog-ng" name="syslog-ng.ctl" dev=sda1 ino=1540978 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1305371145.780:298): arch=40000003 syscall=10 success=yes exit=0 a0=993d62a a1=bfeaf5d0 a2=a7c390 a3=993d62a items=0 ppid=17852 pid=17853 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="syslog-ng" exe="/sbin/syslog-ng" subj=root:system_r:syslogd_t:s0 key=(null)

type=AVC msg=audit(1305371145.780:299): avc:  denied  { create } for  pid=17853 comm="syslog-ng" name="syslog-ng.ctl" scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1305371145.780:299): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfeaf620 a2=a7c390 a3=993d618 items=0 ppid=17852 pid=17853 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="syslog-ng" exe="/sbin/syslog-ng" subj=root:system_r:syslogd_t:s0 key=(null)
Comment 2 Daniel Walsh 2011-05-17 05:08:51 EDT
/usr/com/syslog-ng/syslog-ng.persist-

is not a proper location to store this. It should be in /var/run, /var/lib or /var/log.
Comment 3 Jose Pedro Oliveira 2011-05-17 08:38:18 EDT
(In reply to comment #2)
> /usr/com/syslog-ng/syslog-ng.persist-
> 
> Is not a proper location to store this, It should either be in /var/run,
> /var/lib or /var/log

Dan,

Thanks for the catch. I tracked the problem down to the expansion of the rpm macro _sharedstatedir in the spec file:

 * RHEL5

   $ rpm --showrc | grep sharedstatedir
   ...
   -14: _sharedstatedir	%{_prefix}/com
   ...

 * RHEL6

   $ rpm --showrc | grep sharedstatedir
   ...
   -14: _sharedstatedir	/var/lib
   ...


With this problem corrected, the audit.log messages are now reduced to:

----------
type=AVC msg=audit(1305696492.659:190): avc:  denied  { getattr } for  pid=4761 comm="syslog-ng" path="/var/lib/syslog-ng/syslog-ng.ctl" dev=sda1 ino=1867935 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:syslogd_var_lib_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1305696492.659:190): arch=40000003 syscall=195 success=yes exit=0 a0=835b62a a1=bfd45f10 a2=3b0ff4 a3=835b62a items=0 ppid=4760 pid=4761 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=23 comm="syslog-ng" exe="/sbin/syslog-ng" subj=root:system_r:syslogd_t:s0 key=(null)

type=AVC msg=audit(1305696492.659:191): avc:  denied  { unlink } for  pid=4761 comm="syslog-ng" name="syslog-ng.ctl" dev=sda1 ino=1867935 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:syslogd_var_lib_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1305696492.659:191): arch=40000003 syscall=10 success=yes exit=0 a0=835b62a a1=bfd45f10 a2=b4d390 a3=835b62a items=0 ppid=4760 pid=4761 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=23 comm="syslog-ng" exe="/sbin/syslog-ng" subj=root:system_r:syslogd_t:s0 key=(null)

type=AVC msg=audit(1305696492.659:192): avc:  denied  { create } for  pid=4761 comm="syslog-ng" name="syslog-ng.ctl" scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:syslogd_var_lib_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1305696492.659:192): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfd45f60 a2=b4d390 a3=835b618 items=0 ppid=4760 pid=4761 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=23 comm="syslog-ng" exe="/sbin/syslog-ng" subj=root:system_r:syslogd_t:s0 key=(null)
----------


Audit2allow translates these messages to


#============= syslogd_t ==============
allow syslogd_t syslogd_var_lib_t:sock_file { getattr unlink create };


/jpo
Comment 4 Miroslav Grepl 2011-05-17 08:47:04 EDT
We fixed this in RHEL6 and I will fix it in RHEL5.
Comment 6 Miroslav Grepl 2011-05-19 11:32:07 EDT
Fixed in selinux-policy-2.4.6-306.el5
Comment 8 Jose Pedro Oliveira 2011-05-19 12:04:52 EDT
(In reply to comment #6)
> Fixed in selinux-policy-2.4.6-306.el5

Miroslav,

Are you planning to upload this release to
  http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
so that I can test it?

tia,
jpo
Comment 9 Jose Pedro Oliveira 2011-05-25 19:59:55 EDT
Restarting syslog-ng no longer produces SELinux violations with

 * selinux-policy-2.4.6-307.el5

downloaded from http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

/jpo
Comment 10 Milos Malik 2011-06-17 05:54:45 EDT
I have built my own syslog-ng-3.2.4-1 for RHEL-5.7 and an issue appeared:

# service syslog-ng start
syslog-ng: Error setting capabilities, capability management disabled; error='Permission denied'
Starting syslog-ng: syslog-ng: Error setting capabilities, capability management disabled; error='Permission denied'
                                                           [  OK  ]
# ausearch -m avc -ts recent
----
time->Fri Jun 17 05:48:27 2011
type=SYSCALL msg=audit(1308304107.710:993): arch=40000003 syscall=185 success=no exit=-13 a0=9b5de1c a1=9b5de24 a2=a29208 a3=9b5de1c items=0 ppid=13481 pid=13482 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=133 comm="syslog-ng" exe="/sbin/syslog-ng" subj=root:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1308304107.710:993): avc:  denied  { setcap } for  pid=13482 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=process
----
# rpm -qa selinux-policy\*
selinux-policy-strict-2.4.6-312.el5
selinux-policy-targeted-2.4.6-312.el5
selinux-policy-mls-2.4.6-312.el5
selinux-policy-devel-2.4.6-312.el5
selinux-policy-2.4.6-312.el5
selinux-policy-minimum-2.4.6-312.el5
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
#
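The denials quoted in this bug fall into three groups that call for different fixes, and audit2allow alone does not tell them apart: comment 1's denials target usr_t because syslog-ng was writing its persist file and control socket under /usr/com (a location problem, as comment 2 says, not a missing rule); comment 3's denials target syslogd_var_lib_t, the daemon's own type, and are a genuine policy gap; comment 10's setcap denial (syscall 185 on arch 40000003 is capset on i386) is a self:process permission the policy had to gain once syslog-ng was built with capability support. The script below is an added example, not code from this bug report or from the selinux-policy or syslog-ng projects. It parses AVC records from a constructed sample built from the lines quoted in comments 1, 3 and 10 (trimmed to the fields the parser needs), merges them into allow rules the way audit2allow does, separates denials whose target is a generic file type such as usr_t from those against daemon-specific types, and renders the latter as a minimal .te module. The GENERIC_TYPES set and the module name syslogng_local are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: AVC lines taken from comments 1, 3 and 10 of this bug,
# trimmed to the fields the parser needs. One SYSCALL record is kept to show
# that non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1305371145.760:294): avc:  denied  { write } for  pid=17853 comm="syslog-ng" name="syslog-ng" dev=sda1 ino=1540910 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1305371145.760:294): avc:  denied  { add_name } for  pid=17853 comm="syslog-ng" name="syslog-ng.persist-" scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1305371145.760:294): avc:  denied  { create } for  pid=17853 comm="syslog-ng" name="syslog-ng.persist-" scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1305371145.760:294): arch=40000003 syscall=5 success=yes exit=3 comm="syslog-ng" exe="/sbin/syslog-ng" subj=root:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1305696492.659:190): avc:  denied  { getattr } for  pid=4761 comm="syslog-ng" path="/var/lib/syslog-ng/syslog-ng.ctl" dev=sda1 ino=1867935 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:syslogd_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1305696492.659:191): avc:  denied  { unlink } for  pid=4761 comm="syslog-ng" name="syslog-ng.ctl" dev=sda1 ino=1867935 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:syslogd_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1305696492.659:192): avc:  denied  { create } for  pid=4761 comm="syslog-ng" name="syslog-ng.ctl" scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:syslogd_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1308304107.710:993): avc:  denied  { setcap } for  pid=13482 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=process
"""

# Matches one AVC denial record: the permission set in braces, then the
# source/target security contexts and the object class.
AVC_RE = re.compile(
    r"^type=AVC\b.*?avc:\s+denied\s+\{ (?P<perms>[^}]+?) \}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumption for this example: denials whose target carries one of these
# generic types usually mean the object lives in the wrong place or is
# mislabelled (here /usr/com/syslog-ng instead of /var/lib/syslog-ng), so the
# fix is to move or relabel it, not to widen the policy.
GENERIC_TYPES = {"usr_t", "var_t", "etc_t", "tmp_t", "default_t",
                 "unlabeled_t", "bin_t", "lib_t", "file_t"}


def context_type(context):
    """Extract the type from a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(log_text):
    """Return (source_type, target_type, tclass, perms) for every AVC denial."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, ... records carry no denial of their own
        denials.append((context_type(m["scontext"]), context_type(m["tcontext"]),
                        m["tclass"], frozenset(m["perms"].split())))
    return denials


def aggregate(denials):
    """Merge denials into {(source, target, class): perms}, as audit2allow does."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in denials:
        rules[(src, tgt, cls)] |= perms
    return rules


def allow_rules(rules):
    """Render merged denials as policy allow statements (self when src == tgt)."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        out.append(f"allow {src} {target}:{cls} {perm_text};")
    return out


def triage(rules):
    """Split rules into ones worth adding to policy and ones that signal a
    location/labelling problem (target is a generic type)."""
    policy, relabel = {}, {}
    for key, perms in rules.items():
        (relabel if key[1] in GENERIC_TYPES else policy)[key] = perms
    return policy, relabel


def te_module(name, rules):
    """Render a minimal .te module (the shape audit2allow -M produces)."""
    types = sorted({t for key in rules for t in (key[0], key[1])})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {{ {' '.join(sorted(perms))} }};"
              for cls, perms in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(rules)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    merged = aggregate(parse_avc(SAMPLE_AUDIT_LOG))
    to_policy, to_relabel = triage(merged)
    print("# fix by relocating/relabelling the object, not by policy:")
    print("\n".join(allow_rules(to_relabel)))
    print()
    print(te_module("syslogng_local", to_policy))
```

`allow_rules(to_relabel)` reproduces the usr_t rules from the description, which is exactly the set that should not have been added to policy; `te_module` covers the syslogd_var_lib_t and setcap rules that the fixed selinux-policy builds carry. On a real host the rendered module would be compiled with checkmodule and semodule_package and loaded with semodule -i, after confirming each permission is one the daemon legitimately needs.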
Comment 11 Daniel Walsh 2011-06-17 13:53:32 EDT
Did someone add drop_capability support to syslog-ng?
Comment 12 Jose Pedro Oliveira 2011-06-17 14:14:26 EDT
(In reply to comment #11)
> Did someone add drop_capability support to syslog-ng?

AFAIK we haven't been shipping syslog-ng for Fedora and for EPEL with Linux capabilities support enabled [1] (but it's on my todo list).

Regards,
jpo

[1] - configure --enable-linux-caps
Comment 13 Daniel Walsh 2011-06-17 15:05:47 EDT
Added a fix for the F16/F15 bug; I guess we have to add this to all distros.
Comment 15 Jose Pedro Oliveira 2011-06-20 11:57:14 EDT
For the record
--------------
The future syslog-ng 3.2.4 package for EPEL5 will be based on the one listed in ticket 714409:

 * Bug 714409 - EPEL5: Update syslog-ng to version 3.2.4
   https://bugzilla.redhat.com/show_bug.cgi?id=714409

/jpo
Comment 17 Matthias Runge 2011-06-30 14:02:55 EDT
(In reply to comment #13)
> Added fix for F16/F15 bug I guess we have to add this to all distros.

Good to hear. I'd like to ship a caps-enabled build for f15; I just submitted it to testing.
Comment 20 Matthias Runge 2011-07-01 04:32:08 EDT
OK, thank you. 

I'll delay submitting syslog-ng until you've pushed a newer f15 release. How long will this take?
Comment 21 errata-xmlrpc 2011-07-21 05:20:23 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
Comment 22 errata-xmlrpc 2011-07-21 07:56:51 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html