Bug 718439 - syslog-ng: Attempt to access syslog with CAP_SYS_ADMIN but no CAP_SYSLOG (deprecated)
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: syslog-ng
Version: 15
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Matthias Runge
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 689752
Blocks:
Reported: 2011-07-03 00:51 UTC by Jose Pedro Oliveira
Modified: 2012-08-06 20:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
BalaBit 108 0 None None None Never

Description Jose Pedro Oliveira 2011-07-03 00:51:29 UTC
Description of problem:
There appear to be problems with syslog-ng with capabilities support and kernels 2.6.38+.

Version-Release number of selected component (if applicable):
syslog-ng-3.2.4-6.fc1

Actual results:

----------
Jul  3 01:16:53 hyperion syslog-ng[29691]: syslog-ng shutting down; version='3.2.4'
Jul  3 01:16:53 hyperion kernel: : [256794.432386] ------------[ cut here ]------------
Jul  3 01:16:53 hyperion kernel: : [256794.432398] WARNING: at kernel/printk.c:288 do_syslog+0x8e/0x45a()
Jul  3 01:16:53 hyperion kernel: : [256794.432402] Hardware name: To Be Filled By O.E.M.
Jul  3 01:16:53 hyperion kernel: : [256794.432405] Attempt to access syslog with CAP_SYS_ADMIN but no CAP_SYSLOG (deprecated).
Jul  3 01:16:53 hyperion kernel: : [256794.432408] Modules linked in: cpufreq_ondemand acpi_cpufreq freq_table mperf ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables virtio_net kvm_intel kvm snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm microcode intel_ips i2c_i801 r8169 e1000e snd_timer snd soundcore iTCO_wdt mii iTCO_vendor_support snd_page_alloc ipv6 radeon ttm drm_kms_helper drm i2c_algo_bit i2c_core [last unloaded: scsi_wait_scan]
Jul  3 01:16:53 hyperion kernel: : [256794.432456] Pid: 20875, comm: syslog-ng Not tainted 2.6.38.8-32.fc15.x86_64 #1
Jul  3 01:16:53 hyperion kernel: : [256794.432460] Call Trace:
Jul  3 01:16:53 hyperion kernel: : [256794.432468]  [<ffffffff8105511a>] warn_slowpath_common+0x83/0x9b
Jul  3 01:16:53 hyperion kernel: : [256794.432474]  [<ffffffff810551d5>] warn_slowpath_fmt+0x46/0x48
Jul  3 01:16:53 hyperion kernel: : [256794.432481]  [<ffffffff811e7a85>] ? security_capable+0x29/0x2b
Jul  3 01:16:53 hyperion syslog-ng[20875]: syslog-ng starting up; version='3.2.4'
Jul  3 01:16:53 hyperion kernel: : [256794.432487]  [<ffffffff810557f9>] do_syslog+0x8e/0x45a
Jul  3 01:16:53 hyperion kernel: : [256794.432494]  [<ffffffff8116b6fe>] ? proc_reg_open+0x41/0x122
Jul  3 01:16:53 hyperion kernel: : [256794.432501]  [<ffffffff81111621>] ? kmem_cache_alloc_trace+0xc6/0xd8
Jul  3 01:16:53 hyperion kernel: : [256794.432507]  [<ffffffff81174d95>] kmsg_open+0x1c/0x1e
Jul  3 01:16:53 hyperion kernel: : [256794.432513]  [<ffffffff8116b764>] proc_reg_open+0xa7/0x122
Jul  3 01:16:53 hyperion kernel: : [256794.432518]  [<ffffffff81174d5c>] ? kmsg_release+0x0/0x1d
Jul  3 01:16:53 hyperion kernel: : [256794.432523]  [<ffffffff8116b6bd>] ? proc_reg_open+0x0/0x122
Jul  3 01:16:53 hyperion kernel: : [256794.432531]  [<ffffffff8111fc5c>] __dentry_open+0x161/0x283
Jul  3 01:16:53 hyperion kernel: : [256794.432539]  [<ffffffff8147595e>] ? _raw_spin_lock+0xe/0x10
Jul  3 01:16:53 hyperion kernel: : [256794.432545]  [<ffffffff81120bd0>] nameidata_to_filp+0x60/0x67
Jul  3 01:16:53 hyperion kernel: : [256794.432552]  [<ffffffff8112ca7f>] finish_open+0xa1/0x17f
Jul  3 01:16:53 hyperion kernel: : [256794.432558]  [<ffffffff8112bbc8>] ? do_path_lookup+0xca/0xf6
Jul  3 01:16:53 hyperion kernel: : [256794.432564]  [<ffffffff8112cfc2>] do_filp_open+0x186/0x60a
Jul  3 01:16:53 hyperion kernel: : [256794.432570]  [<ffffffff81124d1b>] ? might_fault+0x21/0x23
Jul  3 01:16:53 hyperion kernel: : [256794.432578]  [<ffffffff8104127e>] ? should_resched+0xe/0x2d
Jul  3 01:16:53 hyperion kernel: : [256794.432583]  [<ffffffff81474408>] ? _cond_resched+0xe/0x22
Jul  3 01:16:53 hyperion kernel: : [256794.432591]  [<ffffffff812324e1>] ? might_fault+0x21/0x23
Jul  3 01:16:53 hyperion kernel: : [256794.432598]  [<ffffffff81136b3d>] ? alloc_fd+0x72/0x11d
Jul  3 01:16:53 hyperion kernel: : [256794.432604]  [<ffffffff81120c37>] do_sys_open+0x60/0xf2
Jul  3 01:16:53 hyperion kernel: : [256794.432609]  [<ffffffff81120ce9>] sys_open+0x20/0x22
Jul  3 01:16:53 hyperion kernel: : [256794.432616]  [<ffffffff81009bc2>] system_call_fastpath+0x16/0x1b
Jul  3 01:16:53 hyperion kernel: : [256794.432620] ---[ end trace eef189876080657a ]---
----------


Additional info:

Upstream ticket:
 * 2.6.38+ will require CAP_SYSLOG (CAP_SYS_ADMIN not enough) 
   https://bugzilla.balabit.com/show_bug.cgi?id=108
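
Added example, not part of the bug report and not syslog-ng code: a small C checker that reads the `CapEff` mask from `/proc/<pid>/status` and reports whether a daemon holds CAP_SYSLOG or only CAP_SYS_ADMIN, the combination the kernel warning above names. The function names, enum values and the sample status text used to exercise it are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit numbers from <linux/capability.h>. */
#define CAP_SYS_ADMIN_BIT 21
#define CAP_SYSLOG_BIT    34

enum syslog_caps { HAS_CAP_SYSLOG, ADMIN_ONLY_DEPRECATED, NEITHER_CAP, PARSE_ERROR };

/* Pull the effective capability mask out of /proc/<pid>/status text. */
static int parse_cap_eff(const char *status, unsigned long long *mask)
{
    for (const char *line = status; line && *line; ) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            const char *p = line + 7;
            while (*p == ' ' || *p == '\t') p++;
            if (!isxdigit((unsigned char)*p)) return -1;  /* empty field */
            *mask = strtoull(p, NULL, 16);
            return 0;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;  /* no CapEff line found */
}

/* Check CAP_SYSLOG first, then CAP_SYS_ADMIN as the deprecated fallback. */
static enum syslog_caps classify_syslog_caps(const char *status)
{
    unsigned long long eff;
    if (parse_cap_eff(status, &eff) != 0) return PARSE_ERROR;
    if (eff & (1ULL << CAP_SYSLOG_BIT)) return HAS_CAP_SYSLOG;
    if (eff & (1ULL << CAP_SYS_ADMIN_BIT)) return ADMIN_ONLY_DEPRECATED;
    return NEITHER_CAP;
}

int main(int argc, char **argv)
{
    static const char *msg[] = { "has CAP_SYSLOG", "CAP_SYS_ADMIN only (deprecated)",
                                 "neither capability", "could not parse CapEff" };
    char path[64], buf[8192];
    snprintf(path, sizeof path, "/proc/%s/status", argc > 1 ? argv[1] : "self");
    FILE *f = fopen(path, "r");
    if (!f) { perror(path); return 2; }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    puts(msg[classify_syslog_caps(buf)]);
    return 0;
}
```

Run it with the PID of the logging daemon as the only argument; with no argument it inspects itself.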

Comment 1 Matthias Runge 2011-07-03 19:20:45 UTC
Oops. Thank you for this report and the pointer.

Comment 2 Matthias Runge 2011-07-08 06:45:36 UTC
Does this error still occur using 

https://admin.fedoraproject.org/updates/libcap-ng-0.6.6-1.fc15

Comment 3 Jose Pedro Oliveira 2011-07-08 10:04:52 UTC
(In reply to comment #2)
> Does this error still occur using 
> 
> https://admin.fedoraproject.org/updates/libcap-ng-0.6.6-1.fc15

Different header file

 * cap-ng.h vs sys/capability.h

and different library

 * libcap-ng.so vs libcap.so


and syslog-ng's configure only looks for the header file sys/capability.h and the library -lcap.

Comment 4 Matthias Runge 2011-07-08 10:16:09 UTC
OK, understood. Should be related to

https://bugzilla.redhat.com/show_bug.cgi?id=689752

right?

Comment 5 Jose Pedro Oliveira 2011-08-07 00:52:37 UTC
Libcap v2.22 is already available for Fedora 15 in the updates repository.

Comment 6 Jose Pedro Oliveira 2011-08-07 00:58:47 UTC
How to reproduce the kernel trace:

System:
VM with Fedora 15 x86_64 (and fully updated)

Packages:
kernel-2.6.40-4.fc15.x86_64
systemd-26-8.fc15.x86_64
libcap-2.22-1.fc15.x86_64
rsyslog-5.8.2-1.fc15.x86_64
syslog-ng-3.2.4-6.fc15.x86_64  (from updates-testing)

Steps:
1) boot vm with rsyslog as the running syslog daemon
2) systemctl disable rsyslog.service;
3) systemctl enable syslog-ng.service
4) systemctl stop rsyslog.service
5) systemctl start syslog-ng.service
6) see kernel trace in /var/log/messages

Trace
--------------------
Aug  7 02:50:53 localhost rsyslogd: [origin software="rsyslogd" swVersion="5.8.2" x-pid="690" x-info="http://www.rsyslog.com"] exiting on signal 15.
Aug  7 02:50:53 localhost kernel: : [  251.396893] ------------[ cut here ]------------
Aug  7 02:50:53 localhost kernel: : [  251.396902] WARNING: at kernel/printk.c:322 do_syslog+0x8e/0x45a()
Aug  7 02:50:53 localhost kernel: : [  251.396935] Hardware name: VMware Virtual Platform
Aug  7 02:50:53 localhost kernel: : [  251.396936] Attempt to access syslog with CAP_SYS_ADMIN but no CAP_SYSLOG (deprecated).
Aug  7 02:50:53 localhost kernel: : [  251.396938] Modules linked in: sunrpc bnep bluetooth rfkill ip6t_REJECT nf_conntrack_ipv4 nf_conntrack_ipv6 nf_defrag_ipv4 nf_defrag_ipv6 ip6table_filter xt_state nf_conntrack ip6_tables snd_ens1371 gameport snd_rawmidi snd_ac97_codec ac97_bus snd_seq snd_seq_device snd_pcm ppdev microcode vmw_balloon snd_timer parport_pc snd i2c_piix4 parport soundcore shpchp snd_page_alloc e1000 i2c_core mptspi mptscsih mptbase scsi_transport_spi [last unloaded: speedstep_lib]
Aug  7 02:50:53 localhost kernel: : [  251.396963] Pid: 1192, comm: syslog-ng Not tainted 2.6.40-4.fc15.x86_64 #1
Aug  7 02:50:53 localhost kernel: : [  251.396965] Call Trace:
Aug  7 02:50:53 localhost kernel: : [  251.396969]  [<ffffffff81054c8e>] warn_slowpath_common+0x83/0x9b
Aug  7 02:50:53 localhost kernel: : [  251.396972]  [<ffffffff81054d49>] warn_slowpath_fmt+0x46/0x48
Aug  7 02:50:53 localhost kernel: : [  251.396976]  [<ffffffff8105e5bd>] ? ns_capable+0x3a/0x4f
Aug  7 02:50:53 localhost syslog-ng[1192]: syslog-ng starting up; version='3.2.4'
Aug  7 02:50:53 localhost kernel: : [  251.396978]  [<ffffffff8105537e>] do_syslog+0x8e/0x45a
Aug  7 02:50:53 localhost kernel: : [  251.396982]  [<ffffffff81171a1e>] ? proc_reg_open+0x41/0x122
Aug  7 02:50:53 localhost kernel: : [  251.396985]  [<ffffffff8111663f>] ? kmem_cache_alloc_trace+0xc6/0xd8
Aug  7 02:50:53 localhost kernel: : [  251.396988]  [<ffffffff8117b5cd>] kmsg_open+0x1c/0x1e
Aug  7 02:50:53 localhost kernel: : [  251.396990]  [<ffffffff81171a84>] proc_reg_open+0xa7/0x122
Aug  7 02:50:53 localhost kernel: : [  251.396992]  [<ffffffff8117b594>] ? read_vmcore+0x1cc/0x1cc
Aug  7 02:50:53 localhost kernel: : [  251.396995]  [<ffffffff811719dd>] ? proc_alloc_inode+0xa1/0xa1
Aug  7 02:50:53 localhost kernel: : [  251.396998]  [<ffffffff81125405>] __dentry_open+0x17d/0x2be
Aug  7 02:50:53 localhost kernel: : [  251.397006]  [<ffffffff814b6fe6>] ? _raw_spin_lock+0xe/0x10
Aug  7 02:50:53 localhost kernel: : [  251.397008]  [<ffffffff8112638f>] nameidata_to_filp+0x60/0x67
Aug  7 02:50:53 localhost kernel: : [  251.397011]  [<ffffffff81131b2a>] do_last+0x434/0x581
Aug  7 02:50:53 localhost kernel: : [  251.397013]  [<ffffffff811327fc>] path_openat+0xc8/0x31c
Aug  7 02:50:53 localhost kernel: : [  251.397016]  [<ffffffff810b2135>] ? __call_rcu+0x130/0x139
Aug  7 02:50:53 localhost kernel: : [  251.397018]  [<ffffffff81132a88>] do_filp_open+0x38/0x86
Aug  7 02:50:53 localhost kernel: : [  251.397021]  [<ffffffff8113c341>] ? alloc_fd+0x72/0x11d
Aug  7 02:50:53 localhost kernel: : [  251.397023]  [<ffffffff81126404>] do_sys_open+0x6e/0x100
Aug  7 02:50:53 localhost kernel: : [  251.397025]  [<ffffffff810a0c7c>] ? audit_syscall_entry+0x145/0x171
Aug  7 02:50:53 localhost kernel: : [  251.397027]  [<ffffffff811264b6>] sys_open+0x20/0x22
Aug  7 02:50:53 localhost kernel: : [  251.397029]  [<ffffffff814bd7c2>] system_call_fastpath+0x16/0x1b
Aug  7 02:50:53 localhost kernel: : [  251.397031] ---[ end trace ac416a71ae31ead5 ]---
--------------------

Comment 7 Jose Pedro Oliveira 2011-08-07 01:11:09 UTC
Additional comments:

 * syslog-ng appears to be working; at least it is running and logs messages
   produced by the logger utility

 * the kernel trace doesn't occur during the following operations
   (ordered):

   1) systemctl stop syslog-ng.service; systemctl start rsyslog.service
   2) logger test1
   3) systemctl stop rsyslog.service; systemctl start syslog-ng.service
   4) logger test2

   But rsyslog doesn't appear to be working correctly as the log message
   from the second operation doesn't get to the /var/log/messages file
   (but the one from 4) does).

 * a syslog-ng 3.2.4 compiled with capabilities and the upstream patch 
   http://git.balabit.hu/?p=bazsi/syslog-ng-3.2.git;a=commit;h=ae0ff59d9a761c2fda8a19b0c05e0e05c59bae57
   doesn't even start.

Could someone also test this?

Thanks in advance,
jpo

Comment 8 Jose Pedro Oliveira 2011-08-07 01:33:41 UTC
Syslog-ng 3.2.4 with the upstream patch:

 * http://um-pe09-2.di.uminho.pt/fedora/15/syslog-ng-3.2.4-6.2.fc15.src.rpm

Contents diff from syslog-ng-3.2.4-6.fc15.src.rpm:

 * http://um-pe09-2.di.uminho.pt/fedora/15/diff.txt

Comment 9 Fedora End Of Life 2012-08-06 20:01:00 UTC
This message is a notice that Fedora 15 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 15. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained.  At this time, all open bugs with a Fedora 'version'
of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advance warning of this 
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen 
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we were unable to fix it before Fedora 15 reached end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" (top right of this page) and open it against that 
version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
