Bug 974932 - selinux denies rsyslog to drop privileges
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Michal Trunecka
Reported: 2013-06-17 03:39 EDT by Jens Kuehnel
Modified: 2014-09-30 19:35 EDT
CC: 4 users

Fixed In Version: selinux-policy-3.7.19-208.el6
Doc Type: Bug Fix
Last Closed: 2013-11-21 05:31:12 EST
Type: Bug


Attachments: None
Description Jens Kuehnel 2013-06-17 03:39:12 EDT
Description of problem:
rsyslog can drop privileges with the options $PrivDropToUser and $PrivDropToGroup, but SELinux does not allow setuid/setgid.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-195.el6_4.10.noarch

How reproducible:
100%


Steps to Reproduce:
1. Create user rsyslog with: useradd -r rsyslog
2. Remove line "$ModLoad imklog" from rsyslog.conf
3. Add line "$PrivDropToUser rsyslog" to rsyslog.conf
4. Fix permission in /var/log/ to allow writes
5. Restart

Actual results:
could not set requested userid: Operation not permitted

Expected results:
no output, and eUID 


Additional info:
I created the following te to fix this:
module rsyslog-drop-priv 1.0;

require {
        type syslogd_t;
        class capability { setuid setgid };
}

#============= syslogd_t ==============
allow syslogd_t self:capability { setuid setgid };
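To show how a require/allow module like the one above is derived from the AVC denials that the audit log records when rsyslogd calls setuid()/setgid() under this policy, here is an added example (not from the bug report, and not the audit2allow tool it loosely imitates): a POSIX shell function that groups the denied permissions per source type, target type and object class and prints the corresponding .te text. The AVC lines it consumes are constructed to match the rsyslog case; the pids, timestamps and serial numbers are made up, while the field layout, the capability numbers (CAP_SETGID=6, CAP_SETUID=7) and the syslogd_t context are those a real audit.log would show.

```shell
#!/bin/sh
# Added example: a minimal AVC-denial-to-policy generator. It is a teaching
# stand-in for audit2allow, not a replacement for it.

# Constructed sample in the audit.log AVC format (pids/timestamps are made up).
# The third line is a non-AVC record and must be ignored by the generator.
sample_avc_lines() {
    cat <<'EOF'
type=AVC msg=audit(1371456789.123:456): avc:  denied  { setuid } for  pid=1234 comm="rsyslogd" capability=7  scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability
type=AVC msg=audit(1371456789.123:457): avc:  denied  { setgid } for  pid=1234 comm="rsyslogd" capability=6  scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability
type=SYSCALL msg=audit(1371456789.123:457): arch=c000003e syscall=106 success=no exit=-1
EOF
}

# avc_to_te MODULE_NAME  <  avc-lines
# Reads AVC "denied" records on stdin and prints a policy module source that
# grants exactly the denied permissions, one allow rule per
# (source type, target type, class) triple, "self" when source == target.
avc_to_te() {
    awk -v modname="${1:-local}" '
    # The type is the third colon-separated field of a security context.
    function ctxtype(ctx,    f) { split(ctx, f, ":"); return f[3] }

    /avc: +denied +[{]/ {
        # Permission list is the braced group, e.g. "{ setuid }".
        if (match($0, /[{][^}]*[}]/) == 0) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        stype = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
            if (k == "scontext") stype = ctxtype(v)
            else if (k == "tcontext") ttype = ctxtype(v)
            else if (k == "tclass") tclass = v
        }
        if (stype == "" || ttype == "" || tclass == "") next
        # Remember first-seen order so the output is deterministic.
        key = stype SUBSEP ttype SUBSEP tclass
        if (!(key in rules)) { order[++nrules] = key; rules[key] = "" }
        if (!(stype in types)) { tlist[++ntypes] = stype; types[stype] = 1 }
        if (!(ttype in types)) { tlist[++ntypes] = ttype; types[ttype] = 1 }
        if (!(tclass in classes)) { clist[++nclasses] = tclass; classes[tclass] = "" }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; rules[key] = rules[key] " " p[j] }
            if (!((tclass, p[j]) in cseen)) { cseen[tclass, p[j]] = 1; classes[tclass] = classes[tclass] " " p[j] }
        }
    }

    END {
        if (nrules == 0) exit 1        # nothing to generate
        printf "module %s 1.0;\n\nrequire {\n", modname
        for (i = 1; i <= ntypes; i++) printf "\ttype %s;\n", tlist[i]
        for (i = 1; i <= nclasses; i++) printf "\tclass %s {%s };\n", clist[i], classes[clist[i]]
        printf "}\n"
        for (i = 1; i <= nrules; i++) {
            split(order[i], f, SUBSEP)
            if (f[1] != last) { printf "\n#============= %s ==============\n", f[1]; last = f[1] }
            tgt = (f[2] == f[1]) ? "self" : f[2]
            printf "allow %s %s:%s {%s };\n", f[1], tgt, f[3], rules[order[i]]
        }
    }'
}

# Stand-alone demo: feed the constructed denials through the generator.
sample_avc_lines | avc_to_te rsyslog-drop-priv

# On a real RHEL 6 host the same function works on the audit log, and the
# standard policy tools build and load the result:
#   grep syslogd_t /var/log/audit/audit.log | avc_to_te rsyslog-drop-priv > rsyslog-drop-priv.te
#   checkmodule -M -m -o rsyslog-drop-priv.mod rsyslog-drop-priv.te
#   semodule_package -o rsyslog-drop-priv.pp -m rsyslog-drop-priv.mod
#   semodule -i rsyslog-drop-priv.pp
```

Run stand-alone it prints a module equivalent to the one in the report, with the two capability permissions merged into a single `class` requirement and a single `allow` rule. Because the generator grants exactly what was denied and nothing else, each printed rule should still be read against what the confined domain legitimately needs before it is loaded; here the two capabilities are precisely what rsyslog needs to honour $PrivDropToUser/$PrivDropToGroup, and the local module is only needed until the fixed selinux-policy package named in this bug (3.7.19-208.el6) is installed, after which `semodule -r rsyslog-drop-priv` removes it. Whether the drop actually happened afterwards can be confirmed with `ps -o euser= -C rsyslogd`, which should print rsyslog rather than root.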
Comment 2 Daniel Walsh 2013-06-18 11:49:29 EDT
02dd9555a1e7c22c1ce8276ca7e82dabc0a11223 fixes this in git.
Comment 3 Miroslav Grepl 2013-07-17 08:24:17 EDT
Back ported.
Comment 6 errata-xmlrpc 2013-11-21 05:31:12 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html
