Bug 996135 - targeted policy prevents the use of a program destination for syslog-ng
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 19
Hardware: x86_64 Linux
Priority: unspecified
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Ben Levenson
Reported: 2013-08-12 09:35 EDT by Bill Pemberton
Modified: 2013-08-21 20:55 EDT
Fixed In Version: selinux-policy-3.12.1-71.fc19
Doc Type: Bug Fix
Last Closed: 2013-08-21 20:55:13 EDT
Type: Bug
Attachments: None

Description Bill Pemberton 2013-08-12 09:35:26 EDT
Description of problem:

It appears that the targeted policy doesn't provide a way to use a program target with syslog-ng. The policy won't allow syslogd_t to run /bin/bash so it doesn't matter how the destination program is actually labeled.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.12.1-69
syslog-ng-3.4.1-1

How reproducible:
every time

Steps to Reproduce:
1. install syslog-ng and change the configuration file to use a program destination, for example in syslog-ng.conf:

destination d_auth {  program("/usr/local/bin/foo.pl");};

At this point, the target program can be pretty much anything, because we're going to get denied no matter what.

2.  start syslog-ng


Actual results:

A denial such as
type=AVC msg=audit(1376057129.316:180564): avc:  denied  { execute } for  pid=19455 comm="syslog-ng" name="bash" dev="dm-0" ino=660608 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Expected results:

The program should be run, or at least there should be some sort of correct label for the program to make it run, but it appears the targeted policy is denying it before it can even get that far.
Comment 1 Daniel Walsh 2013-08-13 18:34:57 EDT
If you run this in permissive mode what other AVC's do you get?
Comment 2 Bill Pemberton 2013-08-14 09:07:34 EDT
With permissive, I get:

type=AVC msg=audit(1376485299.850:97310): avc:  denied  { execute } for  pid=522 comm="syslog-ng" name="bash" dev="dm-0" ino=660608 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1376485299.850:97310): avc:  denied  { execute_no_trans } for  pid=522 comm="syslog-ng" path="/usr/bin/bash" dev="dm-0" ino=660608 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1376485299.852:97311): avc:  denied  { execute } for  pid=522 comm="sh" name="foo.pl" dev="dm-0" ino=671398 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1376485299.852:97311): avc:  denied  { execute_no_trans } for  pid=522 comm="sh" path="/usr/local/bin/foo.pl" dev="dm-0" ino=671398 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1376485299.852:97311): avc:  denied  { execute } for  pid=522 comm="sh" name="perl" dev="dm-0" ino=662275 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
Comment 3 Daniel Walsh 2013-08-14 10:54:59 EDT
d30eb6c37953c7543d3878256a285e735862866e fixes this in git; you can add a custom policy module for now.
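The custom policy module that comment 3 suggests as a stopgap, as an added example that is not part of this bug report or of the selinux-policy package: a POSIX shell script that turns the AVC lines quoted in comment 2 into a loadable module in the raw checkmodule syntax, doing by hand what `audit2allow -M` does. The module name `syslogng_program`, the function names and the embedded sample input (the five AVC lines from comment 2, copied here as constructed test data) are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from selinux-policy:
# build a minimal local SELinux module from the AVC denials in comment 2,
# the way "audit2allow -M" would, so syslog-ng's program() destination
# can exec its helper. Module name and function names are assumptions.

# Constructed sample input: the AVC lines quoted in comment 2.
AVC_SAMPLE='type=AVC msg=audit(1376485299.850:97310): avc:  denied  { execute } for  pid=522 comm="syslog-ng" name="bash" dev="dm-0" ino=660608 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1376485299.850:97310): avc:  denied  { execute_no_trans } for  pid=522 comm="syslog-ng" path="/usr/bin/bash" dev="dm-0" ino=660608 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1376485299.852:97311): avc:  denied  { execute } for  pid=522 comm="sh" name="foo.pl" dev="dm-0" ino=671398 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1376485299.852:97311): avc:  denied  { execute_no_trans } for  pid=522 comm="sh" path="/usr/local/bin/foo.pl" dev="dm-0" ino=671398 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1376485299.852:97311): avc:  denied  { execute } for  pid=522 comm="sh" name="perl" dev="dm-0" ino=662275 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file'

# avc_to_allow: read AVC lines on stdin and emit one
# "allow SRC TGT:CLASS { perms };" per (source type, target type, class),
# with the permissions of all matching denials merged and deduplicated.
avc_to_allow() {
    sed -n 's/.*denied *{ *\([a-z_]*\) *}.*scontext=[^:]*:[^:]*:\([^:]*\):.* tcontext=[^:]*:[^:]*:\([^:]*\):.* tclass=\([a-z_]*\).*/\2 \3 \4 \1/p' |
    sort -u |
    awk '{ key = $1 " " $2 ":" $3; perms[key] = perms[key] " " $4 }
         END { for (k in perms) print "allow " k " {" perms[k] " };" }' |
    sort
}

# build_te: read AVC lines on stdin and print a complete .te module
# ($1 = module name) in checkmodule syntax, including the require block
# that declares every type and every class/permission the rules reference.
build_te() {
    rules=$(avc_to_allow)
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '%s\n' "$rules" |
        awk '{ print $2; sub(/:.*/, "", $3); print $3 }' | sort -u |
        sed 's/.*/    type &;/'
    printf '%s\n' "$rules" |
        awk '{ cls = $3; sub(/.*:/, "", cls)
               for (i = 5; i < NF; i++) if (!seen[cls, $i]++) perms[cls] = perms[cls] " " $i }
             END { for (c in perms) print "    class " c " {" perms[c] " };" }' | sort
    printf '}\n\n%s\n' "$rules"
}

# install_module: compile and load the module (needs policycoreutils, run as
# root). Not called by default; on a real host feed the output of
# "ausearch -m avc -c syslog-ng" to build_te instead of AVC_SAMPLE.
install_module() {
    name=$1
    printf '%s\n' "$AVC_SAMPLE" | build_te "$name" > "$name.te"
    checkmodule -M -m -o "$name.mod" "$name.te"
    semodule_package -o "$name.pp" -m "$name.mod"
    semodule -i "$name.pp"
}

# Print the module that would be loaded; review it before calling install_module.
printf '%s\n' "$AVC_SAMPLE" | build_te syslogng_program
```

For the sample above the script emits two rules, `allow syslogd_t bin_t:file { execute };` and `allow syslogd_t shell_exec_t:file { execute execute_no_trans };`. Read them before loading: `execute_no_trans` means bash, perl and foo.pl keep running as syslogd_t with no domain transition, so the helper gets exactly syslog-ng's permissions and syslog-ng gains the ability to run any shell_exec_t or bin_t binary. That is the narrowest rule set the AVCs on this page call for, but it does widen what a compromised syslog-ng can do, so treat it as a temporary module and drop it with `semodule -r syslogng_program` once selinux-policy-3.12.1-71.fc19 is installed. Always generate from a filtered `ausearch -m avc -c syslog-ng` run rather than the whole audit log, so unrelated denials do not end up as allow rules.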
Comment 4 Fedora Update System 2013-08-20 04:28:31 EDT
selinux-policy-3.12.1-71.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-71.fc19
Comment 5 Fedora Update System 2013-08-20 20:17:21 EDT
Package selinux-policy-3.12.1-71.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-71.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15088/selinux-policy-3.12.1-71.fc19
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2013-08-21 20:55:13 EDT
selinux-policy-3.12.1-71.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.