SELinux is preventing /usr/libexec/postfix/pickup from 'sendto' accesses on the unix_dgram_socket /dev/log.

Doing nothing specific, just happened somewhere in the background.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that pickup should be allowed sendto access on the log unix_dgram_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep pickup /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:postfix_pickup_t:s0
Target Context                system_u:system_r:init_t:s0
Target Objects                /dev/log [ unix_dgram_socket ]
Source                        pickup
Source Path                   /usr/libexec/postfix/pickup
Port                          <Neznámé>
Host                          (removed)
Source RPM Packages           postfix-2.8.1-1.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-5.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38-1.fc15.x86_64 #1 SMP Tue Mar 15 05:29:00 UTC 2011 x86_64 x86_64
Alert Count                   2
First Seen                    Po 21. březen 2011, 13:38:28 CET
Last Seen                     Po 21. březen 2011, 15:18:30 CET
Local ID                      c12968ef-1e31-4a59-a4a7-170ecb28ddd6

Raw Audit Messages
type=AVC msg=audit(1300717110.387:246): avc: denied { sendto } for pid=5453 comm="pickup" path="/dev/log" scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_dgram_socket

type=SYSCALL msg=audit(1300717110.387:246): arch=x86_64 syscall=connect success=yes exit=0 a0=7 a1=7faff82217c0 a2=6e a3=7fffdfc7ad80 items=0 ppid=1458 pid=5453 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=pickup exe=/usr/libexec/postfix/pickup subj=system_u:system_r:postfix_pickup_t:s0 key=(null)

Hash: pickup,postfix_pickup_t,init_t,unix_dgram_socket,sendto

audit2allow

#============= postfix_pickup_t ==============
allow postfix_pickup_t init_t:unix_dgram_socket sendto;

audit2allow -R

#============= postfix_pickup_t ==============
allow postfix_pickup_t init_t:unix_dgram_socket sendto;
If systemd is impersonating syslog, it has to label the socket appropriately.
*** Bug 689410 has been marked as a duplicate of this bug. ***
*** Bug 689098 has been marked as a duplicate of this bug. ***
*** Bug 689097 has been marked as a duplicate of this bug. ***
*** Bug 689089 has been marked as a duplicate of this bug. ***
*** Bug 689255 has been marked as a duplicate of this bug. ***
*** Bug 689723 has been marked as a duplicate of this bug. ***
I am now seeing this while using F15

#============= vpnc_t ==============
allow vpnc_t init_t:unix_dgram_socket sendto;

#============= staff_dbusd_t ==============
allow staff_dbusd_t init_t:unix_dgram_socket sendto;

#============= staff_sudo_t ==============
allow staff_sudo_t init_t:unix_dgram_socket sendto;
We have in init_daemon_domain() interface

tunable_policy(`init_systemd',`
	allow $1 init_t:unix_dgram_socket sendto;
')

Dan, looks like it is needed for all domains.
*** Bug 689720 has been marked as a duplicate of this bug. ***
No, systemd needs to set the socket label on the /dev/log socket to syslogd_t. It is not executing the correct impersonation code. I added a patch to systemd that allowed it to figure out the label to associate with a socket and then execute setsockcreatecon(CONTEXT) before binding to a socket. For some reason systemd is not calling this code on the /dev/log socket.
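The triage the comment above implies, as an added Python example that is not part of this bug report nor code from systemd or selinux-policy: it parses AVC lines like the raw audit message at the top of the report, reconstructs the rule audit2allow would emit, and flags the case where the denial's target is a well-known object carrying a label it should not have (here /dev/log owned by init_t instead of syslogd_t). In that case the generated allow rule would only paper over a labelling bug, which is the point made later in the thread about not allowing every domain to talk to init. The expected-label table, the second sample line, and all function names are assumptions made for this example.

```python
import re

# Constructed sample audit lines. The first reproduces the raw AVC message from
# this report (same pid, contexts and timestamp); the second is made up here to
# show the contrasting case where /dev/log already carries the syslogd_t label.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1300717110.387:246): avc: denied { sendto } for pid=5453 '
    'comm="pickup" path="/dev/log" scontext=system_u:system_r:postfix_pickup_t:s0 '
    'tcontext=system_u:system_r:init_t:s0 tclass=unix_dgram_socket',
    'type=AVC msg=audit(1300717200.001:250): avc: denied { sendto } for pid=5460 '
    'comm="vpnc" path="/dev/log" scontext=system_u:system_r:vpnc_t:s0 '
    'tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket',
]

# Assumption for this example: which type a well-known object is supposed to
# carry. /dev/log is owned by the syslog daemon domain, as the comment states.
EXPECTED_TARGET_TYPE = {"/dev/log": "syslogd_t"}

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the key=value fields of an AVC denial, plus the
    denied permissions under 'perms'; None if the line is not a denial."""
    m = PERMS_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["perms"] = m.group("perms").split()
    return fields


def context_type(ctx):
    """user:role:type[:range] -> type"""
    return ctx.split(":")[2]


def audit2allow_rule(avc):
    """The single rule audit2allow would print for this one denial."""
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (
        context_type(avc["scontext"]), context_type(avc["tcontext"]),
        avc["tclass"], perm_str)


def triage(line):
    """Classify a denial: is the target label what the object should have
    (then a policy rule may be the right fix), or is the object mislabelled
    (then relabel the object, e.g. the creator must set the socket context
    before bind, and do not load the generated rule)?"""
    avc = parse_avc(line)
    if avc is None:
        return None
    path = avc.get("path")
    stype = context_type(avc["scontext"])
    ttype = context_type(avc["tcontext"])
    expected = EXPECTED_TARGET_TYPE.get(path)
    if expected is not None and ttype != expected:
        verdict = "mislabeled_target"
        advice = ("%s is labelled %s but should be %s: fix the labelling of the "
                  "object, do not load the generated rule" % (path, ttype, expected))
    else:
        verdict = "policy_gap"
        advice = "target label is as expected; a policy rule for %s may be appropriate" % stype
    return {"source_type": stype, "target_type": ttype, "path": path,
            "rule": audit2allow_rule(avc), "verdict": verdict, "advice": advice}


if __name__ == "__main__":
    for line in SAMPLE_AUDIT:
        result = triage(line)
        print("%-18s %s" % (result["verdict"], result["rule"]))
        print("    " + result["advice"])
```

Run over a real audit.log the same way: feed each line to triage() and look at the verdict before deciding whether audit2allow's output belongs in a local module at all; every mislabeled_target hit for /dev/log in this bug would have produced a rule granting yet another domain sendto on init_t.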
I meant as 'broken_symptoms' for now.
You could add this to logging_send_syslog_msg for now, but I really want to make sure systemd is working correctly and syslogd is working correctly.
This should be a blocker. We should not have to allow every domain to communicate with the init system in order to allow this bug to remain.
We could try to label /lib/systemd/systemd-kmsg-syslogd as syslogd_exec_t
*** Bug 689946 has been marked as a duplicate of this bug. ***
*** Bug 690250 has been marked as a duplicate of this bug. ***
So, the problem is probably like this: systemd at early boot creates /dev/log, and eventually spawns /lib/systemd/systemd-kmsg-syslogd for it during early boot. That is a tiny bridge that connects /dev/log to kmsg, so that we have proper logging for the first time during early boot. Later on, when rsyslog is about to get started, that bridge is terminated and the very same /dev/log is passed on to rsyslog. The effect of this is that both rsyslogd and systemd-kmsg-syslogd get the same /dev/log socket passed, which is labelled according to the policy for systemd-kmsg-syslogd since that is what we start first. Most likely the policy should just be updated to label rsyslogd and systemd-kmsg-syslogd the same way. Reassigning to selinux.
Fixed in selinux-policy-3.9.16-6.fc15