I recently installed FC3 on a machine (we had previously been using FC1), so this is my first exposure to SELinux. Consequently, we are running the targeted policy in permissive mode. We use syslog-ng (rather than sysklogd) and have updated the syslog-ng.conf to monitor/log/distribute log events on a number of other ports beyond the standard syslog distribution.
Among other things, what we do in syslog-ng includes:
- open non-standard UDP/TCP ports
- open non-standard files
- call non-standard routines
As a complete newbie to SELinux, I don't know whether it is easier/simpler/better/(or even how) to modify the syslog policy or the attributes of the executables/files/directories that it touches. I would appreciate some advice and guidance.
AVC log events:
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.142:0): avc: denied { write } for pid=16201 exe=/sbin/syslog-ng name=kmsg dev=proc ino=-268435446 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.145:0): avc: denied { read } for pid=16202 exe=/bin/bash name=mtab dev=dm-0 ino=7146016 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.145:0): avc: denied { getattr } for pid=16202 exe=/bin/bash path=/etc/mtab dev=dm-0 ino=7146016 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.150:0): avc: denied { write } for pid=16202 exe=_executable_1_ name=status dev=dm-0 ino=166481 scontext=system_u:system_r:syslogd_t tcontext=user_u:object_r:usr_t tclass=file
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.150:0): avc: denied { getattr } for pid=16202 exe=_executable_1_ path=_file_1_ dev=dm-0 ino=166481 scontext=system_u:system_r:syslogd_t tcontext=user_u:object_r:usr_t tclass=file
Dec 27 10:47:27 gsi10 kernel: audit(1104162447.513:0): avc: denied { sys_admin } for pid=16201 exe=/sbin/syslog-ng capability=21 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { write } for pid=16201 exe=/sbin/syslog-ng name=log dev=dm-0 ino=166417 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { add_name } for pid=16201 exe=/sbin/syslog-ng name=e27.log scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { create } for pid=16201 exe=/sbin/syslog-ng name=e27.log scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { setattr } for pid=16201 exe=/sbin/syslog-ng name=e27.log dev=dm-0 ino=166450 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { chown } for pid=16201 exe=/sbin/syslog-ng capability=0 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { fowner } for pid=16201 exe=/sbin/syslog-ng capability=3 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { fsetid } for pid=16201 exe=/sbin/syslog-ng capability=4 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { append } for pid=16201 exe=/sbin/syslog-ng path=_file_2_ dev=dm-0 ino=166450 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.318:0): avc: denied { write } for pid=16202 exe=_executable_1_ path=_file_3_ dev=dm-0 ino=166444 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.318:0): avc: denied { getattr } for pid=16202 exe=_executable_1_ path=_file_4_ dev=dm-0 ino=166472 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.318:0): avc: denied { read } for pid=16202 exe=_executable_1_ path=_file_5_ dev=dm-0 ino=166474 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { remove_name } for pid=16202 exe=_executable_1_ name=delete_next dev=dm-0 ino=166474 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { unlink } for pid=16202 exe=_executable_1_ name=delete_next dev=dm-0 ino=166474 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { search } for pid=1633 exe=_executable_1_ name=bin dev=dm-0 ino=1245185 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { read } for pid=1633 exe=_executable_1_ name=sh dev=dm-0 ino=3850242 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=lnk_file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { execute } for pid=1633 exe=_executable_1_ name=bash dev=dm-0 ino=1245248 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:shell_exec_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.320:0): avc: denied { execute_no_trans } for pid=1633 exe=_executable_1_ path=/bin/bash dev=dm-0 ino=1245248 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:shell_exec_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.320:0): avc: denied { read } for pid=1633 exe=_executable_1_ path=/bin/bash dev=dm-0 ino=1245248 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:shell_exec_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.321:0): avc: denied { read } for pid=1633 exe=/bin/bash name=meminfo dev=proc ino=-268435454 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:proc_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.321:0): avc: denied { getattr } for pid=1633 exe=/bin/bash path=/proc/meminfo dev=proc ino=-268435454 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:proc_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.322:0): avc: denied { search } for pid=1633 exe=/bin/bash name=sbin dev=dm-0 ino=7356417 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:sbin_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.322:0): avc: denied { getattr } for pid=1633 exe=/bin/bash path=/bin/bash dev=dm-0 ino=1245248 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:shell_exec_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.323:0): avc: denied { getattr } for pid=1633 exe=/bin/bash path=/bin/rm dev=dm-0 ino=1245243 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.323:0): avc: denied { execute } for pid=1633 exe=/bin/bash name=rm dev=dm-0 ino=1245243 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.323:0): avc: denied { execute_no_trans } for pid=1633 exe=/bin/bash path=/bin/rm dev=dm-0 ino=1245243 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.323:0): avc: denied { read } for pid=1633 exe=/bin/bash path=/bin/rm dev=dm-0 ino=1245243 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=file
Steve Friedman