Re: syslog-ng creates /dev/log in wrong selinux domain causing avc denials

On Tue, 2013-03-19 at 11:05 -0400, Daniel Neuberger wrote:

> I think this is because the syslog-ng daemon is running in the wrong
> domain.  It never transitions from the initrc_t domain:
> 
> [root@foo log]$ ps -efZ | grep syslog
> system_u:system_r:initrc_t:s0   root      4912     1  0 16:20 ? 00:00:00 supervising syslog-ng
> system_u:system_r:initrc_t:s0   root      4913  4912  0 16:20 ? 00:00:00 /opt/syslog-ng/sbin/syslog-ng --no-caps
> 
> The problem - I think - is that we're using a syslog-ng rpm from the
> vendor's website that installs to /opt rather than /usr as the
> targeted policy seems to expect, meaning the daemon and everything has
> the wrong file contexts.  I tried fixing this by updating the contexts
> based off the settings in the logging.fc file from the policy src.rpm,
> but that didn't help:
> 
> [root@foo ~]$ chcon system_u:object_r:syslog_conf_t:s0 /opt/syslog-ng/etc/*
> [root@foo ~]$ chcon system_u:object_r:syslogd_exec_t:s0 /opt/syslog-ng/sbin/*
> [root@foo ~]$ chcon system_u:object_r:syslogd_var_lib_t:s0 /opt/syslog-ng/var/syslog-ng.persist
> [root@foo ~]$ chcon system_u:object_r:syslogd_var_lib_t:s0 /opt/syslog-ng/var/run/*
> [root@foo ~]$ run_init /etc/init.d/syslog-ng restart
> Authenticating foobar.
> Password:
> Restarting syslog-ng: Stopping syslog-ng:                  [  OK  ]
> Starting syslog-ng:                                        [  OK  ]
> [root@foo ~]$ ls -Z /dev/log
> srw-rw-rw-  root root user_u:object_r:device_t:s0      /dev/log
> [root@foo ~]$ ps -efZ | grep syslog
> user_u:system_r:initrc_t:s0     root      6594     1  0 14:35 ? 00:00:00 supervising syslog-ng
> user_u:system_r:initrc_t:s0     root      6595  6594  0 14:35 ? 00:00:00 /opt/syslog-ng/sbin/syslog-ng --no-caps

Domain type transitions happen on execve. So you need to make sure that
both the init script as well as the syslog executable file are labeled
properly.

It's like this:

init_t -> initrc_exec_t -> initrc_t -> syslog_exec_t -> syslogd_t

You seem to be hanging at initrc_t, so I suspect that your syslog
executable file is mislabeled.

Verify the syslogd init script file and see what it runs when it starts
syslog, then see if that file has a proper label.

> Thanks.
> 
> - Daniel
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
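
Added example (not part of either message): a small shell helper that takes `ls -Z` and `ps -Z` lines like those in the thread and reports which link of the transition chain to inspect next. It assumes the daemon entrypoint type is syslogd_exec_t, as used in the quoted chcon commands; the function names, verdict strings and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find where the init_t -> ... -> syslogd_t chain stalls.

# Print the SELinux type (third field of the context) found in one line
# of `ls -Z` or `ps -Z` output; prints nothing if the line has no context.
ctx_type() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' |
        awk -F: 'NF >= 4 && $3 ~ /_t$/ { print $3; exit }'
}

# diagnose INIT_SCRIPT_LS_LINE DAEMON_LS_LINE DAEMON_PS_LINE
# Prints one verdict naming the link of the chain to look at next.
diagnose() {
    script_t=$(ctx_type "$1")
    exec_t=$(ctx_type "$2")
    proc_t=$(ctx_type "$3")
    if [ -z "$proc_t" ]; then
        echo "no-process-context"          # SELinux disabled or wrong line
    elif [ "$proc_t" = "syslogd_t" ]; then
        echo "ok"                          # transition completed
    elif [ "$script_t" != "initrc_exec_t" ]; then
        echo "relabel-init-script"         # first execve in the chain is off
    elif [ "$exec_t" != "syslogd_exec_t" ]; then
        echo "relabel-daemon-binary"       # stuck in initrc_t, bad entrypoint
    else
        # The inspected file is labeled correctly yet no transition happened:
        # the init script may execute a different file than the one checked.
        echo "check-what-init-script-executes"
    fi
}

# Constructed sample lines. The init script label and the pre-chcon binary
# label (bin_t) are assumptions; the thread does not show them.
INIT_LS='-rwxr-xr-x  root root system_u:object_r:initrc_exec_t:s0 /etc/init.d/syslog-ng'
BIN_BEFORE='-rwxr-xr-x  root root system_u:object_r:bin_t:s0 /opt/syslog-ng/sbin/syslog-ng'
BIN_AFTER='-rwxr-xr-x  root root system_u:object_r:syslogd_exec_t:s0 /opt/syslog-ng/sbin/syslog-ng'
PS_STUCK='user_u:system_r:initrc_t:s0     root      6595  6594  0 14:35 ? 00:00:00 /opt/syslog-ng/sbin/syslog-ng --no-caps'
PS_GOOD='system_u:system_r:syslogd_t:s0  root      6595  6594  0 14:35 ? 00:00:00 /opt/syslog-ng/sbin/syslog-ng --no-caps'

diagnose "$INIT_LS" "$BIN_BEFORE" "$PS_STUCK"
diagnose "$INIT_LS" "$BIN_AFTER"  "$PS_STUCK"
diagnose "$INIT_LS" "$BIN_AFTER"  "$PS_GOOD"
```

On a live system, pass it the `ls -Z` line of each file and the daemon's line from `ps -eZ`. Labels set with chcon are lost on a filesystem relabel unless a matching `semanage fcontext` rule is added and applied with `restorecon`.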
