Re: syslog-ng creates /dev/log in wrong selinux domain causing avc denials

On 03/19/2013 12:41 PM, Stephen Smalley wrote:
> Is /opt mounted with nosuid flags?  If so, that will suppress the domain
> transition even if the executable is labeled correctly.

That's it!!! Well mostly... Removing nosuid from /opt and rebooting worked except that syslog-ng isn't starting at all now due to the following denials:
-------------
type=AVC msg=audit(1363713616.722:556): avc: denied { execute_no_trans } for pid=5857 comm="syslog-ng" path="/opt/syslog-ng/libexec/syslog-ng" dev=dm-6 ino=190556 scontext=user_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1363713616.722:556): arch=c000003e syscall=59 success=no exit=-13 a0=400740 a1=7fffe72f8908 a2=1a2e5010 a3=0 items=1 ppid=5849 pid=5857 auid=515 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="syslog-ng" exe="/opt/syslog-ng/sbin/syslog-ng" subj=user_u:system_r:syslogd_t:s0 key=(null)

type=CWD msg=audit(1363713616.722:556): cwd="/"

type=PATH msg=audit(1363713616.722:556): item=0 name="/opt/syslog-ng/libexec/syslog-ng" inode=190556 dev=fd:06 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:syslogd_exec_t:s0
-------------
In plain English from sealert, 'SELinux is preventing syslog-ng (syslogd_t) "execute_no_trans" to /opt/syslog-ng/libexec/syslog-ng (syslogd_exec_t).'

Is system_u:object_r:syslogd_exec_t:s0 the wrong label for /opt/syslog-ng/libexec/syslog-ng? I tried this instead to no avail:

[root@sdi-u-unstable audit]$ chcon system_u:object_r:syslogd_t:s0 /opt/syslog-ng/libexec/syslog-ng
chcon: failed to change context of /opt/syslog-ng/libexec/syslog-ng to system_u:object_r:syslogd_t:s0: Permission denied

At this point, I'm unsure if it's a labeling problem or if I need to add a new rule due to the addition of /opt/syslog-ng/libexec/syslog-ng in the newer versions of syslog-ng.

Thanks for all the help.

- Daniel
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
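An added example, not part of this thread: a small Python triage script that parses AVC records like the ones quoted above (the embedded sample reuses the thread's two records and adds one constructed read denial for contrast) and separates a denial where a domain re-executes a file carrying its own entrypoint type (syslogd_t on syslogd_exec_t, so the label is as expected and the denial is a policy decision) from other denials. The verdict wording, the `<type>_t` to `<type>_exec_t` naming heuristic and the helper names are this example's own assumptions.

```python
import re
from typing import Optional
# Constructed sample: the first two records are the thread's own audit output,
# the third is a read denial constructed here for contrast.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1363713616.722:556): avc: denied { execute_no_trans } for pid=5857 comm="syslog-ng" path="/opt/syslog-ng/libexec/syslog-ng" dev=dm-6 ino=190556 scontext=user_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1363713616.722:556): arch=c000003e syscall=59 success=no exit=-13 comm="syslog-ng" exe="/opt/syslog-ng/sbin/syslog-ng" subj=user_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1363713700.001:557): avc: denied { read } for pid=6001 comm="syslog-ng" path="/var/log/example.log" scontext=user_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)

def parse_avc(line: str) -> Optional[dict]:
    """Return the fields of one AVC line, or None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    path = re.search(r'path="([^"]*)"', line)
    rec["path"] = path.group(1) if path else None
    # A context is user:role:type[:level]; policy rules key on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def verdict(rec: dict) -> str:
    """Say whether a denial points at a mislabeled file or a missing rule."""
    stype, ttype = rec["stype"], rec["ttype"]
    if rec["tclass"] == "file" and "execute_no_trans" in rec["perms"]:
        # The domain ran the file without a domain transition. If the file
        # carries the domain's own entrypoint type (syslogd_t -> syslogd_exec_t,
        # a naming-convention heuristic, not a policy query), the label is the
        # expected one and the denial is a policy decision, not a mislabel.
        if stype.endswith("_t") and ttype == stype[:-2] + "_exec_t":
            return f"policy: {stype} lacks execute_no_trans on its entrypoint type {ttype}"
        return f"label: {rec['path']} is {ttype}, not the conventional entrypoint type of {stype}"
    return f"other: {stype} denied {' '.join(rec['perms'])} on {ttype}:{rec['tclass']}"

def triage(audit_text: str) -> list:
    results = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rec["verdict"] = verdict(rec)
            results.append(rec)
    return results
```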