On 03/19/2013 12:41 PM, Stephen Smalley wrote:
Is /opt mounted with nosuid flags? If so, that will suppress the domain
transition even if the executable is labeled correctly.
That's it!!! Well mostly... Removing nosuid from /opt and rebooting
worked except that syslog-ng isn't starting at all now due to the
following denials:
-------------
type=AVC msg=audit(1363713616.722:556): avc: denied { execute_no_trans
} for pid=5857 comm="syslog-ng" path="/opt/syslog-ng/libexec/syslog-ng"
dev=dm-6 ino=190556 scontext=user_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1363713616.722:556): arch=c000003e syscall=59
success=no exit=-13 a0=400740 a1=7fffe72f8908 a2=1a2e5010 a3=0 items=1
ppid=5849 pid=5857 auid=515 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts1 ses=2 comm="syslog-ng"
exe="/opt/syslog-ng/sbin/syslog-ng" subj=user_u:system_r:syslogd_t:s0
key=(null)
type=CWD msg=audit(1363713616.722:556): cwd="/"
type=PATH msg=audit(1363713616.722:556): item=0
name="/opt/syslog-ng/libexec/syslog-ng" inode=190556 dev=fd:06
mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:syslogd_exec_t:s0
-------------
In plain English from sealert, 'SELinux is preventing syslog-ng
(syslogd_t) "execute_no_trans" to /opt/syslog-ng/libexec/syslog-ng
(syslogd_exec_t).'
Is system_u:object_r:syslogd_exec_t:s0 the wrong label for
/opt/syslog-ng/libexec/syslog-ng? I tried this instead to no avail:
[root@sdi-u-unstable audit]$ chcon system_u:object_r:syslogd_t:s0
/opt/syslog-ng/libexec/syslog-ng
chcon: failed to change context of /opt/syslog-ng/libexec/syslog-ng to
system_u:object_r:syslogd_t:s0: Permission denied
At this point, I'm unsure if it's a labeling problem or if I need to add
a new rule due to the addition of /opt/syslog-ng/libexec/syslog-ng in
the newer versions of syslog-ng.
Thanks for all the help.
- Daniel
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
