Re: syslog-ng creates /dev/log in wrong selinux domain causing avc denials

On 03/19/2013 01:57 PM, Stephen Smalley wrote:
On 03/19/2013 01:42 PM, Daniel Neuberger wrote:
On 03/19/2013 12:41 PM, Stephen Smalley wrote:
Is /opt mounted with nosuid flags?  If so, that will suppress the domain
transition even if the executable is labeled correctly.

That's it!!!  Well mostly...  Removing nosuid from /opt and rebooting
worked except that syslog-ng isn't starting at all now due to the
following denials:
-------------
type=AVC msg=audit(1363713616.722:556): avc:  denied  { execute_no_trans
} for  pid=5857 comm="syslog-ng" path="/opt/syslog-ng/libexec/syslog-ng"
dev=dm-6 ino=190556 scontext=user_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1363713616.722:556): arch=c000003e syscall=59
success=no exit=-13 a0=400740 a1=7fffe72f8908 a2=1a2e5010 a3=0 items=1
ppid=5849 pid=5857 auid=515 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts1 ses=2 comm="syslog-ng"
exe="/opt/syslog-ng/sbin/syslog-ng" subj=user_u:system_r:syslogd_t:s0
key=(null)

type=CWD msg=audit(1363713616.722:556): cwd="/"

type=PATH msg=audit(1363713616.722:556): item=0
name="/opt/syslog-ng/libexec/syslog-ng" inode=190556 dev=fd:06
mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:syslogd_exec_t:s0
-------------
In plain English from sealert, 'SELinux is preventing syslog-ng
(syslogd_t) "execute_no_trans" to /opt/syslog-ng/libexec/syslog-ng
(syslogd_exec_t).'

Is system_u:object_r:syslogd_exec_t:s0 the wrong label for
/opt/syslog-ng/libexec/syslog-ng?  I tried this instead to no avail:

[root@sdi-u-unstable audit]$ chcon system_u:object_r:syslogd_t:s0
/opt/syslog-ng/libexec/syslog-ng
chcon: failed to change context of /opt/syslog-ng/libexec/syslog-ng to
system_u:object_r:syslogd_t:s0: Permission denied

At this point, I'm unsure if it's a labeling problem or if I need to add
a new rule due to the addition of /opt/syslog-ng/libexec/syslog-ng in
the newer versions of syslog-ng.

Normally you would only label the entrypoint executable for syslogd
(i.e. the executable invoked to launch syslogd) with syslogd_exec_t, not
helper programs internally called by it.  Anything else would get
labeled with a different type, which could just be bin_t for libexec
files.  But you may also need to add an allow rule via local policy
module to allow this if it is new behavior for syslog-ng.

Also, what you tried to do (in labeling the libexec file with syslogd_t) isn't desirable because it conflates a domain type (syslogd_t) used for processes with a file type (e.g. syslogd_exec_t, bin_t, ...). The only case where a domain type should appear on a "file" is for the /proc/pid entries associated with a process in that domain. It shouldn't be used on regular files.


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
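As an added example (not code from this thread, nor from the syslog-ng or SELinux projects): a small POSIX shell script that applies the two checks Stephen describes to a denial record. It parses a constructed copy of the AVC line from this thread, first asks whether the filesystem holding the executable is mounted nosuid (which suppresses the domain transition no matter how the file is labeled), and only when that is ruled out treats an execute_no_trans denial as a policy or labeling problem and prints a local policy module (.te) that would allow it. The /proc/mounts line, its device name, and the module name are constructed; taking the mountpoint to be the first path component is a simplification (on a real host use findmnt -T "$path").

```shell
#!/bin/sh
# Constructed sample input: the AVC record from the thread, joined onto one line.
AVC_LINE='type=AVC msg=audit(1363713616.722:556): avc:  denied  { execute_no_trans } for  pid=5857 comm="syslog-ng" path="/opt/syslog-ng/libexec/syslog-ng" dev=dm-6 ino=190556 scontext=user_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file'

# Constructed /proc/mounts line for /opt (device name is hypothetical); nosuid is set,
# which is the situation before the fix described in the thread.
MOUNTS_LINE='/dev/mapper/vg-opt /opt ext4 rw,nosuid,relatime 0 0'

# avc_field LINE KEY: print the value of KEY=... from an audit record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# avc_permission LINE: print the denied permission inside "{ ... }".
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*{[[:space:]]*\([^}]*[^[:space:]]\)[[:space:]]*}.*/\1/p'
}

# context_type CONTEXT: the type field (third component) of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# mount_has_nosuid MOUNTS_LINE MOUNTPOINT: yes/no/unknown.
mount_has_nosuid() {
    mp=$2
    set -- $1
    [ "$2" = "$mp" ] || { echo unknown; return; }
    case ",$4," in
        *,nosuid,*) echo yes ;;
        *)          echo no ;;
    esac
}

# diagnose AVC_LINE MOUNTS_LINE: nosuid takes priority, because a suppressed
# transition turns an execve into execute_no_trans by the caller's own domain.
diagnose() {
    avc=$1; mounts=$2
    perm=$(avc_permission "$avc")
    src=$(context_type "$(avc_field "$avc" scontext)")
    tgt=$(context_type "$(avc_field "$avc" tcontext)")
    path=$(avc_field "$avc" path)
    mp=/$(printf '%s\n' "$path" | cut -d/ -f2)   # simplification: first path component
    if [ "$(mount_has_nosuid "$mounts" "$mp")" = yes ]; then
        echo "nosuid:$mp"
    elif [ "$perm" = execute_no_trans ]; then
        echo "policy:$src:$tgt"
    else
        echo "other:$perm"
    fi
}

# policy_module_te DOMAIN FILETYPE PERM: print a minimal local policy module.
policy_module_te() {
    printf 'module local_%s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass file %s;\n}\n\nallow %s %s:file %s;\n' \
        "$1" "$1" "$2" "$3" "$1" "$2" "$3"
}

# Usage: run the diagnosis on the constructed input and, if it is a policy
# problem rather than a nosuid mount, show the allow rule that would cover it.
result=$(diagnose "$AVC_LINE" "$MOUNTS_LINE")
echo "diagnosis: $result"
case "$result" in
    policy:*)
        policy_module_te "$(printf '%s\n' "$result" | cut -d: -f2)" \
                         "$(printf '%s\n' "$result" | cut -d: -f3)" execute_no_trans
        ;;
esac
```

With the nosuid option present the script reports nosuid:/opt, which is the first thing to fix; with it removed the same denial is reported as policy:syslogd_t:syslogd_exec_t and the printed module can be built and loaded with checkmodule -M -m -o local_syslogd_t.mod local_syslogd_t.te, semodule_package -o local_syslogd_t.pp -m local_syslogd_t.mod, and semodule -i local_syslogd_t.pp. As the reply above points out, the cleaner fix is to stop labeling the libexec helper as the entrypoint type at all, e.g. semanage fcontext -a -t bin_t '/opt/syslog-ng/libexec(/.*)?' followed by restorecon -Rv /opt/syslog-ng/libexec, and never to put a domain type such as syslogd_t on a regular file.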
