syslog-ng creates /dev/log in wrong selinux domain causing avc denials
Daniel J Walsh
dwalsh at redhat.com
Fri Mar 22 15:39:09 UTC 2013
On 03/21/2013 03:54 PM, Daniel Neuberger wrote:
> On 03/19/2013 04:01 PM, Stephen Smalley wrote:
>> We followed the existing convention that nosuid disables security state
>> changes for executables in that filesystem and applied it to SELinux
>> security contexts in addition to the existing restrictions on
>> setuid/setgid executables. If you didn't trust setuid/setgid bits from
>> that filesystem, why would you trust security contexts from it? But in
>> retrospect, it might have been better to have a separate flag for that
>> purpose.
>
> Interesting. I guess I can see both sides. In our case, we have a
> separate requirement to specify nosuid, but now we have to justify not
> doing so in order to keep SELinux working. So it makes sense to me from a
> technical standpoint, but decisions aren't always made that way. So I
> agree that having a separate flag would be useful to allow more
> flexibility. Thanks for the explanation.
>
> One more question. I tried putting my semanage calls to update the file
> contexts in a custom rpm depending on the selinux-policy-targeted rpm. In
> the rpm scriptlet, I first made all the semanage calls and then called
> restorecon on the appropriate paths so that the new file contexts would be
> applied without having to relabel the entire file system. This all works
> except when the rpm is installed by anaconda during a kickstart install.
> In that case, I have to run restorecon again during kspost or manually
> after the install. Any ideas why or suggestions for a better solution?
>
> For those interested, here is a summary of the complete solution to get
> the syslog-ng daemon as installed by the balabit rpms on RHEL 5 working
> with selinux:
>
> * Make sure nosuid is not set on /opt
> * Update file contexts:
>   /usr/sbin/semanage fcontext -a -t syslogd_script_exec_t /etc/init.d/syslog-ng
>   /usr/sbin/semanage fcontext -a -t syslogd_exec_t /opt/syslog-ng/sbin/syslog-ng
>   /usr/sbin/semanage fcontext -a -t var_run_t /opt/syslog-ng/var/run
>   /usr/sbin/semanage fcontext -a -t syslogd_var_lib_t /opt/syslog-ng/var/syslog-ng.persist
>   /usr/sbin/semanage fcontext -a -t syslogd_var_lib_t /opt/syslog-ng/var/run/syslog-ng.pid
>   /usr/sbin/semanage fcontext -a -t syslogd_var_lib_t /opt/syslog-ng/var/run/syslog-ng.ctl
>   /usr/sbin/semanage fcontext -a -t syslog_conf_t /opt/syslog-ng/etc/syslog-ng.conf
You probably want to run all these commands within a transaction.
Something like
semanage -i << _EOF
fcontext -a -t syslogd_script_exec_t /etc/init.d/syslog-ng
fcontext -a -t syslogd_exec_t /opt/syslog-ng/sbin/syslog-ng
...
_EOF
Should make it run a lot faster.
> * Apply changes to file contexts:
>   restorecon -R /opt/syslog-ng/ /etc/init.d/syslog-ng
>
I have no idea why this would fail unless the restorecon is failing for some
reason. I guess I would put selinux-policy-base in a Requires(Post) block to
make sure it is installed.
> * Save local.te:
> --------------------------------
> module sdi_syslog 1.0;
>
> require {
>     type syslogd_t;
>     type var_t;
>     type bin_t;
>     class process getsched;
>     class file { read execute execute_no_trans };
>     class dir write;
> }
>
> #============= syslogd_t ==============
> allow syslogd_t bin_t:file { read execute execute_no_trans };
> allow syslogd_t self:process getsched;
> allow syslogd_t var_t:dir write;
> --------------------------------
>
> * Compile and install our local syslog-ng selinux policy:
>   checkmodule -M -m -o local.mod local.te
>   semodule_package -o local.pp -m local.mod
>   semodule -i local.pp
>
> * If you had to update the mount options on /opt, reboot
> * Otherwise, run:
>   rm -f /dev/log
>   service syslog-ng restart
> * Verify that syslog is running in syslogd_t type domain and that /dev/log is created as type devlog_t
>
> ..
>
> FYI, the local policy is probably too permissive as Stephen mentioned in
> one of the previous posts. Hopefully, I will find time to fix that
> eventually at which point I will try to remember to post an update. Until
> then though, this is the best I've got.
>
> Suggestions are welcomed.
>
> Thanks so much for the help!
>
>
>
>
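Two pieces of this thread lend themselves to a script: Dan's suggestion to commit all the semanage fcontext changes in a single transaction and then relabel only the affected paths, and the final step of checking that syslog-ng runs in syslogd_t and that /dev/log comes up as devlog_t. The script below is an added example, not code from the thread or from Balabit; the paths and types are the ones posted above, the helper names (fcontext_batch, apply_fcontexts, proc_domain, file_type, verify_syslog_labels) are this example's own, and it assumes that `semanage -i -` reads the command stream from standard input as the classic policycoreutils semanage does (newer releases spell this `semanage import -f -`). The ps -eZ and ls -Z lines embedded at the bottom are constructed samples so the verification helpers can be exercised on a host without SELinux.

```shell
#!/bin/sh
# Added example, not code from the thread: batch the semanage calls into
# one transaction, relabel only the touched paths, and verify the result.
# ASSUMPTION: "semanage -i -" reads commands from stdin (classic
# policycoreutils semanage); newer releases use "semanage import -f -".

# One "PATH TYPE" pair per line, copied from the thread's semanage calls.
SYSLOG_NG_FCONTEXTS='
/etc/init.d/syslog-ng                   syslogd_script_exec_t
/opt/syslog-ng/sbin/syslog-ng           syslogd_exec_t
/opt/syslog-ng/var/run                  var_run_t
/opt/syslog-ng/var/syslog-ng.persist    syslogd_var_lib_t
/opt/syslog-ng/var/run/syslog-ng.pid    syslogd_var_lib_t
/opt/syslog-ng/var/run/syslog-ng.ctl    syslogd_var_lib_t
/opt/syslog-ng/etc/syslog-ng.conf       syslog_conf_t
'

# Emit the table as "fcontext -a -t TYPE PATH" lines, i.e. the command
# stream a semanage batch expects.  Pure text processing, runs anywhere.
fcontext_batch() {
    printf '%s\n' "$SYSLOG_NG_FCONTEXTS" |
    awk 'NF == 2 { printf "fcontext -a -t %s %s\n", $2, $1 }'
}

# Commit the whole batch in one policy-store transaction, then restorecon
# just the paths it names (no full-filesystem relabel).  Usable from an
# rpm %post scriptlet; returns non-zero if a step fails.
apply_fcontexts() {
    command -v semanage >/dev/null 2>&1 || { echo "semanage missing" >&2; return 1; }
    selinuxenabled 2>/dev/null || { echo "SELinux disabled, nothing to do" >&2; return 0; }
    fcontext_batch | semanage -i - || return 1
    fcontext_batch | awk '{ print $NF }' | xargs restorecon -R -v
}

# --- verification helpers -------------------------------------------------

# Domain type of the first process named $2 in "ps -eZ" output passed as $1.
# ps -eZ prints the process context (user:role:type:level) in column one.
proc_domain() {
    printf '%s\n' "$1" |
    awk -v cmd="$2" '$NF == cmd { split($1, c, ":"); print c[3]; exit }'
}

# Type of the object context in an "ls -Z" line passed as $1.
file_type() {
    printf '%s\n' "$1" |
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^[a-z_]+:object_r:/) { split($i, c, ":"); print c[3]; exit } }'
}

# True only when syslog-ng runs in syslogd_t AND /dev/log carries devlog_t;
# any other pairing is the mislabelled state that produced the avc denials.
verify_syslog_labels() {
    [ "$(proc_domain "$1" syslog-ng)" = syslogd_t ] &&
    [ "$(file_type "$2")" = devlog_t ]
}

# Constructed sample output: what a correctly labelled host shows.
PS_SAMPLE='LABEL                             PID TTY          TIME CMD
system_u:system_r:syslogd_t:s0   1234 ?        00:00:00 syslog-ng
system_u:system_r:init_t:s0         1 ?        00:00:01 init'
LS_SAMPLE='srw-rw-rw-  root root system_u:object_r:devlog_t:s0 /dev/log'

# Live use on an SELinux host (as root):
#   apply_fcontexts && rm -f /dev/log && service syslog-ng restart
#   verify_syslog_labels "$(ps -eZ)" "$(ls -Z /dev/log)" && echo "labels OK"
```

The relabel step deliberately feeds restorecon only the paths from the batch, which is the same narrow relabel the original scriptlet attempted; if it still leaves /dev/log mislabelled after a kickstart install, comparing `verify_syslog_labels` output before and after a manual `restorecon` run narrows the problem to ordering rather than to the contexts themselves.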