I recently installed FC3 on a machine (we had previously been using FC1), so this is my first exposure to selinux. Consequently, we are running the targeted policy in permissive mode. We use syslog-ng (rather than sysklogd) and have updated the syslog-ng.conf to monitor/log/distribute log events on a number of other ports beyond the standard syslog distribution.
Among the things we do in syslog-ng are:
- open non-standard UDP/TCP ports
- open non-standard files
- call non-standard routines
As a complete newbie to selinux, I don't know whether it is easier/simpler/better/(or even how) to modify the syslog policy or the attributes of the executables/files/directories that it touches. I would appreciate some advice and guidance.
AVC log events:
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.142:0): avc: denied { write } for pid=16201 exe=/sbin/syslog-ng name=kmsg dev=proc ino=-268435446 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.145:0): avc: denied { read } for pid=16202 exe=/bin/bash name=mtab dev=dm-0 ino=7146016 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.145:0): avc: denied { getattr } for pid=16202 exe=/bin/bash path=/etc/mtab dev=dm-0 ino=7146016 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.150:0): avc: denied { write } for pid=16202 exe=_executable_1_ name=status dev=dm-0 ino=166481 scontext=system_u:system_r:syslogd_t tcontext=user_u:object_r:usr_t tclass=file
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.150:0): avc: denied { getattr } for pid=16202 exe=_executable_1_ path=_file_1_ dev=dm-0 ino=166481 scontext=system_u:system_r:syslogd_t tcontext=user_u:object_r:usr_t tclass=file
Dec 27 10:47:27 gsi10 kernel: audit(1104162447.513:0): avc: denied { sys_admin } for pid=16201 exe=/sbin/syslog-ng capability=21 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { write } for pid=16201 exe=/sbin/syslog-ng name=log dev=dm-0 ino=166417 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { add_name } for pid=16201 exe=/sbin/syslog-ng name=e27.log scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { create } for pid=16201 exe=/sbin/syslog-ng name=e27.log scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { setattr } for pid=16201 exe=/sbin/syslog-ng name=e27.log dev=dm-0 ino=166450 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { chown } for pid=16201 exe=/sbin/syslog-ng capability=0 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { fowner } for pid=16201 exe=/sbin/syslog-ng capability=3 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { fsetid } for pid=16201 exe=/sbin/syslog-ng capability=4 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { append } for pid=16201 exe=/sbin/syslog-ng path=_file_2_ dev=dm-0 ino=166450 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.318:0): avc: denied { write } for pid=16202 exe=_executable_1_ path=_file_3_ dev=dm-0 ino=166444 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.318:0): avc: denied { getattr } for pid=16202 exe=_executable_1_ path=_file_4_ dev=dm-0 ino=166472 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.318:0): avc: denied { read } for pid=16202 exe=_executable_1_ path=_file_5_ dev=dm-0 ino=166474 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { remove_name } for pid=16202 exe=_executable_1_ name=delete_next dev=dm-0 ino=166474 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { unlink } for pid=16202 exe=_executable_1_ name=delete_next dev=dm-0 ino=166474 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { search } for pid=1633 exe=_executable_1_ name=bin dev=dm-0 ino=1245185 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { read } for pid=1633 exe=_executable_1_ name=sh dev=dm-0 ino=3850242 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=lnk_file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { execute } for pid=1633 exe=_executable_1_ name=bash dev=dm-0 ino=1245248 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:shell_exec_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.320:0): avc: denied { execute_no_trans } for pid=1633 exe=_executable_1_ path=/bin/bash dev=dm-0 ino=1245248 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:shell_exec_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.320:0): avc: denied { read } for pid=1633 exe=_executable_1_ path=/bin/bash dev=dm-0 ino=1245248 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:shell_exec_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.321:0): avc: denied { read } for pid=1633 exe=/bin/bash name=meminfo dev=proc ino=-268435454 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:proc_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.321:0): avc: denied { getattr } for pid=1633 exe=/bin/bash path=/proc/meminfo dev=proc ino=-268435454 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:proc_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.322:0): avc: denied { search } for pid=1633 exe=/bin/bash name=sbin dev=dm-0 ino=7356417 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:sbin_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.322:0): avc: denied { getattr } for pid=1633 exe=/bin/bash path=/bin/bash dev=dm-0 ino=1245248 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:shell_exec_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.323:0): avc: denied { getattr } for pid=1633 exe=/bin/bash path=/bin/rm dev=dm-0 ino=1245243 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.323:0): avc: denied { execute } for pid=1633 exe=/bin/bash name=rm dev=dm-0 ino=1245243 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.323:0): avc: denied { execute_no_trans } for pid=1633 exe=/bin/bash path=/bin/rm dev=dm-0 ino=1245243 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.323:0): avc: denied { read } for pid=1633 exe=/bin/bash path=/bin/rm dev=dm-0 ino=1245243 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=file
Steve Friedman
You could add these lines to syslog.te
can_exec(syslog_t, { bin_t shell_exec_t } )
allow syslogd_t etc_runtime_t:file { getattr read };
allow syslogd_t proc_kmsg_t:file write;
allow syslogd_t proc_t:file { getattr read };
allow syslogd_t sbin_t:dir search;
allow syslogd_t self:capability { chown fowner fsetid sys_admin };
There is some directory in /usr that needs to be relabeled syslogd_var_run_t to eliminate the following
allow syslogd_t usr_t:dir { add_name remove_name write };
allow syslogd_t usr_t:file { append create getattr read setattr unlink write };
On Thu, 2004-12-30 at 22:43 -0500, Daniel J Walsh wrote:
You could add these lines to syslog.te
Will it work to add them to local.te?
can_exec(syslog_t, { bin_t shell_exec_t } )
allow syslogd_t etc_runtime_t:file { getattr read };
allow syslogd_t proc_kmsg_t:file write;
allow syslogd_t proc_t:file { getattr read };
allow syslogd_t sbin_t:dir search;
allow syslogd_t self:capability { chown fowner fsetid sys_admin };
I see these and a few more from using audit2allow. How did you decide which to use? Does can_exec() replace some of the rules? These ones, at least:
allow syslogd_t bin_t:file { execute execute_no_trans getattr read };
allow syslogd_t shell_exec_t:file { execute execute_no_trans getattr read };
There is some directory in /usr that needs to be relabeled syslogd_var_run_t to eliminate the following
allow syslogd_t usr_t:dir { add_name remove_name write };
allow syslogd_t usr_t:file { append create getattr read setattr unlink write };
In other words, relabel the directory in /usr so that these rules are not needed?
thx - Karsten
Karsten Wade wrote:
On Thu, 2004-12-30 at 22:43 -0500, Daniel J Walsh wrote:
You could add these lines to syslog.te
Will it work to add them to local.te?
Yes
can_exec(syslog_t, { bin_t shell_exec_t } )
allow syslogd_t etc_runtime_t:file { getattr read };
allow syslogd_t proc_kmsg_t:file write;
allow syslogd_t proc_t:file { getattr read };
allow syslogd_t sbin_t:dir search;
allow syslogd_t self:capability { chown fowner fsetid sys_admin };
I see these and a few more from using audit2allow. How did you decide which to use? Does can_exec() replace some of the rules? These ones, at least:
allow syslogd_t bin_t:file { execute execute_no_trans getattr read };
allow syslogd_t shell_exec_t:file { execute execute_no_trans getattr read };
Yes. Seeing the execute priv, I realized what it is trying to do. So just adding can_exec is usually better than trying to explicitly give individual privs. Also, sometimes audit2allow will tell you some process wants read privs; invariably it will ask for getattr as soon as I grant read, so we usually give both privs right away.
There is some directory in /usr that needs to be relabeled syslogd_var_run_t to eliminate the following
allow syslogd_t usr_t:dir { add_name remove_name write };
allow syslogd_t usr_t:file { append create getattr read setattr unlink write };
In other words, relabel the directory in /usr so that these rules are not needed?
Yes. Not knowing which directory this is, but say there is a /usr/syslog directory, relabel it via chcon
chcon -R -t syslogd_var_run_t /usr/syslog
You would also want to add an entry under file contexts for
/usr/syslog(/.*)? system_u:object_r:syslogd_var_run_t
in either policy/file_contexts/program/syslog.fc or policy/file_contexts/misc/misc.fc
thx - Karsten
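The following is an added example, not code from the thread and not Fedora's audit2allow. It parses a handful of the AVC denials posted at the top of the thread (copied into the script as a constructed sample), groups them per source domain, target type and class the way audit2allow does, and then applies the two rules of thumb from the reply above: execute denials on bin_t or shell_exec_t files collapse into one can_exec() call, and a granted read always gets getattr with it. Denials against usr_t are not turned into allow rules at all; they are reported as relabel candidates, and make_relabel() emits the chcon command and file_contexts entry for the hypothetical /usr/syslog directory used in the reply. The script has no knowledge of what the base policy already permits, so it can emit rules that are already covered (the bin_t:dir search it produces is one the hand-written list omits); prune by hand.

```python
"""Added example: a minimal audit2allow-style pass with the reply's heuristics."""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=\S+:(?P<sdom>\w+)\s+tcontext=\S+:(?P<ttype>\w+)\s+tclass=(?P<tclass>\w+)"
)
EXEC_TYPES = {"bin_t", "shell_exec_t"}          # execute denials become can_exec()
EXEC_PERMS = {"execute", "execute_no_trans", "read", "getattr"}

# Constructed sample: a subset of the denials posted at the top of the thread.
SAMPLE_AVC = """\
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.142:0): avc: denied { write } for pid=16201 exe=/sbin/syslog-ng name=kmsg dev=proc ino=-268435446 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.145:0): avc: denied { read } for pid=16202 exe=/bin/bash name=mtab dev=dm-0 ino=7146016 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Dec 27 10:47:27 gsi10 kernel: audit(1104162447.513:0): avc: denied { sys_admin } for pid=16201 exe=/sbin/syslog-ng capability=21 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { write } for pid=16201 exe=/sbin/syslog-ng name=log dev=dm-0 ino=166417 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { add_name } for pid=16201 exe=/sbin/syslog-ng name=e27.log scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { create } for pid=16201 exe=/sbin/syslog-ng name=e27.log scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { chown } for pid=16201 exe=/sbin/syslog-ng capability=0 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { fowner } for pid=16201 exe=/sbin/syslog-ng capability=3 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { fsetid } for pid=16201 exe=/sbin/syslog-ng capability=4 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { search } for pid=1633 exe=_executable_1_ name=bin dev=dm-0 ino=1245185 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { execute } for pid=1633 exe=_executable_1_ name=bash dev=dm-0 ino=1245248 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:shell_exec_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.320:0): avc: denied { execute_no_trans } for pid=1633 exe=_executable_1_ path=/bin/bash dev=dm-0 ino=1245248 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:shell_exec_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.321:0): avc: denied { read } for pid=1633 exe=/bin/bash name=meminfo dev=proc ino=-268435454 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:proc_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.322:0): avc: denied { search } for pid=1633 exe=/bin/bash name=sbin dev=dm-0 ino=7356417 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:sbin_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.323:0): avc: denied { execute } for pid=1633 exe=/bin/bash name=rm dev=dm-0 ino=1245243 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=file
"""


def parse_denials(text):
    """Return {(sdom, ttype, tclass): set(perms)} for every AVC line in text."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        sdom, ttype, tclass = m.group("sdom", "ttype", "tclass")
        if tclass == "capability" and ttype == sdom:
            ttype = "self"            # policy spelling: allow dom self:capability ...
        rules[(sdom, ttype, tclass)] |= set(m.group("perms").split())
    return dict(rules)


def fmt_perms(perms):
    return next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"


def generate_te(rules, relabel_types=("usr_t",)):
    """Return (policy lines, relabel candidates).  Rules the base policy already
    grants are not recognised here; prune by hand as the reply above does."""
    allow, exec_types, relabel = [], defaultdict(set), defaultdict(dict)
    for (sdom, ttype, tclass), perms in sorted(rules.items()):
        perms = set(perms)
        if ttype in relabel_types:            # fix the label, not the policy
            relabel[ttype][tclass] = sorted(perms)
            continue
        if tclass == "file" and ttype in EXEC_TYPES and "execute" in perms:
            exec_types[sdom].add(ttype)       # can_exec() covers these four perms
            perms -= EXEC_PERMS
            if not perms:
                continue
        if "read" in perms:                   # read alone just comes back asking for getattr
            perms.add("getattr")
        allow.append(f"allow {sdom} {ttype}:{tclass} {fmt_perms(perms)};")
    macros = [f"can_exec({sdom}, {{ {' '.join(sorted(types))} }})"
              for sdom, types in sorted(exec_types.items())]
    return macros + allow, dict(relabel)


def make_relabel(directory, new_type):
    """chcon for the live filesystem plus the file_contexts line that keeps the
    label across a relabel.  Only '.' is escaped; assumes no other regex chars."""
    pattern = directory.rstrip("/").replace(".", r"\.") + "(/.*)?"
    return (f"chcon -R -t {new_type} {directory}",
            f"{pattern}\tsystem_u:object_r:{new_type}")


if __name__ == "__main__":
    te, relabel = generate_te(parse_denials(SAMPLE_AVC))
    print("\n".join(te))
    for ttype, classes in relabel.items():
        print(f"# relabel the target instead of allowing {ttype}: {classes}")
    # /usr/syslog is the hypothetical directory from the reply above.
    print("\n".join(make_relabel("/usr/syslog", "syslogd_var_run_t")))
```

Run against the sample, the output is the can_exec() line, the five allow rules from the reply (with getattr added to the etc_runtime_t and proc_t reads), plus a bin_t:dir search the hand-pruned list left out; the usr_t writes come back as a relabel note followed by the chcon command and the file_contexts line to drop into syslog.fc or misc.fc.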
On Friday 31 December 2004 03:03, Steve Friedman steve@adsi-m4.com wrote:
I recently installed FC3 on a machine (we had previously been using FC1), so this is my first exposure to selinux. Consequently, we are running the targeted policy in permissive mode. We use syslog-ng (rather than sysklogd) and have updated the syslog-ng.conf to monitor/log/distribute log events on a number of other ports beyond the standard syslog distribution.
Among the things we do in syslog-ng are:
- open non-standard UDP/TCP ports
- open non-standard files
- call non-standard routines
As a complete newbie to selinux, I don't know whether it is easier/simpler/better/(or even how) to modify the syslog policy or the attributes of the executables/files/directories that it touches. I would appreciate some advice and guidance.
AVC log events:
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.142:0): avc: denied { write } for pid=16201 exe=/sbin/syslog-ng name=kmsg dev=proc ino=-268435446 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file Dec 27 04:02:17 gsi10
If you remove klogd.te from the policy source then that access will be allowed. I guess we could just assume that syslog-ng is being used if there is no klogd.te and put the necessary rules for TCP access in the same section.
selinux@lists.fedoraproject.org