syslog-ng creates /dev/log in wrong selinux domain causing avc denials

Dominick Grift dominick.grift at gmail.com
Tue Mar 19 15:50:49 UTC 2013


On Tue, 2013-03-19 at 11:05 -0400, Daniel Neuberger wrote:

> I think this is because the syslog-ng daemon is running in the wrong
> domain.  It never transitions from the initrc_t domain:
> 
> [root at foo log]$ ps -efZ | grep syslog
> system_u:system_r:initrc_t:s0   root      4912     1  0 16:20 ?
> 00:00:00 supervising syslog-ng
> system_u:system_r:initrc_t:s0   root      4913  4912  0 16:20 ?
> 00:00:00 /opt/syslog-ng/sbin/syslog-ng --no-caps
> 
> The problem - I think - is that we're using a syslog-ng rpm from the
> vendor's website that installs to /opt rather than /usr as the
> targeted policy seems to expect meaning the daemon and everything has
> the wrong file contexts.  I tried fixing this by updating the contexts
> based off the settings in the logging.fc file from the policy src.rpm,
> but that didn't help:
> 
> [root at foo ~]$ chcon system_u:object_r:syslog_conf_t:s0 /opt/syslog-ng/etc/*
> [root at foo ~]$ chcon system_u:object_r:syslogd_exec_t:s0 /opt/syslog-ng/sbin/*
> [root at foo ~]$ chcon system_u:object_r:syslogd_var_lib_t:s0 /opt/syslog-ng/var/syslog-ng.persist
> [root at foo ~]$ chcon system_u:object_r:syslogd_var_lib_t:s0 /opt/syslog-ng/var/run/*
> [root at foo ~]$ run_init /etc/init.d/syslog-ng restart
> Authenticating foobar.
> Password:
> Restarting syslog-ng: Stopping syslog-ng:                  [  OK  ]
> Starting syslog-ng:                                        [  OK  ]
> [root at foo ~]$ ls -Z /dev/log
> srw-rw-rw-  root root user_u:object_r:device_t:s0      /dev/log
> [root at foo ~]$ ps -efZ | grep syslog
> user_u:system_r:initrc_t:s0     root      6594     1  0 14:35 ?
> 00:00:00 supervising syslog-ng
> user_u:system_r:initrc_t:s0     root      6595  6594  0 14:35 ?
> 00:00:00 /opt/syslog-ng/sbin/syslog-ng --no-caps

Domain type transitions happen on execve. So you need to make sure that
both the init script as well as the syslog executable file are labeled
properly.

It's like this:

init_t -> initrc_exec_t -> initrc_t -> syslogd_exec_t -> syslogd_t

You seem to be hanging at initrc_t, so I suspect that your syslog
executable file is mislabeled.

Verify the syslogd init script file and see what it runs when it starts
syslog, then see if that file has a proper label.

> Thanks.
> 
> - Daniel
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
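As an added example (not part of the thread, and not syslog-ng's or the policy's own code), here is a small POSIX shell checker that walks the execve chain Dominick describes against `ls -Z` output and reports the first link where no transition can happen. The /opt/syslog-ng paths are the vendor layout from the thread; the init script path /etc/init.d/syslog-ng, the sample labels, and the RHEL 5/6 style `ls -Z` column layout (mode owner group context path) are assumptions.

```sh
#!/bin/sh
# Added example, not from the original thread. Walks the execve transition chain
#   init_t -> initrc_exec_t -> initrc_t -> syslogd_exec_t -> syslogd_t
# against file labels taken from `ls -Z` lines and reports the first link that
# cannot transition. Assumes the RHEL 5/6 `ls -Z` layout: mode owner group context path.
# The init script path and the sample labels below are assumptions.

# ctx_type "user:role:type:level" -> type
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# lsz_type "<ls -Z line>" -> the file's type (the context is the 4th field)
lsz_type() {
    ctx_type "$(printf '%s\n' "$1" | awk '{ print $4 }')"
}

# walk_chain "<ls -Z line of init script>" "<ls -Z line of daemon binary>"
# Prints the domain the daemon ends up in. Returns 0 only when it reaches
# syslogd_t; otherwise the printed domain is where the chain stalls, which
# tells you which file to relabel.
walk_chain() {
    script_type=$(lsz_type "$1")
    daemon_type=$(lsz_type "$2")
    # init_t executes the init script; without initrc_exec_t there is no
    # transition and the script keeps running as init_t
    if [ "$script_type" != initrc_exec_t ]; then
        echo init_t
        return 1
    fi
    # initrc_t executes the daemon; without syslogd_exec_t it stays in initrc_t,
    # which is what the ps -efZ output in the thread shows
    if [ "$daemon_type" != syslogd_exec_t ]; then
        echo initrc_t
        return 1
    fi
    echo syslogd_t
}

# Constructed sample `ls -Z` lines (not real output from the reporter's host).
SCRIPT_OK='-rwxr-xr-x  root root system_u:object_r:initrc_exec_t:s0 /etc/init.d/syslog-ng'
DAEMON_BAD='-rwxr-xr-x  root root system_u:object_r:bin_t:s0 /opt/syslog-ng/sbin/syslog-ng'
DAEMON_OK='-rwxr-xr-x  root root system_u:object_r:syslogd_exec_t:s0 /opt/syslog-ng/sbin/syslog-ng'

for daemon in "$DAEMON_BAD" "$DAEMON_OK"; do
    if dom=$(walk_chain "$SCRIPT_OK" "$daemon"); then
        echo "chain complete: daemon runs as $dom"
    else
        echo "chain stalls at $dom: relabel the file executed from that domain"
    fi
done

# On a live host, feed real lines and make the fix survive a relabel
# (a plain chcon is overwritten by restorecon or a filesystem relabel):
#   walk_chain "$(ls -Z /etc/init.d/syslog-ng)" "$(ls -Z /opt/syslog-ng/sbin/syslog-ng)"
#   sesearch -T -s initrc_t -t syslogd_exec_t -c process   # confirm the transition rule
#   semanage fcontext -a -t syslogd_exec_t '/opt/syslog-ng/sbin(/.*)?'
#   restorecon -Rv /opt/syslog-ng
```

The checker only reads labels; it does not consult the loaded policy, so the `sesearch` line in the trailing comment is the step that confirms the `initrc_t -> syslogd_exec_t -> syslogd_t` rule actually exists on the host. If the init script starts the daemon through a wrapper, run `walk_chain` with the wrapper's `ls -Z` line as the second argument, since that is the file initrc_t actually executes.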
