syslog-ng creates /dev/log in wrong selinux domain causing avc denials
Daniel Neuberger
daniel.neuberger at gmail.com
Tue Mar 19 16:40:53 UTC 2013
On Tue, Mar 19, 2013 at 11:50 AM, Dominick Grift
<dominick.grift at gmail.com> wrote:
> Domain type transitions happen on execve. So you need to make sure that
> both the init script as well as the syslog executable file are labeled
> properly.
>
> It's like this:
>
> init_t -> initrc_exec_t -> initrc_t -> syslog_exec_t -> syslogd_t
>
> You seem to be hanging at initrc_t so I suspect that your syslog
> executable file is mislabeled.
>
> Verify the syslogd init script file and see what it runs when it starts
> syslog, then see if that file has a proper label.

Thanks Dominick. The file run by the syslogd init script has the
proper label, but I realized that the init script itself was labeled
initrc_t instead of syslogd_script_exec_t, but fixing that still didn't
help:

[root at foo ~]$ chcon system_u:object_r:syslogd_script_exec_t:s0 /etc/init.d/syslog-ng
[root at foo ~]$ ls -Z /etc/init.d/syslog-ng /opt/syslog-ng/sbin/syslog-ng
-rwxr-xr-x root root system_u:object_r:syslogd_script_exec_t:s0 /etc/init.d/syslog-ng
-rwxr-xr-x root root system_u:object_r:syslogd_exec_t:s0 /opt/syslog-ng/sbin/syslog-ng
[root at foo ~]$ run_init /etc/init.d/syslog-ng restart
Authenticating foobar.
Password:
Restarting syslog-ng: Stopping syslog-ng: [ OK ]
Starting syslog-ng: [ OK ]
[root at foo ~]$ ps -efZ | grep syslog
user_u:system_r:initrc_t:s0 root 7199 1 0 16:30 ? 00:00:00 supervising syslog-ng
user_u:system_r:initrc_t:s0 root 7200 7199 0 16:30 ? 00:00:00 /opt/syslog-ng/sbin/syslog-ng --no-caps

I agree with your diagnosis, but fixing the labeling doesn't seem to
help. Any other ideas?
Thanks.
- Daniel
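
A check for the situation shown in this message, added as an example and not part of the original thread: it reads `ls -Z` and `ps -efZ` text and reports whether the executable carries the expected file type and whether the running process reached the expected domain. The function names and status strings are assumptions of this example; the sample input is constructed from the listings above.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names and status strings
# are assumptions; sample data is constructed from the quoted listings.

# ctx_type CONTEXT: print the type (third field) of an SELinux context,
# e.g. system_u:object_r:syslogd_exec_t:s0 -> syslogd_exec_t
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# file_type PATH: type of PATH in `ls -Z` text on stdin. The context is
# the field just before the path in both the old layout
# (mode user group context path) and the new one (context path).
file_type() {
    ctx_type "$(awk -v p="$1" '$NF == p { print $(NF-1); exit }')"
}

# proc_domain PATH: domain of the first process in `ps -efZ` text on
# stdin whose command (field 9) is PATH; empty when none matches.
proc_domain() {
    ctx_type "$(awk -v p="$1" '$9 == p { print $1; exit }')"
}

# check_transition PATH FILE_TYPE DOMAIN LS_TEXT PS_TEXT
# Prints ok, not-running, mislabeled-file:<type> or no-transition:<domain>.
check_transition() {
    ft=$(printf '%s\n' "$4" | file_type "$1")
    pd=$(printf '%s\n' "$5" | proc_domain "$1")
    if [ "$ft" != "$2" ]; then echo "mislabeled-file:$ft"
    elif [ -z "$pd" ]; then echo "not-running"
    elif [ "$pd" != "$3" ]; then echo "no-transition:$pd"
    else echo "ok"
    fi
}

# Constructed sample input (joined lines from the listings in the message).
LS_SAMPLE='-rwxr-xr-x root root system_u:object_r:syslogd_exec_t:s0 /opt/syslog-ng/sbin/syslog-ng'
PS_SAMPLE='user_u:system_r:initrc_t:s0 root 7199 1 0 16:30 ? 00:00:00 supervising syslog-ng
user_u:system_r:initrc_t:s0 root 7200 7199 0 16:30 ? 00:00:00 /opt/syslog-ng/sbin/syslog-ng --no-caps'

# The file label is right but the daemon is still in initrc_t.
check_transition /opt/syslog-ng/sbin/syslog-ng syslogd_exec_t syslogd_t \
    "$LS_SAMPLE" "$PS_SAMPLE"
```

On a live system the two text arguments would come from `ls -Z` on the executable and from `ps -efZ`.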