syslog-ng creates /dev/log in wrong selinux domain causing avc denials

Stephen Smalley sds at tycho.nsa.gov
Tue Mar 19 16:41:01 UTC 2013 

On 03/19/2013 11:05 AM, Daniel Neuberger wrote:
> All,
>
> We are getting AVC denials like the following:
>
> audit.log:type=AVC msg=audit(1363623746.304:77): avc:  denied  { write
> } for  pid=7569 comm="audispd" name="log" dev=tmpfs ino=12139
> scontext=system_u:system_r:audisp_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=sock_file
> audit.log:type=AVC msg=audit(1363628993.829:922): avc:  denied  {
> write } for  pid=8402 comm="logger" name="log" dev=tmpfs ino=12139
> scontext=user_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=sock_file
> audit.log:type=AVC msg=audit(1363628997.219:952): avc:  denied  {
> write } for  pid=8808 comm="dhclient" name="log" dev=tmpfs ino=12139
> scontext=user_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=sock_file
> audit.log:type=AVC msg=audit(1363628997.285:955): avc:  denied  {
> write } for  pid=8808 comm="dhclient" name="log" dev=tmpfs ino=12139
> scontext=user_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=sock_file
> ...
> audit.log:type=AVC msg=audit(1363629158.017:1081): avc:  denied  {
> write } for  pid=9213 comm="logger" name="log" dev=tmpfs ino=12139
> scontext=user_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=sock_file
> audit.log:type=AVC msg=audit(1363629420.696:1144): avc:  denied  {
> write } for  pid=4944 comm="ntpd" name="log" dev=tmpfs ino=12139
> scontext=system_u:system_r:ntpd_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=sock_file
> audit.log:type=AVC msg=audit(1363629420.807:1145): avc:  denied  {
> write } for  pid=9700 comm="ntpd" name="log" dev=tmpfs ino=12139
> scontext=user_u:system_r:ntpd_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=sock_file
> audit.log:type=AVC msg=audit(1363634382.869:2143): avc:  denied  {
> write } for  pid=9973 comm="groupadd" name="log" dev=tmpfs ino=32837
> scontext=user_u:system_r:groupadd_t:s0
> tcontext=user_u:object_r:device_t:s0 tclass=sock_file
> ...
>
> The problem seems to be that syslog-ng is creating /dev/log in the wrong domain:
>
> [root at foo ~]$ ls -Z /dev/log
> srw-rw-rw-  root root user_u:object_r:device_t:s0      /dev/log
> [root at foo ~]$ chcon system_u:object_r:devlog_t:s0 /dev/log
> [root at foo ~]$ ls -Z /dev/log
> srw-rw-rw-  root root system_u:object_r:devlog_t:s0    /dev/log
> [root at foo ~]$ run_init /etc/init.d/syslog-ng restart
> Authenticating foobar.
> Password:
> Restarting syslog-ng: Stopping syslog-ng:                  [  OK  ]
> Starting syslog-ng:                                        [  OK  ]
> [root at foo ~]$ ls -Z /dev/log
> srw-rw-rw-  root root user_u:object_r:device_t:s0      /dev/log
>
> I think this is because the syslog-ng daemon is running in the wrong
> domain.  It never transitions from the initrc_t domain:
>
> [root at foo log]$ ps -efZ | grep syslog
> system_u:system_r:initrc_t:s0   root      4912     1  0 16:20 ?
> 00:00:00 supervising syslog-ng
> system_u:system_r:initrc_t:s0   root      4913  4912  0 16:20 ?
> 00:00:00 /opt/syslog-ng/sbin/syslog-ng --no-caps
>
> The problem - I think - is that we're using a syslog-ng rpm from the
> vendor's website that installs to /opt rather than /usr as the
> targeted policy seems to expect meaning the daemon and everything has
> the wrong file contexts.  I tried fixing this by updating the contexts
> based off the settings in the logging.fc file from the policy src.rpm,
> but that didn't help:
>
> [root at foo ~]$ chcon system_u:object_r:syslog_conf_t:s0 /opt/syslog-ng/etc/*
> [root at foo ~]$ chcon system_u:object_r:syslogd_exec_t:s0 /opt/syslog-ng/sbin/*
> [root at foo ~]$ chcon system_u:object_r:syslogd_var_lib_t:s0
> /opt/syslog-ng/var/syslog-ng.persist
> [root at foo ~]$ chcon system_u:object_r:syslogd_var_lib_t:s0
> /opt/syslog-ng/var/run/*
> [root at foo ~]$ run_init /etc/init.d/syslog-ng restart
> Authenticating foobar.
> Password:
> Restarting syslog-ng: Stopping syslog-ng:                  [  OK  ]
> Starting syslog-ng:                                        [  OK  ]
> [root at foo ~]$ ls -Z /dev/log
> srw-rw-rw-  root root user_u:object_r:device_t:s0      /dev/log
> [root at foo ~]$ ps -efZ | grep syslog
> user_u:system_r:initrc_t:s0     root      6594     1  0 14:35 ?
> 00:00:00 supervising syslog-ng
> user_u:system_r:initrc_t:s0     root      6595  6594  0 14:35 ?
> 00:00:00 /opt/syslog-ng/sbin/syslog-ng --no-caps
>
> Restarting after making these changes, didn't help either.  At this
> point, I'm out of ideas for how to properly fix the problem.  I also
> tried relabeling the whole system, then applying the above changes and
> that didn't help.
>
> FYI, we are running a RHEL 5.5 system, but are using the RHEL 5.7
> kernel and selinux rpms including:
>
> libselinux-1.33.4-5.7.el5.i386
> libselinux-1.33.4-5.7.el5.x86_64
> libselinux-python-1.33.4-5.7.el5.x86_64
> libselinux-utils-1.33.4-5.7.el5.x86_64
> selinux-policy-2.4.6-316.el5.noarch
> selinux-policy-targeted-2.4.6-316.el5.noarch
>
> We're using syslog-ng-3.1.4-1.rhel5.x86_64.rpm from the vendor's
> website which installs everything in /opt/syslog-ng rather than the
> normal RHEL locations.
>
> Any pointers would be much appreciated.  I'm assuming I should be able
> to fix this without modifying the policy, but maybe I'm missing
> something.

Is /opt mounted with nosuid flags?  If so, that will suppress the domain 
transition even if the executable is labeled correctly.

Did you confirm that /opt/syslog-ng/sbin/syslog-ng has the right 
security context with an ls -Z after running the chcon command?  Also, 
if you want this to persist across relabels, you will need to use 
semanage fcontext -a to add definitions to the file_contexts 
configuration for these files so that subsequent relabels will not reset 
them each time.

More information about the selinux mailing list