syslog-ng creates /dev/log in wrong selinux domain causing avc denials
Daniel Neuberger
daniel.neuberger at gmail.com
Tue Mar 19 19:39:26 UTC 2013
On 03/19/2013 02:00 PM, Stephen Smalley wrote:
>> Normally you would only label the entrypoint executable for syslogd
>> (i.e. the executable invoked to launch syslogd) with syslogd_exec_t, not
>> helper programs internally called by it. Anything else would get
>> labeled with a different type, which could just be bin_t for libexec
>> files. But you may also need to add an allow rule via local policy
>> module to allow this if it is new behavior for syslog-ng.
>
> Also, what you tried to do (in labeling the libexec file with syslogd_t)
> isn't desirable because it conflates a domain type (syslogd_t) used for
> processes with a file type (e.g. syslogd_exec_t, bin_t, ...). The only
> case where a domain type should appear on a "file" is for the /proc/pid
> entries associated with a process in that domain. It shouldn't be used
> on regular files.
Thanks! Using your advice, I was able to get it working by adding the
below to the policy:
----------------------------
require {
type syslogd_t;
type var_t;
type bin_t;
class process getsched;
class file { read execute execute_no_trans };
class dir write;
}
#============= syslogd_t ==============
allow syslogd_t bin_t:file { read execute execute_no_trans };
allow syslogd_t self:process getsched;
allow syslogd_t var_t:dir write;
----------------------------
Any recommendations on whether that seems like the right solution? I'm
new to writing policy, but it seems too permissive to me. Anyone have a
reference that would help me to recognize the difference between a good
policy and something that just allows whatever to make it work?
Also, why does nosuid suppress domain transitions? I couldn't find any
details on Google or in the RHEL docs.
Thanks again for all the help.
More information about the selinux
mailing list