[refpolicy] Debian: logrotate_t needs to execute syslogd (test -x syslogd)
Daniel J Walsh
dwalsh at redhat.com
Fri Aug 29 09:49:06 CDT 2008
Christopher J. PeBenito wrote:
> On Wed, 2008-08-27 at 18:30 +0200, Václav Ovsík wrote:
>> Hi,
>> while running the cron.daily script /etc/cron.daily/sysklogd, the
>> following denials appeared:
>>
>> Aug 27 13:13:50 sid kernel: [ 554.238311] type=1400
>> audit(1219835630.106:5): avc: denied { execute } for pid=5273
>> comm="sysklogd" name="syslogd" dev=hda2 ino=28
>> scontext=unconfined_u:system_r:logrotate_t:s0
>> tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file
>> Aug 27 13:13:50 sid kernel: [ 554.243321] type=1300
>> audit(1219835630.106:5): arch=40000003 syscall=33 success=no exit=-13
>> a0=9d1c0a8 a1=1 a2=b7ef7ff4 a3=0 items=0 ppid=5161 pid=5273
>> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> fsgid=0 tty=(none) ses=4294967295 comm="sysklogd" exe="/bin/bash"
>> subj=unconfined_u:system_r:logrotate_t:s0 key=(null)
>>
>> This is caused by the line:
>>
>> test -x /sbin/syslogd || exit 0
>>
>
>> @@ -133,6 +133,9 @@
>>
>> # for syslogd-listfiles
>> logging_read_syslog_config(logrotate_t)
>> +
>> + # for "test -x /sbin/syslogd"
>> + logging_domtrans_syslog(logrotate_t)
>> ')
>>
>> optional_policy(`
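Review bot: logging_domtrans_syslog(logrotate_t) in this hunk grants far more than the denial calls for. The quoted AVC is a single `execute` check on syslogd_exec_t raised by `test -x /sbin/syslogd` running in /bin/bash (syscall 33 on this i386 box is access(2)), not an attempt to actually run syslogd, so a domain transition into the syslog domain is never exercised and should not be opened up. A narrower interface in logging.if patterned after corecmd_check_exec_shell(), allowing only `{ getattr execute }` on syslogd_exec_t with no transition, would silence the denial while keeping logrotate_t out of syslogd_t; the `# for "test -x /sbin/syslogd"` comment is worth keeping on whichever call replaces this one.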
>
> No. Based on the above, this is too much access. Logging needs an
> interface like corecmd_check_exec_shell(), but for syslogd_exec_t.
>
logrotate regularly restarts services and sends services signals:

    service abc reload
    service abc restart

So to work without any AVCs you really need to allow logrotate to
transition to initrc_t, which is why in Fedora policy we have:

    # cjp: why is this needed?
    init_domtrans_script(logrotate_t)
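As an added illustration of the narrower interface PeBenito asks for above, here is what a check-only interface for syslogd_exec_t would look like in refpolicy's interface syntax, followed by its use from logrotate.te in place of logging_domtrans_syslog(). This is example policy written for this page, not code from the thread, from refpolicy or from the Fedora policy; the interface name logging_check_exec_syslog is an assumption (the thread names no such interface), and the permission set mirrors what corecmd_check_exec_shell() grants on shell_exec_t.

```m4
# --- policy/modules/system/logging.if (added example, not the project's code) ---
#
## <summary>
##	Check whether the system log daemon binary is executable
##	(as "test -x /sbin/syslogd" does via access(2)/stat(2)),
##	without allowing the caller to run it or to transition
##	into the syslogd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_check_exec_syslog',`
	gen_require(`
		type syslogd_exec_t;
	')

	# getattr satisfies stat(2); execute satisfies access(2) with X_OK.
	# No entrypoint or type_transition rule is granted, so the caller
	# still cannot execute syslogd or enter syslogd_t: this is strictly
	# narrower than logging_domtrans_syslog().
	allow $1 syslogd_exec_t:file { getattr execute };
')

# --- policy/modules/admin/logrotate.te (added example) ---
#
# Alongside the existing logging_read_syslog_config(logrotate_t) call,
# instead of the logging_domtrans_syslog(logrotate_t) line from the patch:
#
#	# for "test -x /sbin/syslogd"
#	logging_check_exec_syslog(logrotate_t)
```

After rebuilding and loading the module, the effect can be confirmed from the compiled policy with `sesearch -A -s logrotate_t -t syslogd_exec_t -c file`, which should list only `getattr execute` (no `entrypoint`, and no type_transition rule from `sesearch -T -s logrotate_t -t syslogd_exec_t`). Re-running /etc/cron.daily/sysklogd should then produce no AVC for the `test -x` line, while a genuine attempt by logrotate_t to run /sbin/syslogd is still denied and still audited.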