[refpolicy] Debian: logrotate_t needs to execute syslogd (test -x syslogd)

Václav Ovsík vaclav.ovsik at i.cz
Mon Sep 1 10:41:27 CDT 2008


On Fri, Aug 29, 2008 at 10:49:06AM -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Wed, 2008-08-27 at 18:30 +0200, Václav Ovsík wrote:
> >> Hi,
> >> while running cron.daily script /etc/cron.daily/sysklogd following
> >> denials appeared:
> >>
> >> Aug 27 13:13:50 sid kernel: [  554.238311] type=1400
> >> audit(1219835630.106:5): avc:  denied  { execute } for  pid=5273
> >> comm="sysklogd" name="syslogd" dev=hda2 ino=28
> >> scontext=unconfined_u:system_r:logrotate_t:s0
> >> tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file
> >> Aug 27 13:13:50 sid kernel: [  554.243321] type=1300
> >> audit(1219835630.106:5): arch=40000003 syscall=33 success=no exit=-13
> >> a0=9d1c0a8 a1=1 a2=b7ef7ff4 a3=0 items=0 ppid=5161 pid=5273
> >> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> >> fsgid=0 tty=(none) ses=4294967295 comm="sysklogd" exe="/bin/bash"
> >> subj=unconfined_u:system_r:logrotate_t:s0 key=(null)
> >>
> >> This is caused by line:
> >>
> >>     test -x /sbin/syslogd || exit 0
> >>
> > 
> >> @@ -133,6 +133,9 @@
> >>  
> >>         # for syslogd-listfiles
> >>         logging_read_syslog_config(logrotate_t)
> >> +
> >> +        # for "test -x /sbin/syslogd"
> >> +       logging_domtrans_syslog(logrotate_t)
> >>  ')
> >>  
> >>  optional_policy(`
> > 
> > No.  Based on the above, this is too much access.  Logging needs an
> > interface like corecmd_check_exec_shell(), but for syslogd_exec_t.
> > 
> logrotate regularly restarts services and sends services signals.
> 
> service abc reload
> service abc restart
> 
> So to work without any avc's you really need to allow logrotate to
> transition to initrc_t.  Which is why in Fedora policy we have
> 
> # cjp: why is this needed?
> init_domtrans_script(logrotate_t)


This is even in upstream refpolicy and restarting really works on Debian.
The restart is done at the end of the script /etc/cron.daily/sysklogd by running:

...
  # Restart syslogd
  #
  /etc/init.d/sysklogd reload-or-restart > /dev/null

So through initrc_t like in Fedora.

The problem is the sanity checks at the start of the script. These contain
"test -x /sbin/syslogd". The script exits if this test fails (SE Linux
Enforced mode).



On Fri, Aug 29, 2008 at 10:38:10AM -0400, Christopher J. PeBenito wrote:
...

> No.  Based on the above, this is too much access.  Logging needs an
> interface like corecmd_check_exec_shell(), but for syslogd_exec_t.
> 
> -- 
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150

Thank you for the great example. A new patch based on it is attached. It
can be applied to current HEAD of refpolicy.

Regards
-- 
Zito
-------------- next part --------------
Index: selinux-policy-src/policy/modules/admin/logrotate.te
===================================================================
--- selinux-policy-src.orig/policy/modules/admin/logrotate.te	2008-08-27 17:27:48.000000000 +0200
+++ selinux-policy-src/policy/modules/admin/logrotate.te	2008-09-01 17:11:30.000000000 +0200
@@ -137,6 +137,9 @@
 
 	# for syslogd-listfiles
 	logging_read_syslog_config(logrotate_t)
+
+        # for "test -x /sbin/syslogd"
+	logging_check_exec_syslog(logrotate_t)
 ')
 
 optional_policy(`
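
Review bot: The added comment line `# for "test -x /sbin/syslogd"` in logrotate.te is indented with eight spaces, while the `logging_check_exec_syslog(logrotate_t)` line below it and the surrounding context lines use a tab. Please indent the comment with a tab so the block stays consistent. Naming the script that performs the check (/etc/cron.daily/sysklogd) in the comment would also make the reason for the access clear to later readers.
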
Index: selinux-policy-src/policy/modules/system/logging.if
===================================================================
--- selinux-policy-src.orig/policy/modules/system/logging.if	2008-09-01 17:06:01.000000000 +0200
+++ selinux-policy-src/policy/modules/system/logging.if	2008-09-01 17:23:09.000000000 +0200
@@ -283,6 +283,26 @@
 
 ########################################
 ## <summary>
+##	Check if syslogd is executable (DAC-wise).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_check_exec_syslog',`
+	gen_require(`
+		syslogd_exec_t;
+	')
+
+	corecmd_list_bin($1)
+	corecmd_read_bin_symlinks($1)
+	allow $1 syslogd_exec_t:file execute;
+')
+
+########################################
+## <summary>
 ##	Execute syslogd in the syslog domain.
 ## </summary>
 ## <param name="domain">
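
Review bot: In the gen_require block of logging_check_exec_syslog, `syslogd_exec_t;` is missing the `type` keyword. It should read `type syslogd_exec_t;`, otherwise the require statement will not parse. The summary also says "DAC-wise", but what the interface grants is the SELinux `execute` permission on syslogd_exec_t files, with no transition. Wording such as "Check whether syslogd is executable" would describe it more accurately.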