5

So I've got three files I need rsyslog to open in order to forward the entries to another server. SELinux is preventing this with the following error:

    type=AVC msg=audit(1371186588.768:1324460): avc: denied { open } for pid=3714 comm="rsyslogd" name="named.debug.log" dev=dm-0 ino=1180551 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:named_cache_t:s0 tclass=file
    type=SYSCALL msg=audit(1371186588.768:1324460): arch=c000003e syscall=2 success=no exit=-13 a0=7fb254001b30 a1=80100 a2=180 a3=2e67756265642e64 items=0 ppid=1 pid=3714 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7926 comm="rsyslogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)

Running this through audit2allow, I get the following:

    module rsysloglocal 1.0;

    require {
        type named_cache_t;
        type syslogd_t;
        class file { read write };
    }

    #============= syslogd_t ==============
    allow syslogd_t named_cache_t:file { read write };

Unfortunately, this doesn't work. I'm still getting the message above from SELinux.

The files I need to watch with rsyslog are in /var/named/data/log/, which is why SELinux is referencing the named_cache_t thing (I think).

Any thoughts?

Edit: semodule -l output:


Edit 2: I've also tried this using only read permissions (allow syslogd_t named_cache_t:file read;) rather than read / write. No dice.

  • Can you update the question with the output of semodule -l? Commented Jun 14, 2013 at 14:04
  • Done. It looks like the rsysloglocal module that I created is loaded. Commented Jun 14, 2013 at 14:49
  • Sorry, I just came back to this. On your second edit: yeah you can't really give write-only access to a file since from an Access Control point of view a write is a subset of read (since applications rarely just blindly write to a file except with O_APPEND) so you'll need both. Is this a server that can be rebooted? It's really weird that the policy module is loaded but it's still denying it. All I can think of right now is that the AVC cache may have stale data. Commented Jun 14, 2013 at 17:11
  • @JoelDavis: Any sources for that? In my opinion, applications very often create new files which they open for writing only. And the append case you're talking about is also notable. I would say that opening for both reading and writing is less common. Commented Jul 1, 2014 at 7:27
  • @MikeH: Most selinux issues are resolved by changing the security labels of the respective files, not by adding new rules for random security labels unrelated to what you are doing. Commented Jul 1, 2014 at 7:30

3 Answers

0

Create a type enforcement file rsysloglocal.te:

    mkdir -p /opt/selinux/rsyslog
    cd /opt/selinux/rsyslog
    vi rsysloglocal.te

with the following content:

    module rsysloglocal 1.0;

    require {
        type syslogd_t;
        type auditd_log_t;
        class dir { getattr open read search };
        class file { getattr open read ioctl };
    }

    #============= syslogd_t ==============
    #!!!! This avc is allowed in the current policy
    allow syslogd_t auditd_log_t:dir { getattr search open read };
    allow syslogd_t auditd_log_t:file { getattr open read ioctl };

Then, run commands:

    checkmodule -M -m -o rsysloglocal.mod rsysloglocal.te
    semodule_package -o rsysloglocal.pp -m rsysloglocal.mod
    semodule -i rsysloglocal.pp
    service auditd restart
    service rsyslog restart
    service rsyslog status

and

    tail -F /var/log/audit/audit.log

It should be without errors now.

0

Maybe setsebool logging_syslogd_list_non_security_dirs true is sufficient.

    # grep avc /var/log/audit/audit.log | audit2allow -M custom
    ******************** IMPORTANT ***********************
    To make this policy package active, execute:

    semodule -i custom.pp

    # cat custom.te

    module custom 1.0;

    require {
        type unlabeled_t;
        type syslogd_t;
        class dir read;
    }

    #============= syslogd_t ==============
    #!!!! This avc can be allowed using the boolean 'logging_syslogd_list_non_security_dirs'
    allow syslogd_t unlabeled_t:dir read;

-1

So I finally got the SELinux errors to go away.

I ended up having to allow the following attributes:

    allow syslogd_t named_cache_t:file { read ioctl open getattr };

I found this out by just stringing together a bunch of audit2allow procedures to come up with the final module. I renamed the module rsysloglocal.te. I had to manually compile it by doing the following:

    checkmodule -M -m -o rsysloglocal.mod rsysloglocal.te
    semodule_package -o rsysloglocal.pp -m rsysloglocal.mod
    semodule -i rsysloglocal.pp
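As an added illustration (not code from the question or from any of the answers), the script below parses AVC records and `allow` rules and reports which denied permissions a module fails to grant. Run against the asker's module it shows that `{ read write }` never covered the denied `open`, while the rule from this answer does; the audit excerpt and the second (getattr) record are constructed sample data.

```python
import re

# Constructed audit.log excerpt. Record 1 is the AVC from the question (trimmed
# after tclass); record 2 is a constructed getattr denial for the same file.
AUDIT_LOG = """\
type=AVC msg=audit(1371186588.768:1324460): avc: denied { open } for pid=3714 comm="rsyslogd" name="named.debug.log" dev=dm-0 ino=1180551 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:named_cache_t:s0 tclass=file
type=AVC msg=audit(1371186588.770:1324461): avc: denied { getattr } for pid=3714 comm="rsyslogd" name="named.debug.log" dev=dm-0 ino=1180551 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:named_cache_t:s0 tclass=file
"""

# The asker's module: it grants read/write, but the kernel denied open.
TE_ORIGINAL = """\
module rsysloglocal 1.0;
require { type named_cache_t; type syslogd_t; class file { read write }; }
#!!!! comment lines like this one must be ignored by the parser
allow syslogd_t named_cache_t:file { read write };
"""

# The rule from the final answer, which covers every denied permission.
TE_FIXED = "allow syslogd_t named_cache_t:file { read ioctl open getattr };"

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<cls>\w+)")

ALLOW_RE = re.compile(
    r"allow\s+(?P<src>\w+)\s+(?P<tgt>\w+):(?P<cls>\w+)\s+"
    r"(?:\{\s*(?P<many>[^}]*?)\s*\}|(?P<one>\w+))\s*;")

def parse_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = {}
    for m in AVC_RE.finditer(log_text):
        # A context is user:role:type:level; policy rules are written on the type.
        key = (m["sctx"].split(":")[2], m["tctx"].split(":")[2], m["cls"])
        denials.setdefault(key, set()).update(m["perms"].split())
    return denials

def parse_allow_rules(te_text):
    """Map (source, target, class) -> set of permissions granted by allow rules."""
    rules = {}
    for m in ALLOW_RE.finditer(re.sub(r"#.*", "", te_text)):  # drop comments
        perms = m["many"].split() if m["many"] is not None else [m["one"]]
        rules.setdefault((m["src"], m["tgt"], m["cls"]), set()).update(perms)
    return rules

def uncovered_permissions(denials, rules):
    """Denied permissions the module does not grant; an empty dict means covered."""
    missing = {k: p - rules.get(k, set()) for k, p in denials.items()}
    return {k: p for k, p in missing.items() if p}
```

Feeding it the live `audit.log` and the candidate `.te` before running `semodule -i` tells you up front whether the module can possibly silence the denials you are seeing.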
