Hi,
While running the cron.daily script /etc/cron.daily/sysklogd, the following
denials appeared:
Aug 27 13:13:50 sid kernel: [ 554.238311] type=1400 audit(1219835630.106:5): avc: denied { execute } for pid=5273 comm="sysklogd" name="syslogd" dev=hda2 ino=28 scontext=unconfined_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file
Aug 27 13:13:50 sid kernel: [ 554.243321] type=1300 audit(1219835630.106:5): arch=40000003 syscall=33 success=no exit=-13 a0=9d1c0a8 a1=1 a2=b7ef7ff4 a3=0 items=0 ppid=5161 pid=5273 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sysklogd" exe="/bin/bash" subj=unconfined_u:system_r:logrotate_t:s0 key=(null)
This is caused by line:
test -x /sbin/syslogd || exit 0
near the start of the script. Access needs to be allowed; the test fails otherwise.
Reported in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496809
A patch is included. Can it be merged?
Thanks
--
Zito
-------------- next part --------------
A non-text attachment was scrubbed...
Name: logrotate_syslog_exec.patch
Type: text/x-diff
Size: 411 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20080827/24b561f3/attachment.bin
On Wed, 2008-08-27 at 18:30 +0200, Václav Ovsák wrote:
> Hi,
> while running cron.daily script /etc/cron.daily/sysklogd following
> denials appeared:
>
> Aug 27 13:13:50 sid kernel: [ 554.238311] type=1400
> audit(1219835630.106:5): avc: denied { execute } for pid=5273
> comm="sysklogd" name="syslogd" dev=hda2 ino=28
> scontext=unconfined_u:system_r:logrotate_t:s0
> tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file
> Aug 27 13:13:50 sid kernel: [ 554.243321] type=1300
> audit(1219835630.106:5): arch=40000003 syscall=33 success=no exit=-13
> a0=9d1c0a8 a1=1 a2=b7ef7ff4 a3=0 items=0 ppid=5161 pid=5273
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="sysklogd" exe="/bin/bash"
> subj=unconfined_u:system_r:logrotate_t:s0 key=(null)
>
> This is caused by line:
>
> test -x /sbin/syslogd || exit 0
>
> @@ -133,6 +133,9 @@
>
> # for syslogd-listfiles
> logging_read_syslog_config(logrotate_t)
> +
> + # for "test -x /sbin/syslogd"
> + logging_domtrans_syslog(logrotate_t)
> ')
>
> optional_policy(`
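Review bot: `+ logging_domtrans_syslog(logrotate_t)` grants far more than the denial asks for. The quoted SYSCALL record is `syscall=33` with `arch=40000003`, i.e. access(2) on i386, so `test -x /sbin/syslogd` only needs the `execute` permission on `syslogd_exec_t:file` and never execve()s syslogd; a domtrans interface additionally lets logrotate_t read the binary and transition into the syslogd domain. An interface that grants only `execute` (plus the bin directory search and symlink read the path lookup needs), in the style of corecmd_check_exec_shell(), would cover the stated purpose in the comment. The hunk is also quoted without its file header, so the target file (logrotate.te) has to be inferred from context.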
No. Based on the above, this is too much access. Logging needs an
interface like corecmd_check_exec_shell(), but for syslogd_exec_t.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
Christopher J. PeBenito wrote:
> On Wed, 2008-08-27 at 18:30 +0200, Václav Ovsák wrote:
>> Hi,
>> while running cron.daily script /etc/cron.daily/sysklogd following
>> denials appeared:
>>
>> Aug 27 13:13:50 sid kernel: [ 554.238311] type=1400
>> audit(1219835630.106:5): avc: denied { execute } for pid=5273
>> comm="sysklogd" name="syslogd" dev=hda2 ino=28
>> scontext=unconfined_u:system_r:logrotate_t:s0
>> tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file
>> Aug 27 13:13:50 sid kernel: [ 554.243321] type=1300
>> audit(1219835630.106:5): arch=40000003 syscall=33 success=no exit=-13
>> a0=9d1c0a8 a1=1 a2=b7ef7ff4 a3=0 items=0 ppid=5161 pid=5273
>> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> fsgid=0 tty=(none) ses=4294967295 comm="sysklogd" exe="/bin/bash"
>> subj=unconfined_u:system_r:logrotate_t:s0 key=(null)
>>
>> This is caused by line:
>>
>> test -x /sbin/syslogd || exit 0
>>
>
>> @@ -133,6 +133,9 @@
>>
>> # for syslogd-listfiles
>> logging_read_syslog_config(logrotate_t)
>> +
>> + # for "test -x /sbin/syslogd"
>> + logging_domtrans_syslog(logrotate_t)
>> ')
>>
>> optional_policy(`
>
> No. Based on the above, this is too much access. Logging needs an
> interface like corecmd_check_exec_shell(), but for syslogd_exec_t.
>
logrotate regularly restarts services and sends services signals.
service abc reload
service abc restart
So to work without any AVCs you really need to allow logrotate to
transition to initrc_t. Which is why in Fedora policy we have
# cjp: why is this needed?
init_domtrans_script(logrotate_t)
On Fri, Aug 29, 2008 at 10:49:06AM -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Wed, 2008-08-27 at 18:30 +0200, Václav Ovsák wrote:
> >> Hi,
> >> while running cron.daily script /etc/cron.daily/sysklogd following
> >> denials appeared:
> >>
> >> Aug 27 13:13:50 sid kernel: [ 554.238311] type=1400
> >> audit(1219835630.106:5): avc: denied { execute } for pid=5273
> >> comm="sysklogd" name="syslogd" dev=hda2 ino=28
> >> scontext=unconfined_u:system_r:logrotate_t:s0
> >> tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file
> >> Aug 27 13:13:50 sid kernel: [ 554.243321] type=1300
> >> audit(1219835630.106:5): arch=40000003 syscall=33 success=no exit=-13
> >> a0=9d1c0a8 a1=1 a2=b7ef7ff4 a3=0 items=0 ppid=5161 pid=5273
> >> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> >> fsgid=0 tty=(none) ses=4294967295 comm="sysklogd" exe="/bin/bash"
> >> subj=unconfined_u:system_r:logrotate_t:s0 key=(null)
> >>
> >> This is caused by line:
> >>
> >> test -x /sbin/syslogd || exit 0
> >>
> >
> >> @@ -133,6 +133,9 @@
> >>
> >> # for syslogd-listfiles
> >> logging_read_syslog_config(logrotate_t)
> >> +
> >> + # for "test -x /sbin/syslogd"
> >> + logging_domtrans_syslog(logrotate_t)
> >> ')
> >>
> >> optional_policy(`
> >
> > No. Based on the above, this is too much access. Logging needs an
> > interface like corecmd_check_exec_shell(), but for syslogd_exec_t.
> >
> logrotate regularly restarts services and sends services signals.
>
> service abc reload
> service abc restart
>
> So to work without any AVCs you really need to allow logrotate to
> transition to initrc_t. Which is why in Fedora policy we have
>
> # cjp: why is this needed?
> init_domtrans_script(logrotate_t)
This is even in upstream refpolicy and restarting really works on Debian.
The restart is done at the end of the script /etc/cron.daily/sysklogd by running:
...
# Restart syslogd
#
/etc/init.d/sysklogd reload-or-restart > /dev/null
So it goes through initrc_t, like in Fedora.
The problem is the sanity checks at the start of the script. These contain
"test -x /sbin/syslogd". The script exits if this test fails (SELinux
enforcing mode).
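The distinction the thread turns on, an `execute` denial raised by access(2) for `test -x` versus one raised by a real execve(), can be read straight out of the paired AVC and SYSCALL audit records. The following is an added example, not code from the thread or from refpolicy: it parses the two records quoted in the report (re-typed here as constructed sample input), decodes `arch=40000003 syscall=33` to access(2) on i386, and derives the least-privilege rule (`execute` only, no `execute_no_trans`, no domain transition). The arch and syscall tables are the author's own minimal lookup, and `DOMTRANS_FILE_PERMS` is an assumed approximation of what a domtrans pattern grants, included only to show how much broader that would be.

```python
import re

# Constructed sample input: the two audit records quoted in the report
# (an AVC record and the SYSCALL record of the same event), re-typed here.
AVC_LINE = (
    'type=1400 audit(1219835630.106:5): avc: denied { execute } for pid=5273 '
    'comm="sysklogd" name="syslogd" dev=hda2 ino=28 '
    'scontext=unconfined_u:system_r:logrotate_t:s0 '
    'tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file'
)
SYSCALL_LINE = (
    'type=1300 audit(1219835630.106:5): arch=40000003 syscall=33 success=no '
    'exit=-13 a0=9d1c0a8 a1=1 a2=b7ef7ff4 a3=0 items=0 ppid=5161 pid=5273 '
    'auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) ses=4294967295 comm="sysklogd" exe="/bin/bash" '
    'subj=unconfined_u:system_r:logrotate_t:s0 key=(null)'
)

# AUDIT_ARCH_* values from the kernel audit ABI and the only syscall numbers
# this example needs to tell apart (execve vs. access).
AUDIT_ARCH = {0x40000003: "i386", 0xC000003E: "x86_64"}
SYSCALL_NAMES = {
    "i386": {11: "execve", 33: "access"},
    "x86_64": {21: "access", 59: "execve"},
}

# Assumption: approximate file permissions a refpolicy domtrans pattern grants
# the caller on the entrypoint type; used only to show how much broader a
# domain transition is than a bare execute check.
DOMTRANS_FILE_PERMS = {"getattr", "read", "execute"}

# key=value tokens; values may be "quoted", (parenthesised) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_fields(body):
    """Split an audit record body into a dict, dropping surrounding quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(body)}


def parse_avc(line):
    """Extract event id, denied permissions, source/target types and class."""
    m = re.search(r"audit\(([^)]*)\):\s+avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$", line)
    if not m:
        raise ValueError("not an AVC denial record: %r" % line)
    fields = parse_fields(m.group(3))
    return {
        "event": m.group(1),
        "perms": set(m.group(2).split()),
        "stype": fields["scontext"].split(":")[2],   # user:role:TYPE:level
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def parse_syscall(line):
    """Decode arch and syscall number of a SYSCALL record into names."""
    m = re.search(r"audit\(([^)]*)\):\s+(.*)$", line)
    if not m or "syscall=" not in m.group(2):
        raise ValueError("not a SYSCALL record: %r" % line)
    fields = parse_fields(m.group(2))
    arch = AUDIT_ARCH.get(int(fields["arch"], 16), "unknown")
    number = int(fields["syscall"])
    return {
        "event": m.group(1),
        "arch": arch,
        "syscall": SYSCALL_NAMES.get(arch, {}).get(number, "sys_%d" % number),
        "exit": int(fields["exit"]),               # -13 is -EACCES
    }


def minimal_rule(avc, syscall):
    """Return the least-privilege rule for an execute denial, or None."""
    if avc["tclass"] != "file" or avc["perms"] != {"execute"}:
        return None
    rule = "allow %s %s:file execute;" % (avc["stype"], avc["ttype"])
    if syscall["syscall"] == "access":
        # access(2) only asks "may I execute this?"; nothing is executed, so
        # neither execute_no_trans nor a process transition is required.
        return {"rule": rule, "pattern": "check_exec",
                "excess_if_domtrans": sorted(DOMTRANS_FILE_PERMS - {"execute"})}
    if syscall["syscall"] == "execve":
        # A real exec needs execute plus execute_no_trans (same domain) or a
        # transition with an entrypoint (new domain); decide from the intent.
        return {"rule": rule, "pattern": "execve", "excess_if_domtrans": []}
    return {"rule": rule, "pattern": "unknown", "excess_if_domtrans": []}


def analyse(avc_line, syscall_line):
    """Pair the AVC and SYSCALL records of one event and derive the rule."""
    avc = parse_avc(avc_line)
    syscall = parse_syscall(syscall_line)
    if avc["event"] != syscall["event"]:
        raise ValueError("records belong to different audit events")
    return minimal_rule(avc, syscall)


if __name__ == "__main__":
    print(analyse(AVC_LINE, SYSCALL_LINE))
```

On the report's records this yields `allow logrotate_t syslogd_exec_t:file execute;` with pattern `check_exec`, which is exactly the access a check-exec style interface for syslogd_exec_t would encapsulate; the `excess_if_domtrans` field lists what a domain-transition interface would hand out on top of that.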
On Fri, Aug 29, 2008 at 10:38:10AM -0400, Christopher J. PeBenito wrote:
...
> No. Based on the above, this is too much access. Logging needs an
> interface like corecmd_check_exec_shell(), but for syslogd_exec_t.
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
Thank you for the great example. A new patch based on it is attached. It
can be applied to current HEAD of refpolicy.
Regards
--
Zito
-------------- next part --------------
Index: selinux-policy-src/policy/modules/admin/logrotate.te
===================================================================
--- selinux-policy-src.orig/policy/modules/admin/logrotate.te 2008-08-27 17:27:48.000000000 +0200
+++ selinux-policy-src/policy/modules/admin/logrotate.te 2008-09-01 17:11:30.000000000 +0200
@@ -137,6 +137,9 @@
# for syslogd-listfiles
logging_read_syslog_config(logrotate_t)
+
+ # for "test -x /sbin/syslogd"
+ logging_check_exec_syslog(logrotate_t)
')
optional_policy(`
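Review bot: `+ logging_check_exec_syslog(logrotate_t)` calls an interface that does not exist in logging.if until the second hunk of this patch is applied, so the two hunks must land together or the build fails on the undefined macro. Placement inside the optional_policy block that already holds logging_read_syslog_config is right, since both depend on the logging module. Consider naming the script in the comment (`# for "test -x /sbin/syslogd" in /etc/cron.daily/sysklogd`) so a later reader knows where the check comes from.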
Index: selinux-policy-src/policy/modules/system/logging.if
===================================================================
--- selinux-policy-src.orig/policy/modules/system/logging.if 2008-09-01 17:06:01.000000000 +0200
+++ selinux-policy-src/policy/modules/system/logging.if 2008-09-01 17:23:09.000000000 +0200
@@ -283,6 +283,26 @@
########################################
## <summary>
+## Check if syslogd is executable (DAC-wise).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_check_exec_syslog',`
+ gen_require(`
+ syslogd_exec_t;
+ ')
+
+ corecmd_list_bin($1)
+ corecmd_read_bin_symlinks($1)
+ allow $1 syslogd_exec_t:file execute;
+')
+
+########################################
+## <summary>
## Execute syslogd in the syslog domain.
## </summary>
## <param name="domain">
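Review bot: `+ allow $1 syslogd_exec_t:file execute;` without `execute_no_trans` is the correct minimal grant for an access(X_OK) check: the caller learns that the file is executable but still cannot execve() it in its own domain, so `test -x` works without widening what logrotate_t may run, and the `corecmd_list_bin($1)` / `corecmd_read_bin_symlinks($1)` lines mirror corecmd_check_exec_shell() for the path lookup of /sbin/syslogd. One wording nit: the summary "Check if syslogd is executable (DAC-wise)" is misleading because the check is still SELinux-mediated (the permission granted is the SELinux `execute` permission that access(2) consults); "Check if syslogd is executable" would be clearer.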
On Mon, 2008-09-01 at 17:41 +0200, V?clav Ovs?k wrote:
> On Fri, Aug 29, 2008 at 10:49:06AM -0400, Daniel J Walsh wrote:
> > Christopher J. PeBenito wrote:
> > > On Wed, 2008-08-27 at 18:30 +0200, Václav Ovsák wrote:
> > >> Hi,
> > >> while running cron.daily script /etc/cron.daily/sysklogd following
> > >> denials appeared:
> > >>
> > >> Aug 27 13:13:50 sid kernel: [ 554.238311] type=1400
> > >> audit(1219835630.106:5): avc: denied { execute } for pid=5273
> > >> comm="sysklogd" name="syslogd" dev=hda2 ino=28
> > >> scontext=unconfined_u:system_r:logrotate_t:s0
> > >> tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file
> > >> Aug 27 13:13:50 sid kernel: [ 554.243321] type=1300
> > >> audit(1219835630.106:5): arch=40000003 syscall=33 success=no exit=-13
> > >> a0=9d1c0a8 a1=1 a2=b7ef7ff4 a3=0 items=0 ppid=5161 pid=5273
> > >> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > >> fsgid=0 tty=(none) ses=4294967295 comm="sysklogd" exe="/bin/bash"
> > >> subj=unconfined_u:system_r:logrotate_t:s0 key=(null)
> > >>
> > >> This is caused by line:
> > >>
> > >> test -x /sbin/syslogd || exit 0
> > >>
> > >
> > >> @@ -133,6 +133,9 @@
> > >>
> > >> # for syslogd-listfiles
> > >> logging_read_syslog_config(logrotate_t)
> > >> +
> > >> + # for "test -x /sbin/syslogd"
> > >> + logging_domtrans_syslog(logrotate_t)
> > >> ')
> > >>
> > >> optional_policy(`
> > >
> > No. Based on the above, this is too much access. Logging needs an
> > interface like corecmd_check_exec_shell(), but for syslogd_exec_t.
> >
> Thank you for the great example. A new patch based on it is attached. It
> can be applied to current HEAD of refpolicy.
Merged.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150