From: vaclav.ovsik@i.cz (=?iso-8859-2?Q?V=E1clav_Ovs=EDk?=)
Date: Wed, 27 Aug 2008 18:30:48 +0200
Subject: [refpolicy] Debian: logrotate_t needs to execute syslogd (test -x
	syslogd)
Message-ID: <20080827163048.GA7735@bobek.pm.i.cz>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,
while running cron.daily script /etc/cron.daily/sysklogd following
denials appeared:

Aug 27 13:13:50 sid kernel: [  554.238311] type=1400 audit(1219835630.106:5): avc:  denied  { execute } for  pid=5273 comm="sysklogd" name="syslogd" dev=hda2 ino=28 scontext=unconfined_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file
Aug 27 13:13:50 sid kernel: [  554.243321] type=1300 audit(1219835630.106:5): arch=40000003 syscall=33 success=no exit=-13 a0=9d1c0a8 a1=1 a2=b7ef7ff4 a3=0 items=0 ppid=5161 pid=5273 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sysklogd" exe="/bin/bash" subj=unconfined_u:system_r:logrotate_t:s0 key=(null)

This is caused by line:

    test -x /sbin/syslogd || exit 0

near start of script. Access needs to be allowed test fails otherwise.
Reported in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496809
A patch is included. Can be merged?
Thanks
-- 
Zito
-------------- next part --------------
A non-text attachment was scrubbed...
Name: logrotate_syslog_exec.patch
Type: text/x-diff
Size: 411 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20080827/24b561f3/attachment.bin