From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 29 Aug 2008 10:38:10 -0400
Subject: [refpolicy] Debian: logrotate_t needs to execute syslogd
	(test	-x syslogd)
In-Reply-To: <20080827163048.GA7735@bobek.pm.i.cz>
References: <20080827163048.GA7735@bobek.pm.i.cz>
Message-ID: <1220020690.22710.42.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2008-08-27 at 18:30 +0200, V?clav Ovs?k wrote:
> Hi,
> while running cron.daily script /etc/cron.daily/sysklogd following
> denials appeared:
> 
> Aug 27 13:13:50 sid kernel: [  554.238311] type=1400
> audit(1219835630.106:5): avc:  denied  { execute } for  pid=5273
> comm="sysklogd" name="syslogd" dev=hda2 ino=28
> scontext=unconfined_u:system_r:logrotate_t:s0
> tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file
> Aug 27 13:13:50 sid kernel: [  554.243321] type=1300
> audit(1219835630.106:5): arch=40000003 syscall=33 success=no exit=-13
> a0=9d1c0a8 a1=1 a2=b7ef7ff4 a3=0 items=0 ppid=5161 pid=5273
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="sysklogd" exe="/bin/bash"
> subj=unconfined_u:system_r:logrotate_t:s0 key=(null)
> 
> This is caused by line:
> 
>     test -x /sbin/syslogd || exit 0
> 

> @@ -133,6 +133,9 @@
>  
>         # for syslogd-listfiles
>         logging_read_syslog_config(logrotate_t)
> +
> +        # for "test -x /sbin/syslogd"
> +       logging_domtrans_syslog(logrotate_t)
>  ')
>  
>  optional_policy(`

No.  Based on the above, this is too much access.  Logging needs an
interface like corecmd_check_exec_shell(), but for syslogd_exec_t.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150