From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 29 Aug 2008 10:38:10 -0400
Subject: [refpolicy] Debian: logrotate_t needs to execute syslogd (test -x syslogd)
In-Reply-To: <20080827163048.GA7735@bobek.pm.i.cz>
References: <20080827163048.GA7735@bobek.pm.i.cz>
Message-ID: <1220020690.22710.42.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2008-08-27 at 18:30 +0200, Václav Ovsík wrote:
> Hi,
> while running the cron.daily script /etc/cron.daily/sysklogd, the following
> denials appeared:
>
> Aug 27 13:13:50 sid kernel: [ 554.238311] type=1400
> audit(1219835630.106:5): avc: denied { execute } for pid=5273
> comm="sysklogd" name="syslogd" dev=hda2 ino=28
> scontext=unconfined_u:system_r:logrotate_t:s0
> tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file
> Aug 27 13:13:50 sid kernel: [ 554.243321] type=1300
> audit(1219835630.106:5): arch=40000003 syscall=33 success=no exit=-13
> a0=9d1c0a8 a1=1 a2=b7ef7ff4 a3=0 items=0 ppid=5161 pid=5273
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="sysklogd" exe="/bin/bash"
> subj=unconfined_u:system_r:logrotate_t:s0 key=(null)
>
> This is caused by the line:
>
> test -x /sbin/syslogd || exit 0
>
> @@ -133,6 +133,9 @@
>
> # for syslogd-listfiles
> logging_read_syslog_config(logrotate_t)
> +
> + # for "test -x /sbin/syslogd"
> + logging_domtrans_syslog(logrotate_t)
> ')
>
> optional_policy(`

No. Based on the above, this is too much access. Logging needs an
interface like corecmd_check_exec_shell(), but for syslogd_exec_t.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
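Review bot: the added logging_domtrans_syslog(logrotate_t) in the hunk grants much more than the denial requires. The AVC reports only { execute } on a syslogd_exec_t file, raised by "test -x /sbin/syslogd" (arch=40000003 is i386, syscall=33 is access(2), exit=-13 is EACCES), so the script never needs to run syslogd, let alone transition into the syslogd domain with the entrypoint and process rules a domtrans interface brings. Replace the call with a check-exec style interface on syslogd_exec_t that allows only { getattr execute } on the file and no transition, mirroring corecmd_check_exec_shell() in the corecommands module; the two "+" comment and call lines should then read "+ # for \"test -x /sbin/syslogd\"" and "+ logging_check_exec_syslog(logrotate_t)" (or whatever name the logging module adopts).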
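The narrower interface the reply asks for, written here as an added example rather than code from the thread or from refpolicy itself; the interface name logging_check_exec_syslog and the replacement logrotate.te block are assumptions, modelled on corecmd_check_exec_shell().

```m4
########################################
## <summary>
##	Check whether the syslogd binary is executable (as "test -x" does)
##	without allowing a domain transition into the syslogd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Added example; the interface name is assumed, not taken from the thread.
interface(`logging_check_exec_syslog',`
	gen_require(`
		type syslogd_exec_t;
	')

	# access(2) with X_OK is checked as the "execute" file permission;
	# getattr covers the stat() that the shell performs on the path.
	# No execute_no_trans, entrypoint or type_transition rule, so
	# logrotate_t can inspect the binary but never run it or become
	# syslogd_t.
	allow $1 syslogd_exec_t:file { getattr execute };
')

# Corresponding logrotate.te block (assumed), replacing the domtrans call
# from the quoted hunk with the narrower check.
optional_policy(`
	# for syslogd-listfiles
	logging_read_syslog_config(logrotate_t)

	# for "test -x /sbin/syslogd"
	logging_check_exec_syslog(logrotate_t)
')
```

After rebuilding the module, re-running /etc/cron.daily/sysklogd should clear the { execute } denial on syslogd_exec_t without adding any process-class permissions to logrotate_t; a remaining denial would indicate the script does more than the access(2) check.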