From: dwalsh@redhat.com (Daniel J Walsh)
Date: Fri, 29 Aug 2008 10:49:06 -0400
Subject: [refpolicy] Debian: logrotate_t needs to execute syslogd (test -x syslogd)
In-Reply-To: <1220020690.22710.42.camel@gorn.columbia.tresys.com>
References: <20080827163048.GA7735@bobek.pm.i.cz> <1220020690.22710.42.camel@gorn.columbia.tresys.com>
Message-ID: <48B80C62.3080703@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Christopher J. PeBenito wrote:
> On Wed, 2008-08-27 at 18:30 +0200, Václav Ovsík wrote:
>> Hi,
>> while running cron.daily script /etc/cron.daily/sysklogd following
>> denials appeared:
>>
>> Aug 27 13:13:50 sid kernel: [  554.238311] type=1400
>> audit(1219835630.106:5): avc:  denied  { execute } for  pid=5273
>> comm="sysklogd" name="syslogd" dev=hda2 ino=28
>> scontext=unconfined_u:system_r:logrotate_t:s0
>> tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file
>> Aug 27 13:13:50 sid kernel: [  554.243321] type=1300
>> audit(1219835630.106:5): arch=40000003 syscall=33 success=no exit=-13
>> a0=9d1c0a8 a1=1 a2=b7ef7ff4 a3=0 items=0 ppid=5161 pid=5273
>> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> fsgid=0 tty=(none) ses=4294967295 comm="sysklogd" exe="/bin/bash"
>> subj=unconfined_u:system_r:logrotate_t:s0 key=(null)
>>
>> This is caused by line:
>>
>> test -x /sbin/syslogd || exit 0
>>
>
>> @@ -133,6 +133,9 @@
>>
>>  	# for syslogd-listfiles
>>  	logging_read_syslog_config(logrotate_t)
>> +
>> +	# for "test -x /sbin/syslogd"
>> +	logging_domtrans_syslog(logrotate_t)
>>  ')
>>
>>  optional_policy(`
>
> No. Based on the above, this is too much access. Logging needs an
> interface like corecmd_check_exec_shell(), but for syslogd_exec_t.
>

logrotate regularly restarts services and sends services signals.

service abc reload
service abc restart

So to work without any avc's you really need to allow logrotate to
transition to initrc_t. Which is why in Fedora policy we have

# cjp: why is this needed?
init_domtrans_script(logrotate_t)
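Review bot: the `+ logging_domtrans_syslog(logrotate_t)` line in the `@@ -133,6 +133,9 @@` hunk grants far more than the denial asks for. The type=1300 record shows arch=40000003 (i386) syscall=33, which is access(2), the call `test -x` makes, and the AVC denies only `{ execute }` on a syslogd_exec_t file; a domain transition would in addition let logrotate_t start syslogd in its own domain. Replace the domtrans call with an interface that only grants `allow $1 syslogd_exec_t:file { getattr execute };` in the style of corecmd_check_exec_shell(), and keep the `# for "test -x /sbin/syslogd"` comment so the reason for the rule stays documented.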
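A narrower alternative to the domtrans line in the quoted hunk, written as an added example rather than code from this thread or from refpolicy: an interface modeled on corecmd_check_exec_shell() that grants only what the access(2) check behind `test -x` needs, with no transition to syslogd_t. The interface name logging_check_exec_syslog is an assumption; the permissions follow the AVC record above (`{ execute }` on a syslogd_exec_t file).

```m4
# logging.if (added example; interface name is an assumption)
########################################
## <summary>
##	Check whether the syslogd binary is executable
##	(e.g. "test -x /sbin/syslogd") without allowing
##	a domain transition to syslogd_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_check_exec_syslog',`
	gen_require(`
		type syslogd_exec_t;
	')

	# access(2) with X_OK only checks the file; it needs
	# getattr plus execute on the file type, not
	# execute_no_trans and not a transition rule.
	corecmd_search_bin($1)
	allow $1 syslogd_exec_t:file { getattr execute };
')

# logrotate.te: what the hunk would look like with the narrow
# interface in place of logging_domtrans_syslog().
optional_policy(`
	# for syslogd-listfiles
	logging_read_syslog_config(logrotate_t)

	# for "test -x /sbin/syslogd"
	logging_check_exec_syslog(logrotate_t)
')
```

After loading the rebuilt module, re-running /etc/cron.daily/sysklogd should produce no `{ execute }` AVC for syslogd_exec_t, while `sesearch -T -s logrotate_t -t syslogd_exec_t` still shows no type transition.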