From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 03 Sep 2008 10:11:15 -0400
Subject: [refpolicy] Debian: logrotate_t needs to execute syslogd (test -x syslogd)
In-Reply-To: <20080901154127.GA29443@bobek.pm.i.cz>
References: <20080827163048.GA7735@bobek.pm.i.cz> <1220020690.22710.42.camel@gorn.columbia.tresys.com> <48B80C62.3080703@redhat.com> <20080827163048.GA7735@bobek.pm.i.cz> <1220020690.22710.42.camel@gorn.columbia.tresys.com> <20080901154127.GA29443@bobek.pm.i.cz>
Message-ID: <1220451075.28287.29.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2008-09-01 at 17:41 +0200, Václav Ovsík wrote:
> On Fri, Aug 29, 2008 at 10:49:06AM -0400, Daniel J Walsh wrote:
> > Christopher J. PeBenito wrote:
> > > On Wed, 2008-08-27 at 18:30 +0200, Václav Ovsík wrote:
> > >> Hi,
> > >> while running the cron.daily script /etc/cron.daily/sysklogd the following
> > >> denials appeared:
> > >>
> > >> Aug 27 13:13:50 sid kernel: [ 554.238311] type=1400
> > >> audit(1219835630.106:5): avc: denied { execute } for pid=5273
> > >> comm="sysklogd" name="syslogd" dev=hda2 ino=28
> > >> scontext=unconfined_u:system_r:logrotate_t:s0
> > >> tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file
> > >> Aug 27 13:13:50 sid kernel: [ 554.243321] type=1300
> > >> audit(1219835630.106:5): arch=40000003 syscall=33 success=no exit=-13
> > >> a0=9d1c0a8 a1=1 a2=b7ef7ff4 a3=0 items=0 ppid=5161 pid=5273
> > >> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > >> fsgid=0 tty=(none) ses=4294967295 comm="sysklogd" exe="/bin/bash"
> > >> subj=unconfined_u:system_r:logrotate_t:s0 key=(null)
> > >>
> > >> This is caused by the line:
> > >>
> > >> test -x /sbin/syslogd || exit 0
> > >>
> > >
> > >> @@ -133,6 +133,9 @@
> > >>
> > >> # for syslogd-listfiles
> > >> logging_read_syslog_config(logrotate_t)
> > >> +
> > >> + # for "test -x /sbin/syslogd"
> > >> + logging_domtrans_syslog(logrotate_t)
> > >> ')
> > >>
> > >> optional_policy(`
> > >
> > No. Based on the above, this is too much access. Logging needs an
> > interface like corecmd_check_exec_shell(), but for syslogd_exec_t.
>
> Thank you for the great example. A new patch based on it is attached. It
> can be applied to current HEAD of refpolicy.

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
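Review bot: `logging_domtrans_syslog(logrotate_t)` in the hunk grants more than the quoted denial calls for. The AVC record requests only `{ execute }` on `syslogd_exec_t`, and the paired SYSCALL record (arch=40000003, syscall=33, a1=1) is access(2) with X_OK, i.e. the permission probe behind `test -x /sbin/syslogd`, not an execve. A domtrans interface additionally sets up a domain transition into the syslog daemon's domain, which this script never exercises. Add a narrower interface to the logging module modelled on corecmd_check_exec_shell(), granting only `{ getattr execute }` on syslogd_exec_t with no transition, e.g. `allow $1 syslogd_exec_t:file { getattr execute };`, and call that here instead of the domtrans line. The comment should also describe what the rule permits rather than which script line triggered it.

The reasoning in the review above, as an added example that is not part of the thread: a small Python parser that pairs the two audit records quoted in the report by serial number, decodes the i386 syscall, and derives the narrowest allow rule the denial justifies, distinguishing an access(2) X_OK probe (no transition needed) from a real execve. The two records are reconstructed copies of the ones quoted above, rejoined onto single lines; the syscall table is limited to the two numbers the example needs.

```python
import re

# Constructed copies of the two audit records quoted in the report, re-joined
# onto single lines (the mailing list wrapped them).
AVC = ('type=1400 audit(1219835630.106:5): avc: denied { execute } for pid=5273 '
       'comm="sysklogd" name="syslogd" dev=hda2 ino=28 '
       'scontext=unconfined_u:system_r:logrotate_t:s0 '
       'tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file')
SYSCALL = ('type=1300 audit(1219835630.106:5): arch=40000003 syscall=33 success=no '
           'exit=-13 a0=9d1c0a8 a1=1 a2=b7ef7ff4 a3=0 items=0 ppid=5161 pid=5273 '
           'comm="sysklogd" exe="/bin/bash" subj=unconfined_u:system_r:logrotate_t:s0')

# arch=40000003 is i386; there, syscall 33 is access(2) and 11 is execve(2).
I386_ARCH = '40000003'
I386_SYSCALLS = {33: 'access', 11: 'execve'}
X_OK = 1  # access(2) mode bit for "may execute"

def fields(line):
    """Split an audit record into a key -> value dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def serial(line):
    """Event serial from audit(<time>:<serial>); records of one event share it."""
    return re.search(r'audit\([^:]*:(\d+)\)', line).group(1)

def parse_avc(line):
    f = fields(line)
    return {'perms': re.search(r'denied \{ ([^}]*) \}', line).group(1).split(),
            'source': f['scontext'].split(':')[2],   # logrotate_t
            'target': f['tcontext'].split(':')[2],   # syslogd_exec_t
            'tclass': f['tclass']}

def classify(avc_line, syscall_line):
    """Return (syscall name, minimal allow rule or None, transition implied?)."""
    if serial(avc_line) != serial(syscall_line):
        raise ValueError('AVC and SYSCALL records belong to different events')
    d, s = parse_avc(avc_line), fields(syscall_line)
    name = I386_SYSCALLS.get(int(s['syscall']), 'unknown') if s['arch'] == I386_ARCH else 'unknown'
    # access(path, X_OK) only probes execute permission: the single SELinux check it
    # triggers is file:execute, so a domain transition (and a domtrans interface) is
    # not justified. A refpolicy "check_exec" style interface pairs this with getattr.
    if name == 'access' and int(s['a1'], 16) & X_OK and d['perms'] == ['execute']:
        rule = 'allow %s %s:%s { execute };' % (d['source'], d['target'], d['tclass'])
        return name, rule, False
    # Only an actual execve of the file puts a domain transition in play.
    return name, None, name == 'execve'

if __name__ == '__main__':
    print(classify(AVC, SYSCALL))
```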