From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 03 Sep 2008 10:11:15 -0400
Subject: [refpolicy] Debian: logrotate_t needs to execute syslogd
	(test	-x syslogd)
In-Reply-To: <20080901154127.GA29443@bobek.pm.i.cz>
References: <20080827163048.GA7735@bobek.pm.i.cz>
	<1220020690.22710.42.camel@gorn.columbia.tresys.com>
	<48B80C62.3080703@redhat.com> <20080827163048.GA7735@bobek.pm.i.cz>
	<1220020690.22710.42.camel@gorn.columbia.tresys.com>
	<20080901154127.GA29443@bobek.pm.i.cz>
Message-ID: <1220451075.28287.29.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2008-09-01 at 17:41 +0200, V?clav Ovs?k wrote:
> On Fri, Aug 29, 2008 at 10:49:06AM -0400, Daniel J Walsh wrote:
> > Christopher J. PeBenito wrote:
> > > On Wed, 2008-08-27 at 18:30 +0200, V?clav Ovs?k wrote:
> > >> Hi,
> > >> while running cron.daily script /etc/cron.daily/sysklogd following
> > >> denials appeared:
> > >>
> > >> Aug 27 13:13:50 sid kernel: [  554.238311] type=1400
> > >> audit(1219835630.106:5): avc:  denied  { execute } for  pid=5273
> > >> comm="sysklogd" name="syslogd" dev=hda2 ino=28
> > >> scontext=unconfined_u:system_r:logrotate_t:s0
> > >> tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file
> > >> Aug 27 13:13:50 sid kernel: [  554.243321] type=1300
> > >> audit(1219835630.106:5): arch=40000003 syscall=33 success=no exit=-13
> > >> a0=9d1c0a8 a1=1 a2=b7ef7ff4 a3=0 items=0 ppid=5161 pid=5273
> > >> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > >> fsgid=0 tty=(none) ses=4294967295 comm="sysklogd" exe="/bin/bash"
> > >> subj=unconfined_u:system_r:logrotate_t:s0 key=(null)
> > >>
> > >> This is caused by line:
> > >>
> > >>     test -x /sbin/syslogd || exit 0
> > >>
> > > 
> > >> @@ -133,6 +133,9 @@
> > >>  
> > >>         # for syslogd-listfiles
> > >>         logging_read_syslog_config(logrotate_t)
> > >> +
> > >> +        # for "test -x /sbin/syslogd"
> > >> +       logging_domtrans_syslog(logrotate_t)
> > >>  ')
> > >>  
> > >>  optional_policy(`
> > > 
> > No.  Based on the above, this is too much access.  Logging needs an
> > interface like corecmd_check_exec_shell(), but for syslogd_exec_t.
> > 
> Thank you for the great example. A new patch based on it is attached. It
> can be applied to current HEAD of refpolicy.

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150