Bug#496809: selinux-policy-default: logrotate_t needs to test exec syslogd

Wed, 27 Aug 2008 09:25:39 -0700 

Package: selinux-policy-default
Version: 2:0.0.20080702-6
Severity: normal
Tags: patch

Hi,
while running cron.daily script /etc/cron.daily/sysklogd following
denials appeared:

Aug 27 13:13:50 sid kernel: [  554.238311] type=1400 audit(1219835630.106:5): 
avc:  denied  { execute } for  pid=5273 comm="sysklogd" name="syslogd" dev=hda2 
ino=28 scontext=unconfined_u:system_r:logrotate_t:s0 
tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file
Aug 27 13:13:50 sid kernel: [  554.243321] type=1300 audit(1219835630.106:5): 
arch=40000003 syscall=33 success=no exit=-13 a0=9d1c0a8 a1=1 a2=b7ef7ff4 a3=0 
items=0 ppid=5161 pid=5273 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sysklogd" exe="/bin/bash" 
subj=unconfined_u:system_r:logrotate_t:s0 key=(null)

This is caused by line:

    test -x /sbin/syslogd || exit 0

near start of script. Access needs to be allowed test fails otherwise.
Thanks
-- 
Zito

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2 (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/bash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules                1.0.1-3    Pluggable Authentication Modules f
ii  libselinux1                   2.0.65-4   SELinux shared libraries
ii  libsepol1                     2.0.30-2   Security Enhanced Linux policy lib
ii  policycoreutils               2.0.49-5   SELinux core policy utilities
ii  python                        2.5.2-2    An interactive high-level object-o

Versions of packages selinux-policy-default recommends:
ii  checkpolicy                   2.0.16-1   SELinux policy compiler
ii  setools                       3.3.4.ds-4 tools for Security Enhanced Linux 

Versions of packages selinux-policy-default suggests:
pn  logcheck                      <none>     (no description available)
pn  syslog-summary                <none>     (no description available)

-- no debconf information

Index: selinux-policy-src/policy/modules/admin/logrotate.te
===================================================================
--- selinux-policy-src.orig/policy/modules/admin/logrotate.te	2008-08-27 17:27:48.000000000 +0200
+++ selinux-policy-src/policy/modules/admin/logrotate.te	2008-08-27 17:30:27.000000000 +0200
@@ -137,6 +137,9 @@
 
 	# for syslogd-listfiles
 	logging_read_syslog_config(logrotate_t)
+
+        # for "test -x /sbin/syslogd"
+	logging_domtrans_syslog(logrotate_t)
 ')
 
 optional_policy(`

Reply via email to