On Sat, Nov 12, 2016 at 04:45:23PM +0000, Robert Sharp wrote:
> Hi there,
>
> is this the best place to raise questions about SELinux, or would I be
> better trying chat? I am making a big effort to get to enforcing strict
> on a simple server and I am struggling a little.

Here is good; there is also #gentoo-hardened on Freenode, which may be
faster depending on the timezone.

> For example, I run Rsyslog and I have lots of AVCs concerning denied
> sendto's to /dev/log. The target context is usually sysadm_t, which does
> not seem right, and I also notice that Rsyslog is in the same context. I
> would expect it to be in a context involving syslog somehow. I have
> restarted the service from the sysadm_r role and it makes no difference.
> Also, I do not get asked to authenticate when starting the service,
> whereas other services require this, and there is no entry for rsyslog
> in the rc-status display despite it being installed in the default runlevel.
>
> Example AVCs:
>
> type=AVC msg=audit(1478957011.808:1910): avc: denied { sendto } for
> pid=6043 comm="smtp" path="/dev/log"
> scontext=system_u:system_r:postfix_smtp_t
> tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1
>
> type=AVC msg=audit(1478953126.199:1909): avc: denied { sendto } for
> pid=5949 comm="cleanup" path="/dev/log"
> scontext=system_u:system_r:postfix_cleanup_t
> tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1
>
> type=AVC msg=audit(1478952507.872:1907): avc: denied { sendto } for
> pid=3099 comm="krb5kdc" path="/dev/log"
> scontext=system_u:system_r:krb5kdc_t tcontext=staff_u:sysadm_r:sysadm_t
> tclass=unix_dgram_socket permissive=1

Yeah, these are definitely wrong. Do you get the same output as me for
these commands?

# matchpathcon /dev/log
/dev/log system_u:object_r:devlog_t:s0
# ls -alZ /dev/log
srw-rw-rw-. 1 root root system_u:object_r:devlog_t:s0 0 Nov 6 01:03 /dev/log
# semodule -l | grep log
authlogin
locallogin
logging

Does 'restorecon -rFv /dev' reset the context? Also, what is the line
that 'ps auxfZ' says for rsyslog? It might be running in the wrong
context. If it is, I'll probably have to add an fcontext to the policy.

> There does not appear to be any specific rsyslog selinux package so I
> assume it should all be syslog-related and already in the core policy
> (although I cannot find it there). I also note that Red Hat has a page
> on setting up Rsyslog in SELinux so I feel fairly sure it should work.
> It only tells you how to change the ports, however. I am using TCP on
> port 514 but I don't think I need to do anything according to RH.

Red Hat stuff is quite different so doesn't always work on Gentoo.

> Have I missed something, done something fundamentally wrong, or just
> need to add something to stop the AVCs? Not keen on blindly fixing
> things so I want to know what I need to do and why before I do it.
>
> Thanks in anticipation,
> Robert Sharp

-- Jason
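As an added example (not code from this thread), a small Python checker for AVC records like the ones quoted above: for a unix_dgram_socket sendto, the tcontext is the domain of the process that created the receiving socket, so a tcontext of sysadm_t on /dev/log points at the log daemon itself having been started in sysadm_t. It assumes syslogd_t is the domain the reference policy's logging module gives the syslog daemon (rsyslogd included); the fourth sample record is constructed to show a correctly domained listener for contrast.

```python
import re

# Constructed sample: the three records quoted in the thread, re-joined onto
# one line each as auditd writes them, plus a fourth (made up) record whose
# /dev/log listener runs in the logging module's own domain, for contrast.
SAMPLE_AVCS = """\
type=AVC msg=audit(1478957011.808:1910): avc: denied { sendto } for pid=6043 comm="smtp" path="/dev/log" scontext=system_u:system_r:postfix_smtp_t tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1478953126.199:1909): avc: denied { sendto } for pid=5949 comm="cleanup" path="/dev/log" scontext=system_u:system_r:postfix_cleanup_t tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1478952507.872:1907): avc: denied { sendto } for pid=3099 comm="krb5kdc" path="/dev/log" scontext=system_u:system_r:krb5kdc_t tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1478952600.000:1908): avc: denied { sendto } for pid=3100 comm="sshd" path="/dev/log" scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket permissive=1
"""

# Assumption: with the reference policy's logging module, the syslog daemon
# (rsyslogd included) is expected to run as syslogd_t.
EXPECTED_LOG_DOMAIN = "syslogd_t"

AVC_RE = re.compile(r'msg=audit\([\d.]+:(?P<serial>\d+)\): avc: +denied +'
                    r'\{ (?P<perms>[^}]+)\} for (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (serial, [perms], {field: value}) for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return int(m.group("serial")), m.group("perms").split(), fields

def domain(context):
    """user:role:type[:range] -> type (the domain component of a context)."""
    return context.split(":")[2]

def find_mislabelled_log_listeners(text):
    # For unix_dgram_socket the tcontext is the domain of the process that
    # created the receiving socket, so a listener domain other than syslogd_t
    # means the log daemon itself was started in the wrong domain.
    findings = []
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is None or "sendto" not in avc[1]:
            continue
        serial, _, f = avc
        if f.get("tclass") != "unix_dgram_socket" or f.get("path") != "/dev/log":
            continue
        listener = domain(f["tcontext"])
        if listener != EXPECTED_LOG_DOMAIN:
            findings.append((serial, f["comm"], domain(f["scontext"]), listener))
    return findings
```

Each finding is (audit serial, sending comm, sending domain, listener domain); on the thread's records all three come back with the listener as sysadm_t, which matches the 'ps auxfZ' check suggested above.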