getting denials when run from init script but not from command-line

Johnny Tan linuxweb at gmail.com
Wed Mar 5 23:34:42 UTC 2008


I took the Fedora-8 SRPM for rsyslog 2.0.2 and rebuilt it 
for CentOS-5 x86_64. After doing:

# semanage fcontext -a -t syslogd_exec_t /sbin/rsyslogd
# semanage fcontext -a -t klogd_exec_t /sbin/rklogd

I can do "service rsyslog start" and it works.


Then, I did the rebuild for rsyslog version 3.11.6. Had to 
tweak the spec and conf files a bit, but got it packaged and 
installed. And made sure the above contexts were retained 
(they were).

However, when I go to run it "service rsyslog start" using 
the same init script that worked with the 2.0.2 version, I 
get this:

==
type=SYSCALL msg=audit(03/05/2008 17:43:26.966:224) : 
arch=x86_64 syscall=bind success=yes exit=0 a0=1 a1=51b2ae0 
a2=10 a3=7fffa9e3f63c items=0 ppid=29717 pid=29718 auid=root 
uid=root gid=root euid=root suid=root fsuid=root egid=root 
sgid=root fsgid=root tty=(none) comm=rsyslogd 
exe=/sbin/rsyslogd subj=root:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(03/05/2008 17:43:26.966:224) : avc: 
denied  { node_bind } for  pid=29718 comm=rsyslogd src=61514 
scontext=root:system_r:syslogd_t:s0 
tcontext=system_u:object_r:inaddr_any_node_t:s0 
tclass=tcp_socket
==


BUT, when I run it directly from the command-line:
/sbin/rsyslogd
I do NOT get those denials.

I know how to create the module to allow the above, but what 
I'm more interested in is what allows me to run it from the 
command-line but not from the init script.

The line that starts the rsyslogd in the init script is:
         daemon rsyslogd $SYSLOGD_OPTIONS
("daemon" being a function sourced from /etc/init.d/functions)

But even if I replace that line with a simple:
/sbin/rsyslogd
it still gives me the denials.


Anyone have ideas why? I don't want to just create the 
module and sweep this under the rug.


Here's the full start() function section of the 
/etc/init.d/rsyslog:

start() {
         [ -x /sbin/rsyslogd ] || exit 5

         # Source config
         if [ -f /etc/sysconfig/rsyslog ] ; then
                 . /etc/sysconfig/rsyslog
         else
                 KLOGD_OPTIONS="-2"
         fi

         if [ -z "$SYSLOG_UMASK" ] ; then
               SYSLOG_UMASK=077;
         fi
         umask $SYSLOG_UMASK

         echo -n $"Starting system logger: "
         daemon rsyslogd $SYSLOGD_OPTIONS
         RETVAL=$?
         echo
         [ $RETVAL -eq 0 ] && touch /var/lock/subsys/rsyslog
         return $RETVAL
}


Thanks,
johnn
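An added triage script, written for this archive page and not part of the original post or of the rsyslog/Fedora code: it parses `ausearch -i`-style records like the ones quoted above, pairs each AVC with the SYSCALL record that shares its serial number, and reports which domain the daemon actually ran in, what was denied, and whether the syscall still succeeded (a denied AVC on a syscall that returns success=yes is what a denial looks like when SELinux is in permissive mode). The first two records are the post's own; the third record (serial 225, subj unconfined_t) is constructed for the example to stand in for a launch from an interactive root shell and is an assumption, not something the post shows.

```python
"""Pair SELinux AVC records with their SYSCALL records and summarize them.

Added example for this mailing-list page; not code from the post, rsyslog or
Fedora. Input format is the `ausearch -i` style quoted in the post.
"""
import re
from collections import defaultdict

# Records 1-2: quoted verbatim from the post (init-script launch).
# Record 3: CONSTRUCTED for this example (assumed command-line launch in
# unconfined_t; serial, pid and timestamp are made up).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(03/05/2008 17:43:26.966:224) : arch=x86_64 syscall=bind success=yes exit=0 a0=1 a1=51b2ae0 a2=10 a3=7fffa9e3f63c items=0 ppid=29717 pid=29718 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=rsyslogd exe=/sbin/rsyslogd subj=root:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(03/05/2008 17:43:26.966:224) : avc:  denied  { node_bind } for  pid=29718 comm=rsyslogd src=61514 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(03/05/2008 17:50:01.101:225) : arch=x86_64 syscall=bind success=yes exit=0 items=0 ppid=29800 pid=29801 auid=root uid=root tty=pts0 comm=rsyslogd exe=/sbin/rsyslogd subj=root:system_r:unconfined_t:s0 key=(null)
"""

SERIAL_RE = re.compile(r"msg=audit\(([^)]*):(\d+)\)")
# key=value tokens; values may be "(null)", "(none)" or a plain word.
FIELD_RE = re.compile(r"(\w+)=(\([^)]*\)|\S+)")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")


def parse_records(text):
    """Group records by audit serial: {serial: {"SYSCALL": {...}, "AVC": {...}}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        serial = int(m.group(2))
        fields = dict(FIELD_RE.findall(line))
        if fields.get("type") == "AVC":
            d = AVC_RE.search(line)
            if d:
                fields["decision"] = d.group(1)
                fields["perms"] = d.group(2).split()
        events[serial][fields.get("type")] = fields
    return events


def type_of(context):
    """Type field of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]


def summarize(events):
    """One entry per serial: process domain, denial details, enforcement."""
    out = []
    for serial in sorted(events):
        sc = events[serial].get("SYSCALL", {})
        avc = events[serial].get("AVC")
        entry = {
            "serial": serial,
            "comm": sc.get("comm"),
            "exe": sc.get("exe"),
            "domain": type_of(sc["subj"]) if "subj" in sc else None,
            "syscall": sc.get("syscall"),
            "succeeded": sc.get("success") == "yes",
            "denied": None,
        }
        if avc and avc.get("decision") == "denied":
            entry["denied"] = {
                "perms": avc["perms"],
                "tclass": avc.get("tclass"),
                "target_type": type_of(avc["tcontext"]),
            }
            # Denied by policy yet the syscall succeeded: logged, not enforced.
            entry["enforced"] = not entry["succeeded"]
        out.append(entry)
    return out


def domains_seen(summaries, comm):
    """Distinct domains in which a given command was observed running."""
    return sorted({s["domain"] for s in summaries if s["comm"] == comm and s["domain"]})


if __name__ == "__main__":
    report = summarize(parse_records(SAMPLE_AUDIT))
    for e in report:
        print(f"serial {e['serial']}: {e['comm']} ran as {e['domain']}, "
              f"syscall {e['syscall']} succeeded={e['succeeded']}")
        if e["denied"]:
            print(f"  denied {e['denied']['perms']} on {e['denied']['tclass']} "
                  f"({e['denied']['target_type']}); enforced={e['enforced']}")
    print("domains seen for rsyslogd:", domains_seen(report, "rsyslogd"))
```

The useful output is the last line: if the same executable shows up in two different domains depending on how it was launched, the difference is the domain of the parent (the init script's domain versus an interactive shell's), not the binary's file context, and that is where to look before writing a local policy module.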