syslog-ng non-standard install generating AVC
Russell Coker
russell at coker.com.au
Tue Jan 4 09:38:57 UTC 2005
On Friday 31 December 2004 03:03, Steve Friedman <steve at adsi-m4.com> wrote:
> I recently installed FC3 on a machine (we had previously been using FC1),
> so this is my first exposure to selinux. Consequently, we are running
> the targeted policy in permissive mode. We use syslog-ng (rather than
> sysklogd) and have updated the syslog-ng.conf to monitor/log/distribute
> log events on a number of other ports beyond the standard syslog
> distribution.
>
> Among other things, we do the following in syslog-ng:
> - open non-standard UDP/TCP ports
> - open non-standard files
> - call non-standard routines
>
> As a complete newbie to selinux, I don't know whether it is
> easier/simpler/better/(or even how) to modify the syslog policy or the
> attributes of the executables/files/directories that it touches. I would
> appreciate some advice and guidance.
>
> AVC log events:
>
> Dec 27 04:02:17 gsi10 kernel: audit(1104138137.142:0): avc: denied { write } for pid=16201 exe=/sbin/syslog-ng name=kmsg dev=proc ino=-268435446 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file
> Dec 27 04:02:17 gsi10

If you remove klogd.te from the policy source then that access will be
allowed. I guess we could just assume that syslog-ng is being used if there
is no klogd.te and put the necessary rules for TCP access in the same
section.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
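
Added example, not part of the original post or of the SELinux policy sources: a small Python parser that reads AVC denials such as the one quoted above and prints the type-enforcement rule each one corresponds to, so the access can be reviewed before the policy is changed. The function names are hypothetical, and the sample input is constructed from the quoted log line, including its truncated trailing record.

```python
import re
from collections import defaultdict

# Constructed sample: the denial quoted in the post, plus the truncated record after it.
SAMPLE_LOG = (
    "Dec 27 04:02:17 gsi10 kernel: audit(1104138137.142:0): avc: denied { write } "
    "for pid=16201 exe=/sbin/syslog-ng name=kmsg dev=proc ino=-268435446 "
    "scontext=system_u:system_r:syslogd_t "
    "tcontext=system_u:object_r:proc_kmsg_t tclass=file\n"
    "Dec 27 04:02:17 gsi10\n"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return the denial's key=value fields plus 'perms', or None if not a complete denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # record was cut off before the contexts
    if any(fields[k].count(":") < 2 for k in ("scontext", "tcontext")):
        return None  # a context must be at least user:role:type
    fields["perms"] = m.group(1).split()
    return fields

def type_of(context):
    """A security context is user:role:type[:range]; rules are written on the type."""
    return context.split(":")[2]

def candidate_rules(log_text):
    """Merge denials by (source type, target type, class) and render one rule per group."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc:
            key = (type_of(avc["scontext"]), type_of(avc["tcontext"]), avc["tclass"])
            grouped[key].update(avc["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE_LOG)))
```

Each printed rule is a candidate to review against the policy source, not a change to apply blindly; for this denial the reply above points at klogd.te as the place where the access is decided.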