Questions about SELinux
Hi there,

is this the best place to raise questions about SELinux, or would I be
better trying chat? I am making a big effort to get to enforcing strict
on a simple server and I am struggling a little.

For example, I run Rsyslog and I have lots of AVCs concerning denied
sendto's to /dev/log. The target context is usually sysadm_t, which does
not seem right, and I also notice that Rsyslog is in the same context. I
would expect it to be in a context involving syslog somehow. I have
restarted the service from the sysadm_r role and it makes no difference.
Also, I do not get asked to authenticate when starting the service,
whereas other services require this, and, there is no entry for rsyslog
in rc-status display despite it being installed in the default runlevel.

Example AVCs:

type=AVC msg=audit(1478957011.808:1910): avc: denied { sendto } for
pid=6043 comm="smtp" path="/dev/log"
scontext=system_u:system_r:postfix_smtp_t
tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1

type=AVC msg=audit(1478953126.199:1909): avc: denied { sendto } for
pid=5949 comm="cleanup" path="/dev/log"
scontext=system_u:system_r:postfix_cleanup_t
tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1

type=AVC msg=audit(1478952507.872:1907): avc: denied { sendto } for
pid=3099 comm="krb5kdc" path="/dev/log"
scontext=system_u:system_r:krb5kdc_t tcontext=staff_u:sysadm_r:sysadm_t
tclass=unix_dgram_socket permissive=1


There does not appear to be any specific rsyslog selinux package so I
assume it should all be syslog-related and already in the core policy
(although I cannot find it there). I also note that Red Hat has a page
on setting up Rsyslog in SELinux so I feel fairly sure it should work.
It only tells you how to change the ports, however. I am using TCP on
port 514 but I don't think I need to do anything according to RH.

Have I missed something, done something fundamentally wrong, or just
need to add something to stop the AVCs? Not keen on blindly fixing
things so I want to know what I need to do and why before I do it.

Thanks in anticipation,
Robert Sharp
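As an added worked example (not part of the thread and not Robert's own tooling), the small Python parser below reads the three AVC records quoted above, counts denials by source type, target type, object class and permission, and explains what the target label means. For `unix_dgram_socket` the target context is the label of the receiving socket, which is inherited from the process that created it, not the label of the `/dev/log` path; a socket target carrying a login role such as `sysadm_r` therefore points at the listening daemon running in that login domain rather than a `system_r` daemon domain. The `system_r`/`object_r` heuristic is my assumption about how a daemon's socket is normally labelled.

```python
import re
from collections import Counter

# The three AVC records from the thread, each re-joined onto one line.
AVC_LINES = [
    'type=AVC msg=audit(1478957011.808:1910): avc: denied { sendto } for '
    'pid=6043 comm="smtp" path="/dev/log" scontext=system_u:system_r:postfix_smtp_t '
    'tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1',
    'type=AVC msg=audit(1478953126.199:1909): avc: denied { sendto } for '
    'pid=5949 comm="cleanup" path="/dev/log" scontext=system_u:system_r:postfix_cleanup_t '
    'tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1',
    'type=AVC msg=audit(1478952507.872:1907): avc: denied { sendto } for '
    'pid=3099 comm="krb5kdc" path="/dev/log" scontext=system_u:system_r:krb5kdc_t '
    'tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1',
]

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# For these classes the target label is the receiving socket's label, which is
# inherited from the process that created the socket, not the label of the path.
UNIX_SOCKET_CLASSES = {'unix_dgram_socket', 'unix_stream_socket'}


def split_context(ctx):
    """Split user:role:type[:range] into (user, role, type)."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError(f'not a security context: {ctx!r}')
    return parts[0], parts[1], parts[2]


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if the line is not one."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {'ts': float(m['ts']), 'serial': int(m['serial']),
           'result': m['result'], 'perms': m['perms'].split()}
    for key, value in KV_RE.findall(m['rest']):
        rec[key] = value.strip('"')
    return rec


def check_denial(rec):
    """Explain what a denial implies about the labels involved (heuristic, see lead-in)."""
    findings = []
    _, trole, ttype = split_context(rec['tcontext'])
    if rec['tclass'] in UNIX_SOCKET_CLASSES and trole not in ('system_r', 'object_r'):
        findings.append(
            f"{rec.get('path', '?')}: the receiving socket carries {rec['tcontext']}, "
            f"so the daemon listening on it runs in the login domain {ttype} "
            f"(role {trole}) instead of a system_r daemon domain")
    if rec.get('permissive') == '1':
        findings.append('logged in permissive mode; the same access is blocked once enforcing')
    return findings


def summarize(lines):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        _, _, stype = split_context(rec['scontext'])
        _, _, ttype = split_context(rec['tcontext'])
        for perm in rec['perms']:
            counts[(stype, ttype, rec['tclass'], perm)] += 1
    return counts


if __name__ == '__main__':
    for (stype, ttype, tclass, perm), n in sorted(summarize(AVC_LINES).items()):
        print(f'{n:3d}  {stype} -> {ttype}  {tclass}:{perm}')
    for line in AVC_LINES:
        for finding in check_denial(parse_avc(line)):
            print('  *', finding)
```

Running it over a real `/var/log/audit/audit.log` is a matter of replacing `AVC_LINES` with the file's lines; lines that are not AVC records are skipped. The summary groups the many per-process denials into a handful of distinct rules, which is what you want to look at before deciding whether a label is wrong (as here) or a policy rule is genuinely missing.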
Re: Questions about SELinux
Hello, Robert.

Do you have the package "app-admin/setools" installed? If so, you can run
"cat /var/log/audit/audit.log | audit2why" to get an explanation of why the
denials occur, with suggestions for fixing them.

Of course, if your system is logging AVC denials elsewhere, adjust the
command accordingly.

Care to give that a try and output a result or two from it?

HTH,
Brant

On Nov 12, 2016 11:45, "Robert Sharp" <selinux@sharp.homelinux.org> wrote:
Re: Questions about SELinux
On Sat, Nov 12, 2016 at 04:45:23PM +0000, Robert Sharp wrote:
> Hi there,
>
> is this the best place to raise questions about SELinux, or would I be
> better trying chat? I am making a big effort to get to enforcing strict
> on a simple server and I am struggling a little.

Here is good, there is also #gentoo-hardened on Freenode which may be
faster depending on the timezone.

> For example, I run Rsyslog and I have lots of AVCs concerning denied
> sendto's to /dev/log. The target context is usually sysadm_t, which does
> not seem right, and I also notice that Rsyslog is in the same context. I
> would expect it to be in a context involving syslog somehow. I have
> restarted the service from the sysadm_r role and it makes no difference.
> Also, I do not get asked to authenticate when starting the service,
> whereas other services require this, and, there is no entry for rsyslog
> in rc-status display despite it being installed in the default runlevel.
>
> Example AVCs:
>
> type=AVC msg=audit(1478957011.808:1910): avc: denied { sendto } for
> pid=6043 comm="smtp" path="/dev/log"
> scontext=system_u:system_r:postfix_smtp_t
> tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1
>
> type=AVC msg=audit(1478953126.199:1909): avc: denied { sendto } for
> pid=5949 comm="cleanup" path="/dev/log"
> scontext=system_u:system_r:postfix_cleanup_t
> tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1
>
> type=AVC msg=audit(1478952507.872:1907): avc: denied { sendto } for
> pid=3099 comm="krb5kdc" path="/dev/log"
> scontext=system_u:system_r:krb5kdc_t tcontext=staff_u:sysadm_r:sysadm_t
> tclass=unix_dgram_socket permissive=1

Yeah these are definitely wrong. Do you get the same output as me for
these commands?

# matchpathcon /dev/log
/dev/log system_u:object_r:devlog_t:s0
# ls -alZ /dev/log
srw-rw-rw-. 1 root root system_u:object_r:devlog_t:s0 0 Nov 6 01:03 /dev/log
# semodule -l | grep log
authlogin
locallogin
logging

Does 'restorecon -rFv /dev' reset the context? Also, what is the line
that 'ps auxfZ' says for rsyslog? It might be running in the wrong
context. If it is, I'll probably have to add an fcontext to the policy.

> There does not appear to be any specific rsyslog selinux package so I
> assume it should all be syslog-related and already in the core policy
> (although I cannot find it there). I also note that Red Hat has a page
> on setting up Rsyslog in SELinux so I feel fairly sure it should work.
> It only tells you how to change the ports, however. I am using TCP on
> port 514 but I don't think I need to do anything according to RH.

Red Hat stuff is quite different so doesn't always work on Gentoo.

> Have I missed something, done something fundamentally wrong, or just
> need to add something to stop the AVCs? Not keen on blindly fixing
> things so I want to know what I need to do and why before I do it.
>
> Thanks in anticipation,
> Robert Sharp

-- Jason
Re: Questions about SELinux
On Sat, Nov 12, 2016 at 10:45 AM, Robert Sharp
<selinux@sharp.homelinux.org> wrote:
>
> There does not appear to be any specific rsyslog selinux package so I assume
> it should all be syslog-related and already in the core policy (although I
> cannot find it there). I also note that Red Hat has a page on setting up
> Rsyslog in SELinux so I feel fairly sure it should work. It only tells you
> how to change the ports, however. I am using TCP on port 514 but I don't
> think I need to do anything according to RH.
>
> Have I missed something, done something fundamentally wrong, or just need to
> add something to stop the AVCs? Not keen on blindly fixing things so I want
> to know what I need to do and why before I do it.
>
> Thanks in anticipation,
> Robert Sharp

If there is no policy package installed and there is not one in the
tree, you are on your own until one is written. I would double check
to ensure one exists because: 1) To the best of my knowledge, there
are logging policies available, and 2) policy packages tend to be
missing from DEPENDS/RDEPENDS for things in the tree on SELinux
profiles.

As for where is best to ask, I would recommend #gentoo-hardened for
this type of question. If you have a very detailed question it is
likely you will get a better response on the mailing list though most
of the frequent/knowledgeable posters idle in the aforementioned IRC
channel.

The SELinux portion of the Gentoo Project's wiki has received a lot of
development by Swift(?). I would strongly recommend reading it. It
will show you the discrepancies between RedHat SELinux administration
and Gentoo SELinux administration (nothing is different except
everything).
Re: Questions about SELinux
On Sun, 13 Nov 2016 16:29:00 -0600
R0b0t1 <r030t1@gmail.com> wrote:

> If there is no policy package installed and there is not one in the
> tree, you are on your own until one is written. I would double check
> to ensure one exists because: 1) To the best of my knowledge, there
> are logging policies available, and 2) policy packages tend to be
> missing from DEPENDS/RDEPENDS for things in the tree on SELinux
> profiles.

There are several rsyslog-specific statements in the system/logging
policy module, which is included in our default policy ebuild
(sec-policy/selinux-base-policy). Thus, rsyslog should be supported by
default.

/dev/log being labeled sysadm_t is definitely a bug, though. I agree
with Jason that your rsyslog binary is probably mislabeled. Please
check the output of 'ps axZ|grep rsyslog', 'ls -lZ /usr/sbin/rsyslogd'
and 'restorecon -Fv /usr/sbin/rsyslogd'.

Regards,
Luis
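As an added worked example (my own code, not anything posted in the thread), the Python below automates the check Jason and Luis describe: compare the label on the rsyslogd binary and on the running rsyslogd process against what the policy expects, and print the fix. The expected types `syslogd_exec_t` for `/usr/sbin/rsyslogd` and `syslogd_t` for the running daemon are my assumption from the reference-policy logging module; the thread only says rsyslog is covered by that module. The `ls -lZ` and `ps axZ` output is constructed to reproduce the mislabelled state described above (`bin_t` on the binary is an invented value for the example).

```python
import os

# Expected labels; assumed from the reference-policy "logging" module, not stated in the thread.
EXPECTED_FILE_TYPES = {'/usr/sbin/rsyslogd': 'syslogd_exec_t'}
EXPECTED_PROCESS_TYPES = {'rsyslogd': 'syslogd_t'}

# Constructed sample output in the shape of 'ls -lZ /usr/sbin/rsyslogd' and
# 'ps axZ | grep rsyslog', reproducing the mislabelled state from the thread.
LS_OUTPUT = ['-rwxr-xr-x. 1 root root staff_u:object_r:bin_t 487336 Nov  6 01:03 /usr/sbin/rsyslogd']
PS_OUTPUT = ('LABEL                        PID TTY      STAT   TIME COMMAND\n'
             'staff_u:sysadm_r:sysadm_t   4211 ?        Ssl    0:02 /usr/sbin/rsyslogd -n\n')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError(f'not a security context: {ctx!r}')
    return parts[2]


def parse_ls_z(line):
    """Return (path, context) from one line of 'ls -lZ' output (paths without spaces)."""
    fields = line.split()
    context = next(f for f in fields if f.count(':') >= 2)
    return fields[-1], context


def parse_ps_z(text):
    """Return [(context, pid, command)] from 'ps axZ' output, skipping the header line."""
    rows = []
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6 or fields[0] == 'LABEL':
            continue
        rows.append((fields[0], int(fields[1]), fields[5]))
    return rows


def find_mismatches(ls_lines, ps_text):
    """Compare observed file and process types with the expected ones."""
    problems = []
    for line in ls_lines:
        path, ctx = parse_ls_z(line)
        want = EXPECTED_FILE_TYPES.get(path)
        actual = context_type(ctx)
        if want and actual != want:
            # restorecon -F resets the label from the file contexts, as Luis suggests.
            problems.append({'kind': 'file', 'name': path, 'actual': actual,
                             'expected': want, 'fix': f'restorecon -Fv {path}'})
    for ctx, pid, command in parse_ps_z(ps_text):
        name = os.path.basename(command.split()[0])
        want = EXPECTED_PROCESS_TYPES.get(name)
        actual = context_type(ctx)
        if want and actual != want:
            # A running process keeps its domain; it only transitions again on exec.
            problems.append({'kind': 'process', 'name': f'{name}[{pid}]', 'actual': actual,
                             'expected': want,
                             'fix': 'relabel the binary, then restart the service so it '
                                    'is re-executed and transitions into the daemon domain'})
    return problems


if __name__ == '__main__':
    for p in find_mismatches(LS_OUTPUT, PS_OUTPUT):
        print(f"{p['kind']} {p['name']}: {p['actual']} (expected {p['expected']}) -> {p['fix']}")
```

On a live system feed it the real output of `ls -lZ /usr/sbin/rsyslogd` and `ps axZ`; a correctly labelled host returns an empty list. The ordering matters in practice: fixing the file label alone leaves the already-running daemon in `sysadm_t`, so the AVCs from the thread keep appearing until rsyslog is restarted.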