On Sat, Nov 12, 2016 at 04:45:23PM +0000, Robert Sharp wrote:
> Hi there,
>
> is this the best place to raise questions about SELinux, or would I be
> better trying chat? I am making a big effort to get to enforcing strict
> on a simple server and I am struggling a little.
Here is good, there is also #gentoo-hardened on Freenode which may be
faster depending on the timezone.

> For example, I run Rsyslog and I have lots of AVCs concerning denied
> sendto's to /dev/log. The target context is usually sysadm_t, which does
> not seem right, and I also notice that Rsyslog is in the same context. I
> would expect it to be in a context involving syslog somehow. I have
> restarted the service from the sysadm_r role and it makes no difference.
> Also, I do not get asked to authenticate when starting the service,
> whereas other services require this, and, there is no entry for rsyslog
> in rc-status display despite it being installed in the default runlevel.
>
> Example AVCs:
>
> type=AVC msg=audit(1478957011.808:1910): avc: denied { sendto } for
> pid=6043 comm="smtp" path="/dev/log"
> scontext=system_u:system_r:postfix_smtp_t
> tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1
>
> type=AVC msg=audit(1478953126.199:1909): avc: denied { sendto } for
> pid=5949 comm="cleanup" path="/dev/log"
> scontext=system_u:system_r:postfix_cleanup_t
> tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1
>
> type=AVC msg=audit(1478952507.872:1907): avc: denied { sendto } for
> pid=3099 comm="krb5kdc" path="/dev/log"
> scontext=system_u:system_r:krb5kdc_t tcontext=staff_u:sysadm_r:sysadm_t
> tclass=unix_dgram_socket permissive=1

Yeah these are definitely wrong. Do you get the same output as me for
these commands?

# matchpathcon /dev/log
/dev/log	system_u:object_r:devlog_t:s0

# ls -alZ /dev/log
srw-rw-rw-. 1 root root system_u:object_r:devlog_t:s0 0 Nov  6 01:03 /dev/log

# semodule -l | grep log
authlogin
locallogin
logging

Does 'restorecon -rFv /dev' reset the context? Also, what is the line
that 'ps auxfZ' says for rsyslog? It might be running in the wrong
context. If it is, I'll probably have to add an fcontext to the policy.
> There does not appear to be any specific rsyslog selinux package so I
> assume it should all be syslog-related and already in the core policy
> (although I cannot find it there). I also note that Red Hat has a page
> on setting up Rsyslog in SELinux so I feel fairly sure it should work.
> It only tells you how to change the ports, however. I am using TCP on
> port 514 but I don't think I need to do anything according to RH.

Redhat stuff is quite different so doesn't always work on gentoo.

> Have I missed something, done something fundamentally wrong, or just
> need to add something to stop the AVCs? Not keen on blindly fixing
> things so I want to know what I need to do and why before I do it.
>
> Thanks in anticipation,
> Robert Sharp

--
Jason
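The AVCs quoted in the thread all have the same shape: a daemon in its own domain does a sendto to /dev/log and the denial names the *target* as staff_u:sysadm_r:sysadm_t. For a unix_dgram_socket the target context is the peer process that owns the receiving socket, not the file label of /dev/log (which matchpathcon shows as devlog_t), so a sysadm_t target means the logger itself is running in sysadm_t, which is the "wrong context" Jason suspects. The following script is an added example, not code from either poster or from the Gentoo hardened project: it parses the AVC records from the thread (embedded as constructed sample input, plus one constructed control line) and flags every /dev/log sendto whose target type is not the logger domain. The assumed expected domain, syslogd_t, is the refpolicy logging type; if your policy labels the logger differently, change EXPECTED_LOGGER_TYPE. The function names (ctx_type, avc_triage, avc_mismatch_count) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): triage unix_dgram_socket sendto
# denials against /dev/log and report which target domain actually owns
# the socket. Assumption: a correctly started logger runs as syslogd_t.

EXPECTED_LOGGER_TYPE=syslogd_t

# Constructed sample input: the three AVCs quoted in the thread, plus one
# constructed control record whose target is the expected logger domain.
SAMPLE_AVCS='type=AVC msg=audit(1478957011.808:1910): avc: denied { sendto } for pid=6043 comm="smtp" path="/dev/log" scontext=system_u:system_r:postfix_smtp_t tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1478953126.199:1909): avc: denied { sendto } for pid=5949 comm="cleanup" path="/dev/log" scontext=system_u:system_r:postfix_cleanup_t tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1478952507.872:1907): avc: denied { sendto } for pid=3099 comm="krb5kdc" path="/dev/log" scontext=system_u:system_r:krb5kdc_t tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1478952600.000:1908): avc: denied { sendto } for pid=3100 comm="sshd" path="/dev/log" scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket permissive=1'

# Type component of a context string user:role:type[:range].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read AVC records on stdin. For each unix_dgram_socket sendto whose path
# is /dev/log, print "<comm> <source type> -> <target type> <verdict>".
# The target type is the domain of the process holding the socket, so a
# mismatch means the logger was started in the wrong domain.
avc_triage() {
    while IFS= read -r line; do
        case "$line" in *'path="/dev/log"'*) ;; *) continue ;; esac
        case "$line" in *'tclass=unix_dgram_socket'*) ;; *) continue ;; esac
        comm=$(printf '%s\n' "$line" | sed -n 's/.*comm="\([^"]*\)".*/\1/p')
        sctx=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
        tctx=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
        stype=$(ctx_type "$sctx")
        ttype=$(ctx_type "$tctx")
        if [ "$ttype" = "$EXPECTED_LOGGER_TYPE" ]; then
            verdict=OK
        else
            verdict="MISMATCH (logger running as $ttype, expected $EXPECTED_LOGGER_TYPE)"
        fi
        printf '%s %s -> %s %s\n' "$comm" "$stype" "$ttype" "$verdict"
    done
}

# Number of mismatching records on stdin (prints 0 when there are none).
avc_mismatch_count() {
    avc_triage | grep -c MISMATCH
}

# Stand-alone run over the sample; on a real box feed it
# `ausearch -m avc --raw` or the relevant lines of /var/log/audit/audit.log.
printf '%s\n' "$SAMPLE_AVCS" | avc_triage
```

On the poster's system the three quoted records all report sysadm_t as the logger domain, which points at rsyslog having inherited the shell's context rather than transitioning to syslogd_t; that is the case Jason's `ps auxfZ` question is meant to confirm, and the usual fix is an fcontext for the rsyslogd binary so the init script's execution transitions correctly.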