RHEL-11174: SELinux prevents syslogd_t from executing systemd_systemctl_exec_t

    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Normal
    • rhel-9.4
    • rhel-9.2.0
    • selinux-policy
    • selinux-policy-38.1.30-1.el9
    • sst_security_selinux
    • ssg_security
    • QE ack, Dev ack

      SELinux policy defines a new type for scripts which can be executed from the rsyslog service and which can do almost anything (they are almost unconfined). The rsyslog service can execute a script with that label and the automatic SELinux transition happens.

    • Pass
    • Bug Fix

      SELinux policy allows `rsyslogd` to execute confined commands

      Previously, the SELinux policy was missing a rule to allow the `rsyslogd` daemon to execute SELinux-confined commands, such as `systemctl`. As a consequence, commands executed as an argument of the `omprog` directive failed. This update adds rules to the SELinux policy so that executables in the `/usr/libexec/rsyslog` directory that are run as an argument of `omprog` are in the `syslogd_unconfined_script_t` unconfined domain. As a result, commands executed as an argument of `omprog` finish successfully.

    • Done

      What were you trying to do that didn't work?

      Running a script using rsyslog's omprog module, I want to be able to send a HUP signal to the rsyslog service so that it does not clean up.

      Please provide the package NVR for which bug is seen:

      rsyslog-8.2102.0-113.el9_2.1.x86_64
      selinux-policy-38.1.11-2.el9_2.4.noarch

      Possibly even older versions as well; I did not try.

      How reproducible:

      100%

      Steps to reproduce

      1. Set up omprog to run a script which calls systemctl --signal=HUP kill rsyslog
      2. Let it be triggered by some message

      Expected results

      no AVC

      Actual results

      [0 root@sopos-rhel8-brq ~]# ausearch -m avc -ts recent
      ----
      time->Wed Sep 27 15:13:34 2023
      type=PROCTITLE msg=audit(1695820414.146:1410): proctitle=2F7573722F62696E2F73797374656D63746C002D2D7369676E616C3D485550006B696C6C00727379736C6F67
      type=PATH msg=audit(1695820414.146:1410): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=8519390 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
      type=PATH msg=audit(1695820414.146:1410): item=0 name="/usr/bin/systemctl" inode=301538 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:systemd_systemctl_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
      type=CWD msg=audit(1695820414.146:1410): cwd="/"
      type=EXECVE msg=audit(1695820414.146:1410): argc=4 a0="/usr/bin/systemctl" a1="--signal=HUP" a2="kill" a3="rsyslog"
      type=BPRM_FCAPS msg=audit(1695820414.146:1410): fver=0 fp=0 fi=0 fe=0 old_pp=000001fffffeffff old_pi=0 old_pe=000001fffffeffff old_pa=0 pp=000001fffffeffff pi=0 pe=000001fffffeffff pa=0 frootid=0
      type=SYSCALL msg=audit(1695820414.146:1410): arch=c000003e syscall=59 success=yes exit=0 a0=55d1dee86950 a1=55d1dee84650 a2=55d1dee81e90 a3=1b6 items=2 ppid=160570 pid=160581 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemctl" exe="/usr/bin/systemctl" subj=system_u:system_r:syslogd_t:s0 key=(null)
      type=AVC msg=audit(1695820414.146:1410): avc:  denied  { execute_no_trans } for  pid=160581 comm="log_rotate.sh" path="/usr/bin/systemctl" dev="dm-0" ino=301538 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
      type=AVC msg=audit(1695820414.146:1410): avc:  denied  { read open } for  pid=160581 comm="log_rotate.sh" path="/usr/bin/systemctl" dev="dm-0" ino=301538 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
      type=AVC msg=audit(1695820414.146:1410): avc:  denied  { execute } for  pid=160581 comm="log_rotate.sh" name="systemctl" dev="dm-0" ino=301538 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
      ----
      time->Wed Sep 27 15:13:45 2023
      type=PROCTITLE msg=audit(1695820425.306:1413): proctitle=2F7573722F62696E2F73797374656D63746C002D2D7369676E616C3D485550006B696C6C00727379736C6F67
      type=PATH msg=audit(1695820425.306:1413): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=8519390 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
      type=PATH msg=audit(1695820425.306:1413): item=0 name="/usr/bin/systemctl" inode=301538 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:systemd_systemctl_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
      type=CWD msg=audit(1695820425.306:1413): cwd="/"
      type=EXECVE msg=audit(1695820425.306:1413): argc=4 a0="/usr/bin/systemctl" a1="--signal=HUP" a2="kill" a3="rsyslog"
      type=BPRM_FCAPS msg=audit(1695820425.306:1413): fver=0 fp=0 fi=0 fe=0 old_pp=000001fffffeffff old_pi=0 old_pe=000001fffffeffff old_pa=0 pp=000001fffffeffff pi=0 pe=000001fffffeffff pa=0 frootid=0
      type=SYSCALL msg=audit(1695820425.306:1413): arch=c000003e syscall=59 success=yes exit=0 a0=55f2c7153950 a1=55f2c7151650 a2=55f2c714ee90 a3=1b6 items=2 ppid=161650 pid=161661 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemctl" exe="/usr/bin/systemctl" subj=system_u:system_r:syslogd_t:s0 key=(null)
      type=AVC msg=audit(1695820425.306:1413): avc:  denied  { execute_no_trans } for  pid=161661 comm="log_rotate.sh" path="/usr/bin/systemctl" dev="dm-0" ino=301538 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
      type=AVC msg=audit(1695820425.306:1413): avc:  denied  { read open } for  pid=161661 comm="log_rotate.sh" path="/usr/bin/systemctl" dev="dm-0" ino=301538 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
      type=AVC msg=audit(1695820425.306:1413): avc:  denied  { execute } for  pid=161661 comm="log_rotate.sh" name="systemctl" dev="dm-0" ino=301538 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
      [0 root@sopos-rhel8-brq ~]# ausearch -m avc -ts recent  | audit2allow 
      
      
      #============= syslogd_t ==============
      allow syslogd_t systemd_systemctl_exec_t:file { execute execute_no_trans open read };
      

      Additional info

      In enforcing mode I also saw the getattr permission triggered:

      [0 root@sopos-rhel8-brq ~]# ausearch -m avc -ts recent
      ----
      time->Wed Sep 27 15:03:30 2023
      type=PROCTITLE msg=audit(1695819810.490:1170): proctitle=2F62696E2F62617368002F7573722F6C6F63616C2F62696E2F6C6F675F726F746174652E7368
      type=PATH msg=audit(1695819810.490:1170): item=0 name="/usr/bin/systemctl" inode=301538 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:systemd_systemctl_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
      type=CWD msg=audit(1695819810.490:1170): cwd="/"
      type=SYSCALL msg=audit(1695819810.490:1170): arch=c000003e syscall=59 success=no exit=-13 a0=55cd5e6e9950 a1=55cd5e6e7650 a2=55cd5e6e4e90 a3=1b6 items=1 ppid=146336 pid=146348 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="log_rotate.sh" exe="/usr/bin/bash" subj=system_u:system_r:syslogd_t:s0 key=(null)
      type=AVC msg=audit(1695819810.490:1170): avc:  denied  { execute } for  pid=146348 comm="log_rotate.sh" name="systemctl" dev="dm-0" ino=301538 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=0
      ----
      time->Wed Sep 27 15:03:30 2023
      type=PROCTITLE msg=audit(1695819810.490:1171): proctitle=2F62696E2F62617368002F7573722F6C6F63616C2F62696E2F6C6F675F726F746174652E7368
      type=PATH msg=audit(1695819810.490:1171): item=0 name="/usr/bin/systemctl" inode=301538 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:systemd_systemctl_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
      type=CWD msg=audit(1695819810.490:1171): cwd="/"
      type=SYSCALL msg=audit(1695819810.490:1171): arch=c000003e syscall=4 success=no exit=-13 a0=55cd5e6e9950 a1=7ffe041a3f70 a2=7ffe041a3f70 a3=1b6 items=1 ppid=146336 pid=146348 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="log_rotate.sh" exe="/usr/bin/bash" subj=system_u:system_r:syslogd_t:s0 key=(null)
      type=AVC msg=audit(1695819810.490:1171): avc:  denied  { getattr } for  pid=146348 comm="log_rotate.sh" path="/usr/bin/systemctl" dev="dm-0" ino=301538 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=0
      ----
      time->Wed Sep 27 15:03:30 2023
      type=PROCTITLE msg=audit(1695819810.490:1172): proctitle=2F62696E2F62617368002F7573722F6C6F63616C2F62696E2F6C6F675F726F746174652E7368
      type=PATH msg=audit(1695819810.490:1172): item=0 name="/usr/bin/systemctl" inode=301538 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:systemd_systemctl_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
      type=CWD msg=audit(1695819810.490:1172): cwd="/"
      type=SYSCALL msg=audit(1695819810.490:1172): arch=c000003e syscall=4 success=no exit=-13 a0=55cd5e6e9950 a1=7ffe041a3f50 a2=7ffe041a3f50 a3=1b6 items=1 ppid=146336 pid=146348 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="log_rotate.sh" exe="/usr/bin/bash" subj=system_u:system_r:syslogd_t:s0 key=(null)
      type=AVC msg=audit(1695819810.490:1172): avc:  denied  { getattr } for  pid=146348 comm="log_rotate.sh" path="/usr/bin/systemctl" dev="dm-0" ino=301538 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=0
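
Triage of the denials quoted above, as an added example that is not part of this report: a small Python parser that decodes the hex-encoded PROCTITLE argv and aggregates the denied permissions per source domain, target type and object class, reproducing the audit2allow rule shown earlier. The audit sample is constructed from the report's own records with unrelated fields trimmed.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the ausearch output quoted in this
# report: one PROCTITLE record and the three AVC records of event 1410.
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(1695820414.146:1410): proctitle=2F7573722F62696E2F73797374656D63746C002D2D7369676E616C3D485550006B696C6C00727379736C6F67
type=AVC msg=audit(1695820414.146:1410): avc:  denied  { execute_no_trans } for  pid=160581 comm="log_rotate.sh" path="/usr/bin/systemctl" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1695820414.146:1410): avc:  denied  { read open } for  pid=160581 comm="log_rotate.sh" path="/usr/bin/systemctl" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1695820414.146:1410): avc:  denied  { execute } for  pid=160581 comm="log_rotate.sh" name="systemctl" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
"""

# Contexts are user:role:type:level; only the type field matters for a rule.
AVC_RE = re.compile(
    r"type=AVC .*?denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=\w+:\w+:(?P<sdom>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+ "
    r"tclass=(?P<tclass>\w+)(?: permissive=(?P<perm>[01]))?"
)
PROCTITLE_RE = re.compile(r"type=PROCTITLE .*?proctitle=(?P<hex>[0-9A-Fa-f]+)")


def decode_proctitle(hex_argv):
    """PROCTITLE carries argv hex-encoded with NUL separators; return argv."""
    return bytes.fromhex(hex_argv).decode().split("\x00")


def summarize_denials(text):
    """Group denied permissions per (source domain, target type, class), the
    aggregation audit2allow performs, and record whether the events were
    logged in permissive mode (permissive=1 means nothing was blocked)."""
    rules = defaultdict(set)
    permissive = set()
    for m in AVC_RE.finditer(text):
        rules[(m["sdom"], m["ttype"], m["tclass"])].update(m["perms"].split())
        if m["perm"] is not None:
            permissive.add(m["perm"] == "1")
    return {k: sorted(v) for k, v in rules.items()}, permissive


def to_allow_rules(rules):
    """Render the aggregated denials as TE allow rules."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(rules.items())]


if __name__ == "__main__":
    for m in PROCTITLE_RE.finditer(SAMPLE_AUDIT):
        print("argv:", decode_proctitle(m["hex"]))
    rules, permissive = summarize_denials(SAMPLE_AUDIT)
    print("\n".join(to_allow_rules(rules)), "permissive:", permissive)
```

The aggregated rule grants syslogd_t execute_no_trans on systemctl, that is, running it inside the syslogd_t domain itself; the shipped fix instead keeps rsyslog confined and runs omprog-launched executables from /usr/libexec/rsyslog in the separate syslogd_unconfined_script_t domain.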
      

            Zdenek Pytela (rhn-support-zpytela), Dalibor Pospíšil (dapospis@redhat.com), Milos Malik, Jan Fiala