• Bug
    • Resolution: Done-Errata
    • Undefined
    • rhel-9.4
    • rhel-9.2.0
    • rsyslog
    • rsyslog-8.2310.0-3.el9
    • None
    • Moderate
    • rhel-sst-security-special-projects
    • ssg_security
    • None
    • QE ack, Dev ack
    • False
    • Yes
    • None
    • Bug Fix
    •
      .Rsyslog can execute privileged commands through `omprog`

      Previously, the `omprog` module of Rsyslog could not execute certain external programs, especially programs that contain privileged commands. As a consequence, the use of scripts that involve privileged commands through `omprog` was restricted. With this update, the SELinux policy was adjusted. Place your scripts into the `/usr/libexec/rsyslog` directory to ensure compatibility with the adjusted SELinux policy. As a result, Rsyslog now can execute scripts, including those with privileged commands, through the `omprog` module.
    • Done
    • None

      Hi:
      We have an rsyslog omprog script which is working fine under RHEL 7/8. We tried it under RHEL 9.2/9.3 stream but it failed to load. We tried to figure out why and found omprog is sensitive about script owner/permissions. My example rsyslog files are below:

      ============
      >cat /etc/rsyslog.d/example.conf
      module(load="omprog")
      *.* action(type="omprog" binary="/usr/bin/a.sh")

      >cat /usr/bin/a.sh
      #!/usr/bin/bash
      while true; do
          sleep 1
      done

      >ls -la /usr/bin/a.sh
      -rwx------ 1 bin bin 45 Aug 26 23:36 /usr/bin/a.sh
      ============

      The rsyslog error messages are below:

      Aug 26 23:40:39 test.example.com rsyslogd[1691]: child process (pid 1695) exited with status 126 [v8.2102.0-117.el9]
      Aug 26 23:40:39 test.example.com rsyslogd[1691]: omprog: program '/usr/bin/a.sh' (pid 1695) terminated; will be restarted [v8.2102.0-117.el9 try https://www.rsyslog.com/e/2119 ]
      Aug 26 23:40:39 test.example.com rsyslogd[1691]: action 'action-0-omprog' suspended (module 'omprog'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2102.0-117.el9 try https://www.rsyslog.com/e/2007 ]
      Aug 26 23:40:40 test.example.com postfix/smtpd[1707]: disconnect from unknown[95.214.26.184] ehlo=1 auth=0/1 quit=1 commands=2/3
      Aug 26 23:40:40 test.example.com rsyslogd[1691]: action 'action-0-omprog' resumed (module 'omprog') [v8.2102.0-117.el9 try https://www.rsyslog.com/e/2359 ]

      The workaround is easy. If we "chown root.root a.sh" or "chmod 755 a.sh" then rsyslog is happy loading the script. We have tried rsyslog versions "8.2102.0-113" and "8.2102.0-117" (comes from stream) under RHEL 9.2.
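      The reporter's description above and the release note at the top of the issue come down to one operational rule: omprog executes the handler as the rsyslog daemon's user (root in the reproducer), so the handler must be owned by root, executable, not writable by anyone else and, with the fixed package, installed under /usr/libexec/rsyslog so the adjusted SELinux policy applies to it. The script below is an added example, not code from this issue or from the rsyslog project: it pulls every binary="..." path out of a set of rsyslog config files and checks those properties for each one before the config is deployed. It assumes GNU coreutils stat (Linux); OMPROG_DIR and OMPROG_OWNER_UID are hypothetical environment overrides so the checks can be exercised on a non-root account.

```shell
#!/bin/sh
# Added example (not from RHEL-5196 or the rsyslog project): sanity-check omprog
# handler scripts before deploying an rsyslog config that references them.
# Assumes GNU coreutils `stat` (Linux). OMPROG_DIR / OMPROG_OWNER_UID are
# hypothetical overrides so the checks can be exercised as a non-root user.

# check_omprog_script PATH
# Prints one line per problem and returns 1; prints nothing and returns 0 when
# the handler is safe for omprog to execute as the daemon's user.
check_omprog_script() {
    s_path=$1
    s_dir=${OMPROG_DIR:-/usr/libexec/rsyslog}   # directory the release note requires
    s_want_uid=${OMPROG_OWNER_UID:-0}           # root by default
    s_bad=0

    if [ ! -f "$s_path" ]; then
        echo "$s_path: not a regular file"
        return 1
    fi

    # owner uid and octal mode of the handler (stat follows symlinks, as exec does)
    set -- $(stat -c '%u %a' "$s_path")
    s_uid=$1
    s_mode=$2
    s_perm=$(( 0$s_mode & 0777 ))            # drop setuid/setgid/sticky bits

    if [ "$s_uid" -ne "$s_want_uid" ]; then
        echo "$s_path: owned by uid $s_uid, expected uid $s_want_uid"
        s_bad=1
    fi
    if [ $(( s_perm & 0100 )) -eq 0 ]; then
        # the reporter's first failure mode: exec fails and the child exits 126
        echo "$s_path: owner has no execute bit (mode $s_mode)"
        s_bad=1
    fi
    if [ $(( s_perm & 0022 )) -ne 0 ]; then
        # anyone who can write the handler can run code as the daemon's user
        echo "$s_path: writable by group or others (mode $s_mode)"
        s_bad=1
    fi
    case $s_path in
        "$s_dir"/*) ;;
        *) echo "$s_path: not under $s_dir; the adjusted SELinux policy may deny it"
           s_bad=1 ;;
    esac
    return $s_bad
}

# omprog_binaries CONF...
# Lists every binary="..." value found in the given rsyslog config files.
omprog_binaries() {
    grep -hoE 'binary="[^"]*"' "$@" | sed -e 's/^binary="//' -e 's/"$//'
}

# check_rsyslog_conf CONF...
# Runs check_omprog_script on each referenced handler; returns 1 if any fails.
check_rsyslog_conf() {
    c_rc=0
    while IFS= read -r c_bin; do
        [ -n "$c_bin" ] || continue
        check_omprog_script "$c_bin" || c_rc=1
    done <<EOF
$(omprog_binaries "$@")
EOF
    return $c_rc
}

# Usage: check_rsyslog_conf /etc/rsyslog.conf /etc/rsyslog.d/*.conf
if [ "$#" -gt 0 ]; then
    check_rsyslog_conf "$@" && echo "omprog handlers OK"
fi
```

      The execute-bit and ownership checks correspond to the two workarounds the reporter found (chmod 755 or chown root); the writability check is the part a reviewer adds because a world-writable omprog handler is a direct path to code execution as the daemon's user.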

            [RHEL-5196] rsyslog omprog failed under some file permissions

            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (rsyslog bug fix and enhancement update), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHBA-2024:2206


            Attila Lakatos added a comment -

            Hi jafiala@redhat.com, the RN text is accurate, thanks.

            Jan Fiala added a comment -

            Hi rh-ee-alakatos, please check the RN text for accuracy. Thanks for the great draft!


            Gabriela Fialova added a comment -

            This ticket has been added into the tickets.yaml file for RHEL 9.4 Beta Release Notes.

            pm-rhel added a comment -

            Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.


            tbskyd@gmail.com added a comment -

            Hi:
            The new rpm is working fine. I don't have SELinux enabled (selinux=0 as boot parameter).
            It works under the testing environment and our original script also works fine.
            Thanks again for your kind help!


            Attila Lakatos (Inactive) added a comment -

            I accidentally did not backport the entire patch from the upstream PR. Now it should be fixed. Please try again with:
            https://kojihub.stream.centos.org/koji/taskinfo?taskID=2837242

            Let me know if you have SELinux enabled. If yes, are there any AVCs?

            tbskyd@gmail.com added a comment -

            Hi:
            OK. The testing environment is RHEL 9.2 under rsyslog >= 8.2102.0-107 with the files below:

            =========
            >cat /etc/rsyslog.d/example.conf
            module(load="omprog")
            *.* action(type="omprog" binary="/usr/bin/a.sh" output="/tmp/result.log")

            >cat /usr/bin/a.sh
            #!/bin/bash
            whoami
            whoami >/tmp/test/me
            while true; do
                sleep 1
            done

            >ls -la /usr/bin/a.sh
            -rwx------ 1 root root 68 Sep 6 00:24 /usr/bin/a.sh

            >rm -f /tmp/result.log; rm -rf /tmp/test; mkdir /tmp/test; chmod 700 /tmp/test; chown bin.bin /tmp/test; systemctl restart rsyslog

            >cat /tmp/result.log
            root
            /usr/bin/a.sh: line 3: /tmp/test/me: Permission denied

            >cat /tmp/test/me
            cat: /tmp/test/me: No such file or directory
            =========

            When the script works correctly under 8.2102.0-105:
            >cat /tmp/result.log
            root

            >cat /tmp/test/me
            root


            Attila Lakatos (Inactive) added a comment -

            May I ask you to post your reproducer again? Just to be sure. Thanks.

            tbskyd@gmail.com added a comment -

            Hi:
            Unfortunately the new build didn't work for me. The result is the same as with the previous 8.2102.0-111 and 8.2102.0-117. I tried several times to make sure. Then I downgraded to 8.2102.0-105 to make sure the testing script works again.

            I was using this rpm: https://kojihub.stream.centos.org/kojifiles/work/tasks/3067/2813067/rsyslog-8.2102.0-117.el9.TESTINGONLY.x86_64.rpm

            Thanks for your kind help!


              Attila Lakatos (rh-ee-alakatos)
              RH Bugzilla Integration (jira-bugzilla-migration)
              Attila Lakatos
              Jiri Jaburek
              Jan Fiala