RHEL-5196

rsyslog omprog failed under some file permissions

    • Bug
    • Resolution: Done-Errata
    • Undefined
    • rhel-9.4
    • rhel-9.2.0
    • rsyslog
    • rsyslog-8.2310.0-3.el9
    • Normal
    • sst_security_special_projects
    • ssg_security
    • None
    • QE ack, Dev ack
    • False
    • Yes
    • Bug Fix
    • .Rsyslog can execute privileged commands through `omprog`

      Previously, the `omprog` module of Rsyslog could not execute certain external programs, especially programs that contain privileged commands. As a consequence, the use of scripts that involve privileged commands through `omprog` was restricted. With this update, the SELinux policy was adjusted. Place your scripts into the `/usr/libexec/rsyslog` directory to ensure compatibility with the adjusted SELinux policy. As a result, Rsyslog now can execute scripts, including those with privileged commands, through the `omprog` module.
    • Done
    • None

      Hi,
      We have a rsyslog omprog script which is working fine under RHEL7/8. We tried it under RHEL 9.2/9.3 stream, but it failed to load. We tried to figure out why and found that omprog is sensitive about script owner/permissions. My example rsyslog files are below:

      ============
      >cat /etc/rsyslog.d/example.conf
      module(load="omprog")
      *.* action(type="omprog" binary="/usr/bin/a.sh")

      >cat /usr/bin/a.sh
      #!/usr/bin/bash
      while true;do
      sleep 1
      done

      >ls -la /usr/bin/a.sh
      -rwx------ 1 bin bin 45 Aug 26 23:36 /usr/bin/a.sh
      ============

      The rsyslog error messages are below:

      Aug 26 23:40:39 test.example.com rsyslogd[1691]: child process (pid 1695) exited with status 126 [v8.2102.0-117.el9]
      Aug 26 23:40:39 test.example.com rsyslogd[1691]: omprog: program '/usr/bin/a.sh' (pid 1695) terminated; will be restarted [v8.2102.0-117.el9 try https://www.rsyslog.com/e/2119 ]
      Aug 26 23:40:39 test.example.com rsyslogd[1691]: action 'action-0-omprog' suspended (module 'omprog'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2102.0-117.el9 try https://www.rsyslog.com/e/2007 ]
      Aug 26 23:40:40 test.example.com postfix/smtpd[1707]: disconnect from unknown[95.214.26.184] ehlo=1 auth=0/1 quit=1 commands=2/3
      Aug 26 23:40:40 test.example.com rsyslogd[1691]: action 'action-0-omprog' resumed (module 'omprog') [v8.2102.0-117.el9 try https://www.rsyslog.com/e/2359 ]

      The workaround is easy. If we "chown root.root a.sh" or "chmod 755 a.sh", then rsyslog is happy loading the script. We have tried rsyslog versions "8.2102.0-113" and "8.2102.0-117" (comes from stream) under RHEL 9.2.
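
A pre-flight check for omprog binaries, added here as an example (not code from the report or from rsyslog): it generalizes the two workarounds above into a mode-bit test and flags binaries outside the `/usr/libexec/rsyslog` directory named in the release note. The function names are hypothetical, and it assumes rsyslogd is evaluated as uid 0 / gid 0 using plain owner/group/other bits, with no capability override and no supplementary groups.

```shell
#!/bin/sh
# Added example: pre-flight check for programs started by rsyslog's omprog.
POLICY_DIR=/usr/libexec/rsyslog   # directory named in the release note

# Print the program path of every omprog action in config file $1.
omprog_binaries() {
    grep 'type="omprog"' "$1" |
        sed -n 's/.*binary="\([^" ]*\).*/\1/p'
}

# Return 0 if uid $2 / gid $3 is granted execute on file $1 by its mode bits
# alone. Assumption: no capability override and no supplementary groups.
exec_by_mode_bits() {
    owner=$(stat -c %u "$1") || return 2
    group=$(stat -c %g "$1")
    mode=$((0$(stat -c %a "$1")))          # leading 0: parse as octal
    if [ "$owner" -eq "$2" ]; then bit=$((mode & 0100))
    elif [ "$group" -eq "$3" ]; then bit=$((mode & 0010))
    else bit=$((mode & 0001)); fi
    [ "$bit" -ne 0 ]
}

# Return 0 if path $1 lies inside POLICY_DIR.
in_policy_dir() {
    case $1 in "$POLICY_DIR"/*) return 0 ;; *) return 1 ;; esac
}

# Report every omprog binary in config $1 as seen by uid $2 / gid $3;
# the return status is the number of findings.
check_omprog_config() {
    findings=0
    for bin in $(omprog_binaries "$1"); do
        if ! exec_by_mode_bits "$bin" "$2" "$3"; then
            echo "FAIL $bin: no execute bit for uid $2 ($(stat -c '%U:%G %a' "$bin" 2>/dev/null))"
            findings=$((findings + 1))
        fi
        if ! in_policy_dir "$bin"; then
            echo "WARN $bin: outside $POLICY_DIR"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Usage on a host: check_omprog_config /etc/rsyslog.d/example.conf 0 0
```

The check covers ownership, mode and location only; it does not inspect SELinux labels or policy.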

            rh-ee-alakatos Attila Lakatos
            jira-bugzilla-migration RH Bugzilla Integration
            Attila Lakatos Attila Lakatos
            Jiri Jaburek Jiri Jaburek
            Jan Fiala Jan Fiala