Bug 488718 - app-admin/syslog-ng-3.4.3[caps] and selinux-2.20130424-r3: missing cap rules
Summary: app-admin/syslog-ng-3.4.3[caps] and selinux-2.20130424-r3: missing cap rules
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard: sec-policy r4
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-20 12:27 UTC by Vincent Brillault
Modified: 2014-01-12 20:53 UTC

See Also:
Package list:
Runtime testing required: ---


Description Vincent Brillault 2013-10-20 12:27:51 UTC
syslog-ng does not have the right to call setcap/getcap, but it should.

Initial error:
'''
root@lerya /home/feandil # run_init /etc/init.d/syslog-ng restart
Authenticating feandil.
Password:
 * Stopping syslog-ng ... [ ok ]
 * Checking your configfile (/etc/syslog-ng/syslog-ng.conf) ...
syslog-ng: Error setting capabilities, capability management disabled; error='Permission denied' [ ok ]
 * Starting syslog-ng ...
syslog-ng: Error setting capabilities, capability management disabled; error='Permission denied' [ ok ]
'''

[1960492.378440] type=1400 audit(1382271725.961:442895): avc:  denied  { setcap } for  pid=20165 comm="syslog-ng" ipaddr=109.190.145.114 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=process


After giving it the setcap rights:
'''
root@lerya /home/feandil # run_init /etc/init.d/syslog-ng restart
Authenticating feandil.
Password:
 * Stopping syslog-ng ... [ ok ]
 * Checking your configfile (/etc/syslog-ng/syslog-ng.conf) ... [ ok ]
 * Starting syslog-ng ...
Error managing capability set, cap_set_proc returned an error;
Error managing capability set, cap_set_proc returned an error;
Error managing capability set, cap_set_proc returned an error;
Error managing capability set, cap_set_proc returned an error;  [ ok ]
'''

The following avc appears 8 times:
[1960667.928447] type=1400 audit(1382271901.375:442901): avc:  denied  { getcap } for  pid=20260 comm="syslog-ng" ipaddr=109.190.145.114 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=process

Adding getcap fixes the issue:
'allow syslogd_t self:process { setcap getcap };'

'''
root@lerya /home/feandil # run_init /etc/init.d/syslog-ng restart
Authenticating feandil.
Password:
 * Stopping syslog-ng ... [ ok ]
 * Checking your configfile (/etc/syslog-ng/syslog-ng.conf) ... [ ok ]
 * Starting syslog-ng ... [ ok ]
'''
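As an added example (not part of the bug report or of Gentoo's policy), the shell function below does the same reduction the reporter did by hand: it reads AVC denial lines like the two quoted above from stdin and collapses them into one allow rule per source type, target type and class, merging the denied permissions. The sample input is a constructed copy of the report's two audit lines with the ipaddr field dropped.

```sh
#!/bin/sh
# Constructed sample input: the two AVC denials quoted in the report,
# with the ipaddr field removed. Not live audit output.
AVC_SAMPLE='type=1400 audit(1382271725.961:442895): avc:  denied  { setcap } for  pid=20165 comm="syslog-ng" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=process
type=1400 audit(1382271901.375:442901): avc:  denied  { getcap } for  pid=20260 comm="syslog-ng" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=process'

# avc_to_allow: read AVC "denied" lines on stdin, print one allow rule per
# (source type, target type, class) with all denied permissions merged.
avc_to_allow() {
    awk '
    /avc: +denied +[{]/ {
        # The permission list sits between "{" and "}".
        perms = $0
        sub(/.*denied +[{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { src = substr($i, 10) }
            if ($i ~ /^tcontext=/) { tgt = substr($i, 10) }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        # Only the type (third colon-separated field of the context) matters.
        split(src, s, ":"); split(tgt, t, ":")
        key = s[3] SUBSEP t[3] SUBSEP cls
        if (!(key in perms_of)) { keys[++nkeys] = key; perms_of[key] = "" }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            # Deduplicate permissions already collected for this key.
            if (index(" " perms_of[key] " ", " " p[j] " ") == 0)
                perms_of[key] = (perms_of[key] == "" ? p[j] : perms_of[key] " " p[j])
        }
    }
    END {
        for (k = 1; k <= nkeys; k++) {
            split(keys[k], f, SUBSEP)
            target = (f[1] == f[2]) ? "self" : f[2]
            printf "allow %s %s:%s { %s };\n", f[1], target, f[3], perms_of[keys[k]]
        }
    }'
}

# Running the report's two denials through it yields the rule the reporter added.
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
```

A rule generated this way is a starting point for review against the reference policy (which is what the maintainer committed), not something to drop into a local module unread.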
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2013-10-21 18:45:34 UTC
Thanks, great report. Committed to repo, will be in rev4
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2013-12-16 14:48:01 UTC
r4 is in the tree
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2014-01-12 20:53:55 UTC
r4 is now stable in the tree