
Bug 377331

Summary: selinux policy for the bashlogger use flag
Product: Gentoo Linux
Reporter: Matthew Thode ( prometheanfire ) <prometheanfire>
Component: Hardened
Assignee: Sven Vermeulen (RETIRED) <swift>
Status: VERIFIED FIXED
Severity: normal
CC: prometheanfire, selinux
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2011-08-01 21:08:40 UTC
bashlogger logs all bash to /dev/log

This is currently being denied and probably should not be.

Reproducible: Always




type=AVC msg=audit(1312230850.360:60): avc:  denied  { write } for  pid=2096 comm="bash" name="log" dev=tmpfs ino=1643 scontext=root:staff_r:staff_t tcontext=system_u:object_r:devlog_t tclass=sock_file
type=SYSCALL msg=audit(1312230850.360:60): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=6e3bc307a120 a2=6e a3=0 items=0 ppid=2091 pid=2096 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/bin/bash" subj=root:staff_r:staff_t key=(null)
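
Added example, not part of the original report: Python that pairs the AVC and SYSCALL records above by event id and reads off what was denied, which syscall failed and with which errno, plus the raw allow rule matching that single denial. The function names and the one-entry syscall table are assumptions made for illustration.

```python
import errno
import re
# The two records from the report above; they share event id 1312230850.360:60.
RECORDS = [
    'type=AVC msg=audit(1312230850.360:60): avc:  denied  { write } for  pid=2096 comm="bash" name="log" dev=tmpfs ino=1643 scontext=root:staff_r:staff_t tcontext=system_u:object_r:devlog_t tclass=sock_file',
    'type=SYSCALL msg=audit(1312230850.360:60): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=6e3bc307a120 a2=6e a3=0 items=0 ppid=2091 pid=2096 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/bin/bash" subj=root:staff_r:staff_t key=(null)',
]
EVENT_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):")
AVC_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Partial x86_64 (arch=c000003e) syscall table: only the entry this report needs.
X86_64_SYSCALLS = {42: "connect"}

def parse_events(lines):
    """Group audit records by event id, keyed by record type."""
    events = {}
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        rtype, event_id = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line[m.end():])}
        if rtype == "AVC":
            perms = AVC_RE.search(line)
            fields["perms"] = perms.group(1).split() if perms else []
        events.setdefault(event_id, {})[rtype] = fields
    return events

def describe(event):
    """Summarise one denial and build the raw allow rule that matches it."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    src = avc["scontext"].split(":")[2]  # user:role:type[:level]
    tgt = avc["tcontext"].split(":")[2]
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    exit_code = int(sc.get("exit", 0))
    name = None
    if sc.get("arch") == "c000003e":
        name = X86_64_SYSCALLS.get(int(sc["syscall"]))
    return {
        "source": src, "target": tgt, "class": avc["tclass"], "syscall": name,
        "errno": errno.errorcode.get(-exit_code) if exit_code < 0 else None,
        "rule": f"allow {src} {tgt}:{avc['tclass']} {perm_str};",
    }

if __name__ == "__main__":
    for event_id, event in parse_events(RECORDS).items():
        print(event_id, describe(event))
```
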
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2011-08-14 13:38:33 UTC
Will be part of base policy r2.
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2011-08-19 20:52:26 UTC
in hardened-dev overlay
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2011-09-03 14:26:12 UTC
I'm going to pull this one again - upstream does not accept this rule.

I'll keep the bug open since I want to explain to users how they can make small adjustments to the policy themselves in a more manageable way (rather than audit2allow everything and having a gazillion fix modules running).
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2011-09-04 12:25:47 UTC
So I don't forget...

"""
logging_send_syslog_msg(sysadm_t)
"""
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2011-09-17 12:17:59 UTC
Documentation is now available:

http://www.gentoo.org/proj/en/hardened/selinux-faq.xml#localpolicy