
Bug 488718

Summary: app-admin/syslog-ng-3.4.3[caps] and selinux-2.20130424-r3: missing cap rules
Product: Gentoo Linux
Reporter: Vincent Brillault <gentoo>
Component: SELinux
Assignee: Sven Vermeulen (RETIRED) <swift>
Status: RESOLVED FIXED
Severity: normal
CC: selinux
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: sec-policy r4
Package list:
Runtime testing required: ---

Description Vincent Brillault 2013-10-20 12:27:51 UTC
syslog-ng does not have the right to call setcap/getcap but it should.

Initial error:
'''
root@lerya /home/feandil # run_init /etc/init.d/syslog-ng restart
Authenticating feandil.
Password:
 * Stopping syslog-ng ... [ ok ]
 * Checking your configfile (/etc/syslog-ng/syslog-ng.conf) ...
syslog-ng: Error setting capabilities, capability management disabled; error='Permission denied' [ ok ]
 * Starting syslog-ng ...
syslog-ng: Error setting capabilities, capability management disabled; error='Permission denied' [ ok ]
'''

[1960492.378440] type=1400 audit(1382271725.961:442895): avc:  denied  { setcap } for  pid=20165 comm="syslog-ng" ipaddr=109.190.145.114 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=process


After giving it the setcap rights:
'''
root@lerya /home/feandil # run_init /etc/init.d/syslog-ng restart
Authenticating feandil.
Password:
 * Stopping syslog-ng ... [ ok ]
 * Checking your configfile (/etc/syslog-ng/syslog-ng.conf) ... [ ok ]
 * Starting syslog-ng ...
Error managing capability set, cap_set_proc returned an error;
Error managing capability set, cap_set_proc returned an error;
Error managing capability set, cap_set_proc returned an error;
Error managing capability set, cap_set_proc returned an error;  [ ok ]
'''

The following avc appears 8 times:
[1960667.928447] type=1400 audit(1382271901.375:442901): avc:  denied  { getcap } for  pid=20260 comm="syslog-ng" ipaddr=109.190.145.114 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=process

Adding getcap fixes the issue:
'allow syslogd_t self:process { setcap getcap };'

'''
root@lerya /home/feandil # run_init /etc/init.d/syslog-ng restart
Authenticating feandil.
Password:
 * Stopping syslog-ng ... [ ok ]
 * Checking your configfile (/etc/syslog-ng/syslog-ng.conf) ... [ ok ]
 * Starting syslog-ng ... [ ok ]
'''
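As an added example (not part of the bug report or of the Gentoo policy), the following Python script performs the step the reporter did by hand: it parses AVC denial lines in the standard kernel audit format and aggregates them into one `allow` rule per (source type, target type, class), collapsing a target equal to the source into `self`. The two denial lines quoted above are embedded as its sample input.

```python
import re

# Sample input: the two AVC denials quoted in the bug report above.
AVC_LINES = [
    '[1960492.378440] type=1400 audit(1382271725.961:442895): avc:  denied  { setcap } for  pid=20165 comm="syslog-ng" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=process',
    '[1960667.928447] type=1400 audit(1382271901.375:442901): avc:  denied  { getcap } for  pid=20260 comm="syslog-ng" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=process',
]

# "avc:  denied  { perm1 perm2 } for  key=value key=value ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for a denial line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group('perms').split()
    fields = dict(FIELD_RE.findall(m.group('fields')))
    # Contexts are user:role:type[:range]; the type is always the third field.
    stype = fields['scontext'].split(':')[2]
    ttype = fields['tcontext'].split(':')[2]
    return stype, ttype, fields['tclass'], perms


def allow_rules(lines):
    """Aggregate denials into allow rules, keeping first-seen order of permissions."""
    grouped = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue  # not an AVC denial (e.g. a syslog-ng message)
        stype, ttype, tclass, perms = parsed
        bucket = grouped.setdefault((stype, ttype, tclass), [])
        for perm in perms:
            if perm not in bucket:
                bucket.append(perm)
    rules = []
    for (stype, ttype, tclass), perms in grouped.items():
        target = 'self' if ttype == stype else ttype
        rules.append(f'allow {stype} {target}:{tclass} {{ {" ".join(perms)} }};')
    return rules


if __name__ == '__main__':
    for rule in allow_rules(AVC_LINES):
        print(rule)  # allow syslogd_t self:process { setcap getcap };
```

Each generated rule still has to be checked against what the daemon legitimately needs; here both permissions are required for syslog-ng's own capability handling, as the report shows.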
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2013-10-21 18:45:34 UTC
Thanks, great report. Committed to repo, will be in rev4
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2013-12-16 14:48:01 UTC
r4 is in the tree
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2014-01-12 20:53:55 UTC
r4 is now stable in the tree