Bug 377331 - selinux policy for the bashlogger use flag
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Reported: 2011-08-01 21:08 UTC by Matthew Thode ( prometheanfire )
Modified: 2011-09-17 12:18 UTC

Description Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2011-08-01 21:08:40 UTC
bashlogger logs all bash to /dev/log

This is currently being denied and probably should not be.

Reproducible: Always




type=AVC msg=audit(1312230850.360:60): avc:  denied  { write } for  pid=2096 comm="bash" name="log" dev=tmpfs ino=1643 scontext=root:staff_r:staff_t tcontext=system_u:object_r:devlog_t tclass=sock_file
type=SYSCALL msg=audit(1312230850.360:60): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=6e3bc307a120 a2=6e a3=0 items=0 ppid=2091 pid=2096 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/bin/bash" subj=root:staff_r:staff_t key=(null)
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2011-08-14 13:38:33 UTC
Will be part of base policy r2.
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2011-08-19 20:52:26 UTC
in hardened-dev overlay
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2011-09-03 14:26:12 UTC
I'm going to pull this one again - upstream does not accept this rule.

I'll keep the bug open since I want to explain to users how they can make small adjustments to the policy themselves in a more manageable way (rather than audit2allow everything and having a gazillion fix modules running).
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2011-09-04 12:25:47 UTC
So I don't forget...

"""
logging_send_syslog_msg(sysadm_t)
"""
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2011-09-17 12:17:59 UTC
Documentation is now available:

http://www.gentoo.org/proj/en/hardened/selinux-faq.xml#localpolicy
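
Added example, not part of the bug thread or of Gentoo's policy tooling: a small Python script that parses the AVC record from the description and writes a local policy module that calls the interface noted in comment 4 for the domain the record shows as denied (`staff_t`), instead of a raw audit2allow rule. The module name `fixbashlogger` and the one-entry interface table are assumptions made for this example.

```python
import re

# The AVC record from the bug description (copied from the page).
AVC = ('type=AVC msg=audit(1312230850.360:60): avc:  denied  { write } for  '
       'pid=2096 comm="bash" name="log" dev=tmpfs ino=1643 '
       'scontext=root:staff_r:staff_t tcontext=system_u:object_r:devlog_t '
       'tclass=sock_file')

# Assumption for this example: a write to the devlog_t socket file is covered by
# the refpolicy interface named in comment 4. Other denials are left unmapped.
INTERFACES = {("devlog_t", "sock_file", "write"): "logging_send_syslog_msg"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest")))
    fields = {k: v.strip('"') for k, v in fields.items()}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    # Contexts are user:role:type[:mls-range]; the type is the third field.
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def local_policy(line, module="fixbashlogger"):
    """Build a local policy module (.te text) for a denial with a known interface."""
    d = parse_avc(line)
    if d is None:
        raise ValueError("not an AVC denial")
    calls = {INTERFACES.get((d["target_type"], d["tclass"], p)) for p in d["perms"]}
    if None in calls:
        raise LookupError("no interface known for this denial; review it by hand")
    body = "\n".join(f"{c}({d['source_type']})" for c in sorted(calls))
    return (f"policy_module({module}, 1.0)\n\n"
            f"gen_require(`\n\ttype {d['source_type']};\n')\n\n{body}\n")

if __name__ == "__main__":
    print(local_policy(AVC))
```

The script refuses to emit anything for a denial it has no interface for, so an unexpected AVC is reviewed by hand rather than silently allowed.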