Bug#496809: marked as done (selinux-policy-default: logrotate_t needs to test exec syslogd)

Debian Bug Tracking System Tue, 16 Sep 2008 15:38:30 -0700

Your message dated Tue, 16 Sep 2008 22:17:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#496809: fixed in refpolicy 2:0.0.20080702-9
has caused the Debian Bug report #496809,
regarding selinux-policy-default: logrotate_t needs to test exec syslogd
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
496809: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496809
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems

--- Begin Message ---

Package: selinux-policy-default
Version: 2:0.0.20080702-6
Severity: normal
Tags: patch

Hi,
while running cron.daily script /etc/cron.daily/sysklogd following
denials appeared:

Aug 27 13:13:50 sid kernel: [  554.238311] type=1400 audit(1219835630.106:5): 
avc:  denied  { execute } for  pid=5273 comm="sysklogd" name="syslogd" dev=hda2 
ino=28 scontext=unconfined_u:system_r:logrotate_t:s0 
tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file
Aug 27 13:13:50 sid kernel: [  554.243321] type=1300 audit(1219835630.106:5): 
arch=40000003 syscall=33 success=no exit=-13 a0=9d1c0a8 a1=1 a2=b7ef7ff4 a3=0 
items=0 ppid=5161 pid=5273 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sysklogd" exe="/bin/bash" 
subj=unconfined_u:system_r:logrotate_t:s0 key=(null)

This is caused by line:

    test -x /sbin/syslogd || exit 0

near start of script. Access needs to be allowed test fails otherwise.
Thanks
-- 
Zito

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2 (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/bash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules                1.0.1-3    Pluggable Authentication Modules f
ii  libselinux1                   2.0.65-4   SELinux shared libraries
ii  libsepol1                     2.0.30-2   Security Enhanced Linux policy lib
ii  policycoreutils               2.0.49-5   SELinux core policy utilities
ii  python                        2.5.2-2    An interactive high-level object-o

Versions of packages selinux-policy-default recommends:
ii  checkpolicy                   2.0.16-1   SELinux policy compiler
ii  setools                       3.3.4.ds-4 tools for Security Enhanced Linux 

Versions of packages selinux-policy-default suggests:
pn  logcheck                      <none>     (no description available)
pn  syslog-summary                <none>     (no description available)

-- no debconf information

Index: selinux-policy-src/policy/modules/admin/logrotate.te
===================================================================
--- selinux-policy-src.orig/policy/modules/admin/logrotate.te	2008-08-27 17:27:48.000000000 +0200
+++ selinux-policy-src/policy/modules/admin/logrotate.te	2008-08-27 17:30:27.000000000 +0200
@@ -137,6 +137,9 @@
 
 	# for syslogd-listfiles
 	logging_read_syslog_config(logrotate_t)
+
+        # for "test -x /sbin/syslogd"
+	logging_domtrans_syslog(logrotate_t)
 ')
 
 optional_policy(`

--- End Message ---

--- Begin Message ---

Source: refpolicy
Source-Version: 2:0.0.20080702-9

We believe that the bug you reported is fixed in the latest version of
refpolicy, which is due to be installed in the Debian FTP archive:

refpolicy_0.0.20080702-9.diff.gz
  to pool/main/r/refpolicy/refpolicy_0.0.20080702-9.diff.gz
refpolicy_0.0.20080702-9.dsc
  to pool/main/r/refpolicy/refpolicy_0.0.20080702-9.dsc
selinux-policy-default_0.0.20080702-9_all.deb
  to pool/main/r/refpolicy/selinux-policy-default_0.0.20080702-9_all.deb
selinux-policy-dev_0.0.20080702-9_all.deb
  to pool/main/r/refpolicy/selinux-policy-dev_0.0.20080702-9_all.deb
selinux-policy-doc_0.0.20080702-9_all.deb
  to pool/main/r/refpolicy/selinux-policy-doc_0.0.20080702-9_all.deb
selinux-policy-mls_0.0.20080702-9_all.deb
  to pool/main/r/refpolicy/selinux-policy-mls_0.0.20080702-9_all.deb
selinux-policy-src_0.0.20080702-9_all.deb
  to pool/main/r/refpolicy/selinux-policy-src_0.0.20080702-9_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russell Coker <[EMAIL PROTECTED]> (supplier of updated refpolicy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 16 Sep 2008 20:42:00 +1000
Source: refpolicy
Binary: selinux-policy-default selinux-policy-mls selinux-policy-src 
selinux-policy-dev selinux-policy-doc
Architecture: source all
Version: 2:0.0.20080702-9
Distribution: unstable
Urgency: low
Maintainer: Russell Coker <[EMAIL PROTECTED]>
Changed-By: Russell Coker <[EMAIL PROTECTED]>
Description: 
 selinux-policy-default - Strict and Targeted variants of the SELinux policy
 selinux-policy-dev - Headers from the SELinux reference policy for building 
modules
 selinux-policy-doc - Documentation for the SELinux reference policy
 selinux-policy-mls - MLS (Multi Level Security) variant of the SELinux policy
 selinux-policy-src - Source of the SELinux reference policy for customization
Closes: 496809 499064
Changes: 
 refpolicy (2:0.0.20080702-9) unstable; urgency=low
 .
   * Allow the Postfix newaliases to create new /etc/aliases.db file so that
     the postinst for Postfix can work.
   * The last update broke unconfined_mail_t for systems not running postfix,
     fixing that (thanks Martin Orr).
     Closes: #499064
   * Fix a check for syslogd being executable by logrotate (thanks Václav Ovsk).
     Closes: #496809
Checksums-Sha1: 
 368f57f231c40b8d4749a7ab6edc6ffcdc48c88b 1489 refpolicy_0.0.20080702-9.dsc
 3b0c6b240e332f25a2eabf85896394e036e58c5c 71021 refpolicy_0.0.20080702-9.diff.gz
 ff155884c7f45a62e90533100417c4edbb19e658 2001826 
selinux-policy-default_0.0.20080702-9_all.deb
 ee5466a3dc8367dc35c5d321ae854a29f3014a3b 2036214 
selinux-policy-mls_0.0.20080702-9_all.deb
 d5e4c397b4311beee2a8fba41d7c9b237d70a90a 797068 
selinux-policy-src_0.0.20080702-9_all.deb
 005be4029c42af4292d79d2334ff5368dc5c7881 702168 
selinux-policy-dev_0.0.20080702-9_all.deb
 71f48776df0b85356256ce303fe031c2d67fa5a5 421052 
selinux-policy-doc_0.0.20080702-9_all.deb
Checksums-Sha256: 
 154674074b264628f84aabf79750e1de15ab4d8d564d5760836ab6f18aaa9c31 1489 
refpolicy_0.0.20080702-9.dsc
 bce7093fbaafd9613e2243a6c75a9f51430c158cf9dedc08c7ca6509a6713eed 71021 
refpolicy_0.0.20080702-9.diff.gz
 9830063f356d8c7fc6adf1243ba8b2cab3833063e3ffd439c6f4a7a1e27ad265 2001826 
selinux-policy-default_0.0.20080702-9_all.deb
 b2bbb2713dc1908dd57cfa592dfc0c5d2fc33a92db4452815d1c08d9ed1fcb7a 2036214 
selinux-policy-mls_0.0.20080702-9_all.deb
 ade5ec0183d4fd11a54b93aa11a094daaeb7ed350120b4bbd911541ddb2637a5 797068 
selinux-policy-src_0.0.20080702-9_all.deb
 dc7e4588ce7f4e8d1b2a157f5e355b46f4c86c0681c14a5671135fc947c2f8c0 702168 
selinux-policy-dev_0.0.20080702-9_all.deb
 f33fdfaddef9a46ab12c5060efab0d6fea445311aa3b0c801e53bc637ba3e500 421052 
selinux-policy-doc_0.0.20080702-9_all.deb
Files: 
 43f460ac3224aede5c2f9720dc3e863c 1489 admin standard 
refpolicy_0.0.20080702-9.dsc
 4cf9741b67d3133e6b61767bc5687eb5 71021 admin standard 
refpolicy_0.0.20080702-9.diff.gz
 e2b63da3d241e5a4f0479a1143651bdb 2001826 admin standard 
selinux-policy-default_0.0.20080702-9_all.deb
 ef80137e12d5be3ed668c05cb49ac312 2036214 admin extra 
selinux-policy-mls_0.0.20080702-9_all.deb
 3751c3628968553b862d6253f4ebe881 797068 admin optional 
selinux-policy-src_0.0.20080702-9_all.deb
 6acb9fa3412a735dba2bacafa22bd728 702168 admin optional 
selinux-policy-dev_0.0.20080702-9_all.deb
 f84f05d9dccdd9e098b67ee878b8fa34 421052 doc optional 
selinux-policy-doc_0.0.20080702-9_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFI0C7IwrB5/PXHUlYRAj8zAJ9pIBBhiQrexhbjX2nlU7wnG0pS+wCg31H4
Cxy+jtWY3CbXn8Z6h4e5rE0=
=S0fC
-----END PGP SIGNATURE-----

--- End Message ---

Bug#496809: marked as done (selinux-policy-default: logrotate_t needs to test exec syslogd)

Reply via email to