
I currently have SELinux enabled and have been able to configure apache to allow access to /home/src/web with a chcon command granting the 'httpd_sys_content_t' type. But now I am trying to serve the rsyslogd.conf file from the same directory, but every time I start rsyslogd I see an entry in my audit log saying that rsyslogd was denied access. My question is, is it possible to grant two applications the ability to access the same directory, while still keeping SELinux enabled?

Current perms on /home/src:

drwxr-xr-x. src      src      unconfined_u:object_r:httpd_sys_content_t:s0 src

Audit log message:

type=AVC msg=audit(1349113476.272:1154): avc:  denied  { search } for  pid=9975 comm="rsyslogd" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1349113476.272:1154): arch=c000003e syscall=2 success=no exit=-13 a0=7f9ef0c027f5 a1=0 a2=1b6 a3=0 items=0 ppid=9974 pid=9975 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=30 comm="rsyslogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)

-- Edit --

Came across this post, which is sort of what I am trying to accomplish. However, when I viewed the list of allowed sebool params, the only one relating to syslog was syslogd_disable_trans (SELinux Service Protection). It seems like I can maintain the current SELinux 'type' on the /home/src/ dir but set the bool syslogd_disable_trans to false. I wonder if there is a better approach?

Mike Purcell
    I see that you've already found a workable solution, but be aware that `chcon` changes are temporary and won't survive a filesystem relabel. You'll want to add a pattern via `semanage fcontext -a -t ` (use `semanage fcontext -l` for a starting point) and then do a `restorecon` on the file to apply the new context. – jgoldschrafe Oct 02 '12 at 01:02
  • @jgoldschrafe: Policy packages that are installed will persist through a filesystem relabel? – Mike Purcell Oct 02 '12 at 21:09
  • Your policy package will persist fine, but you didn't specify what labels your policy permits. :) Better safe than sorry. – jgoldschrafe Oct 03 '12 at 01:21

2 Answers


As I am still learning SELinux I tried not to implement custom SELinux policy packages, but in this case it seemed I had no choice. So I followed the original answer to this post, and was able to get rsyslog to play nice with /home/src/web.

Mike Purcell

Type Enforcement helps prevent processes from accessing files intended for use by another process. For example, by default, Samba cannot read files labeled with the httpd_sys_content_t type, which are intended for use by the Apache HTTP Server. Files can be shared between the Apache HTTP Server, FTP, rsync, and Samba, if the desired files are labeled with the public_content_t or public_content_rw_t type.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/sect-Managing_Confined_Services-Configuration_examples-Sharing_files_between_services.html

Albert T. Wong
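As an added example (not code from the question or either answer), the POSIX shell script below takes the AVC record quoted in the question apart and prints the persistent relabelling commands jgoldschrafe describes in the comments, plus the sesearch query that confirms the policy lets a domain reach a type before anything is relabelled. The path /home/src/web and the candidate type public_content_t are assumptions; public_content_t is the shared type the Red Hat documentation quoted in the second answer names for Apache, FTP, rsync and Samba, and rsyslog is not in that list, which is exactly why the query is worth running. Note what the record itself says: syslogd_t was denied search on a directory labelled home_root_t, name="/" on dev=dm-2, i.e. the root of the /home filesystem, so the first blocked step is traversing /home itself, before the label on /home/src/web comes into play.

```shell
#!/bin/sh
# Added example: parse an SELinux AVC denial into its parts and print the
# commands that make a label persistent. The record below is the one quoted
# in the question; the path and target type further down are assumptions.

AVC_LINE='type=AVC msg=audit(1349113476.272:1154): avc:  denied  { search } for  pid=9975 comm="rsyslogd" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir'

# avc_field RECORD KEY: print the value of KEY=value, surrounding quotes removed.
avc_field() {
    set -f                      # no globbing while the record is split into tokens
    for tok in $1; do
        case "$tok" in
            "$2"=*)
                val=${tok#*=}; val=${val#\"}; val=${val%\"}
                set +f; printf '%s\n' "$val"; return 0 ;;
        esac
    done
    set +f; return 1
}

# avc_perm RECORD: print the denied permission found between "{ " and " }".
avc_perm() {
    p=${1#*'{ '}; p=${p%%' }'*}
    printf '%s\n' "$p"
}

# ctx_type CONTEXT: print the type (third field) of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD: one line saying which domain was denied what on which type.
avc_summary() {
    printf '%s denied %s on %s labelled %s (%s)\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perm "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" comm)"
}

# relabel_cmds DIR TYPE: print (do not run) the commands that record the label
# in the file-context database and apply it, so it survives a relabel, unlike
# a bare chcon.
relabel_cmds() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

# policy_check_cmds DOMAIN TYPE: print the sesearch query that shows whether
# the loaded policy lets DOMAIN search directories of TYPE at all; relabelling
# to a type the domain cannot reach just moves the denial.
policy_check_cmds() {
    printf 'sesearch -A -s %s -t %s -c dir -p search\n' "$1" "$2"
}

avc_summary "$AVC_LINE"
# The denial above is on the home_root_t directory, so every directory on the
# way to the assumed path must be searchable by syslogd_t, not only the leaf.
policy_check_cmds syslogd_t public_content_t
relabel_cmds /home/src/web public_content_t
```

Run it as-is to see the summary and the commands; nothing in the script touches the system, so the printed semanage and restorecon lines can be reviewed (and the sesearch output checked) before anything is relabelled.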