Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 229599 - syslogd_disable_trans=1 labels /dev/log as device_t
Summary: syslogd_disable_trans=1 labels /dev/log as device_t
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
TreeView+ depends on / blocked
Reported: 2007-02-21 23:07 UTC by Steve Friedman
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-02-22 17:27:24 UTC

Attachments (Terms of Use)

Description Steve Friedman 2007-02-21 23:07:47 UTC
Description of problem:
It appeared as if bug 222195 was abandoned by the syslog-ng maintainer (since it
was an selinux problem) and not picked up by the selinux maintainer.  Thus, I'm
creating a new bug (and 222195 should be closed).

Running syslog-ng and selinux-policy-targeted with syslogd_disable_trans=1
causes /dev/log to be labeled as device_t and not devlog_t.

Version-Release number of selected component (if applicable):
This is a fresh updated install, so the versions as of today are:

How reproducible:
Every time.

Steps to Reproduce:
1. Install syslog-ng and selinux-policy-targeted
2. /sbin/setsebool syslogd_disable_trans on
3. Reboot machine
Actual results:
ls -lZ /dev/log returns:

Expected results:
Running /sbin/restorecon /dev/log, then ls -lZ /dev/log returns:
Likewise, if syslogd_disable_trans=0, ls -lZ /dev/log returns

Additional info:

Comment 1 Daniel Walsh 2007-02-22 17:27:24 UTC
Yes this is one of the risks of disable_trans.  In the future we want to remove
disable_trans and add a run_unconfined boolean.  Disableing trans on syslog will
cause most of the other confined domains to blow up since the /dev/log will be
mislabeled.  If there are missing rules required to get syslog to run in
enforcing mode, you can use audit2allow to generate custom policy.

Note You need to log in before you can comment on or make changes to this bug.