Syslog-ng policy


Post by ypirc » Fri Aug 24, 2012 11:41 am

Hello all,

I've successfully had my subjects and policy running for a while without any issues. However, recently I began noticing an issue when trying to introduce syslog-ng into the policy. Sometimes it seems to work and sometimes it does not. When it does not work, it appears that the policy is not picking up the subject I have defined for it at all. As you can see in the error message below, it is only showing (root:U:/) when it should be (root:U:/sbin/syslog-ng). I think this might have something to do with the fact that syslog-ng has a "supervising" process. Any help on this matter is appreciated. Thanks,

grsec error:
grsec: (root:U:/) denied socket(inet,stream,ip) by /sbin/syslog-ng[syslog-ng:3188] uid/euid:0/0 gid/egid:0/0, parent /sbin/syslog-ng[syslog-ng:3187] uid/euid:0/0 gid/egid:0/0

process list:
root 3187 1 0 Aug16 ? 00:00:00 supervising syslog-ng
root 3188 3187 0 Aug16 ? 00:48:56 /sbin/syslog-ng

grsec policy:

role root uG
...
role_allow_ip 0.0.0.0/0
---

subject /sbin/syslog-ng ho {
user_transition_allow root
group_transition_allow root
/ h
/chroot h
/chroot/dev/log rw
/chroot/etc/hosts r
/chroot/var/log rwcd
/dev h
/dev/log w
/etc h
/etc/group r
/etc/localtime
/etc/passwd r
/etc/syslog-ng/syslog-ng.conf r
/lib64 rx
/lib/syslog-ng rx
/proc h
/proc/kmsg r
/proc/sys
/var h
/var/log cw
/var/run/nscd/socket rw
-CAP_ALL
+CAP_SYS_ADMIN
bind 0.0.0.0/32:0 stream dgram ip tcp udp
connect <ip>/32:514 dgram udp
connect <ip>/32:53 dgram udp
connect <ip>/32:53 dgram udp
connect <ip>/32:53 dgram udp
connect <ip>/32:53 dgram udp
connect <ip>/32:514 stream tcp
}
ypirc
 
Posts: 3
Joined: Fri Aug 24, 2012 10:50 am

Re: Syslog-ng policy

Post by spender » Fri Aug 24, 2012 12:20 pm

Which kernel is this? Are you using any inheritance rules in your policy?

Thanks,
-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Syslog-ng policy

Post by ypirc » Fri Aug 24, 2012 12:27 pm

Slightly old 2.6.28-grsec. We had driver issues with 2.6.3x. I do indeed have inheritance rules...do you suppose that is the issue?

Matching inheritance rule from the init.d subject:

/sbin rxi
ypirc
 
Posts: 3
Joined: Fri Aug 24, 2012 10:50 am

Re: Syslog-ng policy

Post by spender » Fri Aug 24, 2012 1:15 pm

That's more than slightly old -- that's 4 years old! I'd strongly suggest that you try to resolve whatever driver issues you experienced and use one of our supported kernel versions. (Old) grsecurity or not, it's simply not safe to be running a kernel that old.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Syslog-ng policy

Post by ypirc » Fri Aug 24, 2012 2:02 pm

Thanks a lot for the response spender! You're the man :D We are working on some policy consolidation using include statements so once I have that complete I will work on the upgrade :)

Thanks again!
ypirc
 
Posts: 3
Joined: Fri Aug 24, 2012 10:50 am

