Syslog-ng policy

PostPosted: Fri Aug 24, 2012 11:41 am
by ypirc
Hello all,

I've successfully had my subjects and policy running for a while without any issues. However, recently I began noticing an issue when trying to introduce syslog-ng into the policy. Sometimes it seems to work and sometimes it does not. When it does not work, it appears that the policy is not picking up the subject I have defined for it at all. As you can see in the error message below, it is only showing (root:U:/) when it should be (root:U:/sbin/syslog-ng). I think this might have something to do with the fact that syslog-ng has a "supervising" process. Any help on this matter is appreciated. Thanks,

grsec error:
grsec: (root:U:/) denied socket(inet,stream,ip) by /sbin/syslog-ng[syslog-ng:3188] uid/euid:0/0 gid/egid:0/0, parent /sbin/syslog-ng[syslog-ng:3187] uid/euid:0/0 gid/egid:0/0

process list:
root 3187 1 0 Aug16 ? 00:00:00 supervising syslog-ng
root 3188 3187 0 Aug16 ? 00:48:56 /sbin/syslog-ng

grsec policy:

role root uG
...
role_allow_ip 0.0.0.0/0
---

subject /sbin/syslog-ng ho {
user_transition_allow root
group_transition_allow root
/ h
/chroot h
/chroot/dev/log rw
/chroot/etc/hosts r
/chroot/var/log rwcd
/dev h
/dev/log w
/etc h
/etc/group r
/etc/localtime
/etc/passwd r
/etc/syslog-ng/syslog-ng.conf r
/lib64 rx
/lib/syslog-ng rx
/proc h
/proc/kmsg r
/proc/sys
/var h
/var/log cw
/var/run/nscd/socket rw
-CAP_ALL
+CAP_SYS_ADMIN
bind 0.0.0.0/32:0 stream dgram ip tcp udp
connect <ip>/32:514 dgram udp
connect <ip>/32:53 dgram udp
connect <ip>/32:53 dgram udp
connect <ip>/32:53 dgram udp
connect <ip>/32:53 dgram udp
connect <ip>/32:514 stream tcp
}
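As an added example, not part of the original post or of grsecurity itself, here is a small Python parser for grsec RBAC denial lines in the format quoted above. It flags denials where the binary has a subject of its own in the policy but the kernel enforced a different one (such as the role's default subject "/"), which is the symptom described in the post. The set of expected subjects and the second sample line are constructed assumptions.

```python
import re

# Field layout of a grsecurity RBAC denial line, as quoted in the post above:
# grsec: (role:type:subject) denied ACTION by EXE[comm:pid] uid/euid:.. gid/egid:.., parent PEXE[comm:ppid] ...
GRSEC_RE = re.compile(
    r"grsec: \((?P<role>[^:]+):(?P<type>[^:]+):(?P<subject>[^)]+)\) "
    r"denied (?P<action>\S+) by (?P<exe>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<pexe>\S+?)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\]"
)

def parse_denial(line):
    """Return a dict of the denial's fields, or None if the line is not a grsec denial."""
    m = GRSEC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("pid", "ppid", "uid", "euid", "gid", "egid"):
        d[k] = int(d[k])
    return d

def subject_mismatch(d, expected_subjects):
    """True when the policy defines a subject for this binary but the denial was
    attributed to a different subject (e.g. the role's default subject '/')."""
    return d["exe"] in expected_subjects and d["subject"] != d["exe"]

def find_fallbacks(lines, expected_subjects):
    """Return (pid, exe, enforced subject, parent exe) for every denial whose
    binary did not run under the subject the policy defines for it."""
    out = []
    for line in lines:
        d = parse_denial(line)
        if d and subject_mismatch(d, expected_subjects):
            out.append((d["pid"], d["exe"], d["subject"], d["pexe"]))
    return out

# Constructed sample log: the first line is the one quoted in the post, the
# second is a made-up denial where the syslog-ng subject was applied correctly.
SAMPLE_LOG = [
    "grsec: (root:U:/) denied socket(inet,stream,ip) by /sbin/syslog-ng[syslog-ng:3188] "
    "uid/euid:0/0 gid/egid:0/0, parent /sbin/syslog-ng[syslog-ng:3187] uid/euid:0/0 gid/egid:0/0",
    "grsec: (root:U:/sbin/syslog-ng) denied connect(10.0.0.9:25) by /sbin/syslog-ng[syslog-ng:3190] "
    "uid/euid:0/0 gid/egid:0/0, parent /sbin/syslog-ng[syslog-ng:3189] uid/euid:0/0 gid/egid:0/0",
]

# Subjects the policy in the post defines; assumed for this example.
EXPECTED_SUBJECTS = {"/sbin/syslog-ng"}

if __name__ == "__main__":
    for pid, exe, subj, pexe in find_fallbacks(SAMPLE_LOG, EXPECTED_SUBJECTS):
        print(f"pid {pid} ({exe}, parent {pexe}) ran under subject {subj!r}, not its own")
```

Running it against the real kernel log (e.g. `grep grsec: /var/log/messages`) shows at a glance which processes fell back to the default subject and who their parent was, which narrows down whether the supervising process or an inheritance rule is involved.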

Re: Syslog-ng policy

PostPosted: Fri Aug 24, 2012 12:20 pm
by spender
Which kernel is this? Are you using any inheritance rules in your policy?

Thanks,
-Brad

Re: Syslog-ng policy

PostPosted: Fri Aug 24, 2012 12:27 pm
by ypirc
Slightly old 2.6.28-grsec. We had driver issues with 2.6.3x. I do indeed have inheritance rules...do you suppose that is the issue?

Matching inheritance rule from the init.d subject:

/sbin rxi

Re: Syslog-ng policy

PostPosted: Fri Aug 24, 2012 1:15 pm
by spender
That's more than slightly old -- that's 4 years old! I'd strongly suggest that you try to resolve whatever driver issues you experienced and use one of our supported kernel versions. (Old) grsecurity or not, it's simply not safe to be running a kernel that old.

-Brad

Re: Syslog-ng policy

PostPosted: Fri Aug 24, 2012 2:02 pm
by ypirc
Thanks a lot for the response spender! You're the man :D We are working on some policy consolidation using include statements so once I have that complete I will work on the upgrade :)

Thanks again!