rsyslog executes an external program in an SELinux environment
Issue
- Customer wants to execute external shell scripts / programs for certain special rsyslog messages, for example to count and process specific messages.
- When SELinux is enabled, rsyslog cannot call the external program merely because the file has executable permission. The following /var/log/messages and audit log output is seen:
# cat /var/log/messages
...
Jun 28 12:05:09 test8 rsyslogd[2688]: omprog: failed to execute program '/tmp/test.sh': Permission denied
...
# ausearch -i
type=PROCTITLE msg=audit(06/28/2023 12:05:09.953:206) : proctitle=/usr/sbin/rsyslogd -n
type=SYSCALL msg=audit(06/28/2023 12:05:09.953:206) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x560bb9795670 a1=0x560bb9795690 a2=0x560bb977ea50 a3=0x8 items=0 ppid=2664 pid=2688 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rs:main Q:Reg exe=/usr/sbin/rsyslogd subj=system_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(06/28/2023 12:05:09.953:206) : avc: denied { execute } for pid=2688 comm=rs:main Q:Reg name=test.sh dev="dm-0" ino=978049 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
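The AVC record above already names everything needed to understand the denial: the source type of the rsyslog process (syslogd_t), the type of the script it tried to run (user_tmp_t), the object class (file), the permission (execute) and whether SELinux was enforcing. The following POSIX shell script is an added example, not part of the Red Hat article, that pulls those fields out of an `ausearch -i` AVC line so the cause can be read off rather than guessed at. The helper names (`avc_field`, `ctx_type`, `avc_summary`, and so on) are this example's own; the embedded record is the AVC line from the output above.

```shell
#!/bin/sh
# Added example (not from the article): extract the decision-relevant fields
# from an SELinux AVC denial record as printed by `ausearch -i`.
# AVC_LINE is the AVC record shown in the article's audit output, embedded
# here so the script runs offline.

AVC_LINE='type=AVC msg=audit(06/28/2023 12:05:09.953:206) : avc: denied { execute } for pid=2688 comm=rs:main Q:Reg name=test.sh dev="dm-0" ino=978049 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: print the value of the whitespace-delimited KEY=VALUE pair
# in LINE. Values that contain spaces (e.g. comm=rs:main Q:Reg) are cut at the
# first space; the context, class, name and permissive fields never contain one.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_permissions LINE: the permission set inside "denied { ... }", e.g. "execute".
avc_permissions() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \(.*\) } for .*/\1/p'
}

# ctx_type CONTEXT: the type component (third field) of a user:role:type:level
# security context, e.g. syslogd_t from system_u:system_r:syslogd_t:s0.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_enforced LINE: succeed (0) when the denial was enforced (permissive=0),
# fail (1) when SELinux was in permissive mode and only logged the access.
avc_enforced() {
    [ "$(avc_field "$1" permissive)" = "0" ]
}

# avc_summary LINE: one-line human-readable explanation of the denial,
# built only from fields present in the record.
avc_summary() {
    line=$1
    printf '%s (%s) was denied "%s" on %s %s of type %s' \
        "$(ctx_type "$(avc_field "$line" scontext)")" \
        "$(avc_field "$line" comm)" \
        "$(avc_permissions "$line")" \
        "$(avc_field "$line" tclass)" \
        "$(avc_field "$line" name)" \
        "$(ctx_type "$(avc_field "$line" tcontext)")"
    if avc_enforced "$line"; then
        printf ' [enforcing]\n'
    else
        printf ' [permissive, logged only]\n'
    fi
}

avc_summary "$AVC_LINE"
# Expected: syslogd_t (rs:main) was denied "execute" on file test.sh of type user_tmp_t [enforcing]
```

The summary makes the security point explicit: the script is not blocked by its mode bits but by its type label (user_tmp_t, the label files created under /tmp by an unconfined user receive), which the syslogd_t domain is not permitted to execute. Comparing the source type with the target type from the record is the first check to make before changing any policy; `ls -Z` on the script confirms the label the record reports.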
Environment
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
- Rsyslog