Bug 1017799

Summary: allow rsyslog to name_bind to syslog_tls_port_t
Product: Red Hat Enterprise Linux 7
Reporter: Šimon Lukašík <slukasik>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Docs Contact: ---
Priority: unspecified
Version: 7.0
CC: dwalsh, lvrabec, mgrepl, mmalik, theinric
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: ---
Fixed In Version: ---
Doc Type: Bug Fix
Doc Text: ---
Story Points: ---
Clone Of: 1017795
Environment: ---
Last Closed: 2014-06-13 09:36:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM: ---
Verified Versions: ---
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host: ---
Cloudforms Team: ---
Target Upstream Version: ---
Embargoed: ---

Description Šimon Lukašík 2013-10-10 14:17:52 UTC
+++ This bug was initially created as a clone of Bug #1017795 +++
Besides Fedora, this also affects RHEL7.


Description of problem:
SELinux policy denies rsyslogd name_bind to syslog_tls_port_t.
This is a regression. Previously there was no syslog_tls_port_t, only syslogd_port_t,
to which rsyslog_t may bind.

Please allow!

   allow syslogd_t syslog_tls_port_t : tcp_socket { name_bind name_connect } ; 
   allow syslogd_t syslog_tls_port_t : udp_socket name_bind ;

How reproducible:
deterministic

Steps to Reproduce:
1. Set up the rsyslog daemon to listen on TLS
2. fire it up
3.

Actual results:
rsyslogd-2077: Could not create tcp listener, ignoring port 6514. [try http://www.rsyslog.com/e/2077 ]

type=SYSCALL msg=audit(1380538009.535:78): arch=c000003e syscall=49 success=no exit=-13 a0=6 a1=7f5abb2290d0 a2=10 a3=0 items=0 ppid=1 pid=3342 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1380538009.535:78): avc:  denied  { name_bind } for  pid=3342 comm="rsyslogd" src=6514 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslog_tls_port_t:s0 tclass=tcp_socket
----
type=SYSCALL msg=audit(1380538009.535:79): arch=c000003e syscall=49 success=no exit=-13 a0=6 a1=7f5abb220e70 a2=1c a3=7fff9ffad9a0 items=0 ppid=1 pid=3342 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1380538009.535:79): avc:  denied  { name_bind } for  pid=3342 comm="rsyslogd" src=6514 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslog_tls_port_t:s0 tclass=tcp_socket

Comment 3 Lukas Vrabec 2013-10-10 14:57:29 UTC
[master d3f723e] Allow syslog to bind to tls ports
 1 file changed, 2 insertions(+)

Fix added to the repo.

Comment 5 Lukas Vrabec 2013-10-10 15:43:34 UTC
[master 565210b] Fix logging policy.
 1 file changed, 1 insertion(+), 1 deletion(-)

Fixed one rule.

Comment 7 Milos Malik 2013-10-18 15:51:09 UTC
# sesearch -s syslogd_t -t syslog_tls_port_t -c tcp_socket -A -C -p name_bind
Found 1 semantic av rules:
   allow syslogd_t syslog_tls_port_t : tcp_socket name_bind ; 

# sesearch -s syslogd_t -t syslog_tls_port_t -c udp_socket -A -C -p name_bind
Found 1 semantic av rules:
   allow syslogd_t syslog_tls_port_t : udp_socket name_bind ; 

#

name_connect operation is not allowed. Is it necessary?
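Added example (editorial, not part of this bug report, rsyslog, or selinux-policy): the check a policy maintainer does by hand above, done in code. It parses the AVC denial lines from the Description into the TE allow rules that would cover them, parses the `sesearch` rule lines from Comment 7 as what the loaded policy grants, and diffs the two; it then repeats the diff against the full rule the reporter asked for, which shows `name_connect` as the one permission still not granted. The parsing is a simplified stand-in for what `audit2allow` does, not that tool's own logic, and the sample audit and sesearch lines are copied from this report.

```python
"""Map SELinux AVC denials to TE allow rules and compare against granted rules.

Added example for this bug report; not code from rsyslog or selinux-policy.
The parsing below approximates what audit2allow does; it is not audit2allow."""
import re
from collections import defaultdict

# AVC denial lines as they appear in the Description of this bug.
AVC_LINES = """\
type=AVC msg=audit(1380538009.535:78): avc:  denied  { name_bind } for  pid=3342 comm="rsyslogd" src=6514 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslog_tls_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1380538009.535:79): avc:  denied  { name_bind } for  pid=3342 comm="rsyslogd" src=6514 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslog_tls_port_t:s0 tclass=tcp_socket
"""

# Rule lines from the sesearch output in Comment 7 (what the loaded policy grants).
SESEARCH_OUTPUT = """\
allow syslogd_t syslog_tls_port_t : tcp_socket name_bind ;
allow syslogd_t syslog_tls_port_t : udp_socket name_bind ;
"""

# The full rule the reporter requested in the Description.
REQUESTED_RULE = "allow syslogd_t syslog_tls_port_t : tcp_socket { name_bind name_connect } ;"

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# Accepts both sesearch spacing ("a b : c p ;") and .te spacing ("a b:c p;").
RULE_RE = re.compile(
    r"allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<tclass>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]+)\}|(?P<perm>\S+))\s*;"
)


def type_of(context):
    """Return the type component of a user:role:type[:level] context string."""
    return context.split(":")[2]


def denials_to_rules(text):
    """Return {(source_type, target_type, tclass): set(perms)} implied by AVC lines."""
    needed = defaultdict(set)
    for m in AVC_RE.finditer(text):
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        needed[key].update(m["perms"].split())
    return dict(needed)


def parse_allow_rules(text):
    """Parse 'allow ...' lines (sesearch or .te syntax) into the same dict shape."""
    granted = defaultdict(set)
    for m in RULE_RE.finditer(text):
        perms = m["perms"].split() if m["perms"] else [m["perm"]]
        granted[(m["src"], m["tgt"], m["tclass"])].update(perms)
    return dict(granted)


def missing_rules(needed, granted):
    """Permissions present in `needed` but absent from `granted`, same dict shape."""
    missing = {}
    for key, perms in needed.items():
        gap = perms - granted.get(key, set())
        if gap:
            missing[key] = gap
    return missing


def format_rules(rules):
    """Render rules in .te syntax, one per line, sorted for stable output."""
    lines = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        lines.append(f"allow {src} {tgt}:{tclass} {body};")
    return "\n".join(lines)


if __name__ == "__main__":
    needed = denials_to_rules(AVC_LINES)
    granted = parse_allow_rules(SESEARCH_OUTPUT)
    print("Rules implied by the denials:\n" + format_rules(needed))
    print("Denied perms still missing from policy:", missing_rules(needed, granted) or "none")
    # The denials only show name_bind; the requested rule also asks for name_connect.
    wanted = parse_allow_rules(REQUESTED_RULE)
    print("Requested but not granted:\n" + format_rules(missing_rules(wanted, granted)))
```

Keying on source type, target type and class (rather than the full context) is what makes the denial and the `sesearch` rule comparable, since allow rules are written over types. The last diff is the point of Comment 7's question: nothing in the captured denials needs `name_connect`, so a rule derived from the audit log alone would not include it.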

Comment 8 Daniel Walsh 2013-10-18 20:50:10 UTC
42504eb364b73234bd622fe674427bdfb68dc043 fixes this in git

Comment 10 Ludek Smid 2014-06-13 09:36:46 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.