Bug 1231869
| Summary: | rsyslog stops working after restart if SELinux is enabled | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Giovanni Tirloni <gtirloni> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Stanislav Zidek <szidek> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.1 | CC: | dapospis, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, szidek, theinric |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-07-16 08:19:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Based on the AVC, the /etc/machine-id is mislabeled. The correct context is: # matchpathcon /etc/machine-id /etc/machine-id system_u:object_r:machineid_t:s0 Please run following command, which fixes the context: # restorecon -v /etc/machineid It's weird this is mislabeled because it's a fresh install. # ls -lZ /etc/machine-id -rw-r--r--. root root system_u:object_r:var_run_t:s0 /etc/machine-id # restorecon -v /etc/machine-id restorecon reset /etc/machine-id context system_u:object_r:var_run_t:s0->system_u:object_r:machineid_t:s0 restorecon set context /etc/machine-id->system_u:object_r:machineid_t:s0 failed:'Read-only file system' # mount | egrep '(vda1|machine-id)' /dev/vda1 on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota) tmpfs on /etc/machine-id type tmpfs (ro,relatime,seclabel,mode=755) # /usr/sbin/fixfiles -f relabel Cleaning out /tmp Warning: Skipping the following R/O filesystems: /etc/machine-id Warning: Skipping the following R/O filesystems: /etc/machine-id Relabeling / /dev /dev/hugepages /dev/mqueue /dev/pts /dev/shm /run /sys /sys/fs/cgroup 100.0% Cleaning up labels on /tmp # ls -lZ /etc/machine-id -rw-r--r--. root root system_u:object_r:var_run_t:s0 /etc/machine-id After a reboot, systemd seems to have fixed it: # ls -lZ /etc/machine-id -rw-r--r--. root root system_u:object_r:machineid_t:s0 /etc/machine-id I don't know if this is a general issue or not though. The other part of this bug report concerns rsyslog not being allowed to connect to the central logging service. I cannot find a boolean/label that would permit that. Could it be considered an enhancement to the rsyslog's SELinux policy? Are there any SELinux denials? # ausearch -m avc -m user_avc -m selinux_err -i -ts today Excluding the machine-id ones, I see only this:
type=AVC msg=audit(06/15/2015 14:02:29.025:4368) : avc: denied { name_connect } for pid=17276 comm=rs:main Q:Reg dest=2514 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
I've configured rsyslog to connect to a central logging server.
Based on the rsyslog.conf man page, the 2514 port seems to be a default port for RELP, therefore we need to add it to the list SELinux port definitions: # seinfo --portcon | grep 514 portcon tcp 5149 system_u:object_r:cluster_port_t:s0 portcon udp 5149 system_u:object_r:cluster_port_t:s0 portcon tcp 514 system_u:object_r:rsh_port_t:s0 portcon udp 514 system_u:object_r:syslogd_port_t:s0 portcon tcp 6514 system_u:object_r:syslog_tls_port_t:s0 portcon udp 6514 system_u:object_r:syslog_tls_port_t:s0 portcon tcp 16514 system_u:object_r:virt_port_t:s0 portcon udp 16514 system_u:object_r:virt_port_t:s0 # (In reply to Milos Malik from comment #7) > Based on the rsyslog.conf man page, the 2514 port seems to be a default port > for RELP, therefore we need to add it to the list SELinux port definitions: Please don't. Quoting the man page: > If you would like to prevent message loss, use RELP: > *.* :omrelp:192.168.0.1:2514 > > Note that a port number was given as there is no standard port for relp. There indeed is no standard port and we shouldn't add any to the default policy. I believe machine-id issue has been fixed in RHEL7.2 with filename transition rules. Milos, are you able to reproduce it with a fresh isntall? As Tomas pointed in c8 out. The port 2514 is not a standard port, it was randomly chosen for example purposes in the documentation. From this point of view this is not a bug and could be closed. The correct approach, and I use it in my tests, should be: # semanage port -m -t syslogd_port_t -p tcp 2514 # service rsyslog start That makes sense. Since systemd fixed itself after a reboot and it's reported to be fixed in RHEL7.2 and this is not actually a standard port. For what's worth, I agree this could be closed. Thank you all. |
Description of problem: when SELinux is enabled, restarting rsyslog causes logs to stop working. If SELinux is disabled (setenforce 0), rsyslogd started and SELinux enabled again, then everything works. Version-Release number of selected component (if applicable): RHEL 7.1 How reproducible: Always Steps to Reproduce: 1. Ensure SELinux is enabled 2. systemctl restart rsyslog 3. logger test Actual results: Nothing will get logged Expected results: Logging continues to work Additional info: type=AVC msg=audit(1434376948.976:4366): avc: denied { read } for pid=17272 comm="rsyslogd" name="machine-id" dev="tmpfs" ino=10364 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file type=AVC msg=audit(1434376948.976:4366): avc: denied { open } for pid=17272 comm="rsyslogd" path="/etc/machine-id" dev="tmpfs" ino=10364 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file