Bug 1289184

Summary: rsyslog gssapi functionality gets broken with InputGSSServerPermitPlainTCP
Product: Red Hat Enterprise Linux 6
Component: rsyslog7
Version: 6.7
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Reporter: Marek Haicman <mhaicman>
Assignee: Tomas Heinrich <theinric>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: pvrabec
Target Milestone: rc
Doc Type: Bug Fix
Clone Of: 867016
Last Closed: 2016-07-27 09:44:34 UTC
Type: Bug

Description Marek Haicman 2015-12-07 15:52:32 UTC
+++ This bug was initially created as a clone of Bug #867016 +++

Description of problem:

rsyslogd crashes, hangs, or loses log messages in various configurations.
This is a somewhat complex problem.

rsyslogd can be configured using InputGSSServerPermitPlainTCP on to accept both gssapi and tcp/plain messages. I have tested the following 6 scenarios:

1) server accepts gssapi only && client sends gssapi only:
works fine except AVC denials reported as bug 867001

2) server accepts gssapi only && client sends tcp/plain only:
rsyslog crashes, this is reported as bug 862517.

3) server accepts gssapi only && client sends both gssapi and tcp/plain:
again, rsyslog crashes

4) server accepts both gssapi and tcp/plain, client sends gssapi messages:
gssapi messages are not delivered

5) server accepts both gssapi and tcp/plain, client sends plain messages only:
plaintext only messages can be delivered with $InputGSSServerPermitPlainTCP on, but the log is flooded with netstream session errors

6) server accepts both gssapi and tcp/plain, client sends both gssapi and plain messages:
neither tcp nor gssapi messages are delivered because of issues in client-server communication. But tcp/plain messages sent by netcat were delivered.
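
For reference, an rsyslog legacy-syntax configuration that corresponds to the server and client modes in the six scenarios above. This is an added example, not the reporter's configuration; the host name `logserver.example.com`, port 514 and the Kerberos service name `host` are assumptions.

```conf
# ---- Server: /etc/rsyslog.conf ----
$ModLoad imgssapi
# Kerberos service name the listener accepts tickets for (assumed value)
$InputGSSServerServiceName host

# Scenarios 1-3: listener accepts GSSAPI sessions only
$InputGSSServerPermitPlainTCP off
# Scenarios 4-6: listener also accepts plain TCP syslog, i.e. senders
# that never authenticate, on the same port. Swap with the line above.
#$InputGSSServerPermitPlainTCP on

# Start the listener last so the settings above apply to it (port assumed)
$InputGSSServerRun 514

# ---- Client sending GSSAPI (scenarios 1, 3, 4, 6) ----
$ModLoad omgssapi
$GSSForwardServiceName host
# "encryption" protects confidentiality; "integrity" only signs messages
$GSSMode encryption
*.* :omgssapi:logserver.example.com

# ---- Client sending plain TCP (scenarios 2, 3, 5, 6) ----
*.* @@logserver.example.com:514
```

A client in scenarios 3 and 6 carries both forwarding actions at once.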

Comment 2 Peter Vrabec 2016-07-27 09:44:34 UTC
This Bugzilla has been reviewed by Red Hat and is not planned on being addressed in Red Hat Enterprise Linux 6 and therefore will be closed. If this bug is critical to production systems, please contact your Red Hat support representative and provide sufficient business justification.