Bug 1410505

Summary: RELP port for rsyslog
Product: [Fedora] Fedora Reporter: Ugo Bellavance <ubellavance>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 26CC: dominick.grift, dwalsh, lvrabec, mgrepl, plautrba, pmoore, rsroka, ssekidde
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-251.fc26 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1411400 (view as bug list) Environment:
Last Closed: 2017-05-09 21:21:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1411400    

Description Ugo Bellavance 2017-01-05 15:55:35 UTC 
Description of problem: a port should be added to the SELinux policy for rsyslog's RELP protocol.  There is no official default but 20514 is the most common.


Version-Release number of selected component (if applicable):

I've been told by RH staff to create a bug for that so that it ends up in RHEL.
Comment 2 Radovan Sroka 2017-01-09 12:03:43 UTC 
Yes I do agree with that. Another common port is 10514 for tls connections, do we have policy for it?
Comment 3 Ugo Bellavance 2017-01-09 12:23:25 UTC 
It looks like 6514 is the port for TLS connections in the policy (RHEL7):

# semanage port -l | grep sysl
syslog_tls_port_t              tcp      6514
syslog_tls_port_t              udp      6514
syslogd_port_t                 tcp      601
syslogd_port_t                 udp      514, 601
Comment 4 Radovan Sroka 2017-01-09 14:19:23 UTC 
Upstream uses both of these ports in tutorials on its web

http://www.rsyslog.com/doc/v8-stable/configuration/modules/imrelp.html
http://www.rsyslog.com/doc/v8-stable/tutorials/tls.html

I suggest add 10514 and 20514 into fedora selinux-policy.
Comment 5 Ugo Bellavance 2017-01-09 14:20:57 UTC 
+1
Comment 6 Lukas Vrabec 2017-01-09 15:38:32 UTC 
Fixed. Issue will be fixed in next selinux-policy build.
Moving to POST
Comment 7 Ugo Bellavance 2017-01-09 15:39:23 UTC 
I there any chance this will eventually make it in RHEL 7?
Comment 8 Ugo Bellavance 2017-01-09 15:51:13 UTC 
Thanks!
Comment 9 Fedora End Of Life 2017-02-28 10:53:11 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.
Comment 10 Fedora Update System 2017-04-19 20:38:33 UTC 
selinux-policy-3.13.1-251.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-f36794dd98
Comment 11 Fedora Update System 2017-04-20 20:23:23 UTC 
selinux-policy-3.13.1-251.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-f36794dd98
Comment 12 Fedora Update System 2017-05-09 21:21:12 UTC 
selinux-policy-3.13.1-251.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.