Description of problem:
New features for rsyslog for reading from symlinked files, using client cert auth with Elasticsearch, and using Kubernetes require the following additional policies:
require {
type syslogd_t;
type unreserved_port_t;
class tcp_socket name_connect;
}
#============= syslogd_t ==============
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow syslogd_t unreserved_port_t:tcp_socket name_connect;
This allows rsyslog to communicate over HTTP on port 9200 with Elasticsearch.
require {
type syslogd_t;
type http_port_t;
class tcp_socket name_connect;
}
#============= syslogd_t ==============
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow syslogd_t http_port_t:tcp_socket name_connect;
This allows rsyslog to communicate with Kubernetes over port 443.
require {
type syslogd_t;
type cert_t;
class dir write;
class file write;
}
#============= syslogd_t ==============
allow syslogd_t cert_t:dir write;
allow syslogd_t cert_t:file write;
This allows rsyslog read/write access to the NSS system cert db.
require {
type syslogd_t;
type var_t;
class dir read;
}
#============= syslogd_t ==============
#!!!! WARNING: 'var_t' is a base type.
allow syslogd_t var_t:dir read;
This allows rsyslog to read from the '/var' directory.
require {
type syslogd_t;
type container_var_lib_t;
class dir { search getattr };
class file { getattr ioctl open read };
}
#============= syslogd_t ==============
allow syslogd_t container_var_lib_t:dir { search getattr };
allow syslogd_t container_var_lib_t:file { getattr ioctl open read };
This allows rsyslog to have the necessary access to /var/lib/docker/containers.
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
I realize we're cutting it close for rhel 7.6, but if we don't have these rules for rhel 7.6, some of the new rsyslog features/bug fixes won't work.
Do we tell customers to download policy from this bz and apply it manually?
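For anyone who does need to apply the rules from this report by hand (the question just above), the following is an added example, not part of the bug report or of the shipped selinux-policy package. It merges the five audit2allow fragments into one local module source, then compiles, packages and loads it with checkmodule, semodule_package and semodule, and checks the result with sesearch. The module name rsyslog_local and the working directory are assumptions; the type and permission names are exactly those in the fragments above.

```shell
#!/bin/sh
# Added example (not from the bug report): consolidate the audit2allow
# fragments into one local policy module and load it on an SELinux host.
# Assumptions: module name "rsyslog_local", work dir under $TMPDIR.
set -eu

# Write a single .te source. The five fragments are merged into one module
# header and one require block (types and permission sets deduplicated);
# the allow rules are copied unchanged from the report.
write_rsyslog_te() {
    dir="$1"
    cat > "$dir/rsyslog_local.te" <<'EOF'
module rsyslog_local 1.0;

require {
    type syslogd_t;
    type unreserved_port_t;
    type http_port_t;
    type cert_t;
    type var_t;
    type container_var_lib_t;
    class tcp_socket name_connect;
    class dir { read write search getattr };
    class file { write getattr ioctl open read };
}

# Elasticsearch on port 9200 (unreserved_port_t)
allow syslogd_t unreserved_port_t:tcp_socket name_connect;
# Kubernetes API on port 443 (http_port_t)
allow syslogd_t http_port_t:tcp_socket name_connect;
# NSS cert db used for Elasticsearch client cert auth
allow syslogd_t cert_t:dir write;
allow syslogd_t cert_t:file write;
# /var itself (var_t is a base type, so this is a broad grant)
allow syslogd_t var_t:dir read;
# /var/lib/docker/containers
allow syslogd_t container_var_lib_t:dir { search getattr };
allow syslogd_t container_var_lib_t:file { getattr ioctl open read };
EOF
    printf '%s\n' "$dir/rsyslog_local.te"
}

# Compile the source, wrap it in a .pp package and load it.
# Needs checkpolicy and policycoreutils, and must run as root.
build_and_install() {
    dir="$1"
    checkmodule -M -m -o "$dir/rsyslog_local.mod" "$dir/rsyslog_local.te"
    semodule_package -o "$dir/rsyslog_local.pp" -m "$dir/rsyslog_local.mod"
    semodule -i "$dir/rsyslog_local.pp"
}

# Check that the module is loaded and that one of its rules (the
# Kubernetes port 443 one) is visible in the active policy.
verify_rule() {
    semodule -l | grep -q '^rsyslog_local' &&
    sesearch -A -s syslogd_t -t http_port_t -c tcp_socket -p name_connect |
        grep -q 'allow syslogd_t http_port_t'
}

workdir="${TMPDIR:-/tmp}/rsyslog_local.$$"
mkdir -p "$workdir"
write_rsyslog_te "$workdir" >/dev/null
if command -v checkmodule >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    build_and_install "$workdir" && verify_rule
else
    echo "policy source written to $workdir; run build_and_install as root on an SELinux host"
fi
```

Two of the audit2allow comments offer the nis_enabled boolean instead of a rule; the targeted name_connect rules above are narrower than that boolean, which opens all TCP ports for the affected domains, so prefer the module. Note also that the cert_t write rules cover the whole /etc/pki tree, not just the NSS db, and that var_t is a base type, which audit2allow itself warns about; a relabel of the specific directories rsyslog needs would be the tighter fix where that is an option.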
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2018:3111