Bug 1615999

Summary: Need rsyslog policy for /var files, elasticsearch, kubernetes
Product: Fedora
Component: selinux-policy
Version: 28
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Type: Bug
Severity: unspecified
Priority: unspecified
Reporter: Rich Megginson <rmeggins>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, lvrabec, mgrepl, mmalik, nhosoi, nkinder, plautrba, pmoore, qe-baseos-security, ssekidde, vmojzis
Fixed In Version: selinux-policy-3.14.1-42.fc28
Clone Of: 1615996
Bug Depends On: 1615995, 1615996
Last Closed: 2018-09-11 16:56:13 UTC

Description Rich Megginson 2018-08-14 17:03:55 UTC
+++ This bug was initially created as a clone of Bug #1615996 +++

+++ This bug was initially created as a clone of Bug #1615995 +++

Description of problem:
New features for rsyslog for reading from symlinked files, using client cert auth with Elasticsearch, and using Kubernetes require the following additional policies:

require {
	type syslogd_t;
	type unreserved_port_t;
	class tcp_socket name_connect;
}

#============= syslogd_t ==============

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow syslogd_t unreserved_port_t:tcp_socket name_connect;

This allows rsyslog to communicate over HTTP port 9200 with Elasticsearch.

require {
	type syslogd_t;
	type http_port_t;
	class tcp_socket name_connect;
}

#============= syslogd_t ==============

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow syslogd_t http_port_t:tcp_socket name_connect;

This allows rsyslog to communicate with Kubernetes over port 443.

require {
	type syslogd_t;
	type cert_t;
	class dir write;
	class file write;
}

#============= syslogd_t ==============
allow syslogd_t cert_t:dir write;
allow syslogd_t cert_t:file write;

This allows rsyslog read/write access to the NSS system cert db.

require {
	type syslogd_t;
	type var_t;
	class dir read;
}

#============= syslogd_t ==============

#!!!! WARNING: 'var_t' is a base type.
allow syslogd_t var_t:dir read;

This allows rsyslog to read from the '/var' directory.

require {
	type syslogd_t;
	type container_var_lib_t;
	class dir { search getattr };
	class file { getattr ioctl open read };
}

#============= syslogd_t ==============
allow syslogd_t container_var_lib_t:dir { search getattr };
allow syslogd_t container_var_lib_t:file { getattr ioctl open read };

This allows rsyslog to have the necessary access to /var/lib/docker/containers.

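The report pastes five separate audit2allow fragments, each with its own require block. Loaded as-is they would be five modules; what a policy reviewer actually wants is one local module with a single require block and the permission sets for each (source, target, class) merged, plus the audit2allow warnings (the base-type note on var_t, the nis_enabled boolean hint) pulled out where they cannot be missed, since a base type such as var_t covers every object carrying that label and write on cert_t reaches the whole system cert store. The script below is an added example, not code from this report or from selinux-policy; the module name rsyslog_local and the sample input (the fragments above, retyped) are assumptions.

```python
"""Merge audit2allow fragments into one SELinux .te module and flag broad grants.

Added example (not from the bug report or selinux-policy). Module name
'rsyslog_local' is an assumption; the input is the report's fragments retyped.
"""
import re
from collections import defaultdict

# Constructed sample input: the five fragments posted in the report, joined.
FRAGMENTS = """
require {
    type syslogd_t;
    type unreserved_port_t;
    class tcp_socket name_connect;
}
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow syslogd_t unreserved_port_t:tcp_socket name_connect;

require {
    type syslogd_t;
    type http_port_t;
    class tcp_socket name_connect;
}
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow syslogd_t http_port_t:tcp_socket name_connect;

require {
    type syslogd_t;
    type cert_t;
    class dir write;
    class file write;
}
allow syslogd_t cert_t:dir write;
allow syslogd_t cert_t:file write;

require {
    type syslogd_t;
    type var_t;
    class dir read;
}
#!!!! WARNING: 'var_t' is a base type.
allow syslogd_t var_t:dir read;

require {
    type syslogd_t;
    type container_var_lib_t;
    class dir { search getattr };
    class file { getattr ioctl open read };
}
allow syslogd_t container_var_lib_t:dir { search getattr };
allow syslogd_t container_var_lib_t:file { getattr ioctl open read };
"""

# allow <src> <tgt>:<class> <perm | { perms }>;  (require blocks are rebuilt, not parsed)
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)
BASE_RE = re.compile(r"WARNING:\s*'(\w+)' is a base type")
BOOL_RE = re.compile(r"boolean\s+'(\w+)'")


def _perm_set(text):
    """'{ a b }' or 'a' -> {'a', 'b'} or {'a'}."""
    return set(text.strip("{} \t").split())


def _fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def parse_fragments(text):
    """Return (rules, base_types, booleans); rules maps (src, tgt, class) -> perms.

    The same triple appearing in several fragments is unioned, not duplicated.
    """
    rules = defaultdict(set)
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        rules[(src, tgt, cls)] |= _perm_set(perms)
    return dict(rules), sorted(set(BASE_RE.findall(text))), sorted(set(BOOL_RE.findall(text)))


def review_rules(rules, base_types, booleans):
    """Notes a reviewer wants to read before 'semodule -i'."""
    notes = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        rule = f"allow {src} {tgt}:{cls} {_fmt_perms(perms)};"
        if tgt in base_types:
            notes.append(f"{rule}  # base type: covers every object labeled {tgt}")
        if "write" in perms:
            notes.append(f"{rule}  # grants write; confirm the daemon really needs it")
    for b in booleans:
        notes.append(f"audit2allow says boolean '{b}' would also allow some of these; the targeted rules are narrower")
    return notes


def merge_module(text, name="rsyslog_local", version="1.0"):
    """Build one .te module (header, single require block, merged allow rules)."""
    rules, base_types, booleans = parse_fragments(text)
    types = sorted({t for (s, tg, _c) in rules for t in (s, tg)})
    classes = defaultdict(set)            # class -> union of perms used on it
    for (_s, _t, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {_fmt_perms(classes[c])};" for c in sorted(classes)]
    lines += ["}", ""]
    for src in sorted({s for s, _t, _c in rules}):
        lines.append(f"#============= {src} ==============")
        lines += [f"allow {s} {t}:{c} {_fmt_perms(rules[(s, t, c)])};"
                  for (s, t, c) in sorted(rules) if s == src]
    return "\n".join(lines) + "\n", review_rules(rules, base_types, booleans)


if __name__ == "__main__":
    te, notes = merge_module(FRAGMENTS)
    print(te)
    for n in notes:
        print("NOTE:", n)
```

Write the output to rsyslog_local.te, then build and load it with `checkmodule -M -m -o rsyslog_local.mod rsyslog_local.te`, `semodule_package -o rsyslog_local.pp -m rsyslog_local.mod`, `semodule -i rsyslog_local.pp`. Before loading anything on a host that already has the fixed selinux-policy from this bug, check whether the shipped policy covers an access, for example `sesearch -A -s syslogd_t -t http_port_t -c tcp_socket -p name_connect`; a local module that duplicates or widens the distribution rules is the thing this bug was filed to avoid.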
Comment 1 Fedora Update System 2018-09-06 21:57:24 UTC
selinux-policy-3.14.1-42.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 2 Fedora Update System 2018-09-07 17:12:52 UTC
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 3 Fedora Update System 2018-09-11 16:56:13 UTC
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.