Bug 215046
Summary: | Targeted SELinux policy prevents syslog-ng from making tcp connections | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Paul Sery <pgsery> |
Component: | syslog-ng | Assignee: | Jose Pedro Oliveira <jose.p.oliveira.oss> |
Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 6 | CC: | dwalsh, extras-qa, k.georgiou |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | i386 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2007-03-03 22:59:33 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Paul Sery
2006-11-10 18:24:22 UTC
Sorry for the delay. I will start looking into this today.

jpo

Links about the syslog-ng review and syslog-ng/selinux:

* Bug 141064: selinux-policy-targeted prevents syslog-ng from using /proc/kmsg
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=141064

* Bug 152185: selinux-policy-targeted and syslog-ng (take 2)
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152185

* Review request: syslog-ng (syslog replacement daemon)
  https://www.redhat.com/archives/fedora-extras-list/2005-May/msg00188.html
  https://www.redhat.com/archives/fedora-extras-list/2005-May/msg00258.html

* Review request 2: syslog-ng (syslog replacement daemon)
  https://www.redhat.com/archives/fedora-extras-list/2005-May/msg00966.html
  https://www.redhat.com/archives/fedora-extras-list/2005-June/msg00833.html

No need to apologize, I appreciate you looking into the problem.

Thanks,
Paul

(In reply to comment #1)
> Sorry for the delay. I will start looking into this today.
>
> jpo
>
> Links about the syslog-ng review and syslog-ng/selinux:
>
> * Bug 141064: selinux-policy-targeted prevents syslog-ng from using /proc/kmsg
>   https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=141064
>
> * Bug 152185: selinux-policy-targeted and syslog-ng (take 2)
>   https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152185
>
> * Review request: syslog-ng (syslog replacement daemon)
>   https://www.redhat.com/archives/fedora-extras-list/2005-May/msg00188.html
>   https://www.redhat.com/archives/fedora-extras-list/2005-May/msg00258.html
>
> * Review request 2: syslog-ng (syslog replacement daemon)
>   https://www.redhat.com/archives/fedora-extras-list/2005-May/msg00966.html
>   https://www.redhat.com/archives/fedora-extras-list/2005-June/msg00833.html

Paul,

The following syslog-ng policy should add support for TCP. Syslog-ng should now be able to function as a TCP log server and a TCP forwarder.

syslogng.te
-----------
policy_module(syslogng, 0.90)

require {
    type syslogd_t;
    type rsh_port_t;
    type port_t;
    type inaddr_any_node_t;
    type netif_t;
    type lo_node_t;
    type node_t;
};

#
# TCP support
#
allow syslogd_t inaddr_any_node_t:tcp_socket node_bind;
allow syslogd_t lo_node_t:node { tcp_recv tcp_send };
allow syslogd_t netif_t:netif { tcp_recv tcp_send };
allow syslogd_t node_t:node { tcp_recv tcp_send };
allow syslogd_t node_t:tcp_socket node_bind;
allow syslogd_t port_t:tcp_socket { name_bind name_connect recv_msg send_msg };
allow syslogd_t rsh_port_t:tcp_socket { name_bind name_connect recv_msg send_msg };
allow syslogd_t self:tcp_socket { accept bind connect create getattr getopt listen read setopt write };
-----------

Syslog-ng configurations
------------------------
...
source s_sys {
    file ("/proc/kmsg" log_prefix("kernel: "));
    unix-stream ("/dev/log");
    internal();
    # udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0));   # default port: 514
    # tcp(ip(0.0.0.0) port(514));
    # tcp(ip(0.0.0.0) port(10514));
    # tcp(ip(192.168.82.67) port(514));
};
...
#destination d_remote { tcp ("192.168.82.68" port (514)); };
#destination d_remote { tcp ("192.168.82.67" port (5141)); };
#destination d_remote { tcp ("127.0.0.1" port (5141)); };
#log { source(s_sys); destination(d_remote); };
...

The SRPM
  ftp://perl.di.uminho.pt/pub/fedora/syslog-ng-1.6.11-3.90.src.rpm
should build (it now creates a selinux subpackage) and install cleanly in Fedora Core 6 systems. In the next few days I will test it further. Meanwhile, if you could also help test it, it would be great.

tia,
jpo

The new module works on my FC6 (w/ current updates) as long as the context of the /etc/syslog-ng directory is changed to syslogd_t. I'll test it on a FC4 and a RHEL4 machine tomorrow. Thanks!

Paul,

I still haven't pushed this update because we are trying to have the core SELinux policies changed (syslog-ng may be system logging in Fedora 7).

More info:
  http://fedoraproject.org/wiki/Releases/7
  http://fedoraproject.org/wiki/Releases/FeatureSyslogNG

jpo

With the current policy in RHEL5/Rawhide/FC6 syslog-ng seems to be working without this policy patch. I will close this ticket as soon as selinux-policy >= 2.4.6-37.fc6 hits the mirrors.

See ticket
* Bug 218978: syslog-ng unable to use TCP sockets
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218978
instead.

Another ticket that may have some useful information is
* Bug 219771: syslog-ng: update to version 2.0.x (from 1.6.11)
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219771

jpo

Problem fixed in selinux-policy-targeted-2.4.6-42.fc6 (right now only in CVS).

Steps to build it:
1) cvs -d :pserver:anonymous.redhat.com:/cvs/dist co selinux-policy
2) cd selinux-policy/FC-6
3) make srpm
4) make i386

*** This bug has been marked as a duplicate of 218978 ***
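The syslogng.te module posted in this ticket is the kind of rule set one derives from the AVC denials that SELinux writes to /var/log/audit/audit.log when syslog-ng tries to bind or connect over TCP, and the check a practitioner makes before trusting such a module is to pull those records and confirm that the denied class is tcp_socket rather than something unrelated (such as the /proc/kmsg denial of Bug 141064). The following Python script is an added example, not code from this bug report or from the syslog-ng or selinux-policy packages. It does what audit2allow does at its core: parse AVC records, merge the denied permissions per (source type, target type, class), and emit allow rules wrapped in a loadable-module source in the shape of the posted syslogng.te. The audit.log excerpt is constructed for illustration; its port labels (rsh_port_t for 514/tcp, the generic port_t for an unlabelled port such as 5141) are chosen to match the types the posted module grants.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt for illustration; these records are not from
# the bug report. 514/tcp is labelled rsh_port_t and 5141/tcp is unlabelled
# (port_t), matching the port types the posted syslogng.te grants.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1163181862.101:101): avc:  denied  { name_bind } for  pid=2207 comm="syslog-ng" src=514 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:rsh_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1163181862.102:102): avc:  denied  { node_bind } for  pid=2207 comm="syslog-ng" saddr=0.0.0.0 src=514 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1163181862.103:103): avc:  denied  { listen } for  pid=2207 comm="syslog-ng" laddr=0.0.0.0 lport=514 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1163181862.103:103): arch=40000003 syscall=102 success=no exit=-13 comm="syslog-ng"
type=AVC msg=audit(1163181900.200:104): avc:  denied  { name_connect } for  pid=2207 comm="syslog-ng" dest=5141 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1163181900.201:105): avc:  denied  { read } for  pid=2207 comm="syslog-ng" name="kmsg" dev=proc ino=4026531870 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file
"""

# Fields of an AVC record we need: the denied permission set, both contexts
# and the object class. Everything between "for" and scontext= is ignored.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Extract every AVC denial as source type, target type, class and permissions."""
    denials = []
    for line in log_text.splitlines():
        if "type=AVC" not in line:
            continue  # SYSCALL and other record types carry no denial
        m = AVC_RE.search(line)
        if m is None:
            continue
        denials.append({
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        })
    return denials


def merge_denials(denials, source_type=None, classes=None):
    """Union the denied permissions per (source, target, class), optionally
    restricted to one source domain and a set of object classes."""
    merged = defaultdict(set)
    for d in denials:
        if source_type and d["stype"] != source_type:
            continue
        if classes and d["tclass"] not in classes:
            continue
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(merged)


def allow_rules(merged):
    """Render merged denials as allow rules in policy source syntax."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        # A socket owned by the domain itself is written as "self".
        target = "self" if ttype == stype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def render_te(module, version, merged):
    """Wrap the rules in a module source with the require block the types need."""
    types = sorted({t for key in merged for t in key[:2]})
    lines = [f"policy_module({module}, {version})", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += ["}", ""] + allow_rules(merged)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AUDIT_LOG)
    tcp_only = merge_denials(denials, source_type="syslogd_t", classes={"tcp_socket"})
    print(render_te("syslogng", "0.90", tcp_only))
```

On a real FC6 box the same pipeline is `ausearch -m avc -c syslog-ng | audit2allow -M syslogng` followed by `semodule -i syslogng.pp`; the point of doing it by hand is to read what comes out before loading it. Rules generated this way grant exactly what was denied and nothing more, so they are a lower bound on the posted module (which additionally grants the node and netif tcp_recv/tcp_send permissions and the full socket lifecycle on self), but they can also be broader than intended: `name_connect` on port_t lets the daemon connect to any unlabelled TCP port, which is why a dedicated port type for the forwarding destination is preferable to widening port_t.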