Bug 215046

Summary: Targeted SELinux policy prevents syslog-ng from making tcp connections
Product: [Fedora] Fedora
Reporter: Paul Sery <pgsery>
Component: syslog-ng
Assignee: Jose Pedro Oliveira <jose.p.oliveira.oss>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 6
CC: dwalsh, extras-qa, k.georgiou
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-03-03 22:59:33 UTC

Description Paul Sery 2006-11-10 18:24:22 UTC
Description of problem:

SELinux Targeted policy prevents syslog-ng from opening a TCP socket.

Version-Release number of selected component (if applicable):

syslog-ng-1.6.11.3.fc4
syslog-ng-1.6.11-3.fc5
syslog-ng-1.6.11-3.fc6

How reproducible:

Always

Steps to Reproduce:

1. Install Fedora Core 4/5/6 (SELinux Targeted policy installed by default)
2. Install syslog-ng
3. Modify /etc/syslog-ng/syslog-ng.conf to log remotely using TCP.
   For instance,
   destination d_remote { tcp ("loghost" port (5141)); };
   log { source(s_sys); destination(d_remote); };

   (The port is arbitrary.)

4. Turn syslog off
5. Start syslog-ng

Actual results:

syslog-ng fails to start. Setting SELinux to permissive mode allows syslog-ng to
start and logs the problematic AVCs.

Expected results:

syslog-ng starts with SELinux in enforcing mode and events are transmitted to
the remote loghost.

Additional info:

Adding the following rules to the syslogd.te source type file on FC4 and
creating a local module on FC5/6 fixes the problem.

allow syslogd_t netif_t:netif { tcp_recv tcp_send };
allow syslogd_t node_t:node { tcp_recv tcp_send };
allow syslogd_t rsh_port_t:tcp_socket { name_connect recv_msg send_msg };
allow syslogd_t self:tcp_socket { getopt read write };

Comment 1 Jose Pedro Oliveira 2006-12-02 20:59:26 UTC
Sorry for the delay. I will start looking into this today.

jpo

Links about the syslog-ng review and syslog-ng/selinux:

* Bug 141064: selinux-policy-targeted prevents syslog-ng from using /proc/kmsg
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=141064

* Bug 152185: selinux-policy-targeted and syslog-ng (take 2)
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152185

* Review request: syslog-ng (syslog replacement daemon)
  https://www.redhat.com/archives/fedora-extras-list/2005-May/msg00188.html
  https://www.redhat.com/archives/fedora-extras-list/2005-May/msg00258.html

* Review request 2: syslog-ng (syslog replacement daemon)
  https://www.redhat.com/archives/fedora-extras-list/2005-May/msg00966.html
  https://www.redhat.com/archives/fedora-extras-list/2005-June/msg00833.html

Comment 2 Paul Sery 2006-12-02 21:03:45 UTC
No need to apologize, I appreciate you looking into the problem.

Thanks,
Paul

Comment 3 Jose Pedro Oliveira 2006-12-03 04:16:05 UTC
Paul,

The following syslog-ng policy should add support for TCP. Syslog-ng should
now be able to function as a TCP log server and a TCP forwarder.


syslogng.te
-----------
policy_module(syslogng, 0.90)

require {
    type syslogd_t;
    type rsh_port_t;
    type port_t;
    type inaddr_any_node_t;
    type netif_t;
    type lo_node_t;
    type node_t;
};

#
# TCP support
#
allow syslogd_t inaddr_any_node_t:tcp_socket node_bind;
allow syslogd_t lo_node_t:node { tcp_recv tcp_send };
allow syslogd_t netif_t:netif { tcp_recv tcp_send };
allow syslogd_t node_t:node { tcp_recv tcp_send };
allow syslogd_t node_t:tcp_socket node_bind;
allow syslogd_t port_t:tcp_socket { name_bind name_connect recv_msg send_msg };
allow syslogd_t rsh_port_t:tcp_socket { name_bind name_connect recv_msg send_msg };
allow syslogd_t self:tcp_socket { accept bind connect create getattr getopt
listen read setopt write };
-----------


Syslog-ng configurations
------------------------
...
source s_sys {
    file ("/proc/kmsg" log_prefix("kernel: "));
    unix-stream ("/dev/log");
    internal();
    # udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0));   # default port: 514
    # tcp(ip(0.0.0.0) port(514));
    # tcp(ip(0.0.0.0) port(10514));
    # tcp(ip(192.168.82.67) port(514));
};
...
#destination d_remote { tcp ("192.168.82.68" port (514)); };
#destination d_remote { tcp ("192.168.82.67" port (5141)); };
#destination d_remote { tcp ("127.0.0.1" port (5141)); };
#log { source(s_sys); destination(d_remote); };
...


The SRPM
  ftp://perl.di.uminho.pt/pub/fedora/syslog-ng-1.6.11-3.90.src.rpm
should build (it now creates a selinux subpackage) and install cleanly in Fedora
Core 6 systems.  In the next few days I will test it further.  Meanwhile if you
could also help test it, it would be great.

tia,
jpo
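
As an added illustration (not code from the bug report or from the syslog-ng package), the script below does by machine what the description's "Additional info" and comment 3 describe by hand: it collects the AVC denials logged for syslogd_t while SELinux runs in permissive mode and renders them as allow rules in the layout of the syslogng.te above. The AVC lines are constructed samples, and the target types they name are assumed from the thread.

```python
import re
from collections import defaultdict

# Constructed sample AVC lines (not taken from the bug report), in the kernel
# audit format of the era; the types mirror those the thread's rules name.
SAMPLE_AVCS = """\
audit(1163183062.123:45): avc:  denied  { name_connect } for  pid=2231 comm="syslog-ng" dest=5141 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:rsh_port_t tclass=tcp_socket
audit(1163183062.124:46): avc:  denied  { send_msg } for  pid=2231 comm="syslog-ng" dest=5141 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:rsh_port_t tclass=tcp_socket
audit(1163183062.125:47): avc:  denied  { tcp_send } for  pid=2231 comm="syslog-ng" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:netif_t tclass=netif
audit(1163183062.126:48): avc:  denied  { getopt } for  pid=2231 comm="syslog-ng" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=tcp_socket
audit(1163183062.127:49): avc:  denied  { read write } for  pid=2231 comm="syslog-ng" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=tcp_socket
audit(1163183062.128:50): avc:  denied  { write } for  pid=9 comm="crond" scontext=system_u:system_r:crond_t tcontext=system_u:object_r:var_log_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """user:role:type[:level] -> type"""
    return context.split(":")[2]

def collect_denials(text, domain="syslogd_t"):
    """Map (source type, target type, class) -> permissions denied to `domain`."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or type_of(m.group("scon")) != domain:
            continue   # not an AVC line, or a denial for some other domain
        tgt = type_of(m.group("tcon"))
        tgt = "self" if tgt == domain else tgt   # same-domain target, as on the page
        rules[(domain, tgt, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)

def render_module(rules, name="syslogng", version="0.90"):
    """Emit a refpolicy-style .te module in the layout used in comment 3."""
    types = set()
    for src, tgt, _cls in rules:
        types.add(src)
        if tgt != "self":
            types.add(tgt)
    out = [f"policy_module({name}, {version})", "", "require {"]
    out += [f"    type {t};" for t in sorted(types)] + ["};", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return "\n".join(out) + "\n"
```

Review the target types before loading the result: a rule on a generic type such as port_t (as in comment 3) covers every unlabelled port, so a narrower labelled port type is preferable where one exists. The rendered file is built and loaded the usual way with checkmodule -M -m, semodule_package and semodule -i.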

Comment 4 Paul Sery 2006-12-07 05:35:48 UTC
The new modules works on my FC6 (w/ current updates) as long as the context of
the /etc/syslog-ng directory is changed to syslogd_t. I'll test it on a FC4, and
RHEL4 machine tomorrow. Thanks!

Comment 5 Jose Pedro Oliveira 2007-01-07 17:27:09 UTC
Paul,

I still haven't pushed this update because we are trying to have the core
SELinux policies changed (syslog-ng may be system logging in Fedora 7).

More info:
  http://fedoraproject.org/wiki/Releases/7
  http://fedoraproject.org/wiki/Releases/FeatureSyslogNG

jpo

Comment 6 Daniel Walsh 2007-02-05 19:36:31 UTC
With the current policy in RHEL5/Rawhide/FC6 syslog-ng seems to be working
without this policy patch.

Comment 7 Jose Pedro Oliveira 2007-02-12 21:48:55 UTC
I will close this ticket as soon as selinux-policy >= 2.4.6-37.fc6 hits the
mirrors. See ticket 

  * Bug 218978: syslog-ng unable to use TCP sockets
    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218978

instead. Another ticket that may have some useful information is

  * Bug 219771: syslog-ng: update to version 2.0.x (from 1.6.11)
    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219771

jpo

Comment 8 Jose Pedro Oliveira 2007-03-03 22:59:33 UTC
Problem fixed in selinux-policy-targeted-2.4.6-42.fc6 (right now only in CVS).

Steps to build it:

1) cvs -d :pserver:anonymous.redhat.com:/cvs/dist co selinux-policy
2) cd selinux-policy/FC-6
3) make srpm
4) make i386

*** This bug has been marked as a duplicate of 218978 ***