Bug 218978

Summary: syslog-ng unable to use TCP sockets
Product: Fedora
Reporter: Jose Pedro Oliveira <jose.p.oliveira.oss>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 6
CC: pgsery, pvrabec
Hardware: All
OS: Linux
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-03-06 17:54:48 UTC

Description Jose Pedro Oliveira 2006-12-08 20:41:43 UTC
Description of problem:
syslog-ng, a sysklogd replacement, is unable to use TCP sockets.  We should be
able to configure syslog-ng:
   i) as TCP log server, and
  ii) to forward log messages to TCP destinations


Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-1.fc6
syslog-ng-1.6.11-3.fc6 (available in Fedora Extras)

How reproducible:
Always

Steps to Reproduce:
1. add a TCP message source
   Example:
   ...
   source s_sys {
     file ("/proc/kmsg" log_prefix("kernel: "));
     unix-stream ("/dev/log");
     internal();
     # udp(ip(0.0.0.0) port(514));
     tcp(ip(0.0.0.0));   # default port: 514
     # tcp(ip(0.0.0.0) port(10514));
     # tcp(ip(192.168.82.67) port(514));
   };
   ...

2. add a TCP destination
   Example:

   ...
   destination d_remote { tcp ("192.168.82.68" port (514)); };
   #destination d_remote { tcp ("192.168.82.67" port (5141)); };
   #destination d_remote { tcp ("127.0.0.1" port (5141)); };
   ...

3. add a log statement that uses a TCP source and/or a TCP destination
   
   log { source(s_sys); destination(d_remote); };

Actual results:
syslog-ng fails to start.

Expected results:
Be able to run syslog-ng with TCP sources/destinations.

Additional info:

The following SELinux policy appears to correct all the problems that appear
when using the configurations described above:

syslogng.te
-----------
policy_module(syslogng, 0.90)

require {
    type syslogd_t;
    type rsh_port_t;
    type port_t;
    type inaddr_any_node_t;
    type netif_t;
    type lo_node_t;
    type node_t;
};

#
# TCP support
#
allow syslogd_t inaddr_any_node_t:tcp_socket node_bind;
allow syslogd_t lo_node_t:node { tcp_recv tcp_send };
allow syslogd_t netif_t:netif { tcp_recv tcp_send };
allow syslogd_t node_t:node { tcp_recv tcp_send };
allow syslogd_t node_t:tcp_socket node_bind;
allow syslogd_t port_t:tcp_socket { name_bind name_connect recv_msg send_msg };
allow syslogd_t rsh_port_t:tcp_socket { name_bind name_connect recv_msg send_msg };
allow syslogd_t self:tcp_socket { accept bind connect create getattr getopt
listen read setopt write };
-----------

Comment 1 Jose Pedro Oliveira 2006-12-08 20:53:59 UTC
Questions:

1) Is creating the above policy for syslog-ng the best way to resolve the described
   problems? Or could the base/reference syslog policy be extended to allow TCP
   connections?

   Note: In the past the targeted policy allowed syslog to use both UDP and TCP
   sockets but about a year and a half ago the TCP support was dropped:

diff -ruN selinux-policy-targeted-1.17.30-2.96/syslogd.te
selinux-policy-targeted-1.23.10-5/syslogd.te
--- selinux-policy-targeted-1.17.30-2.96/syslogd.te     2005-04-07
20:36:53.000000000 +0100
+++ selinux-policy-targeted-1.23.10-5/syslogd.te        2005-04-12
14:43:59.000000000 +0100
@@ -20,7 +20,7 @@
 ')

 # can_network is for the UDP socket
-can_network(syslogd_t)
+can_network_udp(syslogd_t)
 can_ypbind(syslogd_t)

 r_dir_file(syslogd_t, sysfs_t)
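
Review bot: the unchanged context line `# can_network is for the UDP socket` still names `can_network` after this hunk swaps the call for `can_network_udp(syslogd_t)`; update the comment to match, and record in it that TCP was dropped on purpose, because every daemon that runs as syslogd_t (syslog-ng does, per the AVC records in this bug) loses TCP listen and connect with this change, which is exactly the regression the reporter is hitting.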

----------


2) The syslog-ng-1.6.11 configuration file is placed in the /etc/syslog-ng
   directory.  Is it necessary to change the file context for the configuration
   file/directory?


tia,
jpo

Comment 2 Daniel Walsh 2007-02-05 19:35:49 UTC
With the current policy in RHEL5/Rawhide/FC6 syslog-ng seems to be working
without this policy patch.

Comment 3 Jose Pedro Oliveira 2007-02-06 04:10:44 UTC
Daniel Walsh,

I still have the following problems with selinux-policy-targeted-2.4.6-27.fc6:

1) restarting syslog-ng after adding 

      destination d_remote { tcp ("192.168.82.67" port (514)); };
      log { source(s_sys); destination(d_remote); };

   to the configuration file and just logging something (logger test) produces:


Feb  6 04:00:23 pateta kernel: audit(1170734423.223:28): avc:  denied  { create } for  pid=3973 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb  6 04:00:23 pateta kernel: audit(1170734423.223:29): avc:  denied  { setopt } for  pid=3973 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb  6 04:00:23 pateta kernel: audit(1170734423.223:30): avc:  denied  { bind } for  pid=3973 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb  6 04:00:23 pateta kernel: audit(1170734423.223:31): avc:  denied  { node_bind } for  pid=3973 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
Feb  6 04:00:23 pateta kernel: audit(1170734423.223:32): avc:  denied  { connect } for  pid=3973 comm="syslog-ng" lport=48224 scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb  6 04:00:23 pateta kernel: audit(1170734423.224:33): avc:  denied  { getopt } for  pid=3974 comm="syslog-ng" laddr=192.168.82.67 lport=48224 faddr=192.168.82.9 fport=514 scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb  6 04:00:23 pateta kernel: audit(1170734423.224:34): avc:  denied  { write } for  pid=3974 comm="syslog-ng" name="[16862]" dev=sockfs ino=16862 scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb  6 04:00:35 pateta root: teste2


   audit2allow produces
   allow syslogd_t inaddr_any_node_t:tcp_socket node_bind;
   allow syslogd_t self:tcp_socket { bind connect create getopt setopt write };


2) adding
     tcp();
   to the source produces at least 

Feb  6 04:07:47 pateta kernel: audit(1170734824.768:35): avc:  denied  { listen } for  pid=4057 comm="syslog-ng" lport=514 scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket


   audit2allow produces
   allow syslogd_t self:tcp_socket listen;


jpo

Comment 4 Daniel Walsh 2007-02-06 15:00:14 UTC
Fixed in selinux-policy-2.4.6-36

Comment 5 Jose Pedro Oliveira 2007-02-07 15:47:13 UTC
Daniel Walsh,

I haven't been able to build selinux-policy-2.4.6-36.
Steps to reproduce the problem in a FC-6 system:

1) cvs -d :pserver:anonymous.redhat.com:/cvs/dist co selinux-policy
2) cd selinux-policy/FC-6
3) make srpm
   ...
   Wrote: .../selinux-policy/FC-6/selinux-policy-2.4.6-36.fc6.src.rpm
4) make i386
   ...
Compiling targeted base module
/usr/bin/checkmodule -M base.conf -o tmp/base.mod
/usr/bin/checkmodule:  loading policy configuration from base.conf
policy/modules/system/logging.te:67:ERROR 'permission fsetsid is not defined for class capability' at token ';' on line 412548:

allow auditctl_t self:capability { fsetsid audit_write audit_control };
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make[1]: *** [tmp/base.mod] Error 1
make[1]: Leaving directory `/home/users/fedora/rpms/BUILD/selinux-policy/FC-6/serefpolicy-2.4.6'
error: Bad exit status from /var/tmp/rpm-tmp.45286 (%install)


RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.45286 (%install)
make: *** [i386] Error 1

Comment 6 Jose Pedro Oliveira 2007-02-11 14:07:53 UTC
(In reply to comment #4)
> Fixed in selinux-policy-2.4.6-36

Where can I find a RPM/SRPM ? 
I'm unable to create one from CVS (see previous comment).

jpo

Comment 7 Jose Pedro Oliveira 2007-02-12 21:18:44 UTC
syslog-ng TCP connections appear to be working correctly with
selinux-policy-2.4.6-37.fc6 from CVS.

jpo

Comment 8 Jose Pedro Oliveira 2007-02-17 16:31:17 UTC
Dan,

Found a problem in FC-6 with the latest selinux-policy RPMS (2.4.6-37.fc6):

* trying to connect via TCP to a remote log server using a port other than
  514 fails (no problem with TCP connections to port 514).

syslog-ng configuration
-----------------------
...
#destination d_remote { tcp ("192.168.82.9" port (514)); };
destination d_remote { tcp ("192.168.82.9" port (1514)); };
log { source(s_sys); destination(d_remote); };
...

syslog-ng error messages
------------------------
Feb 17 16:03:38 pateta syslog-ng[24232]: Connection failed; error='Permission denied (13)'
Feb 17 16:03:38 pateta syslog-ng[24232]: Initiating connection failed, reconnecting; time_reopen='10'


strace -p <syslog-ng.pid>
-------------------------
...
setsockopt(6, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
bind(6, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
setsockopt(6, SOL_SOCKET, SO_KEEPALIVE, [0], 4) = 0
connect(6, {sa_family=AF_INET, sin_port=htons(1514), sin_addr=inet_addr("192.168.82.9")}, 16) = -1 EACCES (Permission denied)
...


If I disable SELinux (setenforce 0), syslog-ng is able to (re)connect
to the remote destination.


jpo

Comment 9 Daniel Walsh 2007-02-20 20:08:56 UTC
If you want to connect to a different port you need to tell SELinux about it.
The way you do this is to use semanage:


semanage port -a -t syslogd_port_t -p tcp 1514 

semanage port -l 

will list all port definitions.


Comment 10 Jose Pedro Oliveira 2007-02-26 20:44:26 UTC
Dan Walsh,

Commands like

 semanage port -a -t syslogd_port_t -p tcp 1514 

don't seem to solve the problem.  Am I doing something wrong?

tia,
jpo


1) Syslog-NG as a TCP server
======================================================================

  Bind to port TCP/1514
  ---------------------
  source s_tcp { tcp(ip(0.0.0.0) port(1514)); };
  destination d_tcp { file("/var/log/syslogtcp"); };
  log { source(s_tcp); destination(d_tcp); };

  Result
  ------
  SELinux is preventing the /sbin/syslog-ng (syslogd_t) from binding to port 1514.

  avc: denied { name_bind } for comm="syslog-ng" egid=0 euid=0 exe="/sbin/syslog-ng" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=3772 scontext=root:system_r:syslogd_t:s0 sgid=0 src=1514 subj=root:system_r:syslogd_t:s0 suid=0 tclass=tcp_socket tcontext=system_u:object_r:port_t:s0 tty=(none) uid=0
  
  audit2allow of the previous AVC
  -------------------------------
  allow syslogd_t port_t:tcp_socket name_bind;

  
  Trying semanage
  ---------------
  semanage port -a -t syslogd_port_t -p tcp 1514

  # semanage port -l | grep syslog
  syslogd_port_t                 tcp      1514
  syslogd_port_t                 udp      514
  
  New result
  ----------
  avc: denied { name_bind } for comm="syslog-ng" egid=0 euid=0 exe="/sbin/syslog-ng" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=3813 scontext=root:system_r:syslogd_t:s0 sgid=0 src=1514 subj=root:system_r:syslogd_t:s0 suid=0 tclass=tcp_socket tcontext=system_u:object_r:syslogd_port_t:s0 tty=(none) uid=0

  new audit2allow translation
  --------------------------
  allow syslogd_t syslogd_port_t:tcp_socket name_bind;


2) Syslog-NG as a TCP client (forwarder)
======================================================================
  Configuration
  -------------
  destination d_remote { tcp("192.168.1.6" port(1514)); };
  log { source(s_sys); destination(d_remote); };

  Result
  ------
  SELinux is preventing the /sbin/syslog-ng (syslogd_t) from connecting to port 1514.

  avc: denied { name_connect } for comm="syslog-ng" dest=1514 egid=0 euid=0 exe="/sbin/syslog-ng" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=4135 scontext=root:system_r:syslogd_t:s0 sgid=0 subj=root:system_r:syslogd_t:s0 suid=0 tclass=tcp_socket tcontext=system_u:object_r:port_t:s0 tty=(none) uid=0

  audit2allow
  -----------
  allow syslogd_t port_t:tcp_socket name_connect;

  trying semanage
  ---------------
  semanage port -a -t syslogd_port_t -p tcp 1514
  
  new result
  ----------
  SELinux is preventing /sbin/syslog-ng (syslogd_t) "name_connect" access to (syslogd_port_t).

  avc: denied { name_connect } for comm="syslog-ng" dest=1514 egid=0 euid=0 exe="/sbin/syslog-ng" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=4267 scontext=root:system_r:syslogd_t:s0 sgid=0 subj=root:system_r:syslogd_t:s0 suid=0 tclass=tcp_socket tcontext=system_u:object_r:syslogd_port_t:s0 tty=(none) uid=0

  audit2allow
  -----------
  allow syslogd_t syslogd_port_t:tcp_socket name_connect;



Comment 11 Daniel Walsh 2007-02-26 21:03:30 UTC
Yes, you are right.  I will need to update the policy.  Currently the policy
only allows udp connections to the syslogd_port_t.  You could add your port to
the rsh_port_t, and it should work, but theoretically this would allow rsh
access to those ports also.  
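
Both the audit2allow output quoted in comment 3 and the port_t versus syslogd_port_t distinction that comments 10 and 11 turn on can be checked mechanically. The following Python is an example added to this page, not code from selinux-policy, audit2allow or syslog-ng. It parses AVC records in the two shapes quoted in this bug (kernel audit lines with a syslog prefix, and setroubleshoot-style lines), folds them into allow rules the way audit2allow summarises them, and for name_bind/name_connect denials states whether the right fix is a semanage port label (the target is the generic port_t) or a policy change (the target is already syslogd_port_t). The sample records are constructed from the ones posted here; GENERIC_PORT_TYPE and the syslogd_port_t default are assumptions about the targeted policy's naming.

```python
"""Summarise SELinux AVC denials the way audit2allow does, and flag the
denials that are better fixed by labelling a port than by a new allow rule.

Added example for this bug thread; not part of selinux-policy, audit2allow
or syslog-ng.  SAMPLE_AVC is constructed from the record shapes posted in
the thread, one record per line."""
import re
from collections import defaultdict

SAMPLE_AVC = """\
Feb  6 04:00:23 pateta kernel: audit(1170734423.223:28): avc:  denied  { create } for  pid=3973 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb  6 04:00:23 pateta kernel: audit(1170734423.223:30): avc:  denied  { bind } for  pid=3973 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb  6 04:00:23 pateta kernel: audit(1170734423.223:31): avc:  denied  { node_bind } for  pid=3973 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
Feb  6 04:07:47 pateta kernel: audit(1170734824.768:35): avc:  denied  { listen } for  pid=4057 comm="syslog-ng" lport=514 scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb  6 04:00:35 pateta root: teste2
avc: denied { name_bind } for comm="syslog-ng" exe="/sbin/syslog-ng" exit=-13 pid=3772 scontext=root:system_r:syslogd_t:s0 src=1514 tclass=tcp_socket tcontext=system_u:object_r:port_t:s0
avc: denied { name_connect } for comm="syslog-ng" dest=1514 exe="/sbin/syslog-ng" exit=-13 pid=4135 scontext=root:system_r:syslogd_t:s0 tclass=tcp_socket tcontext=system_u:object_r:port_t:s0
avc: denied { name_connect } for comm="syslog-ng" dest=1514 exe="/sbin/syslog-ng" exit=-13 pid=4267 scontext=root:system_r:syslogd_t:s0 tclass=tcp_socket tcontext=system_u:object_r:syslogd_port_t:s0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
GENERIC_PORT_TYPE = 'port_t'   # assumed: label of any port with no specific port type


def parse_avc(line):
    """One AVC record -> dict of its key=value fields plus 'perms';
    None when the line is not an AVC denial (e.g. the 'logger' test line)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec['perms'] = m.group(1).split()
    return rec


def context_type(ctx):
    """user:role:type[:level] -> type, e.g. root:system_r:syslogd_t:s0 -> syslogd_t."""
    return ctx.split(':')[2]


def collect_rules(lines):
    """Group denials by (source type, target type or 'self', object class),
    merging the permissions, which is how audit2allow summarises them."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
            continue
        stype = context_type(rec['scontext'])
        ttype = context_type(rec['tcontext'])
        target = 'self' if ttype == stype else ttype
        rules[(stype, target, rec['tclass'])].update(rec['perms'])
    return rules


def format_rules(rules):
    """Render the groups as allow rules; a single permission gets no braces."""
    out = []
    for (stype, target, tclass), perms in sorted(rules.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        out.append(f'allow {stype} {target}:{tclass} {body};')
    return out


def port_advice(lines, port_type='syslogd_port_t'):
    """For name_bind/name_connect denials decide between two fixes:
    - target is the generic port_t: the port is merely unlabelled; label it
      with semanage instead of allowing the domain port_t, which would open
      every unlabelled port;
    - target is already a specific port type: the domain's policy lacks that
      permission on the type, so only a policy update helps (comment 11).
    Returns (perm, proto, port, action) tuples."""
    advice = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.get('tclass') not in ('tcp_socket', 'udp_socket'):
            continue
        proto = rec['tclass'].split('_')[0]             # tcp or udp
        if 'name_bind' in rec['perms'] and 'src' in rec:
            perm, port = 'name_bind', rec['src']        # listener: local port
        elif 'name_connect' in rec['perms'] and 'dest' in rec:
            perm, port = 'name_connect', rec['dest']    # forwarder: remote port
        else:
            continue
        ttype = context_type(rec['tcontext'])
        if ttype == GENERIC_PORT_TYPE:
            action = f'semanage port -a -t {port_type} -p {proto} {port}'
        else:
            action = (f'policy update needed: {context_type(rec["scontext"])} '
                      f'lacks {perm} on {ttype}')
        advice.append((perm, proto, port, action))
    return advice


if __name__ == '__main__':
    lines = SAMPLE_AVC.splitlines()
    print('\n'.join(format_rules(collect_rules(lines))))
    for perm, proto, port, action in port_advice(lines):
        print(f'{perm} {proto}/{port}: {action}')
```

The point of port_advice is the one Dan makes above: `allow syslogd_t port_t:tcp_socket name_connect`, which audit2allow prints for the first attempts in comment 10, grants the daemon every port that carries no specific label, whereas the semanage label confines the grant to the one port. One practical caveat: `semanage port -a` refuses a port that already has another type; `semanage port -m` changes the existing definition instead.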

Comment 12 Jose Pedro Oliveira 2007-03-03 22:53:41 UTC
Dan,

 Syslog-ng is now able to use TCP ports other than TCP/514 with
 selinux-policy[-targeted]-2.4.6-42.fc6 (built from CVS).


1) Syslog-ng as a TCP client (forwarder)
======================================================================

  Configuration
  -------------
  destination d_remote { tcp("192.168.1.6" port(2514)); };
  log { source(s_sys); destination(d_remote); };

  It now works after executing the semanage command: 

  semanage port -a -t syslogd_port_t -p tcp 2514


2) Syslog-ng as a TCP server (bind)
======================================================================

  Configuration
  -------------
  source s_tcp { tcp(ip(0.0.0.0) port(1514)); };
  destination d_tcp { file("/var/log/syslogtcp"); };
  log { source(s_tcp); destination(d_tcp); };

  It now works after executing the semanage command: 

  semanage port -a -t syslogd_port_t -p tcp 1514


Thanks,
jpo

Comment 13 Jose Pedro Oliveira 2007-03-03 22:59:36 UTC
*** Bug 215046 has been marked as a duplicate of this bug. ***

Comment 14 Jose Pedro Oliveira 2007-03-07 23:58:49 UTC
Daniel Walsh,

Just a reminder that
 
  selinux-policy-2.4.6-42.fc6

still hasn't been built and pushed (right now it is only available in CVS).

jpo