Bug 218978
| Summary: | syslog-ng unable to use TCP sockets | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jose Pedro Oliveira <jose.p.oliveira.oss> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6 | CC: | pgsery, pvrabec |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | Current | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2007-03-06 17:54:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Jose Pedro Oliveira
2006-12-08 20:41:43 UTC
Questions:

1) Is creating the above policy for syslog-ng the best way to resolve the described problems? Or could the base/reference syslog policy be extended to allow TCP connections?

Note: In the past the targeted policy allowed syslog to use both UDP and TCP sockets, but about a year and a half ago the TCP support was dropped:

```diff
diff -ruN selinux-policy-targeted-1.17.30-2.96/syslogd.te selinux-policy-targeted-1.23.10-5/syslogd.te
--- selinux-policy-targeted-1.17.30-2.96/syslogd.te 2005-04-07 20:36:53.000000000 +0100
+++ selinux-policy-targeted-1.23.10-5/syslogd.te 2005-04-12 14:43:59.000000000 +0100
@@ -20,7 +20,7 @@
 ')
 
 # can_network is for the UDP socket
-can_network(syslogd_t)
+can_network_udp(syslogd_t)
 can_ypbind(syslogd_t)
 
 r_dir_file(syslogd_t, sysfs_t)
```
----------

2) The syslog-ng-1.6.11 configuration file is placed in the /etc/syslog-ng directory. Is it necessary to change the file context for the configuration file/directory?

tia,
jpo

---

With the current policy in RHEL5/Rawhide/FC6 syslog-ng seems to be working without this policy patch.

---

Daniel Walsh,

I still have the following problems with selinux-policy-targeted-2.4.6-27.fc6:

1) Restarting syslog-ng after adding

```
destination d_remote { tcp ("192.168.82.67" port (514)); };
log { source(s_sys); destination(d_remote); };
```

to the configuration file and just logging something (logger test) produces:

```
Feb 6 04:00:23 pateta kernel: audit(1170734423.223:28): avc: denied { create } for pid=3973 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb 6 04:00:23 pateta kernel: audit(1170734423.223:29): avc: denied { setopt } for pid=3973 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb 6 04:00:23 pateta kernel: audit(1170734423.223:30): avc: denied { bind } for pid=3973 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb 6 04:00:23 pateta kernel: audit(1170734423.223:31): avc: denied { node_bind } for pid=3973 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
Feb 6 04:00:23 pateta kernel: audit(1170734423.223:32): avc: denied { connect } for pid=3973 comm="syslog-ng" lport=48224 scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb 6 04:00:23 pateta kernel: audit(1170734423.224:33): avc: denied { getopt } for pid=3974 comm="syslog-ng" laddr=192.168.82.67 lport=48224 faddr=192.168.82.9 fport=514 scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb 6 04:00:23 pateta kernel: audit(1170734423.224:34): avc: denied { write } for pid=3974 comm="syslog-ng" name="[16862]" dev=sockfs ino=16862 scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb 6 04:00:35 pateta root: teste2
```

audit2allow produces

```
allow syslogd_t inaddr_any_node_t:tcp_socket node_bind;
allow syslogd_t self:tcp_socket { bind connect create getopt setopt write };
```

2) Adding tcp(); to the source produces at least

```
Feb 6 04:07:47 pateta kernel: audit(1170734824.768:35): avc: denied { listen } for pid=4057 comm="syslog-ng" lport=514 scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
```

audit2allow produces

```
allow syslogd_t self:tcp_socket listen;
```

jpo

---

Fixed in selinux-policy-2.4.6-36

---

Daniel Walsh,

I haven't been able to build selinux-policy-2.4.6-36.

Steps to reproduce the problem in a FC-6 system:

1) cvs -d :pserver:anonymous.redhat.com:/cvs/dist co selinux-policy
2) cd selinux-policy/FC-6
3) make srpm
   ...
   Wrote: .../selinux-policy/FC-6/selinux-policy-2.4.6-36.fc6.src.rpm
4) make i386
   ...

```
Compiling targeted base module
/usr/bin/checkmodule -M base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
policy/modules/system/logging.te:67:ERROR 'permission fsetsid is not defined for class capability' at token ';' on line 412548:
allow auditctl_t self:capability { fsetsid audit_write audit_control };
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make[1]: *** [tmp/base.mod] Error 1
make[1]: Leaving directory `/home/users/fedora/rpms/BUILD/selinux-policy/FC-6/serefpolicy-2.4.6'
error: Bad exit status from /var/tmp/rpm-tmp.45286 (%install)

RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.45286 (%install)
make: *** [i386] Error 1
```

---

(In reply to comment #4)
> Fixed in selinux-policy-2.4.6-36

Where can I find a RPM/SRPM?
I'm unable to create one from CVS (see previous comment).

jpo

---

syslog-ng TCP connections appear to be working correctly with selinux-policy-2.4.6-37.fc6 from CVS.

jpo

---

Dan,

Found a problem in FC-6 with the latest selinux-policy RPMS (2.4.6-37.fc6):

* trying to connect via TCP to a remote log server using a port other than 514 fails (no problem with TCP connections to the 514 port).

syslog-ng configuration
-----------------------
```
...
#destination d_remote { tcp ("192.168.82.9" port (514)); };
destination d_remote { tcp ("192.168.82.9" port (1514)); };
log { source(s_sys); destination(d_remote); };
...
```

syslog-ng error messages
------------------------
```
Feb 17 16:03:38 pateta syslog-ng[24232]: Connection failed; error='Permission denied (13)'
Feb 17 16:03:38 pateta syslog-ng[24232]: Initiating connection failed, reconnecting; time_reopen='10'
```

strace -p <syslog-ng.pid>
-------------------------
```
...
setsockopt(6, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
bind(6, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
setsockopt(6, SOL_SOCKET, SO_KEEPALIVE, [0], 4) = 0
connect(6, {sa_family=AF_INET, sin_port=htons(1514), sin_addr=inet_addr("192.168.82.9")}, 16) = -1 EACCES (Permission denied)
...
```

If I disable SELinux (setenforce 0), syslog-ng is able to (re)connect to the remote destination.

jpo

---

If you want to connect to a different port you need to tell SELinux about it. The way you do this is to use semanage:

```
semanage port -a -t syslogd_port_t -p tcp 1514
```

semanage port -l will list all port definitions.

---

Dan Walsh,

Commands like

```
semanage port -a -t syslogd_port_t -p tcp 1514
```

don't seem to solve the problem. Am I doing something wrong?

tia,
jpo

---

1) Syslog-NG as a TCP server
======================================================================

Bind to port TCP/1514
---------------------
```
source s_tcp { tcp(ip(0.0.0.0) port(1514)); };
destination d_tcp { file("/var/log/syslogtcp"); };
log { source(s_tcp); destination(d_tcp); };
```

Result
------
SELinux is preventing the /sbin/syslog-ng (syslogd_t) from binding to port 1514.

```
avc: denied { name_bind } for comm="syslog-ng" egid=0 euid=0 exe="/sbin/syslog-ng" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=3772 scontext=root:system_r:syslogd_t:s0 sgid=0 src=1514 subj=root:system_r:syslogd_t:s0 suid=0 tclass=tcp_socket tcontext=system_u:object_r:port_t:s0 tty=(none) uid=0
```

audit2allow of the previous AVC
-------------------------------
```
allow syslogd_t port_t:tcp_socket name_bind;
```

Trying semanage
---------------
```
semanage port -a -t syslogd_port_t -p tcp 1514
# semanage port -l | grep syslog
syslogd_port_t                 tcp      1514
syslogd_port_t                 udp      514
```

New result
----------
```
avc: denied { name_bind } for comm="syslog-ng" egid=0 euid=0 exe="/sbin/syslog-ng" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=3813 scontext=root:system_r:syslogd_t:s0 sgid=0 src=1514 subj=root:system_r:syslogd_t:s0 suid=0 tclass=tcp_socket tcontext=system_u:object_r:syslogd_port_t:s0 tty=(none) uid=0
```

New audit2allow translation
---------------------------
```
allow syslogd_t syslogd_port_t:tcp_socket name_bind;
```

2) Syslog-NG as a TCP client (forwarder)
======================================================================

Configuration
-------------
```
destination d_remote { tcp("192.168.1.6" port(1514)); };
log { source(s_sys); destination(d_remote); };
```

Result
------
SELinux is preventing the /sbin/syslog-ng (syslogd_t) from connecting to port 1514.

```
avc: denied { name_connect } for comm="syslog-ng" dest=1514 egid=0 euid=0 exe="/sbin/syslog-ng" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=4135 scontext=root:system_r:syslogd_t:s0 sgid=0 subj=root:system_r:syslogd_t:s0 suid=0 tclass=tcp_socket tcontext=system_u:object_r:port_t:s0 tty=(none) uid=0
```

audit2allow
-----------
```
allow syslogd_t port_t:tcp_socket name_connect;
```

Trying semanage
---------------
```
semanage port -a -t syslogd_port_t -p tcp 1514
```

New result
----------
SELinux is preventing /sbin/syslog-ng (syslogd_t) "name_connect" access to (syslogd_port_t).

```
avc: denied { name_connect } for comm="syslog-ng" dest=1514 egid=0 euid=0 exe="/sbin/syslog-ng" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=4267 scontext=root:system_r:syslogd_t:s0 sgid=0 subj=root:system_r:syslogd_t:s0 suid=0 tclass=tcp_socket tcontext=system_u:object_r:syslogd_port_t:s0 tty=(none) uid=0
```

audit2allow
-----------
```
allow syslogd_t syslogd_port_t:tcp_socket name_connect;
```

---

Yes, you are right. I will need to update the policy. Currently the policy only allows UDP connections to the syslogd_port_t. You could add your port to the rsh_port_t, and it should work, but theoretically this would allow rsh access to those ports also.

---

Dan,

Syslog-ng is now able to use TCP ports other than TCP/514 with selinux-policy[-targeted]-2.4.6-42.fc6 (built from CVS).

1) Syslog-ng as a TCP client (forwarder)
======================================================================

Configuration
-------------
```
destination d_remote { tcp("192.168.1.6" port(2514)); };
log { source(s_sys); destination(d_remote); };
```

It now works after executing the semanage command:

```
semanage port -a -t syslogd_port_t -p tcp 2514
```

2) Syslog-ng as a TCP server (bind)
======================================================================

Configuration
-------------
```
source s_tcp { tcp(ip(0.0.0.0) port(1514)); };
destination d_tcp { file("/var/log/syslogtcp"); };
log { source(s_tcp); destination(d_tcp); };
```

It now works after executing the semanage command:

```
semanage port -a -t syslogd_port_t -p tcp 1514
```

Thanks,
jpo

---

*** Bug 215046 has been marked as a duplicate of this bug. ***

---

Daniel Walsh,

Just a reminder that selinux-policy-2.4.6-42.fc6 still hasn't been built and pushed (right now it is only available in CVS).

jpo
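The audit2allow translations quoted in the comments above, as an added example that is not part of the bug report or of selinux-policy: a small Python parser over the AVC lines from this bug (copied below as sample input; the line the page wrapped is re-joined) that groups denials into allow rules the way audit2allow prints them, and separately flags name_bind/name_connect denials whose target is the generic port_t, where the fix the thread arrives at is labeling the port with semanage rather than the wider rule audit2allow would suggest. The function names and the use of syslogd_port_t in the usage block are the example's own choices.

```python
import re
from collections import defaultdict

# Sample input: AVC lines copied from the comments in this bug. The last line is the
# name_connect denial from the forwarder test against port 1514 (target type port_t).
SAMPLE_AVCS = """\
Feb 6 04:00:23 pateta kernel: audit(1170734423.223:28): avc: denied { create } for pid=3973 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb 6 04:00:23 pateta kernel: audit(1170734423.223:29): avc: denied { setopt } for pid=3973 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb 6 04:00:23 pateta kernel: audit(1170734423.223:30): avc: denied { bind } for pid=3973 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb 6 04:00:23 pateta kernel: audit(1170734423.223:31): avc: denied { node_bind } for pid=3973 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
Feb 6 04:00:23 pateta kernel: audit(1170734423.223:32): avc: denied { connect } for pid=3973 comm="syslog-ng" lport=48224 scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb 6 04:00:23 pateta kernel: audit(1170734423.224:33): avc: denied { getopt } for pid=3974 comm="syslog-ng" laddr=192.168.82.67 lport=48224 faddr=192.168.82.9 fport=514 scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb 6 04:00:23 pateta kernel: audit(1170734423.224:34): avc: denied { write } for pid=3974 comm="syslog-ng" name="[16862]" dev=sockfs ino=16862 scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb 6 04:00:35 pateta root: teste2
Feb 6 04:07:47 pateta kernel: audit(1170734824.768:35): avc: denied { listen } for pid=4057 comm="syslog-ng" lport=514 scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
avc: denied { name_connect } for comm="syslog-ng" dest=1514 egid=0 euid=0 exe="/sbin/syslog-ng" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=4135 scontext=root:system_r:syslogd_t:s0 sgid=0 subj=root:system_r:syslogd_t:s0 suid=0 tclass=tcp_socket tcontext=system_u:object_r:port_t:s0 tty=(none) uid=0
"""

# "avc: denied { perm ... } for key=value key=value ..."; the key order varies between
# kernel versions (tclass before or after tcontext), so fields are parsed by name.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one 'avc: denied' line, or None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        return {
            "perms": m.group("perms").split(),
            "scontext": fields["scontext"],
            "tcontext": fields["tcontext"],
            "tclass": fields["tclass"],
            "fields": fields,
        }
    except KeyError:
        return None  # truncated line: do not guess the missing context


def context_type(ctx):
    """user:role:type[:range] -> type"""
    return ctx.split(":")[2]


def rules_from_avcs(lines):
    """Aggregate denials into audit2allow-style rules: one rule per (source type, target type,
    class), 'self' when source and target types match, permissions sorted as audit2allow does."""
    grouped = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        s = context_type(d["scontext"])
        t = context_type(d["tcontext"])
        grouped[(s, "self" if s == t else t, d["tclass"])].update(d["perms"])
    rules = []
    for (s, t, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {s} {t}:{cls} {perm_str};")
    return rules


# The AVC field that carries the port number for each port permission.
PORT_PERMS = {"name_bind": "src", "name_connect": "dest"}


def generic_port_denials(lines):
    """Denials where a domain hit the unlabeled port type port_t. The rule audit2allow would
    print ('allow <dom> port_t:tcp_socket name_connect;') opens every unlabeled port to the
    domain; the narrower fix is to give that one port a type with semanage port -a."""
    hits = []
    for line in lines:
        d = parse_avc(line)
        if d is None or context_type(d["tcontext"]) != "port_t":
            continue
        proto = d["tclass"].split("_")[0]  # tcp_socket -> tcp, udp_socket -> udp
        for perm in d["perms"]:
            key = PORT_PERMS.get(perm)
            if key and key in d["fields"]:
                hits.append((context_type(d["scontext"]), perm, proto, int(d["fields"][key])))
    return hits


def semanage_port_cmd(port_type, proto, port):
    """The command shape used in this bug to label a port."""
    return f"semanage port -a -t {port_type} -p {proto} {port}"


if __name__ == "__main__":
    lines = SAMPLE_AVCS.splitlines()
    for rule in rules_from_avcs(lines):
        print(rule)
    for dom, perm, proto, port in generic_port_denials(lines):
        # syslogd_port_t is the type chosen in the thread; pick the domain's own port type.
        print(f"# {dom} {perm} on unlabeled {proto}/{port}; prefer:",
              semanage_port_cmd("syslogd_port_t", proto, port))
```

The grouping reproduces the two rules jpo got from audit2allow plus the later listen denial folded into the self rule; the port_t check is the part audit2allow does not do for you, and on a policy that already grants the domain access to its port type the semanage command alone is the whole fix.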
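The port-labeling exchange above (semanage port -a not being enough on -37, Dan's note that the policy only allowed UDP to syslogd_port_t, and the rsh_port_t workaround), as an added example that is not from the bug report or from selinux-policy: a toy Python model of the two separate things SELinux checks for a port access, the port-to-type mapping that semanage manages and the domain's allow rule on that type. The rule sets are an assumption reconstructed from what the comments report, not the serefpolicy sources; the tcp/514 = rsh_port_t label and the rsh_t client domain are hypothetical, chosen to be consistent with TCP/514 working before any semanage change and with Dan's rsh_port_t remark.

```python
# Toy model of SELinux port access: label lookup, then an allow-rule lookup.
# (Added example; rule sets and the rsh_t domain are assumptions, see lead-in.)

DEFAULT_PORT_TYPE = "port_t"  # what an unlisted port falls back to


def initial_port_labels():
    """Port labels before any semanage change: udp/514 -> syslogd_port_t is what
    `semanage port -l | grep syslog` showed; tcp/514 -> rsh_port_t is an assumption."""
    return {("udp", 514): "syslogd_port_t", ("tcp", 514): "rsh_port_t"}


def port_type(labels, proto, port):
    return labels.get((proto, port), DEFAULT_PORT_TYPE)


def semanage_port_add(labels, ptype, proto, port):
    """Model of `semanage port -a -t <ptype> -p <proto> <port>`; like the tool, it refuses
    to redefine a port that already has a type (that is what -m is for)."""
    if (proto, port) in labels:
        raise ValueError(f"{proto}/{port} already defined as {labels[(proto, port)]}")
    labels[(proto, port)] = ptype


# Allow rules as (source domain, target port type, object class, permission).
POLICY_2_4_6_37 = frozenset({
    ("syslogd_t", "syslogd_port_t", "udp_socket", "name_bind"),   # "only allows udp" (Dan)
    ("syslogd_t", "rsh_port_t", "tcp_socket", "name_connect"),    # assumed: why tcp/514 worked
    ("rsh_t", "rsh_port_t", "tcp_socket", "name_connect"),        # hypothetical rsh client
})
POLICY_2_4_6_42 = POLICY_2_4_6_37 | {
    ("syslogd_t", "syslogd_port_t", "tcp_socket", "name_bind"),
    ("syslogd_t", "syslogd_port_t", "tcp_socket", "name_connect"),
}


def check(policy, labels, domain, proto, port, perm):
    """Return (allowed, target type) for a name_bind/name_connect on proto/port."""
    ttype = port_type(labels, proto, port)
    return (domain, ttype, f"{proto}_socket", perm) in policy, ttype


def domains_reaching(policy, labels, proto, port, perm):
    """Every domain the policy lets do `perm` on proto/port: the blast radius of a label choice."""
    ttype = port_type(labels, proto, port)
    return sorted({d for d, t, c, p in policy if (t, c, p) == (ttype, f"{proto}_socket", perm)})


def walk_through():
    """Replay the thread's sequence and return each step's outcome."""
    steps = {}
    labels = initial_port_labels()
    steps["-37, tcp/514"] = check(POLICY_2_4_6_37, labels, "syslogd_t", "tcp", 514, "name_connect")
    steps["-37, tcp/1514 unlabeled"] = check(POLICY_2_4_6_37, labels, "syslogd_t", "tcp", 1514, "name_connect")
    # jpo's semanage command changes the target type in the AVC, but not the decision on -37.
    semanage_port_add(labels, "syslogd_port_t", "tcp", 1514)
    steps["-37, tcp/1514 as syslogd_port_t"] = check(POLICY_2_4_6_37, labels, "syslogd_t", "tcp", 1514, "name_connect")
    steps["-42, tcp/1514 as syslogd_port_t"] = check(POLICY_2_4_6_42, labels, "syslogd_t", "tcp", 1514, "name_connect")
    # Dan's workaround: label the port rsh_port_t. Works on -37, but widens who can reach it.
    workaround = initial_port_labels()
    semanage_port_add(workaround, "rsh_port_t", "tcp", 1514)
    steps["-37, tcp/1514 as rsh_port_t"] = check(POLICY_2_4_6_37, workaround, "syslogd_t", "tcp", 1514, "name_connect")
    steps["who reaches tcp/1514 as rsh_port_t"] = domains_reaching(POLICY_2_4_6_37, workaround, "tcp", 1514, "name_connect")
    steps["who reaches tcp/1514 as syslogd_port_t on -42"] = domains_reaching(POLICY_2_4_6_42, labels, "tcp", 1514, "name_connect")
    return steps


if __name__ == "__main__":
    for name, outcome in walk_through().items():
        print(f"{name}: {outcome}")
```

On a real system the two lookups are `semanage port -l | grep 1514` for the label and `sesearch --allow -s syslogd_t -t syslogd_port_t -c tcp_socket -p name_connect` for the rule; an AVC whose tcontext already shows the intended port type, as in jpo's "new result", means the label is fine and the policy is what needs to change.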