Bug 728591

Summary: selinux policy restricts rsyslog clients from connecting to port 6514
Product: Red Hat Enterprise Linux 6
Reporter: Thomas Wiest <twiest>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Karel Srot <ksrot>
Severity: medium
Priority: medium
Version: 6.1
CC: dwalsh, ksrot, mmcgrath
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-107.el6
Doc Type: Bug Fix
Last Closed: 2011-12-06 10:10:21 UTC

Description Thomas Wiest 2011-08-05 17:56:30 UTC
Description of problem:
selinux policy restricts rsyslog clients from connecting to port 6514 (which is the syslog over TLS port).


/etc/services has it listed:
syslog-tls      6514/tcp                # Syslog over TLS


Version-Release number of selected component (if applicable):

Currently installed selinux-policy is: 
selinux-policy-3.7.19-106.el6.noarch


How reproducible:
every time


Steps to reproduce:
1. Set up rsyslog to send syslog messages to another server using TLS on port 6514.
2. Notice the denial error in /var/log/audit/audit.log.

 
Actual results:
type=AVC msg=audit(1312485538.345:2641866): avc:  denied  { name_connect } for  pid=12748 comm=72733A6D61696E20513A526567 dest=6514 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1312485538.345:2641866): arch=c000003e syscall=42 success=no exit=-13 a0=26 a1=7fb264034060 a2=10 a3=40 items=0 ppid=1 pid=12748 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=98603 comm=72733A6D61696E20513A526567 exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)


Expected results:
no denial

Comment 2 Daniel Walsh 2011-08-05 19:07:39 UTC
semanage port -a -t syslogd_port_t -p tcp 6514

Comment 3 Miroslav Grepl 2011-08-10 07:38:34 UTC
Fixed in selinux-policy-3.7.19-107.el6

Comment 5 Thomas Wiest 2011-08-18 18:58:42 UTC
So it seems that the rsyslog server can't bind/listen on port 6514 either.


type=AVC msg=audit(1313677492.492:3068683): avc:  denied  { name_bind } for  pid=11650 comm="rsyslogd" src=6514 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1313677492.492:3068683): arch=c000003e syscall=49 success=yes exit=0 a0=4 a1=7f8eb0000a10 a2=10 a3=3 items=0 ppid=1 pid=11650 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=118418 comm="rsyslogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)


Will the fix mentioned above also apply for the server binding to port 6514 or should I file a separate bug?

Thanks :)

Comment 6 Daniel Walsh 2011-08-20 11:04:12 UTC
Marking port 6514 as a syslogd_port_t will allow syslogd_t to name_connect and name_bind to the port.  

Yes this fix will allow that also.

# sesearch -A -s syslogd_t -t syslogd_port_t
Found 9 semantic av rules:
   allow syslogd_t syslogd_port_t : tcp_socket { name_bind name_connect } ;
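The two denials in this bug (the client's name_connect on dest=6514 and the server's name_bind on src=6514) are both resolved by the single port label from comment 2, because the policy rule quoted above grants syslogd_t both permissions on syslogd_port_t. The following script is an added example written for this page, not code from the bug report or from Red Hat: it parses AVC records of the shape shown here, decodes the hex-encoded comm field (auditd hex-encodes comm when it contains spaces, as the rsyslog worker thread name does), and, when a confined domain was denied name_connect or name_bind on a generic port_t port, emits the corresponding semanage remediation. The domain-to-port-type mapping is an assumption seeded only with the syslogd_t / syslogd_port_t pair this bug establishes; the sample log is the bug's own two AVC lines rejoined onto single lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the two AVC records quoted in this bug (client
# name_connect and server name_bind), each rejoined onto one line, plus the
# SYSCALL record that follows the first one and must be ignored by the parser.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1312485538.345:2641866): avc:  denied  { name_connect } for  pid=12748 comm=72733A6D61696E20513A526567 dest=6514 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1312485538.345:2641866): arch=c000003e syscall=42 success=no exit=-13 a0=26 a1=7fb264034060 a2=10 a3=40 items=0 ppid=1 pid=12748 comm=72733A6D61696E20513A526567 exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1313677492.492:3068683): avc:  denied  { name_bind } for  pid=11650 comm="rsyslogd" src=6514 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

# Assumption: which port type each confined domain is meant to use. Only the
# syslogd_t -> syslogd_port_t pair comes from this bug (comment 2); any other
# domain would be looked up with sesearch on the target policy before adding it.
EXPECTED_PORT_TYPE = {"syslogd_t": "syslogd_port_t"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
PERM_RE = re.compile(r"\{\s*([^}]*?)\s*\}")  # the { perm perm ... } set
PORT_PERMS = ("name_connect", "name_bind")


@dataclass
class PortDenial:
    perm: str         # name_connect or name_bind
    comm: str         # decoded process/thread name
    domain: str       # type component of scontext
    target_type: str  # type component of tcontext
    proto: str        # tcp or udp, derived from tclass
    port: int


def decode_comm(raw: str) -> str:
    """auditd quotes plain comm values and hex-encodes ones with odd bytes."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    except ValueError:
        return raw


def type_of(context: str) -> str:
    """user:role:type:level -> type."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_port_denial(line: str) -> Optional[PortDenial]:
    """Return a PortDenial for an AVC record denying a port permission, else None."""
    if "type=AVC" not in line or "denied" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    tclass = fields.get("tclass", "")
    if not tclass.endswith("_socket"):
        return None
    match = PERM_RE.search(line)
    perms = match.group(1).split() if match else []
    hits = [p for p in perms if p in PORT_PERMS]
    if not hits:
        return None
    # name_connect records carry the destination port, name_bind the source port.
    port_str = fields.get("dest") or fields.get("src")
    if port_str is None or "scontext" not in fields or "tcontext" not in fields:
        return None
    return PortDenial(
        perm=hits[0],
        comm=decode_comm(fields.get("comm", "")),
        domain=type_of(fields["scontext"]),
        target_type=type_of(fields["tcontext"]),
        proto=tclass[: -len("_socket")],
        port=int(port_str),
    )


def remediation(d: PortDenial) -> Optional[str]:
    """semanage command that labels the port, or None when relabeling is not the answer."""
    expected = EXPECTED_PORT_TYPE.get(d.domain)
    # Only a generic, unlabeled port (port_t) is a candidate for relabeling; a
    # port already owned by another service's type needs a policy decision instead.
    if expected is None or d.target_type != "port_t":
        return None
    return f"semanage port -a -t {expected} -p {d.proto} {d.port}"


def audit_port_denials(log_text: str) -> List[Tuple[PortDenial, Optional[str]]]:
    return [(d, remediation(d)) for d in map(parse_port_denial, log_text.splitlines()) if d]


def unique_fixes(log_text: str) -> List[str]:
    """Distinct remediation commands; shows one label covers connect and bind."""
    return sorted({fix for _, fix in audit_port_denials(log_text) if fix})


if __name__ == "__main__":
    for denial, fix in audit_port_denials(SAMPLE_AUDIT_LOG):
        print(f"{denial.domain} denied {denial.perm} on {denial.proto}/{denial.port} "
              f"(comm={denial.comm!r}, target type {denial.target_type}) -> {fix}")
    print("fixes:", unique_fixes(SAMPLE_AUDIT_LOG))
```

Running it against the sample prints both denials, with the first comm decoded to the rsyslog main-queue worker name rather than its hex form, and a single remediation line identical to comment 2. The `target_type != "port_t"` guard is the check worth keeping: if a denial names a port that already belongs to another service's type, adding a second label is not possible and the right response is a policy review, not a relabel.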

Comment 7 Thomas Wiest 2011-08-22 17:57:09 UTC
Excellent, thanks!

Comment 8 Karel Srot 2011-09-22 08:33:03 UTC
I don't understand why it happened in the first place. This is already in the 6.1 policy.

.live.[root@s390x-6s-v1 ~]# rpm -q selinux-policy
selinux-policy-3.7.19-93.el6.noarch
.live.[root@s390x-6s-v1 ~]# sesearch -A -s syslogd_t -t syslogd_port_t
Found 9 semantic av rules:
   allow syslogd_t syslogd_port_t : tcp_socket { name_bind name_connect } ; 
   allow syslogd_t syslogd_port_t : udp_socket name_bind ; 
   allow syslogd_t port_type : tcp_socket { recv_msg send_msg } ; 
   allow syslogd_t port_type : udp_socket { recv_msg send_msg } ; 
   allow syslogd_t reserved_port_type : tcp_socket name_connect ; 
   allow syslogd_t rpc_port_type : tcp_socket name_bind ; 
   allow syslogd_t rpc_port_type : udp_socket name_bind ; 
   allow syslogd_t port_type : tcp_socket { recv_msg send_msg } ; 
   allow syslogd_t port_type : udp_socket { recv_msg send_msg } ; 

.live.[root@s390x-6s-v1 ~]# semanage port -l | grep syslog
syslogd_port_t                 tcp      6514
syslogd_port_t                 udp      514, 6514

Comment 9 Karel Srot 2011-09-22 09:33:32 UTC
(In reply to comment #8)
> I don't understand why it happened in the first place. This is already in the 6.1
> policy.
> 
> .live.[root@s390x-6s-v1 ~]# semanage port -l | grep syslog
> syslogd_port_t                 tcp      6514
> syslogd_port_t                 udp      514, 6514

Please ignore the previous comment. The machine I used already had a newer policy installed before and wasn't properly downgraded.
I have checked on another machine that the -93 policy has just
# semanage port -l | grep syslog
syslogd_port_t                 udp      514

Comment 11 errata-xmlrpc 2011-12-06 10:10:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html