119366 – Syslog is not able to log to remote server under SELinux.

Bug 119366 - Syslog is not able to log to remote server under SELinux.

Summary: Syslog is not able to log to remote server under SELinux.

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	policy
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:	triage\|leonardjo\|closed\|rawhide
Depends On:
Blocks:	122683
TreeView+	depends on / blocked

Reported:	2004-03-29 21:55 UTC by Konstantin Ryabitsev
Modified:	2007-11-30 22:10 UTC (History)
CC List:	1 user (show)
Fixed In Version:	1.11.3-2
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2004-05-10 17:45:03 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Konstantin Ryabitsev 2004-03-29 21:55:02 UTC

Description of problem:
SELinux enforcement disables remote server logging for syslog,
creating the following entries in messages:

Mar 29 13:25:56 hagrid kernel: audit(1080584756.667:0): avc:  denied 
{ name_bind } for  pid=3162 exe=/sbin/syslogd src=832
scontext=root:system_r:syslogd_t tcontext=system_u:object_r:port_t
tclass=udp_socket

It looks like the default policy should allow this, as remote logging
is used quite often.

Version-Release number of selected component (if applicable):
sysklogd-1.4.1-14

Comment 1 Konstantin Ryabitsev 2004-03-30 20:36:18 UTC

Adding the following to
/etc/security/selinux/src/policy/domains/program/syslogd.te fixes the
issue and allows both sending logs to remote server and accepting
remote logs.

# Allow name_bind for remote logging
allow syslogd_t port_t:{ tcp_socket udp_socket } name_bind;

tcp_socket can be used by syslog_ng, afair.

Comment 2 Daniel Walsh 2004-05-06 17:50:15 UTC

Fixed in policy-1.11.3-2.src.rpm

Note You need to log in before you can comment on or make changes to this bug.