Bug 1228918 - selinux denies rsyslog logging to elasticsearch via rsyslog-elasticsearch
Summary: selinux denies rsyslog logging to elasticsearch via rsyslog-elasticsearch
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: elasticsearch
Version: 22
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Zbigniew Jędrzejewski-Szmek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-06-06 16:26 UTC by david
Modified: 2016-07-19 14:40 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-19 14:40:18 UTC
Type: Bug


Attachments
/etc/rsyslog.d/elasticsearch.conf (589 bytes, text/plain)
2015-06-06 16:26 UTC, david

Description david 2015-06-06 16:26:55 UTC
Created attachment 1035659 [details]
/etc/rsyslog.d/elasticsearch.conf

Description of problem:
The package rsyslog-elasticsearch is broken out-of-the-box. rsyslog attempting to log to elasticsearch results in the following AVC denials if NIS_ENABLED is off:

Jun  6 10:50:11 geth01 audit: <audit-1400> avc:  denied  { name_connect } for  pid=734 comm=72733A616374696F6E203120717565 dest=9200 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
Jun  6 10:50:11 geth01 audit: <audit-1400> avc:  denied  { name_connect } for  pid=734 comm=72733A616374696F6E203120717565 dest=9200 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
Jun  6 10:50:11 geth01 audit: <audit-1400> avc:  denied  { name_connect } for  pid=731 comm=72733A616374696F6E203120717565 dest=9200 scontext=system_u:system_r:syslogd_t:s0 

Installation of the package rsyslog-elasticsearch should allow rsyslog to connect to elasticsearch's particular port, without opening rsyslog to all ports, and also without impacting other installed programs.

Version-Release number of selected component (if applicable):
Fedora 22 Server
$ dnf list elasticsearch rsyslog-elasticsearch rsyslog
Last metadata expiration check performed 0:06:09 ago on Sat Jun  6 12:05:59 2015.
Installed Packages
elasticsearch.noarch                                          1.5.2-0.fc22                                  @System
rsyslog.x86_64                                                8.8.0-2.fc22                                  @System
rsyslog-elasticsearch.x86_64                                  8.8.0-2.fc22                                  @System

How reproducible:
Very.

Steps to Reproduce:
1. Install elasticsearch and rsyslog-elasticsearch. I'm using a cluster of 2 machines, but that shouldn't matter.
2. Ensure the SELinux bool nis_enabled is off. This was the case without my intervention.
3. Configure rsyslog as per the attached configuration (separate file in /etc/rsyslog.d/)

Actual results:
AVC denials in /var/log/messages, no index created in elasticsearch.

Expected results:
Indices should be created in elasticsearch while messages are logged, AVC should not deny rsyslog's connections, nothing noteworthy should be logged in /var/log/messages.

Note that if rsyslog-elasticsearch is not installed, rsyslog should not be allowed to connect to port 9200 (without nis_enabled being set), regardless of whether elasticsearch is installed.

Additional info:
- I'm using a bare-metal cluster of 2 computers for elasticsearch, both of which should be configured identically, courtesy of ansible. 
- Elasticsearch configuration specified the network name as the host name.
- Elasticsearch configuration specifies a non-default cluster name.
- Elasticsearch uses a few ports other than 9200. I know of 9300, can't find a documented list at the moment.
- I do have the logstash repository from www.elastic.co set up, but should not be using packages from it.
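To make the denials above easier to triage, here is a small AVC-line parser added as an example (it is not part of the bug report or of rsyslog). It decodes the hex-encoded comm field, splits the source and target contexts into their SELinux types, and filters for denied name_connect attempts; the sample log is constructed from the lines quoted in the report plus one unrelated line.

```python
import re

# Constructed sample: the first and (truncated) third AVC line from the
# report, plus a non-AVC line that the parser must ignore.
SAMPLE_LOG = """\
Jun  6 10:50:11 geth01 audit: <audit-1400> avc:  denied  { name_connect } for  pid=734 comm=72733A616374696F6E203120717565 dest=9200 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
Jun  6 10:50:11 geth01 audit: <audit-1400> avc:  denied  { name_connect } for  pid=731 comm=72733A616374696F6E203120717565 dest=9200 scontext=system_u:system_r:syslogd_t:s0 
Jun  6 10:50:12 geth01 systemd: Started Session 3 of user david.
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_comm(value):
    """audit hex-encodes comm when it contains spaces or non-printables."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("ascii")
    except ValueError:
        return value  # leave unknown encodings untouched


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    rec.update(FIELD_RE.findall(m.group("fields")))
    if "comm" in rec:
        rec["comm"] = decode_comm(rec["comm"])
    for key in ("pid", "dest"):
        if key in rec:
            rec[key] = int(rec[key])
    # user:role:type:level -> keep the type, which is what policy rules key on
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def denied_connects(log_text):
    """All denied name_connect records, e.g. syslogd_t -> unreserved_port_t:9200."""
    recs = (parse_avc(line) for line in log_text.splitlines())
    return [r for r in recs if r and r["result"] == "denied" and "name_connect" in r["perms"]]
```

Running it over the sample shows both denials come from the rsyslog action queue thread ("rs:action 1 que") in syslogd_t reaching port 9200, which carries the generic unreserved_port_t label rather than a port type that syslogd_t is allowed to connect to.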

Comment 1 david 2015-06-14 15:54:23 UTC
Should the component on this be selinux-policy?

Comment 2 Fedora Admin XMLRPC Client 2016-02-22 09:33:55 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 3 Fedora End Of Life 2016-07-19 14:40:18 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
