RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1231869 - rsyslog stops working after restart if SELinux is enabled
Summary: rsyslog stops working after restart if SELinux is enabled
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Stanislav Zidek
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-06-15 14:13 UTC by Giovanni Tirloni
Modified: 2015-07-16 08:19 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-16 08:19:19 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Giovanni Tirloni 2015-06-15 14:13:07 UTC 
Description of problem:

when SELinux is enabled, restarting rsyslog causes logs to stop working. If SELinux is disabled (setenforce 0), rsyslogd started and SELinux enabled again, then everything works.


Version-Release number of selected component (if applicable): RHEL 7.1

How reproducible: Always

Steps to Reproduce:
1. Ensure SELinux is enabled
2. systemctl restart rsyslog
3. logger test

Actual results: Nothing will get logged

Expected results: Logging continues to work


Additional info:

type=AVC msg=audit(1434376948.976:4366): avc:  denied  { read } for  pid=17272 comm="rsyslogd" name="machine-id" dev="tmpfs" ino=10364 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1434376948.976:4366): avc:  denied  { open } for  pid=17272 comm="rsyslogd" path="/etc/machine-id" dev="tmpfs" ino=10364 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
Comment 2 Milos Malik 2015-06-15 14:21:38 UTC 
Based on the AVC, the /etc/machine-id is mislabeled. The correct context is:

# matchpathcon /etc/machine-id 
/etc/machine-id	system_u:object_r:machineid_t:s0

Please run following command, which fixes the context:

# restorecon -v /etc/machineid
Comment 3 Giovanni Tirloni 2015-06-15 14:30:34 UTC 
It's weird this is mislabeled because it's a fresh install.

# ls -lZ /etc/machine-id
-rw-r--r--. root root system_u:object_r:var_run_t:s0   /etc/machine-id

# restorecon -v /etc/machine-id
restorecon reset /etc/machine-id context system_u:object_r:var_run_t:s0->system_u:object_r:machineid_t:s0
restorecon set context /etc/machine-id->system_u:object_r:machineid_t:s0 failed:'Read-only file system'

# mount | egrep '(vda1|machine-id)'
/dev/vda1 on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
tmpfs on /etc/machine-id type tmpfs (ro,relatime,seclabel,mode=755)

# /usr/sbin/fixfiles -f relabel
Cleaning out /tmp
Warning: Skipping the following R/O filesystems:
/etc/machine-id
Warning: Skipping the following R/O filesystems:
/etc/machine-id
Relabeling / /dev /dev/hugepages /dev/mqueue /dev/pts /dev/shm /run /sys /sys/fs/cgroup
100.0%
Cleaning up labels on /tmp

# ls -lZ /etc/machine-id
-rw-r--r--. root root system_u:object_r:var_run_t:s0   /etc/machine-id
Comment 4 Giovanni Tirloni 2015-06-15 14:38:42 UTC 
After a reboot, systemd seems to have fixed it:

# ls -lZ /etc/machine-id
-rw-r--r--. root root system_u:object_r:machineid_t:s0 /etc/machine-id


I don't know if this is a general issue or not though.

The other part of this bug report concerns rsyslog not being allowed to connect to the central logging service. I cannot find a boolean/label that would permit that. Could it be considered an enhancement to the rsyslog's SELinux policy?
Comment 5 Milos Malik 2015-06-15 14:59:43 UTC 
Are there any SELinux denials?

# ausearch -m avc -m user_avc -m selinux_err -i -ts today
Comment 6 Giovanni Tirloni 2015-06-15 15:17:30 UTC 
Excluding the machine-id ones, I see only this:

type=AVC msg=audit(06/15/2015 14:02:29.025:4368) : avc:  denied  { name_connect } for  pid=17276 comm=rs:main Q:Reg dest=2514 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 

I've configured rsyslog to connect to a central logging server.
Comment 7 Milos Malik 2015-06-15 15:28:30 UTC 
Based on the rsyslog.conf man page, the 2514 port seems to be a default port for RELP, therefore we need to add it to the list SELinux port definitions:

# seinfo --portcon | grep 514
	portcon tcp 5149 system_u:object_r:cluster_port_t:s0
	portcon udp 5149 system_u:object_r:cluster_port_t:s0
	portcon tcp 514 system_u:object_r:rsh_port_t:s0
	portcon udp 514 system_u:object_r:syslogd_port_t:s0
	portcon tcp 6514 system_u:object_r:syslog_tls_port_t:s0
	portcon udp 6514 system_u:object_r:syslog_tls_port_t:s0
	portcon tcp 16514 system_u:object_r:virt_port_t:s0
	portcon udp 16514 system_u:object_r:virt_port_t:s0
#
Comment 8 Tomas Heinrich 2015-06-15 16:01:38 UTC 
(In reply to Milos Malik from comment #7)
> Based on the rsyslog.conf man page, the 2514 port seems to be a default port
> for RELP, therefore we need to add it to the list SELinux port definitions:

Please don't.

Quoting the man page:

> If you would like to prevent message loss, use RELP:
>        *.* :omrelp:192.168.0.1:2514
>
> Note that a port number was given as there is no standard port for relp.

There indeed is no standard port and we shouldn't add any to the default policy.
Comment 9 Miroslav Grepl 2015-06-16 09:07:10 UTC 
I believe machine-id issue has been fixed in RHEL7.2 with filename transition rules.

Milos,
are you able to reproduce it with a fresh isntall?
Comment 10 Dalibor Pospíšil 2015-06-17 14:01:46 UTC 
As Tomas pointed in c8 out. The port 2514 is not a standard port, it was randomly chosen for example purposes in the documentation. From this point of view this is not a bug and could be closed.

The correct approach, and I use it in my tests, should be:
# semanage port -m -t syslogd_port_t -p tcp 2514
# service rsyslog start
Comment 11 Giovanni Tirloni 2015-06-17 14:03:45 UTC 
That makes sense. Since systemd fixed itself after a reboot and it's reported to be fixed in RHEL7.2 and this is not actually a standard port. For what's worth, I agree this could be closed. Thank you all.
Note You need to log in before you can comment on or make changes to this bug.