+++ This bug was initially created as a clone of Bug #1615996 +++
+++ This bug was initially created as a clone of Bug #1615995 +++

Description of problem:

New features for rsyslog for reading from symlinked files, using client cert auth with Elasticsearch, and using Kubernetes require the following additional policies:

require {
    type syslogd_t;
    type unreserved_port_t;
    class tcp_socket name_connect;
}

#============= syslogd_t ==============
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow syslogd_t unreserved_port_t:tcp_socket name_connect;

This allows rsyslog to communicate over http port 9200 with Elasticsearch.

require {
    type syslogd_t;
    type http_port_t;
    class tcp_socket name_connect;
}

#============= syslogd_t ==============
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow syslogd_t http_port_t:tcp_socket name_connect;

This allows rsyslog to communicate with Kubernetes over port 443.

require {
    type syslogd_t;
    type cert_t;
    class dir write;
    class file write;
}

#============= syslogd_t ==============
allow syslogd_t cert_t:dir write;
allow syslogd_t cert_t:file write;

This allows rsyslog read/write access to the NSS system cert db.

require {
    type syslogd_t;
    type var_t;
    class dir read;
}

#============= syslogd_t ==============
#!!!! WARNING: 'var_t' is a base type.
allow syslogd_t var_t:dir read;

This allows rsyslog to read from the '/var' directory.

require {
    type syslogd_t;
    type container_var_lib_t;
    class dir { search getattr };
    class file { getattr ioctl open read };
}

#============= syslogd_t ==============
allow syslogd_t container_var_lib_t:dir { search getattr };
allow syslogd_t container_var_lib_t:file { getattr ioctl open read };

This allows rsyslog to have the necessary access to /var/lib/docker/containers.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
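The rules above are audit2allow output, and a policy maintainer normally reviews such output before turning it into a local module, because audit2allow grants exactly what was denied and nothing narrower. The following script is an added example, not part of this bug report or of selinux-policy: it parses `allow` rules in the same TE syntax and flags the grants a reviewer would question (a base type such as var_t as target, write-class permissions on a shared label such as cert_t, and a rule already covered by a boolean). The sample rules are copied from the description, and the checklist tables (BASE_TYPES, WRITE_PERMS, BOOLEAN_HINTS) are assumptions for illustration, not an official list.

```python
"""Review audit2allow-style Type Enforcement rules before installing them.

Added example: parses 'allow' lines in TE syntax and reports grants a policy
reviewer would look at twice.  The checklist sets below are assumptions made
for this example, not an authoritative SELinux reference.
"""
import re

# Constructed sample: the allow rules from the bug description, with the
# audit2allow comments left in (the parser skips comment lines).
SAMPLE_TE = """
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow syslogd_t unreserved_port_t:tcp_socket name_connect;
allow syslogd_t http_port_t:tcp_socket name_connect;
allow syslogd_t cert_t:dir write;
allow syslogd_t cert_t:file write;
#!!!! WARNING: 'var_t' is a base type.
allow syslogd_t var_t:dir read;
allow syslogd_t container_var_lib_t:dir { search getattr };
allow syslogd_t container_var_lib_t:file { getattr ioctl open read };
"""

# allow <source> <target>:<class> <perm>;  or  allow ... { perm perm };
ALLOW_RE = re.compile(
    r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*)\}|(\w+))\s*;")

# Assumed reviewer checklist (illustrative, not exhaustive).
BASE_TYPES = {"var_t", "etc_t", "usr_t", "tmp_t", "bin_t"}
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr"}
# (target type, class, permission) -> boolean that already grants it
BOOLEAN_HINTS = {
    ("unreserved_port_t", "tcp_socket", "name_connect"): "nis_enabled",
}


def parse_allow_rules(text):
    """Return a list of (source, target, class, frozenset(perms)) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ALLOW_RE.match(line)
        if not m:
            continue  # require{} blocks and other statements are not allow rules
        src, tgt, cls, braced, single = m.groups()
        perms = braced.split() if braced is not None else [single]
        rules.append((src, tgt, cls, frozenset(perms)))
    return rules


def review_rules(rules):
    """Return a list of (rule, finding) pairs for grants worth a second look."""
    findings = []
    for rule in rules:
        _src, tgt, cls, perms = rule
        if tgt in BASE_TYPES:
            findings.append((rule, f"'{tgt}' is a base type; a narrower label "
                                   f"or a file context fix may be preferable"))
        if perms & WRITE_PERMS:
            findings.append((rule, f"write-class access {sorted(perms & WRITE_PERMS)} "
                                   f"on shared label '{tgt}'; confirm it is needed"))
        for perm in perms:
            boolean = BOOLEAN_HINTS.get((tgt, cls, perm))
            if boolean:
                findings.append((rule, f"already allowed by boolean '{boolean}'; "
                                       f"consider setsebool instead of a new rule"))
    return findings


def format_rule(rule):
    """Render a parsed rule back into TE syntax."""
    src, tgt, cls, perms = rule
    perm_txt = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
    return f"allow {src} {tgt}:{cls} {perm_txt};"


if __name__ == "__main__":
    parsed = parse_allow_rules(SAMPLE_TE)
    print(f"parsed {len(parsed)} allow rules")
    for rule, note in review_rules(parsed):
        print(f"{format_rule(rule)}\n    -> {note}")
```

Run it on a `.te` file captured from `audit2allow -a` to get a short list of rules to discuss with the policy maintainer before running `semodule -i`; rules that produce no finding are the narrowly scoped ones (here the http_port_t and container_var_lib_t grants).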
selinux-policy-3.14.1-42.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.