Description of problem:
SELinux Targeted policy prevents syslog-ng from opening a TCP socket.

Version-Release number of selected component (if applicable):
syslog-ng-1.6.11.3.fc4
syslog-ng-1.6.11-3.fc5
syslog-ng-1.6.11-3.fc6

How reproducible:
Always

Steps to Reproduce:
1. Install Fedora Core 4/5/6 (SELinux Targeted policy installed by default)
2. Install syslog-ng
3. Modify /etc/syslog-ng/syslog-ng.conf to log remotely using TCP. For instance,

   destination d_remote { tcp ("loghost" port (5141)); };
   log { source(s_sys); destination(d_remote); };

   (The port is arbitrary.)
4. Turn syslog off
5. Start syslog-ng

Actual results:
syslog-ng fails to start. Setting SELinux to permissive mode allows syslog-ng to start and logs the problematic AVCs.

Expected results:
syslog-ng starts with SELinux in enforcing mode and events are transmitted to the remote loghost.

Additional info:
Adding the following rules to the syslogd.te source type file on FC4 and creating a local module on FC5/6 fixes the problem.

allow syslogd_t netif_t:netif { tcp_recv tcp_send };
allow syslogd_t node_t:node { tcp_recv tcp_send };
allow syslogd_t rsh_port_t:tcp_socket { name_connect recv_msg send_msg };
allow syslogd_t self:tcp_socket { getopt read write };
Sorry for the delay. I will start looking into this today.

jpo

Links about the syslog-ng review and syslog-ng/selinux:

* Bug 141064: selinux-policy-targeted prevents syslog-ng from using /proc/kmsg
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=141064

* Bug 152185: selinux-policy-targeted and syslog-ng (take 2)
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152185

* Review request: syslog-ng (syslog replacement daemon)
  https://www.redhat.com/archives/fedora-extras-list/2005-May/msg00188.html
  https://www.redhat.com/archives/fedora-extras-list/2005-May/msg00258.html

* Review request 2: syslog-ng (syslog replacement daemon)
  https://www.redhat.com/archives/fedora-extras-list/2005-May/msg00966.html
  https://www.redhat.com/archives/fedora-extras-list/2005-June/msg00833.html
No need to apologize, I appreciate you looking into the problem.

Thanks,
Paul

(In reply to comment #1)
> Sorry for the delay. I will start looking into this today.
>
> jpo
>
> Links about the syslog-ng review and syslog-ng/selinux:
>
> * Bug 141064: selinux-policy-targeted prevents syslog-ng from using /proc/kmsg
>   https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=141064
>
> * Bug 152185: selinux-policy-targeted and syslog-ng (take 2)
>   https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152185
>
> * Review request: syslog-ng (syslog replacement daemon)
>   https://www.redhat.com/archives/fedora-extras-list/2005-May/msg00188.html
>   https://www.redhat.com/archives/fedora-extras-list/2005-May/msg00258.html
>
> * Review request 2: syslog-ng (syslog replacement daemon)
>   https://www.redhat.com/archives/fedora-extras-list/2005-May/msg00966.html
>   https://www.redhat.com/archives/fedora-extras-list/2005-June/msg00833.html
Paul,

The following syslog-ng policy should add support for TCP. Syslog-ng should now be able to function as a TCP log server and a TCP forwarder.

syslogng.te
-----------
policy_module(syslogng, 0.90)

require {
    type syslogd_t;
    type rsh_port_t;
    type port_t;
    type inaddr_any_node_t;
    type netif_t;
    type lo_node_t;
    type node_t;
};

#
# TCP support
#
allow syslogd_t inaddr_any_node_t:tcp_socket node_bind;
allow syslogd_t lo_node_t:node { tcp_recv tcp_send };
allow syslogd_t netif_t:netif { tcp_recv tcp_send };
allow syslogd_t node_t:node { tcp_recv tcp_send };
allow syslogd_t node_t:tcp_socket node_bind;
allow syslogd_t port_t:tcp_socket { name_bind name_connect recv_msg send_msg };
allow syslogd_t rsh_port_t:tcp_socket { name_bind name_connect recv_msg send_msg };
allow syslogd_t self:tcp_socket { accept bind connect create getattr getopt listen read setopt write };
-----------

Syslog-ng configurations
------------------------
...
source s_sys {
    file ("/proc/kmsg" log_prefix("kernel: "));
    unix-stream ("/dev/log");
    internal();
    # udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0));   # default port: 514
    # tcp(ip(0.0.0.0) port(514));
    # tcp(ip(0.0.0.0) port(10514));
    # tcp(ip(192.168.82.67) port(514));
};
...
#destination d_remote { tcp ("192.168.82.68" port (514)); };
#destination d_remote { tcp ("192.168.82.67" port (5141)); };
#destination d_remote { tcp ("127.0.0.1" port (5141)); };
#log { source(s_sys); destination(d_remote); };
...

The SRPM ftp://perl.di.uminho.pt/pub/fedora/syslog-ng-1.6.11-3.90.src.rpm should build (it now creates a selinux subpackage) and install cleanly in Fedora Core 6 systems.

In the next few days I will test it further. Meanwhile if you could also help test it, it would be great.

tia,
jpo
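The allow rules in the first comment and in the module above are what you get by aggregating the AVC denials syslog-ng logs in permissive mode. The script below is an added example, not part of the bug report or the syslog-ng package; it does for a handful of constructed AVC lines what audit2allow does, merging denials per (source type, target type, class) and emitting `self` when source and target types match, so the result can be compared against the hand-written rules.

```python
import re
from collections import defaultdict

# Constructed sample denials (not taken from the bug report), modelled on what
# syslog-ng logs in permissive mode once a tcp() destination is configured.
# The first three use FC5/6 contexts with an MLS field; the rest are FC4-style.
SAMPLE_AVCS = """\
type=AVC msg=audit(1164043211.781:12): avc:  denied  { name_connect } for  pid=2345 comm="syslog-ng" dest=5141 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:rsh_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1164043211.781:12): arch=40000003 syscall=102 success=yes exit=0 comm="syslog-ng"
type=AVC msg=audit(1164043211.782:13): avc:  denied  { send_msg } for  pid=2345 comm="syslog-ng" dest=5141 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:rsh_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1164043211.782:14): avc:  denied  { recv_msg } for  pid=2345 comm="syslog-ng" dest=5141 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:rsh_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1164043211.783:15): avc:  denied  { tcp_send } for  pid=2345 comm="syslog-ng" netif=eth0 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:netif_t tclass=netif
type=AVC msg=audit(1164043211.783:16): avc:  denied  { tcp_recv } for  pid=2345 comm="syslog-ng" netif=eth0 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:netif_t tclass=netif
type=AVC msg=audit(1164043211.784:17): avc:  denied  { tcp_send } for  pid=2345 comm="syslog-ng" daddr=192.168.82.68 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:node_t tclass=node
type=AVC msg=audit(1164043211.784:18): avc:  denied  { tcp_recv } for  pid=2345 comm="syslog-ng" saddr=192.168.82.68 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:node_t tclass=node
type=AVC msg=audit(1164043211.785:19): avc:  denied  { getopt } for  pid=2345 comm="syslog-ng" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=tcp_socket
type=AVC msg=audit(1164043211.786:20): avc:  denied  { read write } for  pid=2345 comm="syslog-ng" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:mls] -> type (FC4 has no MLS field, FC5/6 append :s0)."""
    return ctx.split(":")[2]


def avc_to_allow_rules(log_text):
    """Merge every AVC denial into one allow rule per (source, target, class)."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # SYSCALL records and other noise carry no denial
            continue
        stype = context_type(m.group("scon"))
        ttype = context_type(m.group("tcon"))
        if ttype == stype:  # socket owned by the process itself
            ttype = "self"
        needed[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    rules = []
    for (stype, ttype, tclass), perms in sorted(needed.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_str))
    return rules
```

For the constructed input the output matches the four rules from the first comment line for line; on a real box, run audit2allow over /var/log/audit/audit.log instead and review what it proposes before loading it.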
The new module works on my FC6 (w/ current updates) as long as the context of the /etc/syslog-ng directory is changed to syslogd_t. I'll test it on an FC4 and RHEL4 machine tomorrow. Thanks!
Paul,

I still haven't pushed this update because we are trying to have the core SELinux policies changed (syslog-ng may be system logging in Fedora 7).

More info:
http://fedoraproject.org/wiki/Releases/7
http://fedoraproject.org/wiki/Releases/FeatureSyslogNG

jpo
With the current policy in RHEL5/Rawhide/FC6 syslog-ng seems to be working without this policy patch.
I will close this ticket as soon as selinux-policy >= 2.4.6-37.fc6 hits the mirrors.

See ticket

* Bug 218978: syslog-ng unable to use TCP sockets
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218978

instead.

Another ticket that may have some useful information is

* Bug 219771: syslog-ng: update to version 2.0.x (from 1.6.11)
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219771

jpo
Problem fixed in selinux-policy-targeted-2.4.6-42.fc6 (right now only in CVS).

Steps to build it:
1) cvs -d :pserver:anonymous.redhat.com:/cvs/dist co selinux-policy
2) cd selinux-policy/FC-6
3) make srpm
4) make i386

*** This bug has been marked as a duplicate of 218978 ***