Bug 218978 - syslog-ng unable to use TCP sockets
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Duplicates: 215046
Reported: 2006-12-08 15:41 EST by Jose Pedro Oliveira
Modified: 2007-11-30 17:11 EST (History)

Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-03-06 12:54:48 EST
Attachments: None
Description Jose Pedro Oliveira 2006-12-08 15:41:43 EST
Description of problem:
syslog-ng, a sysklogd replacement, is unable to use TCP sockets.  We should be
able to configure syslog-ng:
   i) as TCP log server, and
  ii) to forward log messages to TCP destinations


Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-1.fc6
syslog-ng-1.6.11-3.fc6 (available in Fedora Extras)

How reproducible:
Always

Steps to Reproduce:
1. add a TCP message source
   Example:
   ...
   source s_sys {
     file ("/proc/kmsg" log_prefix("kernel: "));
     unix-stream ("/dev/log");
     internal();
     # udp(ip(0.0.0.0) port(514));
     tcp(ip(0.0.0.0));   # default port: 514
     # tcp(ip(0.0.0.0) port(10514));
     # tcp(ip(192.168.82.67) port(514));
   };
   ...

2. add a TCP destination
   Example:

   ...
   destination d_remote { tcp ("192.168.82.68" port (514)); };
   #destination d_remote { tcp ("192.168.82.67" port (5141)); };
   #destination d_remote { tcp ("127.0.0.1" port (5141)); };
   ...

3. add a log statement that uses a TCP source and/or a TCP destination
   
   log { source(s_sys); destination(d_remote); };

Actual results:
syslog-ng fails to start.

Expected results:
Be able to run syslog-ng with TCP sources/destinations.

Additional info:

The following SELinux policy appears to correct all the problems that appear
when using the configurations described above:

syslogng.te
-----------
policy_module(syslogng, 0.90)

require {
    type syslogd_t;
    type rsh_port_t;
    type port_t;
    type inaddr_any_node_t;
    type netif_t;
    type lo_node_t;
    type node_t;
};

#
# TCP support
#
allow syslogd_t inaddr_any_node_t:tcp_socket node_bind;
allow syslogd_t lo_node_t:node { tcp_recv tcp_send };
allow syslogd_t netif_t:netif { tcp_recv tcp_send };
allow syslogd_t node_t:node { tcp_recv tcp_send };
allow syslogd_t node_t:tcp_socket node_bind;
allow syslogd_t port_t:tcp_socket { name_bind name_connect recv_msg send_msg };
allow syslogd_t rsh_port_t:tcp_socket { name_bind name_connect recv_msg send_msg };
allow syslogd_t self:tcp_socket { accept bind connect create getattr getopt listen read setopt write };
-----------
Comment 1 Jose Pedro Oliveira 2006-12-08 15:53:59 EST
Questions:

1) Is creating the above policy for syslog-ng the best way to resolve the described
   problems? Or could the base/reference syslog policy be extended to allow TCP
   connections?

   Note: In the past the targeted policy allowed syslog to use both UDP and TCP
   sockets but about a year and a half ago the TCP support was dropped:

diff -ruN selinux-policy-targeted-1.17.30-2.96/syslogd.te
selinux-policy-targeted-1.23.10-5/syslogd.te
--- selinux-policy-targeted-1.17.30-2.96/syslogd.te     2005-04-07
20:36:53.000000000 +0100
+++ selinux-policy-targeted-1.23.10-5/syslogd.te        2005-04-12
14:43:59.000000000 +0100
@@ -20,7 +20,7 @@
 ')

 # can_network is for the UDP socket
-can_network(syslogd_t)
+can_network_udp(syslogd_t)
 can_ypbind(syslogd_t)

 r_dir_file(syslogd_t, sysfs_t)
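Review bot: the comment line "# can_network is for the UDP socket" is left unchanged while the macro below it is narrowed from can_network(syslogd_t) to can_network_udp(syslogd_t); update the comment to name can_network_udp, and record in the commit that this intentionally drops TCP send/receive for syslogd_t, because that is exactly the TCP source/destination breakage this bug reports.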

----------


2) The syslog-ng-1.6.11 configuration file is placed in the /etc/syslog-ng
   directory.  Is it necessary to change the file context for the configuration
   file/directory?


tia,
jpo
Comment 2 Daniel Walsh 2007-02-05 14:35:49 EST
With the current policy in RHEL5/Rawhide/FC6 syslog-ng seems to be working
without this policy patch.
Comment 3 Jose Pedro Oliveira 2007-02-05 23:10:44 EST
Daniel Walsh,

I still have the following problems with selinux-policy-targeted-2.4.6-27.fc6:

1) restarting syslog-ng after adding 

      destination d_remote { tcp ("192.168.82.67" port (514)); };
      log { source(s_sys); destination(d_remote); };

   to the configuration file and just logging something (logger test) produces:


Feb  6 04:00:23 pateta kernel: audit(1170734423.223:28): avc:  denied  { create
} for  pid=3973 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0
tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb  6 04:00:23 pateta kernel: audit(1170734423.223:29): avc:  denied  { setopt
} for  pid=3973 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0
tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb  6 04:00:23 pateta kernel: audit(1170734423.223:30): avc:  denied  { bind }
for  pid=3973 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0
tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb  6 04:00:23 pateta kernel: audit(1170734423.223:31): avc:  denied  {
node_bind } for  pid=3973 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0
tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
Feb  6 04:00:23 pateta kernel: audit(1170734423.223:32): avc:  denied  { connect
} for  pid=3973 comm="syslog-ng" lport=48224 scontext=root:system_r:syslogd_t:s0
tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb  6 04:00:23 pateta kernel: audit(1170734423.224:33): avc:  denied  { getopt
} for  pid=3974 comm="syslog-ng" laddr=192.168.82.67 lport=48224
faddr=192.168.82.9 fport=514 scontext=root:system_r:syslogd_t:s0
tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket
Feb  6 04:00:23 pateta kernel: audit(1170734423.224:34): avc:  denied  { write }
for  pid=3974 comm="syslog-ng" name="[16862]" dev=sockfs ino=16862
scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:syslogd_t:s0
tclass=tcp_socket
Feb  6 04:00:35 pateta root: teste2


   audit2allow produces
   allow syslogd_t inaddr_any_node_t:tcp_socket node_bind;
   allow syslogd_t self:tcp_socket { bind connect create getopt setopt write };


2) adding
     tcp();
   to the source produces at least 

Feb  6 04:07:47 pateta kernel: audit(1170734824.768:35): avc:  denied  { listen
} for  pid=4057 comm="syslog-ng" lport=514 scontext=root:system_r:syslogd_t:s0
tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket


   audit2allow produces
   allow syslogd_t self:tcp_socket listen;


jpo
Comment 4 Daniel Walsh 2007-02-06 10:00:14 EST
Fixed in selinux-policy-2.4.6-36
Comment 5 Jose Pedro Oliveira 2007-02-07 10:47:13 EST
Daniel Walsh,

I haven't been able to build selinux-policy-2.4.6-36.
Steps to reproduce the problem in a FC-6 system:

1) cvs -d :pserver:anonymous@cvs.fedora.redhat.com:/cvs/dist co selinux-policy
2) cd selinux-policy/FC-6
3) make srpm
   ...
   Wrote: .../selinux-policy/FC-6/selinux-policy-2.4.6-36.fc6.src.rpm
4) make i386
   ...
Compiling targeted base module
/usr/bin/checkmodule -M base.conf -o tmp/base.mod
/usr/bin/checkmodule:  loading policy configuration from base.conf
policy/modules/system/logging.te:67:ERROR 'permission fsetsid is not defined for
class capability' at token ';' on line 412548:

allow auditctl_t self:capability { fsetsid audit_write audit_control };
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make[1]: *** [tmp/base.mod] Error 1
make[1]: Leaving directory
`/home/users/fedora/rpms/BUILD/selinux-policy/FC-6/serefpolicy-2.4.6'
error: Bad exit status from /var/tmp/rpm-tmp.45286 (%install)


RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.45286 (%install)
make: *** [i386] Error 1
Comment 6 Jose Pedro Oliveira 2007-02-11 09:07:53 EST
(In reply to comment #4)
> Fixed in selinux-policy-2.4.6-36

Where can I find a RPM/SRPM ? 
I'm unable to create one from CVS (see previous comment).

jpo
Comment 7 Jose Pedro Oliveira 2007-02-12 16:18:44 EST
syslog-ng TCP connections appear to be working correctly with
selinux-policy-2.4.6-37.fc6 from CVS.

jpo
Comment 8 Jose Pedro Oliveira 2007-02-17 11:31:17 EST
Dan,

Found a problem in FC-6 with the latest selinux-policy RPMS (2.4.6-37.fc6):

* trying to connect via TCP to a remote log server using a port other than
 514 fails (no problem with tcp connections to the 514 port).

syslog-ng configuration
-----------------------
...
#destination d_remote { tcp ("192.168.82.9" port (514)); };
destination d_remote { tcp ("192.168.82.9" port (1514)); };
log { source(s_sys); destination(d_remote); };
...

syslog-ng error messages
------------------------
Feb 17 16:03:38 pateta syslog-ng[24232]: Connection failed; error='Permission
denied (13)'
Feb 17 16:03:38 pateta syslog-ng[24232]: Initiating connection failed,
reconnecting; time_reopen='10'


strace -p <syslog-ng.pid>
-------------------------
...
setsockopt(6, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
bind(6, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")},
16) = 0
setsockopt(6, SOL_SOCKET, SO_KEEPALIVE, [0], 4) = 0
connect(6, {sa_family=AF_INET, sin_port=htons(1514),
sin_addr=inet_addr("192.168.82.9")}, 16) = -1 EACCES (Permission denied)
...


If I disable the selinux (setenforce 0), syslog-ng is able to (re)connect
to the remote destination.


jpo
Comment 9 Daniel Walsh 2007-02-20 15:08:56 EST
If you want to connect to a different port you need to tell SELinux about it.
The way you do this is to use semanage:


semanage port -a -t syslogd_port_t -p tcp 1514 

semanage port -l 

will list all port definitions.
Comment 10 Jose Pedro Oliveira 2007-02-26 15:44:26 EST
Dan Walsh,

Commands like

 semanage port -a -t syslogd_port_t -p tcp 1514 

don't seem to solve the problem.  Am I doing something wrong?

tia,
jpo


1) Syslog-NG as a TCP server
======================================================================

  Bind to port TCP/1514
  ---------------------
  source s_tcp { tcp(ip(0.0.0.0) port(1514)); };
  destination d_tcp { file("/var/log/syslogtcp"); };
  log { source(s_tcp); destination(d_tcp); };

  Result
  ------
  SELinux is preventing the /sbin/syslog-ng (syslogd_t) from binding to port 1514.

  avc: denied { name_bind } for comm="syslog-ng" egid=0 euid=0
exe="/sbin/syslog-ng" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=3772
scontext=root:system_r:syslogd_t:s0 sgid=0 src=1514
subj=root:system_r:syslogd_t:s0 suid=0 tclass=tcp_socket
tcontext=system_u:object_r:port_t:s0 tty=(none) uid=0
  
  audit2allow of the previous AVC
  -------------------------------
  allow syslogd_t port_t:tcp_socket name_bind;

  
  Trying semanage
  ---------------
  semanage port -a -t syslogd_port_t -p tcp 1514

  # semanage port -l | grep syslog
  syslogd_port_t                 tcp      1514
  syslogd_port_t                 udp      514
  
  New result
  ----------
  avc: denied { name_bind } for comm="syslog-ng" egid=0 euid=0
exe="/sbin/syslog-ng" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=3813
scontext=root:system_r:syslogd_t:s0 sgid=0 src=1514
subj=root:system_r:syslogd_t:s0 suid=0 tclass=tcp_socket
tcontext=system_u:object_r:syslogd_port_t:s0 tty=(none) uid=0

  new audit2allow translation
  --------------------------
  allow syslogd_t syslogd_port_t:tcp_socket name_bind;


2) Syslog-NG as a TCP client (forwarder)
======================================================================
  Configuration
  -------------
  destination d_remote { tcp("192.168.1.6" port(1514)); };
  log { source(s_sys); destination(d_remote); };

  Result
  ------
  SELinux is preventing the /sbin/syslog-ng (syslogd_t) from connecting to port
1514.

  avc: denied { name_connect } for comm="syslog-ng" dest=1514 egid=0 euid=0
exe="/sbin/syslog-ng" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=4135
scontext=root:system_r:syslogd_t:s0 sgid=0 subj=root:system_r:syslogd_t:s0
suid=0 tclass=tcp_socket tcontext=system_u:object_r:port_t:s0 tty=(none) uid=0

  audit2allow
  -----------
  allow syslogd_t port_t:tcp_socket name_connect;

  trying semanage
  ---------------
  semanage port -a -t syslogd_port_t -p tcp 1514
  
  new result
  ----------
  SELinux is preventing /sbin/syslog-ng (syslogd_t) "name_connect" access to
(syslogd_port_t).

  avc: denied { name_connect } for comm="syslog-ng" dest=1514 egid=0 euid=0
exe="/sbin/syslog-ng" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=4267
scontext=root:system_r:syslogd_t:s0 sgid=0 subj=root:system_r:syslogd_t:s0
suid=0 tclass=tcp_socket tcontext=system_u:object_r:syslogd_port_t:s0 tty=(none)
uid=0

  audit2allow
  -----------
  allow syslogd_t syslogd_port_t:tcp_socket name_connect;

Comment 11 Daniel Walsh 2007-02-26 16:03:30 EST
Yes, you are right.  I will need to update the policy.  Currently the policy
only allows udp connections to the syslogd_port_t.  You could add your port to
the rsh_port_t, and it should work, but theoretically this would allow rsh
access to those ports also.  
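An added example (not part of this bug report, nor code from the selinux-policy or syslog-ng projects) that does by machine what comments 3, 10 and 11 do by hand: it parses AVC denial lines into audit2allow-style allow rules, and for name_bind/name_connect denials separates a port that merely lacks a label (tcontext port_t, fixed with semanage as in comment 9) from a port already labelled syslogd_port_t that the policy itself does not permit (the case comment 11 concedes). The sample lines are constructed from the denials quoted in this bug, and the rule grouping imitates audit2allow's output format rather than calling audit2allow.

```python
import re
from collections import defaultdict

# Constructed samples: the denials quoted in comments 3 and 10 of this bug, each joined onto one line.
SAMPLE_AVCS = [
    'avc:  denied  { create } for  pid=3973 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0 '
    'tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket',
    'avc:  denied  { bind } for  pid=3973 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0 '
    'tcontext=root:system_r:syslogd_t:s0 tclass=tcp_socket',
    'avc:  denied  { node_bind } for  pid=3973 comm="syslog-ng" scontext=root:system_r:syslogd_t:s0 '
    'tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket',
    'avc: denied { name_bind } for comm="syslog-ng" src=1514 scontext=root:system_r:syslogd_t:s0 '
    'tclass=tcp_socket tcontext=system_u:object_r:port_t:s0',
    'avc: denied { name_connect } for comm="syslog-ng" dest=1514 scontext=root:system_r:syslogd_t:s0 '
    'tclass=tcp_socket tcontext=system_u:object_r:syslogd_port_t:s0',
]
PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Extract permissions, source/target types, class and port from one AVC line."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    f = dict(KV_RE.findall(line))  # contexts are user:role:TYPE:level; src=/dest= carry the port
    return {"perms": m.group(1).split(), "tclass": f["tclass"], "port": f.get("src") or f.get("dest"),
            "stype": f["scontext"].split(":")[2], "ttype": f["tcontext"].split(":")[2]}

def allow_rules(lines):
    """Group denials the way audit2allow does: one rule per (source type, target, class)."""
    grouped = defaultdict(set)
    for avc in filter(None, map(parse_avc, lines)):
        target = "self" if avc["ttype"] == avc["stype"] else avc["ttype"]
        grouped[(avc["stype"], target, avc["tclass"])].update(avc["perms"])
    def fmt(perms):  # audit2allow braces a set of several permissions
        p = sorted(perms)
        return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return [f"allow {s} {t}:{c} {fmt(perms)};" for (s, t, c), perms in sorted(grouped.items())]

def diagnose_port_denial(line, port_type="syslogd_port_t"):
    """Tell a port-labelling problem (fix with semanage) from a missing policy permission."""
    avc = parse_avc(line)
    if not avc or not {"name_bind", "name_connect"} & set(avc["perms"]):
        return None
    proto = "tcp" if avc["tclass"] == "tcp_socket" else "udp"
    if avc["ttype"] == "port_t":  # generic label only: the port needs relabelling
        return f"label: semanage port -a -t {port_type} -p {proto} {avc['port']}"
    if avc["ttype"] == port_type:  # correctly labelled, still denied: policy lacks the permission
        return f"policy: {avc['stype']} lacks {' '.join(avc['perms'])} on {port_type}"
    return f"label: port {avc['port']} is {avc['ttype']}, not {port_type}"
```

The generated rules are a diagnostic to compare against the denials, not a module to load blindly: as comment 11 notes, widening a shared type such as rsh_port_t also widens what the other domains bound to it may do.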
Comment 12 Jose Pedro Oliveira 2007-03-03 17:53:41 EST
Dan,

 Syslog-ng is now able to use TCP ports other than TCP/514 with
 selinux-policy[-targeted]-2.4.6-42.fc6 (built from CVS).


1) Syslog-ng as a TCP client (forwarder)
======================================================================

  Configuration
  -------------
  destination d_remote { tcp("192.168.1.6" port(2514)); };
  log { source(s_sys); destination(d_remote); };

  It now works after executing the semanage command: 

  semanage port -a -t syslogd_port_t -p tcp 2514


2) Syslog-ng as a TCP server (bind)
======================================================================

  Configuration
  -------------
  source s_tcp { tcp(ip(0.0.0.0) port(1514)); };
  destination d_tcp { file("/var/log/syslogtcp"); };
  log { source(s_tcp); destination(d_tcp); };

  It now works after executing the semanage command: 

  semanage port -a -t syslogd_port_t -p tcp 1514


Thanks,
jpo
Comment 13 Jose Pedro Oliveira 2007-03-03 17:59:36 EST
*** Bug 215046 has been marked as a duplicate of this bug. ***
Comment 14 Jose Pedro Oliveira 2007-03-07 18:58:49 EST
Daniel Walsh,

Just a reminder that
 
  selinux-policy-2.4.6-42.fc6

still hasn't been built and pushed (right now it is only available in CVS).

jpo
