Description of problem:
If one tries to set up syslog-ng to use TCP on a reserved port, syslog-ng won't start, giving a "permission denied" error. The /var/log/messages file records the following policy violation:

Aug 20 10:38:51 app03 kernel: audit(1187631531.346:5): avc: denied { name_bind } for pid=4112 comm="syslog-ng" src=514 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket

Digging into the default policy files, there is a rule to allow name_bind on UDP for the syslogd_t type, but not on TCP.

Version-Release number of selected component (if applicable):
Seen on RHEL/AS 4.5 - assume it is present in all versions.

How reproducible:
See below.

Steps to Reproduce:
1) Install syslog-ng
2) Run "setsebool use_syslogng=1"
3) Create a syslog-ng.conf file that tries to set up a listener on a reserved port for TCP connections (for example, TCP on port 514)
4) Run "service syslog-ng start"

Actual results:
syslog-ng should start

Expected results:
syslog-ng fails to start due to a "permission denied" error

Additional info:
The easiest way to see this is to configure syslog-ng to only listen for connections on TCP, port 514. Don't have it listen on any other ports or connections (i.e. no local pipes, unix-sockets, etc.). That way you can try to start up syslog-ng while syslog is still running, and the normal syslog will still capture and log the SELinux audit message.

The fundamental problem is that the default SELinux policy files piggy-back syslog-ng on top of the existing syslog policy rules, and the default syslog policy rules tried to get smart and say that syslog will never bind on a TCP port. Without a rule that states that syslogd_t can name_bind on the syslogd_port_t using TCP, the restrictions on reserved_port_t prevent syslog-ng from binding on any privileged port. The default policy simply needs a rule that states that syslogd_t can name_bind on TCP on syslog_port_t.
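As an added illustration (not part of the report or of the RHEL policy sources), the script below turns the AVC record quoted above into the allow rule that audit2allow would derive from it, and emits a small local policy module granting the rule the report asks for. The type names syslogd_t and syslogd_port_t are the ones the report itself uses; the module name syslogng_tcp is an assumption.

```shell
#!/bin/sh
# Constructed sample: the AVC record quoted in the report above.
AVC='Aug 20 10:38:51 app03 kernel: audit(1187631531.346:5): avc: denied { name_bind } for pid=4112 comm="syslog-ng" src=514 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket'

# Extract one key=value field (e.g. scontext, tclass) from an AVC record.
avc_field() {
  printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# Type component (the last colon-separated field) of a security context.
ctx_type() {
  printf '%s\n' "$1" | awk -F: '{print $NF}'
}

# Derive the allow rule that the denial is asking for, audit2allow-style:
# source type, target type, object class and the denied permission.
avc_to_allow() {
  perm=$(printf '%s\n' "$1" | sed -n 's/.*denied { \([a-z_]*\) }.*/\1/p')
  src=$(ctx_type "$(avc_field scontext "$1")")
  tgt=$(ctx_type "$(avc_field tcontext "$1")")
  cls=$(avc_field tclass "$1")
  printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perm"
}

# Emit a local policy module (.te) with the rule the report proposes:
# let syslogd_t bind a TCP socket to a port labelled syslogd_port_t,
# instead of opening the catch-all reserved_port_t seen in the denial.
syslogng_tcp_module() {
  cat <<'EOF'
module syslogng_tcp 1.0;

require {
    type syslogd_t;
    type syslogd_port_t;
    class tcp_socket name_bind;
}

allow syslogd_t syslogd_port_t:tcp_socket name_bind;
EOF
}

# Typical use: syslogng_tcp_module > syslogng_tcp.te, then
#   checkmodule -M -m -o syslogng_tcp.mod syslogng_tcp.te
#   semodule_package -o syslogng_tcp.pp -m syslogng_tcp.mod
#   semodule -i syslogng_tcp.pp
avc_to_allow "$AVC"
```

Because the denial's tcontext is reserved_port_t, tcp/514 carried no syslogd_port_t label on the reporting system, so the module above only helps for ports that are labelled syslogd_port_t; the rule printed by avc_to_allow is the broader one audit2allow would suggest and is worth avoiding, since it covers every unlabelled reserved port.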
Fixed in RHEL5