Bug 253585 - Default SELINUX Policy prevents syslog-ng from using TCP on reserved ports
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy
Hardware: All
OS: Linux
Priority: medium
Severity: high
Assigned To: Daniel Walsh
Reported: 2007-08-20 14:04 EDT by Eric Karlson
Modified: 2008-05-07 11:07 EDT
Doc Type: Bug Fix
Last Closed: 2008-05-07 11:07:40 EDT
Description Eric Karlson 2007-08-20 14:04:57 EDT
Description of problem:
If one tries to set up syslog-ng to use TCP on a reserved port, syslog-ng won't
start, giving a "permission denied" error.  The /var/log/messages file records
the following policy violation:

Aug 20 10:38:51 app03 kernel: audit(1187631531.346:5): avc:  denied  { name_bind } for  pid=4112 comm="syslog-ng" src=514 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket

Digging into the default policy files, there is a rule to allow name_bind on UDP
for the syslogd_t type, but not on TCP.

Version-Release number of selected component (if applicable):
Seen on RHEL/AS 4.5 - assume it is present in all versions.

How reproducible:
See below:

Steps to Reproduce:
1) Install syslog-ng
2) Run "setsebool use_syslogng=1"
3) create syslog-ng.conf file that tries to setup a listener on a reserved port
for TCP connections (for example, TCP on port 514)
4) run "service syslog-ng start"
Actual results:
syslog-ng should start

Expected results:
syslog-ng fails to start due to a "permission denied" error

Additional info:
The easiest way to see this is to configure syslog-ng to only listen for
connections on TCP, Port 514.  Don't have it listen on any other ports, or
connections (i.e. no local pipes, unix-sockets, etc).  That way you can try to
start up syslog-ng while syslog is still running.  That way the normal syslog
will still capture and log the selinux audit message.

The fundamental problem is that the default SELINUX policy files piggy-back
syslog-ng on top of the existing syslog policy rules, and the default syslog
policy rules tried to get smart and say that syslog will never bind on a TCP
port.  Without a rule that states that syslogd_t can name_bind on the
syslogd_port_t using TCP, then the restrictions on reserved_port_t prevent
syslog-ng from binding on any privileged port.

The default policy simply needs a rule that states that syslogd_t can name_bind
on TCP on syslog_port_t.
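Added example, not part of the bug report or of the selinux-policy package: a small POSIX shell script that pulls the source type, target type, object class and permission out of the AVC denial quoted above (copied here as a constructed one-line string) and shows the two ways it can be turned into policy. The literal translation, which is what `audit2allow` would derive, allows `syslogd_t` to bind every `reserved_port_t` port; the narrower module is the rule the reporter asks for, binding only the port type assigned to syslog. The report spells that type both `syslogd_port_t` and `syslog_port_t`; the script uses `syslogd_port_t`, the name the reference policy gives the 514 port, and assumes a modular policy toolchain (`checkmodule`, `semodule_package`, `semodule`), which is an assumption about the target system rather than something the RHEL 4 report shows.

```shell
#!/bin/sh
# Added example: translate an SELinux AVC denial into the allow rule it
# literally asks for, and contrast it with the narrower rule the report wants.

# Constructed copy of the denial quoted in the bug report, joined onto one line.
AVC_LINE='Aug 20 10:38:51 app03 kernel: audit(1187631531.346:5): avc:  denied  { name_bind } for  pid=4112 comm="syslog-ng" src=514 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket'

# avc_field LINE NAME: value of the NAME=value token in an AVC line.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE: the permission list between the braces, e.g. "name_bind".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\) *}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# ctx_type CONTEXT: the type component (last field) of user:role:type.
ctx_type() {
    printf '%s\n' "$1" | awk -F: '{print $NF}'
}

# avc_to_allow LINE: the literal allow rule for the denial. This is the broad
# rule audit2allow would produce: it lets syslogd_t bind *every* reserved port,
# not just 514, so it is wider than the bug actually needs.
avc_to_allow() {
    _s=$(ctx_type "$(avc_field "$1" scontext)")
    _t=$(ctx_type "$(avc_field "$1" tcontext)")
    _c=$(avc_field "$1" tclass)
    _p=$(avc_perms "$1")
    printf 'allow %s %s:%s %s;\n' "$_s" "$_t" "$_c" "$_p"
}

# narrow_module: a policy module source (.te) with the rule the reporter asks
# for. It only applies if 514/tcp is labelled syslogd_port_t; on systems with
# policycoreutils that can be checked with: semanage port -l | grep syslog
narrow_module() {
    cat <<'EOF'
module syslogng_tcp 1.0;

require {
    type syslogd_t;
    type syslogd_port_t;
    class tcp_socket name_bind;
}

# Allow the syslog daemon domain to bind the syslog port over TCP as well as UDP.
allow syslogd_t syslogd_port_t:tcp_socket name_bind;
EOF
}

# Stand-alone demonstration.
echo "Literal (broad) rule derived from the denial:"
avc_to_allow "$AVC_LINE"
echo
echo "Narrower module the report asks for:"
narrow_module
```

To load the narrower module on a modular-policy host (an assumption: RHEL 5 and later use one, the RHEL 4 monolithic policy in the report does not), write the `narrow_module` output to `syslogng_tcp.te` and run `checkmodule -M -m -o syslogng_tcp.mod syslogng_tcp.te`, `semodule_package -o syslogng_tcp.pp -m syslogng_tcp.mod`, then `semodule -i syslogng_tcp.pp`. Prefer it over the broad rule: granting `name_bind` on all of `reserved_port_t` would let a compromised syslog-ng squat on any privileged port.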
Comment 1 Daniel Walsh 2008-05-07 11:07:40 EDT
Fixed in RHEL5
