Bug 253585 - Default SELINUX Policy prevents syslog-ng from using TCP on reserved ports
Summary: Default SELINUX Policy prevents syslog-ng from using TCP on reserved ports
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy
Version: 4.5
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-08-20 18:04 UTC by Eric Karlson
Modified: 2008-05-07 15:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-07 15:07:40 UTC
Target Upstream Version:
Embargoed:



Description Eric Karlson 2007-08-20 18:04:57 UTC
Description of problem:
If one tries to set up syslog-ng to use TCP on a reserved port, syslog-ng won't
start, giving a "permission denied" error.  The /var/log/messages file records
the following policy violation:

Aug 20 10:38:51 app03 kernel: audit(1187631531.346:5): avc:  denied  { name_bind } for  pid=4112 comm="syslog-ng" src=514 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket

Digging into the default policy files, there is a rule to allow name_bind on UDP
for the syslogd_t type, but not on TCP.

Version-Release number of selected component (if applicable):
Seen on RHEL/AS 4.5 - assume it is present in all versions.

How reproducible:
See below:

Steps to Reproduce:
1) Install syslog-ng
2) Run "setsebool use_syslogng=1"
3) create a syslog-ng.conf file that tries to set up a listener on a reserved port
for TCP connections (for example, TCP on port 514)
4) run "service syslog-ng start"
  
Actual results:
syslog-ng should start

Expected results:
syslog-ng fails to start due to a "permission denied" error

Additional info:
The easiest way to see this is to configure syslog-ng to only listen for
connections on TCP, Port 514.  Don't have it listen on any other ports, or
connections (i.e. no local pipes, unix-sockets, etc).  That way you can try to
start up syslog-ng while syslog is still running.  That way the normal syslog
will still capture and log the selinux audit message.

The fundamental problem is that the default SELINUX policy files piggy-back
syslog-ng on top of the existing syslog policy rules, and the default syslog
policy rules tried to get smart and say that syslog will never bind on a TCP
port.  Without a rule that states that syslogd_t can name_bind on the
syslogd_port_t using TCP, the restrictions on reserved_port_t prevent
syslog-ng from binding on any privileged port.

The default policy simply needs a rule that states that syslogd_t can name_bind
on TCP on syslog_port_t.
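The following script is an added illustration of the fix the report asks for; it is not part of the bug report or of the Red Hat policy. It parses the AVC denial quoted above, shows the broad allow rule that audit2allow would derive from it (name_bind on every reserved port), and emits a local policy module carrying the narrower rule the reporter proposes instead: name_bind on the syslog port type only. The report names that type both as syslogd_port_t and syslog_port_t; the script uses syslogd_port_t, the name in the reference policy. The module name local_syslogng_tcp and the AVC sample are constructed here, and the build and load steps assume the checkmodule, semodule_package, semanage and semodule tools of a RHEL 5 era policycoreutils.

```shell
#!/bin/sh
# Added example, not from the bug report: derive SELinux allow rules from the
# AVC denial above and build a local module with the narrow rule.

# Constructed sample: the AVC record from the report, joined onto one line.
AVC_LINE='Aug 20 10:38:51 app03 kernel: audit(1187631531.346:5): avc:  denied  { name_bind } for  pid=4112 comm="syslog-ng" src=514 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket'

# avc_field LINE NAME: value of the NAME=value field in an AVC record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# The third colon-separated component of a security context is the type.
avc_source_type() { avc_field "$1" scontext | cut -d: -f3; }
avc_target_type() { avc_field "$1" tcontext | cut -d: -f3; }
avc_class()       { avc_field "$1" tclass; }
avc_port()        { avc_field "$1" src; }

# avc_perms LINE: the permission set between the braces, e.g. "name_bind".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{[[:space:]]*\([^}]*[^}[:space:]]\)[[:space:]]*}.*/\1/p'
}

# broad_rule LINE: the rule audit2allow would emit for this denial. It lets
# syslogd_t bind any reserved port, which is wider than syslog-ng needs.
broad_rule() {
    printf 'allow %s %s:%s %s;\n' \
        "$(avc_source_type "$1")" "$(avc_target_type "$1")" \
        "$(avc_class "$1")" "$(avc_perms "$1")"
}

# narrow_rule LINE PORT_TYPE: the rule proposed in the report, scoped to the
# syslog port type. Only effective once tcp/514 is labelled PORT_TYPE.
narrow_rule() {
    printf 'allow %s %s:%s %s;\n' \
        "$(avc_source_type "$1")" "$2" "$(avc_class "$1")" "$(avc_perms "$1")"
}

# policy_module LINE PORT_TYPE: complete .te source for a loadable module
# (module name local_syslogng_tcp is constructed for this example).
policy_module() {
    printf 'module local_syslogng_tcp 1.0;\n\n'
    printf 'require {\n\ttype %s;\n\ttype %s;\n\tclass %s %s;\n}\n\n' \
        "$(avc_source_type "$1")" "$2" "$(avc_class "$1")" "$(avc_perms "$1")"
    narrow_rule "$1" "$2"
}

# load_module LINE PORT_TYPE: compile, label the port and insert the module.
# Needs root and the policy toolchain; otherwise it just prints the source.
load_module() {
    if ! command -v checkmodule >/dev/null 2>&1; then
        echo "checkmodule not found; module source follows:" >&2
        policy_module "$1" "$2"
        return 0
    fi
    tmp=$(mktemp -d)
    policy_module "$1" "$2" > "$tmp/local_syslogng_tcp.te"
    checkmodule -M -m -o "$tmp/local_syslogng_tcp.mod" "$tmp/local_syslogng_tcp.te"
    semodule_package -o "$tmp/local_syslogng_tcp.pp" -m "$tmp/local_syslogng_tcp.mod"
    # Give tcp/514 the syslog port type so the narrow rule applies to it
    # (assumption: semanage port is available on the target release).
    semanage port -a -t "$2" -p tcp "$(avc_port "$1")"
    semodule -i "$tmp/local_syslogng_tcp.pp"
    rm -rf "$tmp"
}

# Stand-alone run: show both candidate rules side by side.
echo "audit2allow style (too broad):"; broad_rule "$AVC_LINE"
echo "scoped to the syslog port type:"; narrow_rule "$AVC_LINE" syslogd_port_t
```

Run `load_module "$AVC_LINE" syslogd_port_t` as root to install the narrow module; the broad rule is printed only for comparison, since granting name_bind on reserved_port_t would let the syslog domain bind any privileged port rather than just its own. After loading, restart syslog-ng and confirm that /var/log/messages no longer records the name_bind denial.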

Comment 1 Daniel Walsh 2008-05-07 15:07:40 UTC
Fixed in RHEL5
