First Last Prev Next    This bug is not in your last search results.
Bug 517065 - selinux prevents rsyslog/syslog-ng to talk to tcp/601 or listen on tcp/601 port
selinux prevents rsyslog/syslog-ng to talk to tcp/601 or listen on tcp/601 port
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.3
All Linux
low Severity medium
: rc
: ---
Assigned To: Daniel Walsh
BaseOS QE Security Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-08-12 10:11 EDT by Peter Bieringer
Modified: 2009-10-22 11:06 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-10-22 11:06:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Peter Bieringer 2009-08-12 10:11:02 EDT 
Description of problem:
configuring rsyslog to use a reliable tcp connection to port 601 (choosen from /etc/services), selinux prohibits this connection.

Version-Release number of selected component (if applicable):
rsyslog-2.0.6-1.el5
selinux-policy-2.4.6-203.el5
selinux-policy-targeted-2.4.6-203.el5

How reproducible:
Always

Steps to Reproduce:
1. configure /etc/rsyslog.conf for remote tcp output channel on port 601
*.notice;authpriv.*                                    @@syslog:601
2. reload rsyslog
  
Actual results:
type=AVC msg=audit(1250085933.332:384438): avc:  denied  { name_connect } for  pid=27087 comm="rsyslogd" dest=601 scontext=user_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket

no packets were leaving the system if selinux is enforced.

Expected results:
Working well, packets are sent to remote syslog via tcp - as seen if selinux is switched to permissive mode.

Additional info:
514/tcp can't be used, because it's reserved for remote shell
Comment 1 Peter Bieringer 2009-08-13 11:02:55 EDT 
Looks like following selinux extension is required for sending to remote syslog:

allow syslogd_t hi_reserved_port_t:tcp_socket name_connect;


Note also, that for acting as tcp listening syslog server, also a policy extension is required:

allow syslogd_t hi_reserved_port_t:tcp_socket name_bind;


And if using syslog-ng from EPEL, an additional missing one was detected:

allow syslogd_t self:process getsched;
Comment 2 Eduard Benes 2009-10-22 10:30:32 EDT 
I believe selinux-policy is the correct component for this bug, not rsyslog (if it is a bug at all).
Comment 3 Daniel Walsh 2009-10-22 11:06:00 EDT 
# semanage port -a -t syslogd_port_t -p tcp 601

http://danwalsh.livejournal.com/9275.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.