Description of problem: configuring rsyslog to use a reliable tcp connection to port 601 (chosen from /etc/services), selinux prohibits this connection.

Version-Release number of selected component (if applicable):
rsyslog-2.0.6-1.el5
selinux-policy-2.4.6-203.el5
selinux-policy-targeted-2.4.6-203.el5

How reproducible: Always

Steps to Reproduce:
1. configure /etc/rsyslog.conf for remote tcp output channel on port 601
   *.notice;authpriv.* @@syslog:601
2. reload rsyslog

Actual results:
type=AVC msg=audit(1250085933.332:384438): avc: denied { name_connect } for pid=27087 comm="rsyslogd" dest=601 scontext=user_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
no packets were leaving the system if selinux is enforced.

Expected results: Working well, packets are sent to remote syslog via tcp - as seen if selinux is switched to permissive mode.

Additional info: 514/tcp can't be used, because it's reserved for remote shell
Looks like the following selinux extension is required for sending to remote syslog:
allow syslogd_t hi_reserved_port_t:tcp_socket name_connect;

Note also that for acting as a tcp listening syslog server, a policy extension is also required:
allow syslogd_t hi_reserved_port_t:tcp_socket name_bind;

And if using syslog-ng from EPEL, an additional missing one was detected:
allow syslogd_t self:process getsched;
I believe selinux-policy is the correct component for this bug, not rsyslog (if it is a bug at all).
# semanage port -a -t syslogd_port_t -p tcp 601
http://danwalsh.livejournal.com/9275.html
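As an added example (not part of the bug report or of Red Hat's tooling), a small shell helper that reads an AVC denial like the one quoted above and turns it into the port relabel suggested in the last comment, instead of a broad allow rule on hi_reserved_port_t. The domain-to-port-type table is hypothetical and only contains the syslogd_t entry from this report; the sample AVC line is the one constructed from the report.

```shell
#!/bin/sh
# Constructed sample: the denial quoted in the report, as it appears in audit.log.
SAMPLE_AVC='type=AVC msg=audit(1250085933.332:384438): avc: denied { name_connect } for pid=27087 comm="rsyslogd" dest=601 scontext=user_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket'

# Print the value of one key=value field of an AVC record (empty if absent).
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[ (]$1=\([^ )]*\).*/\1/p"
}

# Hypothetical table mapping a source domain to the port type its policy may
# already use; only the syslogd_t row comes from this report.
port_type_for_domain() {
    case "$1" in
        syslogd_t) echo syslogd_port_t ;;
        *) return 1 ;;
    esac
}

# Given one AVC line for a port permission, print the narrowest fix: label the
# port with the domain's own port type so the shipped policy permits it.
avc_port_fix() {
    line=$1
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied { \([a-z_]*\) }.*/\1/p')
    case "$perm" in
        name_connect|name_bind) ;;
        *) echo "not a port denial: $perm" >&2; return 1 ;;
    esac
    tclass=$(avc_field tclass "$line")
    case "$tclass" in
        tcp_socket) proto=tcp ;;
        udp_socket) proto=udp ;;
        *) echo "unsupported class: $tclass" >&2; return 1 ;;
    esac
    # name_connect denials carry dest=PORT, name_bind denials carry src=PORT.
    port=$(avc_field dest "$line")
    [ -n "$port" ] || port=$(avc_field src "$line")
    domain=$(avc_field scontext "$line" | cut -d: -f3)
    ptype=$(port_type_for_domain "$domain") || { echo "no port type known for $domain" >&2; return 1; }
    echo "semanage port -a -t $ptype -p $proto $port"
}

avc_port_fix "$SAMPLE_AVC"
```

The getsched denial mentioned for syslog-ng is not a port denial, so the helper refuses it rather than suggesting a relabel.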