Description of problem:
selinux policy restricts rsyslog clients from connecting to port 6514 (which is the syslog over TLS port). /etc/services has it listed:
syslog-tls 6514/tcp # Syslog over TLS

Version-Release number of selected component (if applicable):
Currently installed selinux-policy is: selinux-policy-3.7.19-106.el6.noarch

How reproducible:
every time

Steps to reproduce:
1. Set up rsyslog to send syslog messages to another server using TLS on port 6514.
2. Notice the denial error in /var/log/audit/audit.log

Actual results:
type=AVC msg=audit(1312485538.345:2641866): avc: denied { name_connect } for pid=12748 comm=72733A6D61696E20513A526567 dest=6514 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1312485538.345:2641866): arch=c000003e syscall=42 success=no exit=-13 a0=26 a1=7fb264034060 a2=10 a3=40 items=0 ppid=1 pid=12748 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=98603 comm=72733A6D61696E20513A526567 exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)

Expected results:
no denial
semanage port -a -t syslogd_port_t -p tcp 6514
Fixed in selinux-policy-3.7.19-107.el6
So it seems that the rsyslog server can't bind/listen on port 6514 either.

type=AVC msg=audit(1313677492.492:3068683): avc: denied { name_bind } for pid=11650 comm="rsyslogd" src=6514 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1313677492.492:3068683): arch=c000003e syscall=49 success=yes exit=0 a0=4 a1=7f8eb0000a10 a2=10 a3=3 items=0 ppid=1 pid=11650 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=118418 comm="rsyslogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)

Will the fix mentioned above also apply for the server binding to port 6514 or should I file a separate bug? Thanks :)
Marking port 6514 as a syslogd_port_t will allow syslogd_t to name_connect and name_bind to the port. Yes this fix will allow that also.

# sesearch -A -s syslogd_t -t syslogd_port_t
Found 9 semantic av rules:
allow syslogd_t syslogd_port_t : tcp_socket { name_bind name_connect } ;
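The two denials in this report have the same shape (syslogd_t, tclass tcp_socket, tcontext port_t, port 6514) and the same fix (label the port). The following POSIX sh helper, added here as an example and not part of the bug report or of the selinux-policy package, parses AVC lines of that shape and prints the semanage port command that would label each unlabelled port with a type you pass in. The sample audit lines are constructed from the two denials above; the target port type (syslogd_port_t) is supplied by the caller rather than guessed from the source domain, because that mapping is policy-specific and is an assumption.

```shell
#!/bin/sh
# Triage helper for SELinux AVC port denials (added example, not from the bug
# report): extract the port, protocol and source domain from AVC lines whose
# target is the generic port_t, and emit the semanage command that labels the
# port. Constructed sample input, mirroring the report's two denials:
SAMPLE_AVC='type=AVC msg=audit(1312485538.345:2641866): avc: denied { name_connect } for pid=12748 comm=72733A6D61696E20513A526567 dest=6514 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1312485538.345:2641866): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1313677492.492:3068683): avc: denied { name_bind } for pid=11650 comm="rsyslogd" src=6514 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1313677492.492:3068683): arch=c000003e syscall=49 success=yes exit=0'

# Read audit lines on stdin; print one "<source_type> <perm> <proto> <port>"
# line per name_bind/name_connect denial against an unlabelled (port_t) port.
# SYSCALL records and denials on already-labelled ports are skipped.
avc_port_denials() {
    awk '
        /^type=AVC / && /avc: +denied/ && /tclass=(tcp|udp)_socket/ {
            port = ""; stype = ""; ttype = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                # dest= appears on name_connect denials, src= on name_bind
                if ($i ~ /^(dest|src)=/) { split($i, kv, "="); port = kv[2] }
                # the type is the third colon-separated field of a context
                if ($i ~ /^scontext=/)   { split($i, kv, "="); split(kv[2], c, ":"); stype = c[3] }
                if ($i ~ /^tcontext=/)   { split($i, kv, "="); split(kv[2], c, ":"); ttype = c[3] }
                # tclass=tcp_socket / udp_socket -> tcp / udp
                if ($i ~ /^tclass=/)     { split($i, kv, "="); proto = substr(kv[2], 1, 3) }
            }
            # the denied permission sits between the braces
            if (match($0, /[{] *[a-z_]+ *[}]/)) {
                perm = substr($0, RSTART, RLENGTH); gsub(/[{} ]/, "", perm)
            } else { perm = "" }
            if (ttype == "port_t" && port != "" && (perm == "name_bind" || perm == "name_connect"))
                print stype, perm, proto, port
        }'
}

# Read audit lines on stdin; print one deduplicated "semanage port -a" command
# per (proto, port) pair, using the port type given as $1. Labelling the port
# is the intended fix: policy then allows the domain both name_bind and
# name_connect on it, which covers the client and the server case at once.
suggest_port_label() {
    port_type="$1"
    avc_port_denials | awk -v t="$port_type" '
        { key = $3 " " $4
          if (!(key in seen)) { seen[key] = 1; print "semanage port -a -t " t " -p " $3 " " $4 } }'
}

# Stand-alone usage on the constructed sample:
printf '%s\n' "$SAMPLE_AVC" | suggest_port_label syslogd_port_t
```

On a live system the input would come from `grep avc /var/log/audit/audit.log` or `ausearch -m avc -ts recent` instead of the sample string; the helper only reports and prints the command, it does not run it, so the suggested label can be reviewed against `semanage port -l` before anything is changed.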
Excellent, thanks!
I don't understand why it happened in the first place. This is already in 6.1 policy.

.live.[root@s390x-6s-v1 ~]# rpm -q selinux-policy
selinux-policy-3.7.19-93.el6.noarch
.live.[root@s390x-6s-v1 ~]# sesearch -A -s syslogd_t -t syslogd_port_t
Found 9 semantic av rules:
allow syslogd_t syslogd_port_t : tcp_socket { name_bind name_connect } ;
allow syslogd_t syslogd_port_t : udp_socket name_bind ;
allow syslogd_t port_type : tcp_socket { recv_msg send_msg } ;
allow syslogd_t port_type : udp_socket { recv_msg send_msg } ;
allow syslogd_t reserved_port_type : tcp_socket name_connect ;
allow syslogd_t rpc_port_type : tcp_socket name_bind ;
allow syslogd_t rpc_port_type : udp_socket name_bind ;
allow syslogd_t port_type : tcp_socket { recv_msg send_msg } ;
allow syslogd_t port_type : udp_socket { recv_msg send_msg } ;
.live.[root@s390x-6s-v1 ~]# semanage port -l | grep syslog
syslogd_port_t tcp 6514
syslogd_port_t udp 514, 6514
(In reply to comment #8)
> I don't understand why it happened in the first place. This is already in 6.1
> policy
>
> .live.[root@s390x-6s-v1 ~]# semanage port -l | grep syslog
> syslogd_port_t tcp 6514
> syslogd_port_t udp 514, 6514

Please ignore the previous comment. The machine I used already had newer policy installed before and wasn't properly downgraded. I have checked on another machine that -93 policy has just

# semanage port -l | grep syslog
syslogd_port_t udp 514
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1511.html