Bug 728591 - selinux policy restricts rsyslog clients from connecting to port 6514
Summary: selinux policy restricts rsyslog clients from connecting to port 6514
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Karel Srot
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-08-05 17:56 UTC by Thomas Wiest
Modified: 2011-12-06 10:10 UTC (History)

Fixed In Version: selinux-policy-3.7.19-107.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 10:10:21 UTC
Target Upstream Version:
Embargoed:




Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHBA-2011:1511 | 0 | normal | SHIPPED_LIVE | selinux-policy bug fix and enhancement update | 2011-12-06 00:39:17 UTC

Description Thomas Wiest 2011-08-05 17:56:30 UTC
Description of problem:
selinux policy restricts rsyslog clients from connecting to port 6514 (which is the syslog over TLS port).


/etc/services has it listed:
syslog-tls      6514/tcp                # Syslog over TLS


Version-Release number of selected component (if applicable):

Currently installed selinux-policy is: 
selinux-policy-3.7.19-106.el6.noarch


How reproducible:
every time


Steps to reproduce:
1. Setup rsyslog to send syslog messages to another server using TLS on port 6514.
2. Notice the denial error in /var/log/audit/audit.log

 
Actual results:
type=AVC msg=audit(1312485538.345:2641866): avc:  denied  { name_connect } for  pid=12748 comm=72733A6D61696E20513A526567 dest=6514 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1312485538.345:2641866): arch=c000003e syscall=42 success=no exit=-13 a0=26 a1=7fb264034060 a2=10 a3=40 items=0 ppid=1 pid=12748 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=98603 comm=72733A6D61696E20513A526567 exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)


Expected results:
no denial

Comment 2 Daniel Walsh 2011-08-05 19:07:39 UTC
semanage port -a -t syslogd_port_t -p tcp 6514

Comment 3 Miroslav Grepl 2011-08-10 07:38:34 UTC
Fixed in selinux-policy-3.7.19-107.el6

Comment 5 Thomas Wiest 2011-08-18 18:58:42 UTC
So it seems that the rsyslog server can't bind/listen on port 6514 either.


type=AVC msg=audit(1313677492.492:3068683): avc:  denied  { name_bind } for  pid=11650 comm="rsyslogd" src=6514 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1313677492.492:3068683): arch=c000003e syscall=49 success=yes exit=0 a0=4 a1=7f8eb0000a10 a2=10 a3=3 items=0 ppid=1 pid=11650 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=118418 comm="rsyslogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)


Will the fix mentioned above also apply for the server binding to port 6514 or should I file a separate bug?

Thanks :)

Comment 6 Daniel Walsh 2011-08-20 11:04:12 UTC
Marking port 6514 as a syslogd_port_t will allow syslogd_t to name_connect and name_bind to the port.  

Yes this fix will allow that also.

# sesearch -A -s syslogd_t -t syslogd_port_t
Found 9 semantic av rules:
   allow syslogd_t syslogd_port_t : tcp_socket { name_bind name_connect } ;
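As an added triage example (not code from this bug or from Red Hat): a small Python parser for AVC records like the two quoted above. It decodes the hex-encoded comm field auditd emits when the command name contains a space, recognises a name_connect or name_bind denial against the generic port_t label, and emits the semanage port command from comment 2. The sample records are constructed from the denials on this page, and the KNOWN_PORT_TYPES mapping is an assumption limited to the syslogd_t pair shown in the sesearch output.

```python
import re

# Constructed sample records, modelled on the two denials quoted in this bug
# (client-side name_connect, server-side name_bind). auditd hex-encodes comm
# when it contains a space, hence the unquoted value in the first record.
SAMPLE_AVCS = [
    "type=AVC msg=audit(1312485538.345:2641866): avc:  denied  { name_connect } for  pid=12748 "
    "comm=72733A6D61696E20513A526567 dest=6514 scontext=unconfined_u:system_r:syslogd_t:s0 "
    "tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket",
    "type=AVC msg=audit(1313677492.492:3068683): avc:  denied  { name_bind } for  pid=11650 "
    'comm="rsyslogd" src=6514 scontext=unconfined_u:system_r:syslogd_t:s0 '
    "tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket",
]
# Domain -> port type pairs with name_bind/name_connect allowed, per the sesearch
# output in this bug (assumed mapping); anything not listed needs a policy lookup.
KNOWN_PORT_TYPES = {"syslogd_t": "syslogd_port_t"}
_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_comm(raw):
    """Quoted comm is literal; an unquoted comm is the hex encoding auditd uses."""
    return raw.strip('"') if raw.startswith('"') else bytes.fromhex(raw).decode("utf-8", "replace")

def parse_avc(line):
    """Return the fields of a socket-related AVC denial, or None if the line is not one."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    f = dict(_FIELD_RE.findall(m.group("fields")))
    if not f.get("tclass", "").endswith("_socket"):
        return None
    perms = m.group("perms").split()
    # name_connect denials carry the remote port in dest=, name_bind the local port in src=
    port = f.get("dest") if "name_connect" in perms else f.get("src")
    return {
        "perms": perms,
        "comm": decode_comm(f["comm"]),
        "domain": f["scontext"].split(":")[2],      # e.g. syslogd_t
        "port_type": f["tcontext"].split(":")[2],   # port_t means the port carries no label
        "port": int(port) if port else None,
        "proto": f["tclass"].split("_")[0],         # tcp_socket -> tcp
    }

def suggest_fix(rec):
    """Only a denial on the generic port_t is fixable by labeling the port (comment 2)."""
    if rec is None or rec["port_type"] != "port_t" or rec["port"] is None:
        return None
    ptype = KNOWN_PORT_TYPES.get(rec["domain"])
    return None if ptype is None else "semanage port -a -t %s -p %s %d" % (ptype, rec["proto"], rec["port"])
```

With selinux-policy-3.7.19-107.el6 or later the label ships in the policy, so the suggested command applies only to earlier builds.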

Comment 7 Thomas Wiest 2011-08-22 17:57:09 UTC
Excellent, thanks!

Comment 8 Karel Srot 2011-09-22 08:33:03 UTC
I don't understand why it happened in the first place. This is already in the 6.1 policy

.live.[root@s390x-6s-v1 ~]# rpm -q selinux-policy
selinux-policy-3.7.19-93.el6.noarch
.live.[root@s390x-6s-v1 ~]# sesearch -A -s syslogd_t -t syslogd_port_t
Found 9 semantic av rules:
   allow syslogd_t syslogd_port_t : tcp_socket { name_bind name_connect } ; 
   allow syslogd_t syslogd_port_t : udp_socket name_bind ; 
   allow syslogd_t port_type : tcp_socket { recv_msg send_msg } ; 
   allow syslogd_t port_type : udp_socket { recv_msg send_msg } ; 
   allow syslogd_t reserved_port_type : tcp_socket name_connect ; 
   allow syslogd_t rpc_port_type : tcp_socket name_bind ; 
   allow syslogd_t rpc_port_type : udp_socket name_bind ; 
   allow syslogd_t port_type : tcp_socket { recv_msg send_msg } ; 
   allow syslogd_t port_type : udp_socket { recv_msg send_msg } ; 

.live.[root@s390x-6s-v1 ~]# semanage port -l | grep syslog
syslogd_port_t                 tcp      6514
syslogd_port_t                 udp      514, 6514

Comment 9 Karel Srot 2011-09-22 09:33:32 UTC
(In reply to comment #8)
> I don't understand why it happened in the first place. This is already in the 6.1
> policy
> 
> .live.[root@s390x-6s-v1 ~]# semanage port -l | grep syslog
> syslogd_port_t                 tcp      6514
> syslogd_port_t                 udp      514, 6514

Pls ignore the previous comment. The machine I used already had a newer policy installed before and wasn't properly downgraded.
I have checked on another machine that the -93 policy has just
# semanage port -l | grep syslog
syslogd_port_t                 udp      514

Comment 11 errata-xmlrpc 2011-12-06 10:10:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html

