Bug 728591 - selinux policy restricts rsyslog clients from connecting to port 6514
Summary: selinux policy restricts rsyslog clients from connecting to port 6514
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Karel Srot
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-08-05 17:56 UTC by Thomas Wiest
Modified: 2011-12-06 10:10 UTC (History)

Fixed In Version: selinux-policy-3.7.19-107.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 10:10:21 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1511 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-12-06 00:39:17 UTC

Description Thomas Wiest 2011-08-05 17:56:30 UTC
Description of problem:
selinux policy restricts rsyslog clients from connecting to port 6514 (which is the syslog over TLS port).


/etc/services has it listed:
syslog-tls      6514/tcp                # Syslog over TLS


Version-Release number of selected component (if applicable):

Currently installed selinux-policy is: 
selinux-policy-3.7.19-106.el6.noarch


How reproducible:
every time


Steps to reproduce:
1. Set up rsyslog to send syslog messages to another server using TLS on port 6514.
2. Notice the denial error in /var/log/audit/audit.log

 
Actual results:
type=AVC msg=audit(1312485538.345:2641866): avc:  denied  { name_connect } for  pid=12748 comm=72733A6D61696E20513A526567 dest=6514 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1312485538.345:2641866): arch=c000003e syscall=42 success=no exit=-13 a0=26 a1=7fb264034060 a2=10 a3=40 items=0 ppid=1 pid=12748 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=98603 comm=72733A6D61696E20513A526567 exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)


Expected results:
no denial

Comment 2 Daniel Walsh 2011-08-05 19:07:39 UTC
semanage port -a -t syslogd_port_t -p tcp 6514

Comment 3 Miroslav Grepl 2011-08-10 07:38:34 UTC
Fixed in selinux-policy-3.7.19-107.el6

Comment 5 Thomas Wiest 2011-08-18 18:58:42 UTC
So it seems that the rsyslog server can't bind/listen on port 6514 either.


type=AVC msg=audit(1313677492.492:3068683): avc:  denied  { name_bind } for  pid=11650 comm="rsyslogd" src=6514 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1313677492.492:3068683): arch=c000003e syscall=49 success=yes exit=0 a0=4 a1=7f8eb0000a10 a2=10 a3=3 items=0 ppid=1 pid=11650 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=118418 comm="rsyslogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)


Will the fix mentioned above also apply for the server binding to port 6514 or should I file a separate bug?

Thanks :)

Comment 6 Daniel Walsh 2011-08-20 11:04:12 UTC
Marking port 6514 as a syslogd_port_t will allow syslogd_t to name_connect and name_bind to the port.  

Yes this fix will allow that also.

# sesearch -A -s syslogd_t -t syslogd_port_t
Found 9 semantic av rules:
   allow syslogd_t syslogd_port_t : tcp_socket { name_bind name_connect } ;
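As an added example, not part of this bug report: a small audit-log triage helper that parses AVC records like the two quoted in this bug, decodes the hex-encoded comm field (the client-side denial came from rsyslog's "rs:main Q:Reg" worker thread), and derives the semanage port command from comment 2 only while the port is still the generic port_t. The sample log lines below are constructed from this bug's records.

```python
import re

# Constructed sample, modelled on the two AVC records quoted in this bug
# (client name_connect, then server name_bind, both on tcp/6514).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1312485538.345:2641866): avc:  denied  { name_connect } for  pid=12748 comm=72733A6D61696E20513A526567 dest=6514 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1313677492.492:3068683): avc:  denied  { name_bind } for  pid=11650 comm="rsyslogd" src=6514 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PORT_PERMS = {"name_connect", "name_bind"}


def decode_comm(raw):
    """auditd hex-encodes comm when it contains spaces or odd bytes;
    rsyslog's worker thread name 'rs:main Q:Reg' is one such case."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw


def port_denials(audit_text):
    """Return the AVC denials that are port-label problems (name_connect /
    name_bind on a socket class), with the fields needed for triage."""
    found = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        perms = set(m.group("perms").split()) & PORT_PERMS
        f = dict(FIELD_RE.findall(m.group("fields")))
        if not perms or not f.get("tclass", "").endswith("_socket"):
            continue
        found.append({
            "perm": next(iter(perms)),
            "port": int(f.get("dest") or f.get("src")),   # dest for connect, src for bind
            "proto": f["tclass"].split("_")[0],            # tcp_socket -> tcp
            "comm": decode_comm(f.get("comm", "")),
            "source_type": f["scontext"].split(":")[2],    # e.g. syslogd_t
            "target_type": f["tcontext"].split(":")[2],    # e.g. port_t
        })
    return found


def remediation(denial, port_type="syslogd_port_t"):
    """Comment 2's local fix: label the port so the domain's existing rules on
    that port type apply. Only meaningful while the port is unlabelled (port_t);
    a denial against an already-labelled port needs a policy change instead."""
    if denial["target_type"] != "port_t":
        return None
    return f"semanage port -a -t {port_type} -p {denial['proto']} {denial['port']}"
```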

Comment 7 Thomas Wiest 2011-08-22 17:57:09 UTC
Excellent, thanks!

Comment 8 Karel Srot 2011-09-22 08:33:03 UTC
I don't understand why it happened in the first place. This is already in the 6.1 policy

.live.[root@s390x-6s-v1 ~]# rpm -q selinux-policy
selinux-policy-3.7.19-93.el6.noarch
.live.[root@s390x-6s-v1 ~]# sesearch -A -s syslogd_t -t syslogd_port_t
Found 9 semantic av rules:
   allow syslogd_t syslogd_port_t : tcp_socket { name_bind name_connect } ; 
   allow syslogd_t syslogd_port_t : udp_socket name_bind ; 
   allow syslogd_t port_type : tcp_socket { recv_msg send_msg } ; 
   allow syslogd_t port_type : udp_socket { recv_msg send_msg } ; 
   allow syslogd_t reserved_port_type : tcp_socket name_connect ; 
   allow syslogd_t rpc_port_type : tcp_socket name_bind ; 
   allow syslogd_t rpc_port_type : udp_socket name_bind ; 
   allow syslogd_t port_type : tcp_socket { recv_msg send_msg } ; 
   allow syslogd_t port_type : udp_socket { recv_msg send_msg } ; 

.live.[root@s390x-6s-v1 ~]# semanage port -l | grep syslog
syslogd_port_t                 tcp      6514
syslogd_port_t                 udp      514, 6514

Comment 9 Karel Srot 2011-09-22 09:33:32 UTC
(In reply to comment #8)
> I don't understand why it happened in the first place. This is already in the 6.1
> policy
> 
> .live.[root@s390x-6s-v1 ~]# semanage port -l | grep syslog
> syslogd_port_t                 tcp      6514
> syslogd_port_t                 udp      514, 6514

Please ignore the previous comment. The machine I used already had a newer policy installed before and wasn't properly downgraded.
I have checked on another machine that -93 policy has just
# semanage port -l | grep syslog
syslogd_port_t                 udp      514

Comment 11 errata-xmlrpc 2011-12-06 10:10:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html

