SELinux and rsyslog

A colleague was recently doing some detailed investigation around rsyslog and was curious how it worked over TCP port 514, given that it was labelled as rsh_port_t and not syslogd_port_t.

[[email protected] ~]# sudo semanage port -l | grep 'syslogd_port_t\|rsh_port_t'
rsh_port_t                     tcp      514
syslogd_port_t                 tcp      6514, 601
syslogd_port_t                 udp      514, 6514, 601

If we take a look at the dontaudit rules in the SELinux policy, we can see that the context transition is allowed to rsh_port_t and that name_bind is permitted for both TCP and UDP sockets.

[[email protected] ~]# sudo sesearch --dontaudit -t rsh_port_t | grep syslog
   dontaudit syslogd_t port_type : tcp_socket name_bind ;
   dontaudit syslogd_t port_type : udp_socket name_bind ;
   dontaudit syslogd_t rsh_port_t : tcp_socket name_bind ;
   dontaudit syslogd_t rsh_port_t : udp_socket name_bind ;

This article is my 9th oldest. It is 124 words long