From 76b4418f937fd1dbaa1061fa5f83f11ea046dc40 Mon Sep 17 00:00:00 2001

From: Noriko Hosoi <nhosoi@redhat.com>

Date: Thu, 10 Sep 2020 16:35:43 -0700

Subject: [PATCH 3/7] Adding "Port and SELinux" section to README.

(cherry picked from commit 5f144bc74edbcd80a53a2fe84aa464f7ea9f44ef)

---

 README.md | 16 +++++++++++++---

 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md

index 0eafde8..db29dc5 100644

--- a/README.md

+++ b/README.md

@@ -19,6 +19,7 @@

     * [Standalone configuration](#standalone-configuration)

     * [Client configuration](#client-configuration)

     * [Server configuration](#server-configuration)

+  * [Port and SELinux](#port-and-selinux)

   * [Providers](#providers)

   * [Tests](#tests)

   * [Implementation Details](#implementation-details)

@@ -111,10 +112,10 @@ This is a schematic logging configuration to show log messages from input_nameA

 - `ovirt` type - `ovirt` input supports oVirt specific inputs.

    For the details, visit [oVirt Support](../../design_docs/rsyslog_ovirt_support.md).

-- `remote` type - `remote` input supports receiving logs from the remote logging system over the network. This input type makes rsyslog a server.

+- `remote` type - `remote` input supports receiving logs from the remote logging system over the network.

   **available options**

-  - `udp_ports`: List of UDP port numbers to listen. If set, the `remote` input listens on the UDP ports. No defaults. If both `udp_ports` and `tcp_ports` are set in a `remote` input item, `udp_ports` is used and `tcp_ports` is dropped.

-  - `tcp_ports`: List of TCP port numbers to listen. If set, the `remote` input listens on the TCP ports. Default to `[514]`. If both `udp_ports` and `tcp_ports` are set in a `remote` input item, `udp_ports` is used and `tcp_ports` is dropped. If both `udp_ports` and `tcp_ports` are not set in a `remote` input item, `tcp_ports: [514]` is added to the item.

+  - `udp_ports`: List of UDP port numbers to listen. If set, the `remote` input listens on the UDP ports. No defaults. If both `udp_ports` and `tcp_ports` are set in a `remote` input item, `udp_ports` is used and `tcp_ports` is dropped. See also [Port and SELinux](#port-and-selinux).

+  - `tcp_ports`: List of TCP port numbers to listen. If set, the `remote` input listens on the TCP ports. Default to `[514]`. If both `udp_ports` and `tcp_ports` are set in a `remote` input item, `udp_ports` is used and `tcp_ports` is dropped. If both `udp_ports` and `tcp_ports` are not set in a `remote` input item, `tcp_ports: [514]` is added to the item. See also [Port and SELinux](#port-and-selinux).

   - `tls`: Set to `true` to encrypt the connection using the default TLS implementation used by the provider. Default to `false`.

   - `pki_authmode`: Specifying the default network driver authentication mode. `x509/name`, `x509/fingerprint`, `anon` is accepted. Default to `x509/name`.

   - `permitted_clients`: List of hostnames, IP addresses, fingerprints(sha1), and wildcard DNS domains which will be allowed by the `logging` server to connect and send logs over TLS. Default to `['*.{{ logging_domain }}']`

@@ -591,6 +592,15 @@ The following playbook generates the same logging configuration files.

         outputs: [remote_files_output0, remote_files_output1]

 ```

+### Port and SELinux

+

+SELinux is only configured to allow sending and receiving on the following ports by default:

+```

+syslogd_port_t        tcp   514, 20514

+syslogd_port_t        udp   514, 20514

+```

+If other ports need to be configured, you can use [linux-system-roles/selinux](https://github.com/linux-system-roles/selinux) to manage SELinux contexts.

+

 ## Providers

 [Rsyslog](roles/rsyslog) - This documentation contains rsyslog specific information.

-- 

2.26.2