From 76b4418f937fd1dbaa1061fa5f83f11ea046dc40 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Thu, 10 Sep 2020 16:35:43 -0700
Subject: [PATCH 3/7] Adding "Port and SELinux" section to README.
(cherry picked from commit 5f144bc74edbcd80a53a2fe84aa464f7ea9f44ef)
---
README.md | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 0eafde8..db29dc5 100644
--- a/README.md
+++ b/README.md
@@ -19,6 +19,7 @@
* [Standalone configuration](#standalone-configuration)
* [Client configuration](#client-configuration)
* [Server configuration](#server-configuration)
+ * [Port and SELinux](#port-and-selinux)
* [Providers](#providers)
* [Tests](#tests)
* [Implementation Details](#implementation-details)
@@ -111,10 +112,10 @@ This is a schematic logging configuration to show log messages from input_nameA
- `ovirt` type - `ovirt` input supports oVirt specific inputs.<br>
For the details, visit [oVirt Support](../../design_docs/rsyslog_ovirt_support.md).
-- `remote` type - `remote` input supports receiving logs from the remote logging system over the network. This input type makes rsyslog a server.<br>
+- `remote` type - `remote` input supports receiving logs from the remote logging system over the network.<br>
**available options**
- - `udp_ports`: List of UDP port numbers to listen. If set, the `remote` input listens on the UDP ports. No defaults. If both `udp_ports` and `tcp_ports` are set in a `remote` input item, `udp_ports` is used and `tcp_ports` is dropped.
- - `tcp_ports`: List of TCP port numbers to listen. If set, the `remote` input listens on the TCP ports. Default to `[514]`. If both `udp_ports` and `tcp_ports` are set in a `remote` input item, `udp_ports` is used and `tcp_ports` is dropped. If both `udp_ports` and `tcp_ports` are not set in a `remote` input item, `tcp_ports: [514]` is added to the item.
+ - `udp_ports`: List of UDP port numbers to listen. If set, the `remote` input listens on the UDP ports. No defaults. If both `udp_ports` and `tcp_ports` are set in a `remote` input item, `udp_ports` is used and `tcp_ports` is dropped. See also [Port and SELinux](#port-and-selinux).
+ - `tcp_ports`: List of TCP port numbers to listen. If set, the `remote` input listens on the TCP ports. Default to `[514]`. If both `udp_ports` and `tcp_ports` are set in a `remote` input item, `udp_ports` is used and `tcp_ports` is dropped. If both `udp_ports` and `tcp_ports` are not set in a `remote` input item, `tcp_ports: [514]` is added to the item. See also [Port and SELinux](#port-and-selinux).
- `tls`: Set to `true` to encrypt the connection using the default TLS implementation used by the provider. Default to `false`.
- `pki_authmode`: Specifying the default network driver authentication mode. `x509/name`, `x509/fingerprint`, `anon` is accepted. Default to `x509/name`.
- `permitted_clients`: List of hostnames, IP addresses, fingerprints(sha1), and wildcard DNS domains which will be allowed by the `logging` server to connect and send logs over TLS. Default to `['*.{{ logging_domain }}']`
@@ -591,6 +592,15 @@ The following playbook generates the same logging configuration files.
outputs: [remote_files_output0, remote_files_output1]
```
+### Port and SELinux
+
+SELinux is only configured to allow sending and receiving on the following ports by default:
+```
+syslogd_port_t tcp 514, 20514
+syslogd_port_t udp 514, 20514
+```
+If other ports need to be configured, you can use [linux-system-roles/selinux](https://github.com/linux-system-roles/selinux) to manage SELinux contexts.
+
## Providers
[Rsyslog](roles/rsyslog) - This documentation contains rsyslog specific information.
--
2.26.2