commit: 8a244682cdb051e2a700155c49e9217baee65b0e
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sun Dec 4 16:42:52 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 8 04:36:39 2016 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8a244682
fix syslogd audits
policy/modules/system/logging.te | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 96ffbcd..a9fbf1b 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -372,7 +372,7 @@ optional_policy(`
# sys_nice for rsyslog
# cjp: why net_admin!
allow syslogd_t self:capability { dac_override sys_resource sys_tty_config
net_admin sys_admin sys_nice chown fsetid };
-dontaudit syslogd_t self:capability sys_tty_config;
+dontaudit syslogd_t self:capability { sys_tty_config sys_ptrace };
# setpgid for metalog
# setrlimit for syslog-ng
# getsched for syslog-ng
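Review bot: `sys_tty_config` in the new dontaudit on the `+` line is already granted by the `allow syslogd_t self:capability { ... sys_tty_config ... }` rule two lines above it, so that half of the dontaudit can never fire — dontaudit only suppresses denials, and an allowed permission produces none. The only effective change here is `sys_ptrace`, and unlike the neighbouring `# sys_nice for rsyslog` / `# setpgid for metalog` lines it does not say which daemon triggers the denial or why suppressing rather than allowing it is the right call (presumably a logger inspecting other processes' /proc entries, but that needs confirming from the denial). I would drop the dead permission and document the remaining one: `# sys_ptrace: <daemon, confirm> — denied on purpose, only silence the audit` followed by `dontaudit syslogd_t self:capability sys_ptrace;`. The same missing-consumer comment applies to the `dev_read_urand(syslogd_t)` line added in the next hunk, where the adjacent `dev_rw_kmsg` rule does name journald.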
@@ -456,6 +456,7 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
dev_filetrans(syslogd_t, devlog_t, sock_file)
dev_read_sysfs(syslogd_t)
+dev_read_urand(syslogd_t)
# Allow access to /dev/kmsg for journald
dev_rw_kmsg(syslogd_t)
@@ -498,7 +499,10 @@ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
userdom_dontaudit_search_user_home_dirs(syslogd_t)
ifdef(`init_systemd',`
+ # systemd-journald permissions
+
allow syslogd_t self:capability { chown setuid setgid };
+ allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt
write };
kernel_use_fds(syslogd_t)
kernel_getattr_dgram_sockets(syslogd_t)
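Review bot: `write` in the added `allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };` is only meaningful together with one of the `nlmsg_*` permissions (`nlmsg_read`, `nlmsg_write`, `nlmsg_relay`, …), none of which this rule grants, so either `write` is dead here or an `nlmsg_*` grant exists elsewhere in the policy — and in the latter case that combination is what lets the domain send messages to the kernel audit subsystem and should be called out. If the denial being fixed was journald subscribing to the audit multicast feed, the read side (`getattr getopt read setopt`) is what that needs, and `write` can be dropped until a sending use is documented. The rule also grants neither `create` nor `bind` on the socket, so it relies on those being granted by a rule not in this diff; worth confirming rather than waiting for the next denial. A comment such as `# journald: audit netlink socket (read-side only, <confirm>)` above the rule would tie it to its consumer, since the added `# systemd-journald permissions` header is separated from it by a blank line and the capability rule.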