From 4067a18530579ba33f7a8cee307ae2be83f6b740 Mon Sep 17 00:00:00 2001 From: Nicolas Iooss Date: Mon, 9 Jun 2014 14:38:45 +0200 Subject: [PATCH] Allow unconfined domains to use syslog capability When an unconfined_t root user runs dmesg, the kernel complains with this message in its logs (when SELinux is in enforcing mode): dmesg (16289): Attempt to access syslog with CAP_SYS_ADMIN but no CAP_SYSLOG (deprecated). audit.log contains the following AVC: avc: denied { syslog } for pid=16289 comm="dmesg" capability=34 scontext=unconfined_u:unconfined_r:unconfined_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=capability2 --- policy/modules/system/unconfined.if | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if index 5ca20a97d..2b85a6e2a 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -20,6 +20,7 @@ interface(`unconfined_domain_noaudit',` # Use most Linux capabilities allow $1 self:capability ~sys_module; + allow $1 self:capability2 syslog; allow $1 self:fifo_file manage_fifo_file_perms; # Transition to myself, to make get_ordered_context_list happy.
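Review bot: the `# Use most Linux capabilities` comment in the `unconfined_domain_noaudit` hunk now sits above two rules in different object classes (`allow $1 self:capability ~sys_module;` and the new `allow $1 self:capability2 syslog;`) but still only speaks of "capabilities"; either extend the comment or give the new line its own, e.g. `# CAP_SYSLOG, so dmesg does not fall back to the deprecated CAP_SYS_ADMIN check`, so the next reader does not have to dig the kernel warning out of the commit message. The grant is deliberately narrow: only `syslog` is allowed in `capability2`, unlike the `~sys_module` wildcard used for `capability`, so any other `capability2` permission an unconfined domain needs will still surface as an AVC; it is worth saying in the commit message that this narrower grant is intentional rather than an oversight. The rule matches the denial shown (`capability=34` is CAP_SYSLOG, `tclass=capability2`, source and target both `unconfined_t`, which `self` covers). To verify after rebuilding and loading the policy, run `dmesg` as an unconfined root user in enforcing mode and confirm that `ausearch -m avc -c dmesg` no longer reports a `{ syslog }` denial with `tclass=capability2` and that the "Attempt to access syslog with CAP_SYS_ADMIN but no CAP_SYSLOG" kernel message stops appearing.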