Allow unconfined domains to use syslog capability
When an unconfined_t root user runs dmesg, the kernel complains with
this message in its logs (when SELinux is in enforcing mode):
dmesg (16289): Attempt to access syslog with CAP_SYS_ADMIN but no
CAP_SYSLOG (deprecated).
audit.log contains following AVC:
avc: denied { syslog } for pid=16289 comm="dmesg" capability=34
scontext=unconfined_u:unconfined_r:unconfined_t
tcontext=unconfined_u:unconfined_r:unconfined_t tclass=capability2
This commit is contained in:
Nicolas Iooss
Chris PeBenito
parent
f8a0451c7d
commit
4067a18530
|
|
@ -20,6 +20,7 @@ interface(`unconfined_domain_noaudit',`
|
||||||
|
|
||||||
# Use most Linux capabilities
|
# Use most Linux capabilities
|
||||||
allow $1 self:capability ~sys_module;
|
allow $1 self:capability ~sys_module;
|
||||||
|
allow $1 self:capability2 syslog;
|
||||||
allow $1 self:fifo_file manage_fifo_file_perms;
|
allow $1 self:fifo_file manage_fifo_file_perms;
|
||||||
|
|
||||||
# Transition to myself, to make get_ordered_context_list happy.
|
# Transition to myself, to make get_ordered_context_list happy.
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue