Allow unconfined domains to use syslog capability

When an unconfined_t root user runs dmesg, the kernel complains with
this message in its logs (when SELinux is in enforcing mode):

  dmesg (16289): Attempt to access syslog with CAP_SYS_ADMIN but no
  CAP_SYSLOG (deprecated).

audit.log contains following AVC:

  avc:  denied  { syslog } for  pid=16289 comm="dmesg" capability=34
  scontext=unconfined_u:unconfined_r:unconfined_t
  tcontext=unconfined_u:unconfined_r:unconfined_t tclass=capability2
This commit is contained in:
Nicolas Iooss 2014-06-09 14:38:45 +02:00 committed by Chris PeBenito
parent f8a0451c7d
commit 4067a18530
1 changed files with 1 additions and 0 deletions

View File

@ -20,6 +20,7 @@ interface(`unconfined_domain_noaudit',`
# Use most Linux capabilities
allow $1 self:capability ~sys_module;
allow $1 self:capability2 syslog;
allow $1 self:fifo_file manage_fifo_file_perms;
# Transition to myself, to make get_ordered_context_list happy.