On Tue, 2007-02-20 at 12:28 -0500, Daniel J Walsh wrote:

> audit needs fsetid
> 
> syslog needs to be able to create a tcp_socket for off machine logging.

Changelog

@@ -1,3 +1,5 @@
+- Patch for capability fix for auditd and networking fix for syslogd from
+  Dan Walsh.
 - Patch to remove redundant mls_trusted_object() call from Dan Walsh.
 - Patch for misc fixes to nis ypxfr policy from Dan Walsh.
 - Patch to allow apmd to telinit from Dan Walsh.

policy/modules/system/logging.te

@@ -1,5 +1,5 @@
 
-policy_module(logging,1.5.1)
+policy_module(logging,1.5.2)
 
 ########################################
 #
@@ -104,7 +104,7 @@ ifdef(`targeted_policy',`
 # Auditd local policy
 #
 
-allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
+allow auditd_t self:capability { audit_write audit_control fsetid sys_nice sys_resource };
 dontaudit auditd_t self:capability sys_tty_config;
 allow auditd_t self:process { signal_perms setpgid setsched };
 allow auditd_t self:file { getattr read write };
@@ -271,6 +271,7 @@ allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
 allow syslogd_t self:unix_dgram_socket sendto;
 allow syslogd_t self:fifo_file rw_file_perms;
 allow syslogd_t self:udp_socket create_socket_perms;
+allow syslogd_t self:tcp_socket create_stream_socket_perms;
 
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
@@ -324,6 +325,7 @@ corenet_udp_bind_syslogd_port(syslogd_t)
 corenet_tcp_sendrecv_all_if(syslogd_t)
 corenet_tcp_sendrecv_all_nodes(syslogd_t)
 corenet_tcp_sendrecv_all_ports(syslogd_t)
+corenet_tcp_bind_all_nodes(syslogd_t)
 corenet_tcp_bind_rsh_port(syslogd_t)
 corenet_tcp_connect_rsh_port(syslogd_t)