RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Allow capabilities for syslog-ng 

The syslog-ng logger has (build-optional) support for capabilities. If
capabilities support is enabled, running it without setcap/getcap
permissions gives the following upon start:

 * Starting syslog-ng ...
syslog-ng: Error setting capabilities, capability management disabled;
error='Permission denied' [ ok ]

Granting only setcap (initial AVC seen) does not fully help either:

 * Starting syslog-ng ...
 Error managing capability set, cap_set_proc returned an error;

With setcap and getcap enabled, syslog-ng starts and functions fine.

See also https://bugs.gentoo.org/show_bug.cgi?id=488718

Reported-by: Vincent Brillault <gentoo@lerya.net>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
This commit is contained in:
Sven Vermeulen 2013-10-21 20:52:05 +02:00 committed by Chris PeBenito
parent 2142e6e0cc
commit b00d94fb72
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
policy/modules/system/logging.te
View File

@ -361,7 +361,7 @@ dontaudit syslogd_t self:capability sys_tty_config;
# setrlimit for syslog-ng
# getsched for syslog-ng
# setsched for rsyslog
allow syslogd_t self:process { signal_perms setpgid setrlimit getsched setsched };
allow syslogd_t self:process { getcap setcap signal_perms setpgid setrlimit getsched setsched };
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;