RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix syslogd audits

This commit is contained in:
cgzones 2016-12-04 17:42:52 +01:00
parent db06838142
commit c1fa5e55ab
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
policy/modules/system/logging.te
View File

@ -372,7 +372,7 @@ optional_policy(`
# sys_nice for rsyslog
# cjp: why net_admin!
allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
dontaudit syslogd_t self:capability sys_tty_config;
dontaudit syslogd_t self:capability { sys_tty_config sys_ptrace };
# setpgid for metalog
# setrlimit for syslog-ng
# getsched for syslog-ng
@ -456,6 +456,7 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
dev_filetrans(syslogd_t, devlog_t, sock_file)
dev_read_sysfs(syslogd_t)
dev_read_urand(syslogd_t)
# Allow access to /dev/kmsg for journald
dev_rw_kmsg(syslogd_t)
@ -498,7 +499,10 @@ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
userdom_dontaudit_search_user_home_dirs(syslogd_t)
ifdef(`init_systemd',`
# systemd-journald permissions
allow syslogd_t self:capability { chown setuid setgid };
allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
kernel_use_fds(syslogd_t)
kernel_getattr_dgram_sockets(syslogd_t)