Fix the recently introduced "logging_syslog_can_network"

tunable policy, by including TCP/IP socket creation permissions. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- policy/modules/system/logging.te | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
2023-09-13 15:32:31 +02:00 · 2023-09-13 15:32:31 +02:00 · 37f81bbc80
parent c032204af3
commit 37f81bbc80
1 changed files with 2 additions and 2 deletions
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@ -408,8 +408,6 @@ allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
 allow syslogd_t self:unix_dgram_socket sendto;
 allow syslogd_t self:fifo_file rw_fifo_file_perms;
-allow syslogd_t self:udp_socket create_socket_perms;
-allow syslogd_t self:tcp_socket create_stream_socket_perms;

 allow syslogd_t syslog_conf_t:file read_file_perms;
 allow syslogd_t syslog_conf_t:dir list_dir_perms;
@ -583,6 +581,8 @@ ifdef(`distro_ubuntu',`

 tunable_policy(`logging_syslog_can_network',`
 	allow syslogd_t self:capability { net_admin };
+	allow syslogd_t self:tcp_socket create_stream_socket_perms;
+	allow syslogd_t self:udp_socket create_socket_perms;

 	corenet_all_recvfrom_netlabel(syslogd_t)
 	corenet_udp_sendrecv_generic_if(syslogd_t)