Add support for rsyslog
Allow the syslogd_t domain the sys_nice capability and process setsched, allow it to search /var/spool, and allow it to read network state files in /proc. squash! Add support for rsyslog
This commit is contained in:
parent
bb00509804
commit
7955d0b246
@ -353,13 +353,15 @@ optional_policy(`
|
||||
|
||||
# chown fsetid for syslog-ng
|
||||
# sys_admin for the integrated klog of syslog-ng and metalog
|
||||
# sys_nice for rsyslog
|
||||
# cjp: why net_admin!
|
||||
allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
|
||||
allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
|
||||
dontaudit syslogd_t self:capability sys_tty_config;
|
||||
# setpgid for metalog
|
||||
# setrlimit for syslog-ng
|
||||
# getsched for syslog-ng
|
||||
allow syslogd_t self:process { signal_perms setpgid setrlimit getsched };
|
||||
# setsched for rsyslog
|
||||
allow syslogd_t self:process { signal_perms setpgid setrlimit getsched setsched };
|
||||
# receive messages to be logged
|
||||
allow syslogd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@ -377,6 +379,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
|
||||
# create/append log files.
|
||||
manage_files_pattern(syslogd_t, var_log_t, var_log_t)
|
||||
rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
|
||||
files_search_spool(syslogd_t)
|
||||
|
||||
# Allow access for syslog-ng
|
||||
allow syslogd_t var_log_t:dir { create setattr };
|
||||
@ -394,6 +397,7 @@ manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
|
||||
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
|
||||
|
||||
kernel_read_system_state(syslogd_t)
|
||||
kernel_read_network_state(syslogd_t)
|
||||
kernel_read_kernel_sysctls(syslogd_t)
|
||||
kernel_read_proc_symlinks(syslogd_t)
|
||||
# Allow access to /proc/kmsg for syslog-ng
|
||||
|
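Review bot: The `sys_nice` added to the `allow syslogd_t self:capability { ... }` rule in the first hunk is a wider grant than the paired `self:process setsched` suggests: CAP_SYS_NICE also lets the domain change the priority, scheduling policy and CPU affinity of arbitrary processes, not just lower its own nice value, and this daemon parses input it receives over sockets. If rsyslog only attempts this at startup when a raised priority is configured, a `dontaudit syslogd_t self:capability sys_nice;` beside the existing `dontaudit syslogd_t self:capability sys_tty_config;` would silence the denial without granting it; if the capability is genuinely required, the `# sys_nice for rsyslog` comment should name which call needs it so the grant can be re-evaluated later. The `files_search_spool(syslogd_t)` addition in the second hunk likewise deserves a comment naming the directory it is for, because search alone will not cover a queue or state directory under /var/spool if one is needed, and that would be better served by a dedicated type and filetrans than by widening var_spool_t access later. The `optional_policy(` in the hunk header is only the nearest preceding context, so whether these rules sit inside an optional block is not visible from this section.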