From 37f81bbc8011612ccf9e65a1ffc9cc0d878fe575 Mon Sep 17 00:00:00 2001
From: Guido Trentalancia
Date: Wed, 13 Sep 2023 15:32:31 +0200
Subject: [PATCH] Fix the recently introduced "logging_syslog_can_network" tunable policy, by including TCP/IP socket creation permissions.
Signed-off-by: Guido Trentalancia
---
 policy/modules/system/logging.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
---
 policy/modules/system/logging.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 9bf9d0d81..e0249aa83 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -408,8 +408,6 @@ allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
 allow syslogd_t self:unix_dgram_socket sendto;
 allow syslogd_t self:fifo_file rw_fifo_file_perms;
-allow syslogd_t self:udp_socket create_socket_perms;
-allow syslogd_t self:tcp_socket create_stream_socket_perms;
 allow syslogd_t syslog_conf_t:file read_file_perms;
 allow syslogd_t syslog_conf_t:dir list_dir_perms;
@@ -583,6 +581,8 @@ ifdef(`distro_ubuntu',`
 tunable_policy(`logging_syslog_can_network',`
 allow syslogd_t self:capability { net_admin };
+ allow syslogd_t self:tcp_socket create_stream_socket_perms;
+ allow syslogd_t self:udp_socket create_socket_perms;
 corenet_all_recvfrom_netlabel(syslogd_t)
 corenet_udp_sendrecv_generic_if(syslogd_t)
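Review bot: The two `allow` lines added inside the logging_syslog_can_network tunable block are now the only visible grant of TCP/UDP socket creation to syslogd_t, because the first hunk removes the unconditional ones, and nothing in the block records that intent. A one-line comment above them, such as `# TCP/UDP socket creation is granted only when network logging is enabled`, would make the least-privilege decision explicit for the next editor. The subject line says permissions are being "included", while the net effect is that syslogd_t loses socket creation whenever the tunable is off. Hosts that send or receive logs over the network without the boolean set would presumably start logging AVC denials for syslogd_t, which is worth stating in the description. The tunable_policy block continues past the end of the hunk, so whether any rule outside it still assumes these sockets cannot be checked from here.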