The syslog-ng logger has (build-optional) support for capabilities. If
capabilities support is enabled, running it without setcap/getcap
permissions gives the following upon start:
* Starting syslog-ng ...
syslog-ng: Error setting capabilities, capability management disabled;
error='Permission denied' [ ok ]
Granting only setcap (initial AVC seen) does not fully help either:
* Starting syslog-ng ...
Error managing capability set, cap_set_proc returned an error;
With setcap and getcap enabled, syslog-ng starts and functions fine.
See also https://bugs.gentoo.org/show_bug.cgi?id=488718
Reported-by: Vincent Brillault <gentoo@lerya.net>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Allow sys_nice capability, setsched, allow to search in /var/spool and
syslog_t domain to read network state files in /proc
squash! Add support for rsyslog
Some cron daemons, including vixie-cron, support using the system logger for
handling their logging events. Hence we allow syslogd_t to manage the cron logs,
and put a file transition in place for the system logger when it creates the
cron.log file.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
If the /var/lib/syslog directory does not exist, then syslog-ng (running in
syslogd_t) will attempt to create the directory.
Allow the syslogd_t domain to create the directory, and use an automatic file
transition towards syslogd_var_lib_t.
Also, the syslog-ng daemon uses a persistence file in
/var/lib/misc/syslog-ng.persist (and .persist- if it suspects a collision). As
/var/lib/misc is still a generic var_lib_t, we have the syslogd_t daemon write
its files as syslogd_var_lib_t therein.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Recent syslog-ng implementation uses a threading library that requires the getsched permission.
See also https://bugs.gentoo.org/show_bug.cgi?id=405425
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
syslog-ng wants to increase the number of permissible open files from 256 to 4096 on unix/linux systems.
Signed-off-by: Chris Richards <gizmo@giz-works.com>
Signed-off-by: Chris PeBenito <pebenito@gentoo.org>
