nnd
/
selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
selinux-refpolicy/policy/modules
History
Nicolas Iooss 4067a18530 Allow unconfined domains to use syslog capability 
When an unconfined_t root user runs dmesg, the kernel complains with
this message in its logs (when SELinux is in enforcing mode):

  dmesg (16289): Attempt to access syslog with CAP_SYS_ADMIN but no
  CAP_SYSLOG (deprecated).

audit.log contains following AVC:

  avc:  denied  { syslog } for  pid=16289 comm="dmesg" capability=34
  scontext=unconfined_u:unconfined_r:unconfined_t
  tcontext=unconfined_u:unconfined_r:unconfined_t tclass=capability2
 		2014-06-09 09:28:33 -04:00
..
admin Hide getattr denials upon sudo invocation 2014-04-04 16:07:43 -04:00
apps
contrib@1b67699d50 Update contrib. 2014-05-27 10:03:56 -04:00
kernel Module version bump for dropbox port from Sven Vermeulen. 2014-06-09 08:42:26 -04:00
roles Module version bump for deprecated interface usage removal from Nicolas Iooss. 2014-05-27 09:23:29 -04:00
services Module version bump for shutdown transitions from Luis Ressel. 2014-06-09 08:21:33 -04:00
system Allow unconfined domains to use syslog capability 2014-06-09 09:28:33 -04:00