authorcgzones <cgzones@googlemail.com>2016-12-04 17:42:52 +0100
committerJason Zaman <jason@perfinion.com>2016-12-08 12:36:39 +0800
commit8a244682cdb051e2a700155c49e9217baee65b0e (patch)
treebb977b05dfdc269ed1eadd6cdf80e28226f0658d
parentportage: add signal and FEATURES=test perms (diff)
fix syslogd audits
-rw-r--r--policy/modules/system/logging.te6
1 files changed, 5 insertions, 1 deletions
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 96ffbcd0..a9fbf1b0 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -372,7 +372,7 @@ optional_policy(`
# sys_nice for rsyslog
# cjp: why net_admin!
allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
-dontaudit syslogd_t self:capability sys_tty_config;
+dontaudit syslogd_t self:capability { sys_tty_config sys_ptrace };
# setpgid for metalog
# setrlimit for syslog-ng
# getsched for syslog-ng
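Review bot: The `sys_ptrace` added to the self:capability dontaudit on the new line has no comment naming which syslog implementation triggers it, while every neighbouring rule in this block is annotated per daemon (`# sys_nice for rsyslog`, `# setpgid for metalog`, `# setrlimit for syslog-ng`). The commit message only says "fix syslogd audits", so a later reader cannot tell whether the capability is genuinely unneeded (silencing is correct) or a missing allow that will show up as a functional failure once the denial is hidden. Suggest a line above it such as `# sys_ptrace: requested when reading other processes' /proc entries, not needed, so only silenced`, naming the daemon actually observed — presumably journald, given the rest of this commit, but that should be confirmed before writing it down.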
@@ -456,6 +456,7 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
dev_filetrans(syslogd_t, devlog_t, sock_file)
dev_read_sysfs(syslogd_t)
+dev_read_urand(syslogd_t)
# Allow access to /dev/kmsg for journald
dev_rw_kmsg(syslogd_t)
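Review bot: `dev_read_urand(syslogd_t)` is added unconditionally, whereas the other journald-related additions in this commit are placed under `ifdef(`init_systemd'`. If the urandom read was observed from systemd-journald only, it belongs inside that block; if every syslog implementation needs it, a one-line comment in the file's existing style, e.g. `# urandom for <daemon>`, above the call would record why the rule is global. The blank lines around this hunk appear to have been dropped by the rendering, so the hunk's exact extent is inferred.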
@@ -498,7 +499,10 @@ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
userdom_dontaudit_search_user_home_dirs(syslogd_t)
ifdef(`init_systemd',`
+ # systemd-journald permissions
+
allow syslogd_t self:capability { chown setuid setgid };
+ allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
kernel_use_fds(syslogd_t)
kernel_getattr_dgram_sockets(syslogd_t)