author | cgzones <cgzones@googlemail.com> | 2016-12-04 17:42:52 +0100 |
---|---|---|
committer | Jason Zaman <jason@perfinion.com> | 2016-12-08 12:36:39 +0800 |
commit | 8a244682cdb051e2a700155c49e9217baee65b0e (patch) | |
tree | bb977b05dfdc269ed1eadd6cdf80e28226f0658d | |
parent | portage: add signal and FEATURES=test perms (diff) | |
fix syslogd audits
-rw-r--r-- | policy/modules/system/logging.te | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 96ffbcd0..a9fbf1b0 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -372,7 +372,7 @@ optional_policy(`
 # sys_nice for rsyslog
 # cjp: why net_admin!
 allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
-dontaudit syslogd_t self:capability sys_tty_config;
+dontaudit syslogd_t self:capability { sys_tty_config sys_ptrace };
 # setpgid for metalog
 # setrlimit for syslog-ng
 # getsched for syslog-ng
@@ -456,6 +456,7 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
 dev_filetrans(syslogd_t, devlog_t, sock_file)
 dev_read_sysfs(syslogd_t)
+dev_read_urand(syslogd_t)
 # Allow access to /dev/kmsg for journald
 dev_rw_kmsg(syslogd_t)
@@ -498,7 +499,10 @@ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_user_home_dirs(syslogd_t)
 ifdef(`init_systemd',`
+ # systemd-journald permissions
+ allow syslogd_t self:capability { chown setuid setgid };
+ allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
 kernel_use_fds(syslogd_t)
 kernel_getattr_dgram_sockets(syslogd_t)
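Review bot: The new `sys_ptrace` entry in `dontaudit syslogd_t self:capability { sys_tty_config sys_ptrace };` carries no explanation, while every other capability in this block is annotated (`# sys_nice for rsyslog`, `# setpgid for metalog`). Silencing rather than granting a capability that would let the daemon inspect other processes is the right choice, but a maintainer chasing a later denial needs to know which access produces it so the entry is not quietly upgraded to an `allow`; presumably it is journald looking up `/proc/<pid>` metadata of logging clients, which should be confirmed against the audit log that motivated the commit. Suggest adding `# sys_ptrace: silenced, not granted; triggered by /proc/<pid> lookups (confirm source)` directly above the dontaudit line. The surrounding optional_policy block starts before and ends after this hunk.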
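Review bot: `chown` in the new `allow syslogd_t self:capability { chown setuid setgid };` is already granted unconditionally by `allow syslogd_t self:capability { dac_override ... chown fsetid };` in the first hunk, so the systemd-only line should be reduced to `allow syslogd_t self:capability { setgid setuid };` to keep the rule set minimal and readable. `setuid` and `setgid` let the domain change its credentials, and the comment `# systemd-journald permissions` names the consumer but not the operation; following this file's convention of one why-comment per capability, a comment such as `# setuid/setgid: journald credential handling (confirm which call)` should replace it. The `netlink_audit_socket` line likewise deserves a one-line reason, presumably journald reading audit records from the kernel, hedged until confirmed. The init_systemd ifdef block continues past the end of the hunk.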