2019-12-04 16:34:40

by Sugar, David

Subject: [PATCH] Allow syslog to write to the runtime socket

This is realted to my previous patch for logging, I just didn't notice it before.

type=AVC msg=audit(1575426773.635:2469): avc: denied { write } for pid=1213 comm="systemd-journal" name="syslog" dev="tmpfs" ino=22683 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=sock_file permissive=0

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/logging.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 73ca3042..eee6bc18 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -427,7 +427,7 @@ files_search_var_lib(syslogd_t)

# manage runtime files
allow syslogd_t syslogd_runtime_t:dir create_dir_perms;
-allow syslogd_t syslogd_runtime_t:sock_file { create setattr };
+allow syslogd_t syslogd_runtime_t:sock_file { create setattr write };
allow syslogd_t syslogd_runtime_t:file map;
manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
files_pid_filetrans(syslogd_t, syslogd_runtime_t, file)
--
2.21.0