2010-04-16 06:29:10

by gizmo

[permalink] [raw]
Subject: [refpolicy] [PATCH 1/1] allow syslog-ng to setrlimit

syslog-ng wants to increase the number of permissible open files from 256 to 4096 on unix/linux systems.


Signed-off-by: Chris Richards <[email protected]>
---
policy/modules/system/logging.te | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 1b05b64..5004241 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -342,7 +342,8 @@ optional_policy(`
allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
dontaudit syslogd_t self:capability sys_tty_config;
# setpgid for metalog
-allow syslogd_t self:process { signal_perms setpgid };
+# setrlimit for syslog-ng
+allow syslogd_t self:process { signal_perms setpgid setrlimit };
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
--
1.6.4.4


2010-04-24 12:03:02

by Chris PeBenito

[permalink] [raw]
Subject: [refpolicy] [PATCH 1/1] allow syslog-ng to setrlimit

On Fri, 2010-04-16 at 06:29 +0000, Chris Richards wrote:
> syslog-ng wants to increase the number of permissible open files from 256 to 4096 on unix/linux systems.

Merged.

> Signed-off-by: Chris Richards <[email protected]>
> ---
> policy/modules/system/logging.te | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
> index 1b05b64..5004241 100644
> --- a/policy/modules/system/logging.te
> +++ b/policy/modules/system/logging.te
> @@ -342,7 +342,8 @@ optional_policy(`
> allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
> dontaudit syslogd_t self:capability sys_tty_config;
> # setpgid for metalog
> -allow syslogd_t self:process { signal_perms setpgid };
> +# setrlimit for syslog-ng
> +allow syslogd_t self:process { signal_perms setpgid setrlimit };
> # receive messages to be logged
> allow syslogd_t self:unix_dgram_socket create_socket_perms;
> allow syslogd_t self:unix_stream_socket create_stream_socket_perms;


--
Chris PeBenito
<[email protected]>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243