2012-10-04 18:16:01

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/1] Allow block_suspend for system logger

The syslog-ng daemon, running in the syslogd_t domain, seems to require this
capability very frequently - most likely for "safe" writing of the system events
to the system log.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/logging.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 696e0c8..dc9fc2a 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -356,6 +356,7 @@ optional_policy(`
# cjp: why net_admin!
allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
dontaudit syslogd_t self:capability sys_tty_config;
+allow syslogd_t self:capability2 block_suspend;
# setpgid for metalog
# setrlimit for syslog-ng
# getsched for syslog-ng
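Review bot: the added `allow syslogd_t self:capability2 block_suspend;` line has no comment saying which daemon needs it. The neighbouring rules are annotated per daemon ("# setpgid for metalog", "# setrlimit for syslog-ng"), so a matching "# block_suspend for syslog-ng" line would keep the rationale in the policy file and not only in the commit message. The message itself is tentative about the cause ("seems to require", "most likely"), and the rule applies to every logger running as syslogd_t, not just syslog-ng. It is worth confirming that logging actually breaks when the capability is denied. If the daemon works without it, a dontaudit rule, like the one for sys_tty_config directly above, would silence the AVC noise without granting the capability.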
--
1.7.8.6