From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Thu, 4 Oct 2012 20:16:01 +0200 Subject: [refpolicy] [PATCH 1/1] Allow block_suspend for system logger Message-ID: <20121004181601.GA29657@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The syslog-ng daemon, running in the syslogd_t domain, seems to require this capability very frequently - most likely for "safe" writing of the system events to the system log. Signed-off-by: Sven Vermeulen --- policy/modules/system/logging.te | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 696e0c8..dc9fc2a 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -356,6 +356,7 @@ optional_policy(` # cjp: why net_admin! allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid }; dontaudit syslogd_t self:capability sys_tty_config; +allow syslogd_t self:capability2 block_suspend; # setpgid for metalog # setrlimit for syslog-ng # getsched for syslog-ng -- 1.7.8.6
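Review bot: The added `allow syslogd_t self:capability2 block_suspend;` line carries no comment, and the commit message only guesses at the reason ("seems to require", "most likely"), so the policy records neither which daemon needs the capability nor why. The context lines directly below it use comments of the form `# setpgid for metalog` and `# setrlimit for syslog-ng`; add a matching `# block_suspend for syslog-ng` comment and quote the AVC denial in the commit message so the access can be confirmed. The rule grants the capability to every logger running in syslogd_t, not only syslog-ng, so please also state whether syslog-ng actually misbehaves without it. If it does not, a `dontaudit` rule like the `sys_tty_config` line just above would silence the denial without granting anything.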