From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Thu, 11 Apr 2013 10:34:43 +0200
Subject: [refpolicy] [PATCH 13/13] Add setuid/setgid capability to ulogd_t
In-Reply-To: <1365669283-22005-1-git-send-email-sven.vermeulen@siphos.be>
References: <1365669283-22005-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1365669283-22005-14-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The ulog daemon, when launched with the "-u" option, will change uid/gid after it has finished its root-required tasks. This is handled in src/ulogd.c.

If we do not allow setuid/setgid, the following errors are displayed and the start-up fails.

Sun Mar 17 23:53:53 2013 <5> ulogd.c:1184 Changing UID / GID
Sun Mar 17 23:53:53 2013 <8> ulogd.c:1186 can't set GID 245

Reported-by: vespian
Signed-off-by: Sven Vermeulen
---
 ulogd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ulogd.te b/ulogd.te index c6acbbe..d41c4b1 100644 --- a/ulogd.te +++ b/ulogd.te @@ -26,7 +26,7 @@ logging_log_file(ulogd_var_log_t) # Local policy # -allow ulogd_t self:capability { net_admin sys_nice }; +allow ulogd_t self:capability { net_admin setuid setgid sys_nice }; allow ulogd_t self:process setsched; allow ulogd_t self:netlink_nflog_socket create_socket_perms; allow ulogd_t self:netlink_socket create_socket_perms; -- 1.8.1.5
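Review bot: the capability set in the `+` line is no longer alphabetical; refpolicy keeps these sets sorted, so `allow ulogd_t self:capability { net_admin setgid setuid sys_nice };` would match the surrounding rules. A one-line comment above the rule saying that ulogd only exercises setgid/setuid when started with -u would also help a later reader, since the denial quoted in the commit message is the only record of why the two permissions were added.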
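The failure in the commit message ("can't set GID 245") is the daemon's setgid() call being refused. The following is an added example, written for this page and not taken from ulogd's src/ulogd.c, of the privilege-drop sequence such a daemon performs and where the SELinux `capability` permissions come in: setgroups() and setgid() need CAP_SETGID (the `setgid` permission), setuid() needs CAP_SETUID (the `setuid` permission). The function name `drop_privileges` and the gid 245 used in `main` are assumptions for illustration; 245 is simply the value from the quoted log line.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop privileges to uid/gid. Returns 0 on success, or -errno from the
 * step that failed (-EPERM when the kernel, or the SELinux capability
 * check behind it, refuses the change).
 *
 * Order matters: group changes first, because once the uid is no longer 0
 * the process has lost CAP_SETGID and can no longer change its groups. */
int drop_privileges(uid_t uid, gid_t gid)
{
    int was_root = (geteuid() == 0);

    /* setgroups() needs CAP_SETGID even for an empty list, so only a
     * root process attempts to clear its supplementary groups. */
    if (was_root && setgroups(0, NULL) != 0)
        return -errno;

    /* This is the call behind "can't set GID 245": without the setgid
     * capability permission it fails with EPERM. */
    if (setgid(gid) != 0)
        return -errno;

    /* Needs the setuid capability permission when leaving uid 0. */
    if (setuid(uid) != 0)
        return -errno;

    /* Sanity check: after dropping from root, regaining it must fail.
     * If setuid(0) succeeds here the drop was not effective. */
    if (was_root && uid != 0 && setuid(0) != -1)
        return -EPERM;

    return 0;
}

int main(void)
{
    /* Constructed demonstration target: the gid from the quoted log line. */
    gid_t target_gid = 245;
    uid_t target_uid = getuid();

    int rc = drop_privileges(target_uid, target_gid);
    if (rc != 0) {
        /* Same information the daemon logs, in plain form. */
        fprintf(stderr, "can't set GID %u: %s\n",
                (unsigned)target_gid, strerror(-rc));
        return 1;
    }
    printf("running as uid %u gid %u\n", (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

Run as an unprivileged user the program reports EPERM for gid 245, which is the same condition the missing `setgid` capability permission produces for a root-started ulogd_t under SELinux; allowing `setuid setgid` in the policy is what lets the root-to-unprivileged transition above complete.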