From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Thu, 11 Apr 2013 10:34:43 +0200
Subject: [refpolicy] [PATCH 13/13] Add setuid/setgid capability to ulogd_t
In-Reply-To: <1365669283-22005-1-git-send-email-sven.vermeulen@siphos.be>
References: <1365669283-22005-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1365669283-22005-14-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The ulog daemon, when launched with the "-u" option, will change uid/gid after
it finished its root-required tasks. This is handled in src/ulogd.c. If we do
not allow setuid/setgid, the following errors are displayed and the start-up
fails.

Sun Mar 17 23:53:53 2013 <5> ulogd.c:1184 Changing UID / GID
Sun Mar 17 23:53:53 2013 <8> ulogd.c:1186 can't set GID 245

Reported-by: vespian <vespian@o2.pl>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 ulogd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ulogd.te b/ulogd.te
index c6acbbe..d41c4b1 100644
--- a/ulogd.te
+++ b/ulogd.te
@@ -26,7 +26,7 @@ logging_log_file(ulogd_var_log_t)
 # Local policy
 #
 
-allow ulogd_t self:capability { net_admin sys_nice };
+allow ulogd_t self:capability { net_admin setuid setgid sys_nice };
 allow ulogd_t self:process setsched;
 allow ulogd_t self:netlink_nflog_socket create_socket_perms;
 allow ulogd_t self:netlink_socket create_socket_perms;
-- 
1.8.1.5