From: dominick.grift@gmail.com (Dominick Grift) Date: Wed, 17 Apr 2013 18:46:08 +0200 Subject: [refpolicy] [PATCH 13/13] Add setuid/setgid capability to ulogd_t In-Reply-To: <1365669283-22005-14-git-send-email-sven.vermeulen@siphos.be> References: <1365669283-22005-1-git-send-email-sven.vermeulen@siphos.be> <1365669283-22005-14-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1366217168.2803.48.camel@x220.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote: > The ulog daemon, when launched with the "-u" option, will change uid/gid after > it finished its root-required tasks. This is handled in src/ulogd.c. If we do > not allow setuid/setgid, the following errors are displayed and the start-up > fails. > > Sun Mar 17 23:53:53 2013 <5> ulogd.c:1184 Changing UID / GID > Sun Mar 17 23:53:53 2013 <8> ulogd.c:1186 can't set GID 245 > > Reported-by: vespian > Signed-off-by: Sven Vermeulen Merged, thanks > --- > ulogd.te | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/ulogd.te b/ulogd.te > index c6acbbe..d41c4b1 100644 > --- a/ulogd.te > +++ b/ulogd.te > @@ -26,7 +26,7 @@ logging_log_file(ulogd_var_log_t) > # Local policy > # > > -allow ulogd_t self:capability { net_admin sys_nice }; > +allow ulogd_t self:capability { net_admin setuid setgid sys_nice }; > allow ulogd_t self:process setsched; > allow ulogd_t self:netlink_nflog_socket create_socket_perms; > allow ulogd_t self:netlink_socket create_socket_perms;
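Review bot: The changed `allow ulogd_t self:capability` line grants setuid and setgid with no comment saying why, although the commit message ties them to one specific case: ulogd started with "-u", changing uid/gid in src/ulogd.c after its root-required tasks. A short comment above the rule naming that privilege drop would keep the justification next to the permission, so a later audit of ulogd.te does not have to dig through the list archive. Also, the quoted log only shows the GID failure ("can't set GID 245"), so setuid is added on the strength of the "Changing UID / GID" message rather than an observed error; including the corresponding AVC denials in the commit message would confirm that both capabilities are actually requested.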