From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 17 Apr 2013 18:46:08 +0200
Subject: [refpolicy] [PATCH 13/13] Add setuid/setgid capability to
 ulogd_t
In-Reply-To: <1365669283-22005-14-git-send-email-sven.vermeulen@siphos.be>
References: <1365669283-22005-1-git-send-email-sven.vermeulen@siphos.be>
	<1365669283-22005-14-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1366217168.2803.48.camel@x220.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> The ulog daemon, when launched with the "-u" option, will change uid/gid after
> it finished its root-required tasks. This is handled in src/ulogd.c. If we do
> not allow setuid/setgid, the following errors are displayed and the start-up
> fails.
> 
> Sun Mar 17 23:53:53 2013 <5> ulogd.c:1184 Changing UID / GID
> Sun Mar 17 23:53:53 2013 <8> ulogd.c:1186 can't set GID 245
> 
> Reported-by: vespian <vespian@o2.pl>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

Merged, thanks
> ---
>  ulogd.te | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/ulogd.te b/ulogd.te
> index c6acbbe..d41c4b1 100644
> --- a/ulogd.te
> +++ b/ulogd.te
> @@ -26,7 +26,7 @@ logging_log_file(ulogd_var_log_t)
>  # Local policy
>  #
>  
> -allow ulogd_t self:capability { net_admin sys_nice };
> +allow ulogd_t self:capability { net_admin setuid setgid sys_nice };
>  allow ulogd_t self:process setsched;
>  allow ulogd_t self:netlink_nflog_socket create_socket_perms;
>  allow ulogd_t self:netlink_socket create_socket_perms;