From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 21 Oct 2013 20:52:05 +0200
Subject: [refpolicy] [PATCH 1/1] Allow capabilities for syslog-ng
Message-ID: <20131021185205.GA21893@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The syslog-ng logger has (build-optional) support for capabilities. If
capabilities support is enabled, running it without setcap/getcap
permissions gives the following upon start:

 * Starting syslog-ng ...
syslog-ng: Error setting capabilities, capability management disabled; error='Permission denied'
 [ ok ]

Granting only setcap (initial AVC seen) does not fully help either:

 * Starting syslog-ng ...
Error managing capability set, cap_set_proc returned an error;

With setcap and getcap enabled, syslog-ng starts and functions fine.

See also https://bugs.gentoo.org/show_bug.cgi?id=488718

Reported-by: Vincent Brillault
Signed-off-by: Sven Vermeulen
---
 policy/modules/system/logging.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 59b04c1..d7e857e 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -361,7 +361,7 @@ dontaudit syslogd_t self:capability sys_tty_config;
 # setrlimit for syslog-ng
 # getsched for syslog-ng
 # setsched for rsyslog
-allow syslogd_t self:process { signal_perms setpgid setrlimit getsched setsched };
+allow syslogd_t self:process { getcap setcap signal_perms setpgid setrlimit getsched setsched };
 # receive messages to be logged
 allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
--
1.8.1.5
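Review bot: the `+allow syslogd_t self:process { getcap setcap ... }` line adds two permissions without the per-daemon comment the block above it maintains for every other non-obvious permission (`# setrlimit for syslog-ng`, `# getsched for syslog-ng`, `# setsched for rsyslog`), so the next reader has to dig up this commit to learn that getcap and setcap are only exercised by syslog-ng built with capability support, where cap_get_proc/cap_set_proc otherwise fail with the 'Permission denied' shown in the log. Suggest adding `# getcap setcap for syslog-ng (capability support)` next to the existing comment lines in the same hunk, which also records that both permissions were validated together, since the commit message notes the getcap denial only surfaced after setcap had been granted.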
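The allow rule in this patch is exactly what one derives from the AVC denials the commit message mentions. The following Python script is an added example, not part of the patch, of refpolicy or of syslog-ng: it parses audit records in the kernel's AVC format, unions the denied permissions per (source type, target type, class), collapses identical source and target types into `self`, and emits the refpolicy-style allow rule. The audit lines are constructed to mirror the two denials described above (setcap first, then getcap once setcap was granted) plus one SYSCALL record as noise; their pids, timestamps and serials are made up.

```python
import re
from collections import defaultdict

# Matches the kernel's AVC record:
# "avc:  denied  { perm ... } for  ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type (third field) of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a full SELinux context: {ctx!r}")
    return parts[2]


def parse_avc(line):
    """Parse one audit record.

    Returns (source_type, target_type, tclass, perms) for an AVC denial,
    or None for any other record (SYSCALL, CWD, ...).
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (
        context_type(m.group("scontext")),
        context_type(m.group("tcontext")),
        m.group("tclass"),
        frozenset(m.group("perms").split()),
    )


def collect_denials(lines):
    """Union the denied permissions per (source type, target type, object class)."""
    needed = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is not None:
            src, tgt, cls, perms = parsed
            needed[(src, tgt, cls)] |= perms
    return dict(needed)


def allow_rules(needed):
    """Render refpolicy-style allow rules: 'self' when source == target,
    permissions sorted, braces only when there is more than one."""
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        target = "self" if src == tgt else tgt
        perm_list = sorted(perms)
        perm_str = perm_list[0] if len(perm_list) == 1 else "{ " + " ".join(perm_list) + " }"
        rules.append(f"allow {src} {target}:{cls} {perm_str};")
    return rules


# Constructed sample audit records (pids, timestamps and serials are invented),
# modelled on the two denials in the commit message. syscall=126 is capset on
# x86_64 and exit=-13 is EACCES, the "Permission denied" syslog-ng printed.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1382381525.101:301): avc:  denied  { setcap } for  pid=21893 comm="syslog-ng" '
    'scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=process permissive=0',
    'type=SYSCALL msg=audit(1382381525.101:301): arch=c000003e syscall=126 success=no exit=-13 '
    'comm="syslog-ng" exe="/usr/sbin/syslog-ng" subj=system_u:system_r:syslogd_t:s0 key=(null)',
    'type=AVC msg=audit(1382381587.420:318): avc:  denied  { getcap } for  pid=21910 comm="syslog-ng" '
    'scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=process permissive=0',
]


def derive_rules(lines=SAMPLE_AUDIT):
    """Full pipeline: audit records -> list of allow rules."""
    return allow_rules(collect_denials(lines))


if __name__ == "__main__":
    for rule in derive_rules():
        print(rule)
```

On a real system `audit2allow -R` over /var/log/audit/log does the same job with refpolicy interface lookup. Note that in enforcing mode a daemon usually aborts at the first denied call, which is why the commit message saw only the setcap AVC at first and the getcap one after granting it; putting the domain in permissive mode (`semanage permissive -a syslogd_t`) logs every denial in one run, so the script above can produce the complete rule from a single start of the daemon.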