From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 13 Nov 2013 09:15:54 -0500
Subject: [refpolicy] [PATCH 1/1] Allow capabilities for syslog-ng
In-Reply-To: <20131021185205.GA21893@siphos.be>
References: <20131021185205.GA21893@siphos.be>
Message-ID: <5283899A.6000407@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon Oct 21 14:52:05 2013, Sven Vermeulen wrote:
> The syslog-ng logger has (build-optional) support for capabilities. If
> capabilities support is enabled, running it without setcap/getcap
> permissions gives the following upon start:
>
> * Starting syslog-ng ...
> syslog-ng: Error setting capabilities, capability management disabled;
> error='Permission denied' [ ok ]
>
> Granting only setcap (initial AVC seen) does not fully help either:
>
> * Starting syslog-ng ...
> Error managing capability set, cap_set_proc returned an error;
>
> With setcap and getcap enabled, syslog-ng starts and functions fine.
>
> See also https://bugs.gentoo.org/show_bug.cgi?id=488718
>
> Reported-by: Vincent Brillault
> Signed-off-by: Sven Vermeulen
> ---
> policy/modules/system/logging.te | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
> index 59b04c1..d7e857e 100644
> --- a/policy/modules/system/logging.te
> +++ b/policy/modules/system/logging.te
> @@ -361,7 +361,7 @@ dontaudit syslogd_t self:capability sys_tty_config;
> # setrlimit for syslog-ng
> # getsched for syslog-ng
> # setsched for rsyslog
> -allow syslogd_t self:process { signal_perms setpgid setrlimit getsched setsched };
> +allow syslogd_t self:process { getcap setcap signal_perms setpgid setrlimit getsched setsched };
> # receive messages to be logged
> allow syslogd_t self:unix_dgram_socket create_socket_perms;
> allow syslogd_t self:unix_stream_socket create_stream_socket_perms;

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
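Review bot: the `+allow syslogd_t self:process { getcap setcap ... }` line in the logging.te hunk adds two permissions without extending the comment block directly above it, which is where this file records why each unusual process permission exists (`# setrlimit for syslog-ng`, `# getsched for syslog-ng`, `# setsched for rsyslog`). Suggest adding a matching line such as `# getcap setcap for syslog-ng capability management` so a later reader can tell which daemon needs them without digging up this commit message, which is currently the only place that rationale lives. Granting getcap together with setcap is consistent with the report that setcap alone still failed in cap_set_proc, so the permission set itself looks right.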