From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Fri, 23 May 2014 18:22:18 +0200
Subject: [refpolicy] [PATCH] Allow kern_unconfined domains to use syslog capability
Message-ID: <1400862138-4079-1-git-send-email-nicolas.iooss@m4x.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

When an unconfined_t root user runs dmesg, the kernel complains with this message in its logs (when SELinux is in enforcing mode):

dmesg (16289): Attempt to access syslog with CAP_SYS_ADMIN but no CAP_SYSLOG (deprecated).

audit.log contains the following AVC:

avc: denied { syslog } for pid=16289 comm="dmesg" capability=34 scontext=unconfined_u:unconfined_r:unconfined_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=capability2

Moreover, policy/modules/kernel/kernel.if defines the kernel_read_ring_buffer interface as:

allow $1 self:capability2 syslog;
allow $1 kernel_t:system syslog_read;

As domains with the kern_unconfined attribute already have all kernel_t:system permissions, this patch allows such domains to use CAP_SYSLOG.
---
 policy/modules/kernel/kernel.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index c7cd4e4..f436490 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -417,6 +417,7 @@ allow kern_unconfined proc_type:{ dir file lnk_file } *; allow kern_unconfined sysctl_type:{ dir file } *; +allow kern_unconfined self:capability2 syslog; allow kern_unconfined kernel_t:system *; allow kern_unconfined unlabeled_t:dir_file_class_set *;
-- 
1.9.2
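Review bot: the new `allow kern_unconfined self:capability2 syslog;` line is inserted between the `sysctl_type` and `kernel_t:system` rules, which are all grouped by kernel target type, while this one targets `self`; consider adding a one-line comment above it noting that it pairs with the existing `allow kern_unconfined kernel_t:system *;` (which already covers `syslog_read`) to give kern_unconfined domains the same pair of permissions kernel_read_ring_buffer() grants, so a later reader does not wonder why a self capability rule sits in the kernel-object block. On the substance, granting only `syslog` rather than the whole `capability2` class matches the AVC in the commit message (tclass=capability2, capability=34) and keeps the grant minimal, which looks right.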