From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Mon, 9 Jun 2014 14:38:45 +0200
Subject: [refpolicy] [PATCH] Allow unconfined domains to use syslog capability
Message-ID: <1402317525-29391-1-git-send-email-nicolas.iooss@m4x.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

When an unconfined_t root user runs dmesg, the kernel complains with this
message in its logs (when SELinux is in enforcing mode):

dmesg (16289): Attempt to access syslog with CAP_SYS_ADMIN but no CAP_SYSLOG (deprecated).

audit.log contains the following AVC:

avc: denied { syslog } for pid=16289 comm="dmesg" capability=34 scontext=unconfined_u:unconfined_r:unconfined_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=capability2
---
 policy/modules/system/unconfined.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 5ca20a9..2b85a6e 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -20,6 +20,7 @@ interface(`unconfined_domain_noaudit',`
 
 	# Use most Linux capabilities
 	allow $1 self:capability ~sys_module;
+	allow $1 self:capability2 syslog;
 	allow $1 self:fifo_file manage_fifo_file_perms;
 
 	# Transition to myself, to make get_ordered_context_list happy.
-- 
2.0.0
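Review bot: the comment directly above the new line in `unconfined_domain_noaudit` still reads "# Use most Linux capabilities" while the block now grants permissions from two classes, so consider widening it (e.g. "# Use most Linux capabilities, including CAP_SYSLOG from capability2") so a later reader sees why `syslog` is granted on its own line rather than being covered by `allow $1 self:capability ~sys_module;`. It would also help the commit message to state the reason explicitly: CAP_SYSLOG (capability=34 in the quoted AVC) lives in the `capability2` class, which the existing `~sys_module` rule on `capability` cannot reach, which is why an otherwise unconfined domain still gets the denial. Since the quoted kernel message shows dmesg falling back to the deprecated CAP_SYS_ADMIN path, the practical effect of this one-line change is to make the check pass cleanly and stop the AVC and deprecation warning, not to unlock functionality the domain lacked; saying so in the message makes the intent clear to anyone reviewing the policy later.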