2010-03-12 20:58:58

by Serge E. Hallyn

Subject: [refpolicy] [PATCH refpolicy] add capability2:syslog perm

CAP_SYSLOG is (hopefully) being split out from CAP_SYS_ADMIN. This
patch adds capability2:syslog to the access vectors, and adds the
perm to a few domains which look like they'll need it.

This patch is just advisory right now - please do not apply until/unless
the corresponding kernel patch is accepted :)

Signed-off-by: Serge E. Hallyn <[email protected]>
Cc: refpolicy at oss.tresys.com
Cc: "Christopher J. PeBenito" <[email protected]>
Cc: Eric Paris <[email protected]>
Cc: Stephen Smalley <[email protected]>
---
policy/flask/access_vectors | 1 +
policy/modules/admin/dmesg.te | 1 +
policy/modules/system/init.te | 2 ++
policy/modules/system/logging.te | 2 ++
4 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 6760c95..6e7af2c 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -428,6 +428,7 @@ class capability2
{
mac_override # unused by SELinux
mac_admin # unused by SELinux
+ syslog # used to be part of sys_admin
}

#
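Review bot: the comment on the added `syslog` line in class capability2 records only where the permission came from ("used to be part of sys_admin"), not what it controls. Suggest naming the operation it gates, so someone reading access_vectors does not have to find the kernel patch to understand the permission.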
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index 36033f7..edc6aa6 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -16,6 +16,7 @@ init_system_domain(dmesg_t, dmesg_exec_t)
#

allow dmesg_t self:capability sys_admin;
+allow dmesg_t self:capability2 syslog;
dontaudit dmesg_t self:capability sys_tty_config;

allow dmesg_t self:process signal_perms;
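Review bot: `allow dmesg_t self:capability sys_admin;` stays in place directly above the new `capability2 syslog` rule, so dmesg_t ends up with both and gains no reduction in privilege from the split. If sys_admin was granted here only for kernel log access, add a comment saying it is kept for kernels without the split and should be removed afterwards, or drop it in a follow-up patch.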
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 6f5dc89..f9ae18e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -203,6 +203,7 @@ optional_policy(`

allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
allow initrc_t self:capability ~{ sys_admin sys_module };
+allow initrc_t self:capability2 syslog;
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;

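Review bot: the added `allow initrc_t self:capability2 syslog;` is unconditional, but the rule just above it deliberately withholds sys_admin with `~{ sys_admin sys_module }`, and sys_admin is only granted to initrc_t inside distro-specific blocks further down. Since syslog is described as split out of sys_admin, this gives initrc_t on every build an ability it did not have outside those blocks. Suggest dropping this rule and adding syslog only where sys_admin is already allowed.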
@@ -445,6 +446,7 @@ ifdef(`distro_gentoo',`
ifdef(`distro_redhat',`
# this is from kmodule, which should get its own policy:
allow initrc_t self:capability sys_admin;
+ allow initrc_t self:capability2 syslog;

allow initrc_t self:process setfscreate;

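Review bot: the `allow initrc_t self:capability2 syslog;` added inside the distro_redhat block duplicates the unconditional rule added at line 203 of this file, so one of the two is redundant. The existing comment also attributes the sys_admin grant to kmodule; if kmodule does not read or control the kernel log, syslog is not needed here at all, and the comment should say which user of the block requires it.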
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index f6ba06c..7eb6bd8 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -268,6 +268,7 @@ sysnet_dns_name_resolve(audisp_remote_t)
#

allow klogd_t self:capability sys_admin;
+allow klogd_t self:capability2 syslog;
dontaudit klogd_t self:capability { sys_resource sys_tty_config };
allow klogd_t self:process signal_perms;

@@ -330,6 +331,7 @@ optional_policy(`
# sys_admin for the integrated klog of syslog-ng and metalog
# cjp: why net_admin!
allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
+allow syslogd_t self:capability2 syslog;
dontaudit syslogd_t self:capability sys_tty_config;
# setpgid for metalog
# setrlimit for syslog-ng
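Review bot: the comment above the syslogd_t rule says sys_admin is there "for the integrated klog of syslog-ng and metalog", which is the use the new `capability2 syslog` rule now covers, yet sys_admin stays in the capability set and the comment is unchanged. Suggest updating the comment to point at the syslog permission and noting that sys_admin can be removed from the list once the kernel split is in place.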
--
1.6.0.6