-rw-r--r-- | policy/modules/system/logging.te | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 96ffbcd05..a9fbf1b0b 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -372,7 +372,7 @@ optional_policy(`
 # sys_nice for rsyslog
 # cjp: why net_admin!
 allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
-dontaudit syslogd_t self:capability sys_tty_config;
+dontaudit syslogd_t self:capability { sys_tty_config sys_ptrace };
 # setpgid for metalog
 # setrlimit for syslog-ng
 # getsched for syslog-ng
@@ -456,6 +456,7 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
 dev_filetrans(syslogd_t, devlog_t, sock_file)
 dev_read_sysfs(syslogd_t)
+dev_read_urand(syslogd_t)
 # Allow access to /dev/kmsg for journald
 dev_rw_kmsg(syslogd_t)
@@ -498,7 +499,10 @@ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_user_home_dirs(syslogd_t)
 ifdef(`init_systemd',`
+ # systemd-journald permissions
+ allow syslogd_t self:capability { chown setuid setgid };
+ allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
 kernel_use_fds(syslogd_t)
 kernel_getattr_dgram_sockets(syslogd_t)
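Review bot: The new `allow syslogd_t self:capability { chown setuid setgid };` inside the `ifdef(`init_systemd'` block carries only the generic comment `# systemd-journald permissions`, while this file otherwise annotates capabilities per consumer (`# sys_nice for rsyslog`, `# setpgid for metalog`); state what journald needs `setuid`/`setgid` for, since they let the domain change credentials. `chown` is already granted unconditionally by the `allow syslogd_t self:capability { ... chown fsetid };` rule in the first hunk, so listing it again here is redundant and could be dropped. The `netlink_audit_socket` rule grants `{ getattr getopt read setopt write }` but not `create`, so it presumably relies on a rule elsewhere or on an inherited socket — a comment confirming which would help the next reader. The `sys_ptrace` added to the `dontaudit` in the first hunk likewise deserves a one-line reason, e.g. `# sys_ptrace: journald inspecting client processes under /proc — confirm`. The `ifdef` block continues outside the hunk.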