Re: syslog-ng non-standard install generating AVC

On Thu, 2004-12-30 at 22:43 -0500, Daniel J Walsh wrote:
> You could add these lines to syslog.te

Will it work to add them to local.te?

> can_exec(syslog_t, { bin_t shell_exec_t } )
> allow syslogd_t etc_runtime_t:file { getattr read };
> allow syslogd_t proc_kmsg_t:file write;
> allow syslogd_t proc_t:file { getattr read };
> allow syslogd_t sbin_t:dir search;
> allow syslogd_t self:capability { chown fowner fsetid sys_admin };

I see these and a few more from using audit2allow.  How did you decide
which to use?  Does can_exec() replace some of the rules?  These ones,
at least:

allow syslogd_t bin_t:file { execute execute_no_trans getattr read };
allow syslogd_t shell_exec_t:file { execute execute_no_trans getattr read };


> There is some directory in /usr that needs to be relabeled
> syslogd_var_run_t to eliminate the following
> 
> allow syslogd_t usr_t:dir { add_name remove_name write };
> allow syslogd_t usr_t:file { append create getattr read setattr unlink write };

In other words, relabel the directory in /usr so that these rules are
not needed?

thx - Karsten
-- 
Karsten Wade, RHCE, Sr. Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115  5F1B D992 0E06 AD0E 0C41
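The question above (does can_exec() replace the explicit bin_t/shell_exec_t rules, and which audit2allow rules are left once the proposed lines go in) can be answered mechanically. The script below is an added example for this thread, not code from the list, from Red Hat or from the SELinux policy. It assumes the FC3-era expansion of can_exec(domain, type) into `allow domain type:file { read getattr lock ioctl execute execute_no_trans };` (an assumption modelled on the old global_macros.te; check the macros file of the policy actually installed), parses both the proposed lines and the audit2allow output as quoted in the mail, and reports which audit2allow rules are fully implied. The sample rule text is constructed from the quoted lines. Note that the quoted call is `can_exec(syslog_t, ...)` while every allow rule names `syslogd_t`; the check treats those as two different domains, so the bin_t and shell_exec_t rules come back as uncovered until the domain names agree, which the second run in `__main__` shows.

```python
"""Check which audit2allow rules a proposed policy fragment already covers.

Added example for this thread; not code from the mailing list, Red Hat or
the SELinux policy.  The can_exec() expansion below is an ASSUMPTION
modelled on the Fedora Core 3-era macros (global_macros.te) and should be
checked against the macros file of the policy actually in use.
"""
import re

# ASSUMPTION: can_exec(domain, type) in the FC3-era policy expands to
#   allow domain type:file { rx_file_perms execute_no_trans };
# with rx_file_perms = { read getattr lock ioctl execute }.
CAN_EXEC_PERMS = frozenset(
    {"read", "getattr", "lock", "ioctl", "execute", "execute_no_trans"}
)

# allow SRC TGT:CLASS { p1 p2 ... };   or   allow SRC TGT:CLASS p1;
RULE_RE = re.compile(
    r"allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+?))\s*;"
)
# can_exec(DOMAIN, { t1 t2 ... })   or   can_exec(DOMAIN, t1)
CAN_EXEC_RE = re.compile(
    r"can_exec\(\s*(\S+?)\s*,\s*(?:\{\s*([^}]*)\}|(\S+?))\s*\)"
)

# Constructed from the proposed additions quoted in the thread.
PROPOSED = """
can_exec(syslog_t, { bin_t shell_exec_t } )
allow syslogd_t etc_runtime_t:file { getattr read };
allow syslogd_t proc_kmsg_t:file write;
allow syslogd_t proc_t:file { getattr read };
allow syslogd_t sbin_t:dir search;
allow syslogd_t self:capability { chown fowner fsetid sys_admin };
"""

# Constructed audit2allow output: the rules quoted in the mail, wrapped
# across lines as they were there, plus the usr_t rules the thread says
# disappear once the directory under /usr is relabeled.
AUDIT2ALLOW = """
allow syslogd_t bin_t:file { execute execute_no_trans getattr read };
allow syslogd_t shell_exec_t:file { execute execute_no_trans getattr
read };
allow syslogd_t proc_kmsg_t:file write;
allow syslogd_t usr_t:dir { add_name remove_name write };
allow syslogd_t usr_t:file { append create getattr read setattr unlink
write };
"""


def parse_allow_rules(text):
    """Map (src, tgt, class) -> set of permissions for each allow rule.

    The text is whitespace-joined first so a rule wrapped across lines
    (as in a mail) still parses.
    """
    flat = " ".join(text.split())
    rules = {}
    for m in RULE_RE.finditer(flat):
        src, tgt, cls, braced, single = m.groups()
        perms = set(braced.split()) if braced is not None else {single}
        rules.setdefault((src, tgt, cls), set()).update(perms)
    return rules


def expand_can_exec(text):
    """Expand every can_exec(domain, types) call into equivalent allow rules."""
    flat = " ".join(text.split())
    rules = {}
    for m in CAN_EXEC_RE.finditer(flat):
        domain, braced, single = m.groups()
        for t in (braced.split() if braced is not None else [single]):
            rules.setdefault((domain, t, "file"), set()).update(CAN_EXEC_PERMS)
    return rules


def covered_rules(proposed_text, audit2allow_text):
    """Split audit2allow rules into those the proposal implies and those it does not.

    Returns (covered, uncovered): covered maps key -> granted perms,
    uncovered maps key -> the perms still missing from the proposal.
    """
    proposed = parse_allow_rules(proposed_text)
    for key, perms in expand_can_exec(proposed_text).items():
        proposed.setdefault(key, set()).update(perms)
    covered, uncovered = {}, {}
    for key, perms in parse_allow_rules(audit2allow_text).items():
        missing = perms - proposed.get(key, set())
        if missing:
            uncovered[key] = missing
        else:
            covered[key] = perms
    return covered, uncovered


if __name__ == "__main__":
    runs = (
        ("as quoted", PROPOSED),
        ("with can_exec domain syslogd_t",
         PROPOSED.replace("can_exec(syslog_t", "can_exec(syslogd_t")),
    )
    for label, text in runs:
        covered, uncovered = covered_rules(text, AUDIT2ALLOW)
        print("== %s ==" % label)
        for key in sorted(covered):
            print("covered:   allow %s %s:%s" % key)
        for key, missing in sorted(uncovered.items()):
            print("UNCOVERED: allow %s %s:%s  (missing %s)"
                  % (*key, " ".join(sorted(missing))))
```

With the domain names reconciled, only the two usr_t rules remain uncovered, which matches the advice in the thread that those go away by relabeling the directory rather than by adding rules; the directory is not named in the thread, so no relabel command is given here.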

