Karsten Wade wrote:
On Thu, 2004-12-30 at 22:43 -0500, Daniel J Walsh wrote:
You could add these lines to syslog.te
Will it work to add them to local.te?
Yes
can_exec(syslogd_t, { bin_t shell_exec_t })
allow syslogd_t etc_runtime_t:file { getattr read };
allow syslogd_t proc_kmsg_t:file write;
allow syslogd_t proc_t:file { getattr read };
allow syslogd_t sbin_t:dir search;
allow syslogd_t self:capability { chown fowner fsetid sys_admin };
I see these and a few more from using audit2allow. How did you decide which to use? Does can_exec() replace some of the rules? These ones, at least:
allow syslogd_t bin_t:file { execute execute_no_trans getattr read };
allow syslogd_t shell_exec_t:file { execute execute_no_trans getattr read };
Yes, seeing the execute priv, I realized what it is trying to do. So just adding can_exec is usually better than trying to explicitly give individual privs. Also, sometimes audit2allow will tell you some process wants read privs; invariably it will ask for getattr as soon as I grant read, so we usually give both privs right away.
There is some directory in /usr that needs to be relabeled syslogd_var_run_t to eliminate the following:
allow syslogd_t usr_t:dir { add_name remove_name write };
allow syslogd_t usr_t:file { append create getattr read setattr unlink write };
In other words, relabel the directory in /usr so that these rules are not needed?
Yes. Not knowing which directory this is, but say there is a /usr/syslog directory, relabel it via chcon:
chcon -R -t syslogd_var_run_t /usr/syslog
You would also want to add an entry under file contexts for
/usr/syslog(/.*)? system_u:object_r:syslogd_var_run_t
in either policy/file_contexts/program/syslog.fc or policy/file_contexts/misc/misc.fc
thx - Karsten