[PATCH 1/1] Resolve denial about logging to journal from chkpwd

"Sugar, David" <dsugar@xxxxxxxxxx> · Thu, 21 Mar 2019 18:29:26 +0000

type=AVC msg=audit(1553029357.588:513): avc:  denied  { sendto } for  pid=7577 comm="unix_chkpwd" path="/dev/log" scontext=toor_u:staff_r:chkpwd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0

Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
---
 policy/modules/system/authlogin.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 2b7586a2..d0c71285 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -144,6 +144,11 @@ ifdef(`distro_ubuntu',`
 	')
 ')
 
+ifdef(`init_systemd',`
+	# for journald /dev/log
+	kernel_dgram_send(chkpwd_t)
+')
+
 optional_policy(`
 	# apache leaks file descriptors
 	apache_dontaudit_rw_tcp_sockets(chkpwd_t)
-- 
2.20.1








