On 3/21/19 2:29 PM, Sugar, David wrote:
type=AVC msg=audit(1553029357.588:513): avc: denied { sendto } for pid=7577 comm="unix_chkpwd" path="/dev/log" scontext=toor_u:staff_r:chkpwd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
---
policy/modules/system/authlogin.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 2b7586a2..d0c71285 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -144,6 +144,11 @@ ifdef(`distro_ubuntu',`
')
')
+ifdef(`init_systemd',`
+ # for journald /dev/log
+ kernel_dgram_send(chkpwd_t)
+')
+
optional_policy(`
# apache leaks file descriptors
apache_dontaudit_rw_tcp_sockets(chkpwd_t)
Merged.
--
Chris PeBenito
