[PATCH] Allow syslog to write to the runtime socket

"Sugar, David" <dsugar@xxxxxxxxxx> · Wed, 4 Dec 2019 16:33:19 +0000

This is realted to my previous patch for logging, I just didn't notice it before.

type=AVC msg=audit(1575426773.635:2469): avc:  denied  { write } for  pid=1213 comm="systemd-journal" name="syslog" dev="tmpfs" ino=22683 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=sock_file permissive=0

Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
---
 policy/modules/system/logging.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 73ca3042..eee6bc18 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -427,7 +427,7 @@ files_search_var_lib(syslogd_t)
 
 # manage runtime files
 allow syslogd_t syslogd_runtime_t:dir create_dir_perms;
-allow syslogd_t syslogd_runtime_t:sock_file { create setattr };
+allow syslogd_t syslogd_runtime_t:sock_file { create setattr write };
 allow syslogd_t syslogd_runtime_t:file map;
 manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
 files_pid_filetrans(syslogd_t, syslogd_runtime_t, file)
-- 
2.21.0








