On Thu, 2008-07-17 at 11:55 -0400, Daniel J Walsh wrote:
> Shouldn't all of kernel/system be required, with the exception of
> unconfined?

That is true. You cannot unconditionally require something from a higher layer. The patch that I included has a style error in the sysstat module, however. logging_send_syslog_msg() should be under locallogin_use_fds(), I believe. Attached is a patch for sysstat to resolve this issue.

Index: /home/domg472/Workspace/refpolicy_trunk/policy/modules/services/sysstat.te =================================================================== --- /home/domg472/Workspace/refpolicy_trunk/policy/modules/services/sysstat.te (revision 2761) +++ /home/domg472/Workspace/refpolicy_trunk/policy/modules/services/sysstat.te (working copy) @@ -58,6 +58,8 @@ locallogin_use_fds(sysstat_t) +logging_send_syslog_msg(sysstat_t) + miscfiles_read_localization(sysstat_t) sysadm_dontaudit_list_home_dirs(sysstat_t) @@ -65,7 +67,3 @@ optional_policy(` cron_system_entry(sysstat_t,sysstat_exec_t) ') - -optional_policy(` - logging_send_syslog_msg(sysstat_t) -')
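
Review bot: The logging_send_syslog_msg(sysstat_t) line added in the first hunk (new line 61) sits outside any optional_policy block, so sysstat.te now depends on the logging module unconditionally; the description calls this a style fix, and it should also state that the dependency change is intended. The placement between locallogin_use_fds(sysstat_t) and miscfiles_read_localization(sysstat_t) keeps the interface calls in alphabetical order, which looks right.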
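
Review bot: The second hunk (old lines 65-71) removes the only optional_policy guard around logging_send_syslog_msg(sysstat_t), so it must be applied together with the first hunk or sysstat_t loses the syslog interface altogether; please submit both as one change. The Index, --- and +++ headers also use absolute paths under /home/domg472/Workspace/refpolicy_trunk/, so the patch will not apply with a normal strip level; regenerate it from the top of the refpolicy tree so the path reads policy/modules/services/sysstat.te.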