All of lore.kernel.org
 help / color / mirror / Atom feed
* [refpolicy] [PATCH] Allow unconfined domains to use syslog capability
@ 2014-06-09 12:38 Nicolas Iooss
  2014-06-09 15:02 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Nicolas Iooss @ 2014-06-09 12:38 UTC (permalink / raw)
  To: refpolicy

When an unconfined_t root user runs dmesg, the kernel complains with
this message in its logs (when SELinux is in enforcing mode):

  dmesg (16289): Attempt to access syslog with CAP_SYS_ADMIN but no
  CAP_SYSLOG (deprecated).

audit.log contains following AVC:

  avc:  denied  { syslog } for  pid=16289 comm="dmesg" capability=34
  scontext=unconfined_u:unconfined_r:unconfined_t
  tcontext=unconfined_u:unconfined_r:unconfined_t tclass=capability2
---
 policy/modules/system/unconfined.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 5ca20a9..2b85a6e 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -20,6 +20,7 @@ interface(`unconfined_domain_noaudit',`
 
 	# Use most Linux capabilities
 	allow $1 self:capability ~sys_module;
+	allow $1 self:capability2 syslog;
 	allow $1 self:fifo_file manage_fifo_file_perms;
 
 	# Transition to myself, to make get_ordered_context_list happy.
-- 
2.0.0

^ permalink raw reply related	[flat|nested] 2+ messages in thread
* [refpolicy] [PATCH] Allow unconfined domains to use syslog capability
  2014-06-09 12:38 [refpolicy] [PATCH] Allow unconfined domains to use syslog capability Nicolas Iooss
@ 2014-06-09 15:02 ` Christopher J. PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2014-06-09 15:02 UTC (permalink / raw)
  To: refpolicy

On 06/09/2014 08:38 AM, Nicolas Iooss wrote:
> When an unconfined_t root user runs dmesg, the kernel complains with
> this message in its logs (when SELinux is in enforcing mode):
> 
>   dmesg (16289): Attempt to access syslog with CAP_SYS_ADMIN but no
>   CAP_SYSLOG (deprecated).
> 
> audit.log contains following AVC:
> 
>   avc:  denied  { syslog } for  pid=16289 comm="dmesg" capability=34
>   scontext=unconfined_u:unconfined_r:unconfined_t
>   tcontext=unconfined_u:unconfined_r:unconfined_t tclass=capability2
> ---
>  policy/modules/system/unconfined.if | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
> index 5ca20a9..2b85a6e 100644
> --- a/policy/modules/system/unconfined.if
> +++ b/policy/modules/system/unconfined.if
> @@ -20,6 +20,7 @@ interface(`unconfined_domain_noaudit',`
>  
>  	# Use most Linux capabilities
>  	allow $1 self:capability ~sys_module;
> +	allow $1 self:capability2 syslog;
>  	allow $1 self:fifo_file manage_fifo_file_perms;
>  
>  	# Transition to myself, to make get_ordered_context_list happy.
 
Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2014-06-09 15:02 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-06-09 12:38 [refpolicy] [PATCH] Allow unconfined domains to use syslog capability Nicolas Iooss
2014-06-09 15:02 ` Christopher J. PeBenito

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.