Re: syslog-ng non-standard install generating AVC
On Thu, 2004-12-30 at 22:43 -0500, Daniel J Walsh wrote:
You could add these lines to syslog.te
Will it work to add them to local.te?
can_exec(syslog_t, { bin_t shell_exec_t } )
allow syslogd_t etc_runtime_t:file { getattr read };
allow syslogd_t proc_kmsg_t:file write;
allow syslogd_t proc_t:file { getattr read };
allow syslogd_t sbin_t:dir search;
allow syslogd_t self:capability { chown fowner fsetid sys_admin };
I see these and a few more from using audit2allow. How did you decide
which to use? Does can_exec() replace some of the rules? These ones,
at least:
allow syslogd_t bin_t:file { execute execute_no_trans getattr read };
allow syslogd_t shell_exec_t:file { execute execute_no_trans getattr
read };
There is some directory in /usr that needs to be relabeled
syslogd_var_run_t to eliminate the following
allow syslogd_t usr_t:dir { add_name remove_name write };
allow syslogd_t usr_t:file { append create getattr read setattr unlink
write };
In other words, relabel the directory in /usr so that these rules are
not needed?
thx - Karsten
--
Karsten Wade, RHCE, Sr. Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41