[selinux-policy: 1658/3172] On Tue, 2007-02-20 at 12:28 -0500, Daniel J Walsh wrote: > audit needs fsetid > > syslog needs to be

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:28:23 UTC 2010


commit 5c45eaede1bbbdc6e96e67d38aaca0ffeba413e6
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Feb 23 20:19:29 2007 +0000

    On Tue, 2007-02-20 at 12:28 -0500, Daniel J Walsh wrote:
    > audit needs fsetid
    >
    > syslog needs to be able to create a tcp_socket for off machine logging.

 Changelog                        |    2 ++
 policy/modules/system/logging.te |    6 ++++--
 2 files changed, 6 insertions(+), 2 deletions(-)
---
diff --git a/Changelog b/Changelog
index f6af041..94a2841 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Patch for capability fix for auditd and networking fix for syslogd from
+  Dan Walsh.
 - Patch to remove redundant mls_trusted_object() call from Dan Walsh.
 - Patch for misc fixes to nis ypxfr policy from Dan Walsh.
 - Patch to allow apmd to telinit from Dan Walsh.
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 74aeece..a7fb6a6 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
 
-policy_module(logging,1.5.1)
+policy_module(logging,1.5.2)
 
 ########################################
 #
@@ -104,7 +104,7 @@ ifdef(`targeted_policy',`
 # Auditd local policy
 #
 
-allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
+allow auditd_t self:capability { audit_write audit_control fsetid sys_nice sys_resource };
 dontaudit auditd_t self:capability sys_tty_config;
 allow auditd_t self:process { signal_perms setpgid setsched };
 allow auditd_t self:file { getattr read write };
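Review bot: the `fsetid` capability added to the `auditd_t self:capability` rule has no comment saying which auditd operation needs it, and the commit message gives only "audit needs fsetid". `fsetid` lets a process keep or set set-id bits on files it does not otherwise qualify for, which is an unusual need for a log writer, so please record the triggering denial in a comment above the rule. If the denial is a side effect of a chmod or chown on the log files and nothing breaks without it, `dontaudit auditd_t self:capability fsetid;` would be the narrower fix, in the same way `sys_tty_config` is handled on the next line.
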
@@ -271,6 +271,7 @@ allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
 allow syslogd_t self:unix_dgram_socket sendto;
 allow syslogd_t self:fifo_file rw_file_perms;
 allow syslogd_t self:udp_socket create_socket_perms;
+allow syslogd_t self:tcp_socket create_stream_socket_perms;
 
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
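Review bot: `create_stream_socket_perms` on the new `syslogd_t self:tcp_socket` rule also grants `listen` and `accept`, while the commit message asks only for creating a TCP socket for off-machine logging, which is an outbound connection. The UDP rule directly above uses `create_socket_perms`; the same set on `tcp_socket` already covers create, connect and write. Suggest `allow syslogd_t self:tcp_socket create_socket_perms;` unless syslogd is also meant to accept inbound TCP, in which case the commit message and a comment should say so.
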
@@ -324,6 +325,7 @@ corenet_udp_bind_syslogd_port(syslogd_t)
 corenet_tcp_sendrecv_all_if(syslogd_t)
 corenet_tcp_sendrecv_all_nodes(syslogd_t)
 corenet_tcp_sendrecv_all_ports(syslogd_t)
+corenet_tcp_bind_all_nodes(syslogd_t)
 corenet_tcp_bind_rsh_port(syslogd_t)
 corenet_tcp_connect_rsh_port(syslogd_t)
 
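Review bot: `corenet_tcp_bind_all_nodes(syslogd_t)` allows TCP binds on every node type, and neither the surrounding lines nor the commit message explain why a daemon that only sends logs off the machine needs to bind at all. If the intent is to make the existing `corenet_tcp_bind_rsh_port(syslogd_t)` line usable for choosing a source port, add a comment above these lines saying that. The port side is already limited to the rsh port in the visible context, so the comment should also state that no TCP listener on the syslog port is intended.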

