syslog-ng non-standard install generating AVC

Karsten Wade kwade at redhat.com
Fri Dec 31 18:50:09 UTC 2004


On Thu, 2004-12-30 at 22:43 -0500, Daniel J Walsh wrote:
> You could add these lines to syslog.te

Will it work to add them to local.te?

> can_exec(syslog_t, { bin_t shell_exec_t } )
> allow syslogd_t etc_runtime_t:file { getattr read };
> allow syslogd_t proc_kmsg_t:file write;
> allow syslogd_t proc_t:file { getattr read };
> allow syslogd_t sbin_t:dir search;
> allow syslogd_t self:capability { chown fowner fsetid sys_admin };

I see these and a few more from using audit2allow.  How did you decide
which to use?  Does can_exec() replace some of the rules?  These ones,
at least:

allow syslogd_t bin_t:file { execute execute_no_trans getattr read };
allow syslogd_t shell_exec_t:file { execute execute_no_trans getattr
read };


> There is some directory in /usr that needs to be relabeled
> syslogd_var_run_t to eliminate the following
> 
> allow syslogd_t usr_t:dir { add_name remove_name write };
> allow syslogd_t usr_t:file { append create getattr read setattr unlink 
> write };

In other words, relabel the directory in /usr so that these rules are
not needed?

thx - Karsten
-- 
Karsten Wade, RHCE, Sr. Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115  5F1B D992 0E06 AD0E 0C41




More information about the fedora-selinux-list mailing list