commit: 3f53590de965cda81024db69cc574633de1693e0
Author: Antoine Tenart <antoine.tenart <AT> bootlin <DOT> com>
AuthorDate: Thu Aug 13 09:08:43 2020 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 21:00:05 2020 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3f53590d
logging: allow systemd-journal to write messages to the audit socket
Fixes:
avc: denied { nlmsg_write } for pid=46 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket
permissive=1
avc: denied { nlmsg_write } for pid=46 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket
permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart <AT> bootlin.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/system/logging.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 39664307..820fc8d3 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -524,7 +524,7 @@ ifdef(`init_systemd',`
allow syslogd_t self:netlink_audit_socket connected_socket_perms;
allow syslogd_t self:capability2 audit_read;
allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
- allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt
write };
+ allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt
write nlmsg_write };
# remove /run/log/journal when switching to permanent storage
allow syslogd_t var_log_t:dir rmdir;
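Review bot: The permission added is broader than the commit title suggests — on netlink_audit_socket, nlmsg_write is (as far as I recall the kernel's netlink permission mapping) the permission checked for audit-control requests such as AUDIT_SET and rule add/delete, while sending user-space audit messages needs nlmsg_relay, so the changed line `allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };` lets syslogd_t reconfigure kernel auditing rather than merely write messages. That is presumably what systemd-journal is doing here (both denials come from comm="systemd-journal"), but it deserves a comment above the rule, e.g. `# nlmsg_write: systemd-journal issues audit control requests (AUDIT_SET), not only user messages`, so a later reader does not treat it as a plain write permission or extend it further. Separately, the context line three lines up already grants `connected_socket_perms` on the same class, which I believe already covers getattr/getopt/read/setopt/write, so the rule could likely be reduced to `allow syslogd_t self:netlink_audit_socket nlmsg_write;` — worth checking against the perm set definition. The enclosing ifdef(init_systemd) block begins and ends outside the hunk.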