From fef5dcf3afafe595d39a2c0c0dba780ea373a5e7 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Aug 26 2009 14:05:36 +0000
Subject: Remove excessive permissions in logging_send_syslog_msg().

Ticket #14.
---

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index e93c344..0c2f221 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -438,8 +438,8 @@ interface(`logging_send_syslog_msg',`
 		type syslogd_t, devlog_t;
 	')
 
-	allow $1 devlog_t:lnk_file read;
-	allow $1 devlog_t:sock_file rw_sock_file_perms;
+	allow $1 devlog_t:lnk_file read_lnk_file_perms;
+	allow $1 devlog_t:sock_file write_sock_file_perms;
 
 	# the type of socket depends on the syslog daemon
 	allow $1 syslogd_t:unix_dgram_socket sendto;
@@ -447,8 +447,9 @@ interface(`logging_send_syslog_msg',`
 	allow $1 self:unix_dgram_socket create_socket_perms;
 	allow $1 self:unix_stream_socket create_socket_perms;
 
-	# cjp: this should most likely be removed:
-	term_use_console($1)
+	# If syslog is down, the glibc syslog() function
+	# will write to the console.
+	term_write_console($1)
 ')
 
 ########################################
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 04455e0..3e7ce07 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging, 1.14.0)
+policy_module(logging, 1.14.1)
 
 ########################################
 #
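Review bot: The new `allow $1 devlog_t:sock_file write_sock_file_perms;` line drops read access on /dev/log without saying why, and the next maintainer chasing an AVC denial is likely to put `rw_sock_file_perms` straight back. A one-line comment above the two devlog_t rules would pin the rationale, e.g. `# syslog(3) only connect()s to and sends on /dev/log; the kernel checks that as write on the sock_file, so read is never needed`. Switching the lnk_file rule from a bare `read` to `read_lnk_file_perms` matches the permission-set macros used elsewhere in the interface and needs no further comment. logging_send_syslog_msg's header and the remainder of its body are outside this hunk.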
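Review bot: The new comment above `term_write_console($1)` overstates the fallback: glibc's syslog() falls back to /dev/console only when the caller opened the log with LOG_CONS, not whenever syslogd is down, so the comment should read `# If syslog is down and the caller opened the log with LOG_CONS, glibc syslog() writes the message to /dev/console.` Narrowing term_use_console to term_write_console is consistent with that fallback, which only ever writes. This still grants console write to every caller of the interface regardless of whether it uses LOG_CONS, which the commit message does not discuss; a sentence noting that trade-off would help the next reader. The interface's header lies before this hunk while its closing `')` is inside it.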