From 2f84a77d229f3782078042aca3f118a412e28e12 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 17 Feb 2010 20:33:53 -0500
Subject: [PATCH] Syslog fixes from Gentoo.
---
 policy/modules/kernel/terminal.if | 19 +++++++++++++++++++
 policy/modules/kernel/terminal.te | 2 +-
 policy/modules/system/logging.if | 1 +
 policy/modules/system/logging.te | 5 +++--
 4 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 1362bbd5..56ddd993 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -239,6 +239,25 @@ interface(`term_read_console',`
 allow $1 console_device_t:chr_file read_chr_file_perms;
 ')
+########################################
+##
+## Do not audit attempts to read from the console.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`term_dontaudit_read_console',`
+ gen_require(`
+ type console_device_t;
+ ')
+
+ dontaudit $1 console_device_t:chr_file read_chr_file_perms;
+')
+
 ########################################
 ##
 ## Read from and write to the console.
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index ba856619..c2803dfa 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,5 +1,5 @@
-policy_module(terminal, 1.7.1)
+policy_module(terminal, 1.7.2)
 ########################################
 #
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 0c2f2213..4eab8b50 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -450,6 +450,7 @@ interface(`logging_send_syslog_msg',`
 # If syslog is down, the glibc syslog() function
 # will write to the console.
 term_write_console($1)
+ term_dontaudit_read_console($1)
 ')
 ########################################
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 7d16587a..f6ba06cc 100644
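Review bot: `dontaudit $1 console_device_t:chr_file read_chr_file_perms;` in the new `term_dontaudit_read_console` interface silences more than reads: `read_chr_file_perms` also covers getattr, open, ioctl and lock on the console device. The only caller added in this patch already receives `term_write_console`, so the denial that needs quieting is presumably just the `read` bit of a read/write open; a narrower `dontaudit $1 console_device_t:chr_file read;` would keep genuine open/ioctl denials on the console visible in the audit log, which is what an analyst looks for when a daemon starts grabbing a tty. Separately, the documentation block appears here without its summary and param tags; if that is the file content rather than a rendering artifact, the interface will not be picked up correctly by the generated reference docs.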
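Review bot: The comment above the added `term_dontaudit_read_console($1)` explains why a caller writes to the console when syslog is down, but not why it would read from it, so the new dontaudit is unexplained at the point of use. A one-line note recording the observed denial would keep a future cleanup from dropping the call and, conversely, stop a real console-read leak in a syslog-sending domain from being written off as this noise, e.g. `# read denials on the console come from <libc/daemon that triggers them - fill in>; expected noise, not a leak`. The interface's opening line is outside the hunk.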
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging, 1.15.0)
+policy_module(logging, 1.15.1)
 ########################################
 #
@@ -332,7 +332,8 @@ optional_policy(`
 allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
 dontaudit syslogd_t self:capability sys_tty_config;
 # setpgid for metalog
-allow syslogd_t self:process { signal_perms setpgid };
+# setrlimit for syslog-ng
+allow syslogd_t self:process { signal_perms setpgid setrlimit };
 # receive messages to be logged
 allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
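Review bot: The comment `# setrlimit for syslog-ng` should say what the permission actually unlocks: as I read the kernel's SELinux hook, `process:setrlimit` is only checked when a call changes the hard limit, so syslog-ng is evidently altering a hard rlimit, and because `sys_resource` is already in the capability set a few lines above it can raise hard limits, not merely lift a soft limit to its ceiling. Suggest `# setrlimit for syslog-ng (hard-limit change; with sys_resource above this can raise limits)`. If syslog-ng only needs to move a soft limit within the existing hard limit, this permission should not be required at all and the denial that prompted it is worth re-checking before granting it.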