From 2eafd6c8cbc18aa52e320663ba6bf63f334c95d9 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 23 Nov 2022 09:20:51 +0100
Subject: [PATCH] Allow syslogd read network sysctls

Addresses the following AVC denial:

type=AVC msg=audit(1669156432.404:191): avc:  denied  { read } for  pid=700 comm="rsyslogd" name="disable_ipv6" dev="proc" ino=19523 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0

Resolves: rhbz#2145019
---
 policy/modules/system/logging.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 4e00b7935a..d96d862f7c 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -541,6 +541,7 @@ kernel_rw_stream_socket_perms(syslogd_t)
 kernel_read_system_state(syslogd_t)
 kernel_read_network_state(syslogd_t)
 kernel_read_kernel_sysctls(syslogd_t)
+kernel_read_net_sysctls(syslogd_t)
 kernel_read_netlink_audit_socket(syslogd_t)
 kernel_read_proc_symlinks(syslogd_t)
 # Allow access to /proc/kmsg for syslog-ng