https://bugzilla.balabit.com/show_bug.cgi?id=95

--- Comment #4 from Balazs Scheidler <bazsi@balabit.hu> 2010-10-15 21:02:27 ---
Here's the Ubuntu patch that I was talking about. It may have been integrated into the upstream kernel already:

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/515623

This seems to have been integrated into upstream kernel as well:

Author: Kees Cook <kees.cook@canonical.com>  2010-02-04 00:36:43
Committer: James Morris <jmorris@namei.org>  2010-02-04 04:20:12
Parent: 0719aaf5ead7555b7b7a4a080ebf2826a871384e (selinux: allow MLS->non-MLS and vice versa upon policy reload)
Child: d78ca3cd733d8a2c3dcd88471beb1a15d973eed8 (syslog: use defined constants instead of raw numbers)
Branch: remotes/linus/master
Follows: v2.6.33-rc4
Precedes: v2.6.34-rc1

    syslog: distinguish between /proc/kmsg and syscalls

    This allows the LSM to distinguish between syslog functions originating
    from /proc/kmsg access and direct syscalls. By default, the commoncaps
    will now no longer require CAP_SYS_ADMIN to read an opened /proc/kmsg
    file descriptor. For example the kernel syslog reader can now drop
    privileges after opening /proc/kmsg, instead of staying privileged with
    CAP_SYS_ADMIN. MAC systems that implement security_syslog have unchanged
    behavior.

    Signed-off-by: Kees Cook <kees.cook@canonical.com>
    Acked-by: Serge Hallyn <serue@us.ibm.com>
    Acked-by: John Johansen <john.johansen@canonical.com>
    Signed-off-by: James Morris <jmorris@namei.org>

It seems to have been integrated into 2.6.34, so 2.6.35 definitely has the fix.
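
The pattern the commit message describes (open /proc/kmsg while privileged, then drop privileges and keep reading from the descriptor), as an added example that is not part of the original comment, the kernel patch or syslog-ng. The function names and the uid/gid 65534 are assumptions, and the read after the drop only succeeds without CAP_SYS_ADMIN on kernels that carry this change.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* for setgroups() and O_CLOEXEC on glibc */
#endif
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Open the log source while still privileged: the access check happens here. */
int open_log_source(const char *path)
{
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Permanently switch to an unprivileged uid/gid. By default, leaving uid 0
 * this way also clears the capability sets, CAP_SYS_ADMIN included. */
int drop_root(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;                          /* nothing to drop */
    if (setgroups(0, NULL) != 0)           /* supplementary groups first */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0 || geteuid() == 0)  /* the drop must be irreversible */
        return -1;
    return 0;
}

/* Read one chunk from the already-open descriptor and NUL-terminate it. */
ssize_t read_record(int fd, char *buf, size_t len)
{
    ssize_t n = read(fd, buf, len - 1);
    if (n >= 0) buf[n] = '\0';
    return n;
}

int main(void)
{
    char buf[1024];
    int fd = open_log_source("/proc/kmsg");
    if (fd < 0) { perror("open /proc/kmsg"); return 1; }
    /* 65534 ("nobody" on many systems) is an assumed unprivileged id. */
    if (drop_root(65534, 65534) != 0) { perror("drop_root"); return 1; }
    if (read_record(fd, buf, sizeof buf) < 0) { perror("read"); return 1; }
    fputs(buf, stdout);
    return 0;
}
```

On a kernel without the change, the `read()` after `drop_root()` fails with a permission error, which is a quick way to check whether a given kernel has the fix.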