@@ -, +, @@
- ulogd handling NFLOG log sources
- add missing capabilities to the process
- allow for reading ngroups_max /proc entries
---
policy/modules/contrib/ulogd.te | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/policy/modules/contrib/ulogd.te
+++ a/policy/modules/contrib/ulogd.te
@@ -26,12 +26,17 @@ logging_log_file(ulogd_var_log_t)
 # Local policy
 #
-allow ulogd_t self:capability { net_admin sys_nice };
+allow ulogd_t self:capability { net_admin sys_nice dac_override setuid setgid};
 allow ulogd_t self:process setsched;
 allow ulogd_t self:netlink_nflog_socket create_socket_perms;
 allow ulogd_t self:netlink_socket create_socket_perms;
 allow ulogd_t self:tcp_socket create_stream_socket_perms;
+#Allow /proc/sys/kernel/ngroups_max reading:
+kernel_read_kernel_sysctls(ulogd_t);
+#Allow operation on NFLOG objects:
+allow ulogd_t self:netlink_socket create_socket_perms;
+
 read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
 list_dirs_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
--
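Review bot: The added `allow ulogd_t self:netlink_socket create_socket_perms;` under `#Allow operation on NFLOG objects:` is a verbatim duplicate of the context rule a few lines above, and NFLOG itself is already covered by the existing `netlink_nflog_socket` rule, so the new rule and its comment should be dropped. `dac_override` is the broadest of the three new capabilities — it bypasses every file-permission check — and neither the hunk nor the commit message says which denial prompted it; if the need is read-only access to a file not owned by root, `dac_read_search` is the narrower grant, and if it is a startup probe before ulogd drops privileges (which is presumably why `setuid setgid` are added alongside), a `dontaudit` or a fix to the file ownership is preferable, so a comment such as `# dac_override: opens the log file as root before dropping to the ulogd user` should record the justification either way. Minor refpolicy style on the new lines: `setgid}` needs a space before the brace, comments are written `# Allow ...`, and interface calls such as `kernel_read_kernel_sysctls(ulogd_t)` conventionally take no trailing semicolon and live in their own section after the local `allow` rules rather than between them.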