Bug 2127403

Summary: [RFE] Introduce libcap-ng inside rsyslog
Product: [Fedora] Fedora Reporter: Attila Lakatos <alakatos>
Component: rsyslogAssignee: Attila Lakatos <alakatos>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: medium    
Version: rawhideCC: alakatos, jlieskov, jvymazal, lkundrak, mah.darade, rsroka, tosykora, zfridric
Target Milestone: ---Keywords: RFE, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: rsyslog-8.2210.0-1.fc38 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2127404 (view as bug list) Environment:
Last Closed: 2022-11-28 08:09:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2127404    

Description Attila Lakatos 2022-09-16 08:25:18 UTC 
Description of the problem:

Actually, rsyslogd is running with full set of capabilities. Whilst it's possible for rsyslog to drop privileges by impersonating as another user and/or group after startup, there are some modules that explicitly require root user rights. Thus, it's necessary to drop the capabilities to only the necessary set, to minimize security exposure in case there was ever a mistake in a networking plugin or some other input resource. The change should be done directly in the code with libcap-ng as rsyslog has many optional modules and some of them require additional capabilities.
Comment 1 Fedora Update System 2022-11-28 08:05:31 UTC 
FEDORA-2022-9ecb6fb031 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2022-9ecb6fb031
Comment 2 Fedora Update System 2022-11-28 08:09:19 UTC 
FEDORA-2022-9ecb6fb031 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.