2014-08-11 13:11:38

by Mira Ressel

Subject: [refpolicy] syslog-ng.ctl

Hi,

In refpolicy's system/logging.fc, there's a rule to label the
file /var/run/syslog-ng.ctl as syslogd_var_run_t. However, newer
syslog-ng versions don't create a file at that path, but a unix domain
socket. That socket is labeled devlog_t via a domtrans.

However, I think that socket shouldn't have that context. It can be
used to control some syslog-ng settings with the syslog-ng-ctl command
line tool, and the many applications which are allowed to log messages
to the syslog (via a devlog_t socket) shouldn't be granted that access.

I'm not sure how to handle this, because a simple fc rule won't do --
there also has to be an appropriate domtrans, and furthermore, I'm not
sure about the interaction between sock_file's and
unix_{dgram,stream}_socket's.

What do you think?


Regards,
Luis Ressel


2014-08-14 07:06:51

by Russell Coker

Subject: [refpolicy] syslog-ng.ctl

Would a named domtrans do?

On 11 August 2014 11:11:38 PM AEST, Luis Ressel <[email protected]> wrote:
>Hi,
>
>In refpolicy's system/logging.fc, there's a rule to label the
>file /var/run/syslog-ng.ctl as syslogd_var_run_t. However, newer
>syslog-ng versions don't create a file at that path, but a unix domain
>socket. That socket is labeled devlog_t via a domtrans.
>
>However, I think that socket shouldn't have that context. It can be
>used to control some syslog-ng settings with the syslog-ng-ctl command
>line tool, and the many applications which are allowed to log messages
>to the syslog (via a devlog_t socket) shouldn't be granted that access.
>
>I'm not sure how to handle this, because a simple fc rule won't do --
>there also has to be an appropriate domtrans, and furthermore, I'm not
>sure about the interaction between sock_file's and
>unix_{dgram,stream}_socket's.
>
>What do you think?
>
>
>Regards,
>Luis Ressel

--
Sent from my Samsung Galaxy Note 2 with K-9 Mail.
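To make the named-transition suggestion above concrete, here is a refpolicy-style module sketch, added as an illustration and not taken from refpolicy or from either poster. The type names syslogd_ctl_t, syslogng_ctl_t and syslogng_ctl_exec_t are assumptions; syslogd_t, var_run_t and the interfaces used (files_pid_filetrans, stream_connect_pattern, files_pid_file, application_domain) are existing refpolicy names.

```selinux
policy_module(syslogng_ctl_example, 1.0.0)

gen_require(`
	type syslogd_t, var_run_t;
')

########################################
#
# Declarations (example; these three type names are assumptions)
#

# Separate type for the control socket inode, so it is no longer devlog_t.
type syslogd_ctl_t;
files_pid_file(syslogd_ctl_t)

# Domain for the syslog-ng-ctl tool, the only thing that should connect.
type syslogng_ctl_t;
type syslogng_ctl_exec_t;
application_domain(syslogng_ctl_t, syslogng_ctl_exec_t)

########################################
#
# syslogd_t: label the control socket at creation time
#

# Named file transition: a sock_file literally called "syslog-ng.ctl" that
# syslogd_t creates in a var_run_t directory gets syslogd_ctl_t. A named
# transition takes precedence over an unnamed one for the same
# source/target/class, so the existing devlog_t transition still applies
# to every other socket syslogd_t creates there.
files_pid_filetrans(syslogd_t, syslogd_ctl_t, sock_file, "syslog-ng.ctl")
allow syslogd_t syslogd_ctl_t:sock_file manage_sock_file_perms;

########################################
#
# syslogng_ctl_t: connect to the control socket
#

# Two objects are involved in connect(): the sock_file (the inode on disk,
# type syslogd_ctl_t) needs write, and the unix_stream_socket (the kernel
# socket object, which carries the creating domain syslogd_t) needs
# connectto. The pattern grants search on var_run_t, write on the
# sock_file and connectto on syslogd_t's listening socket.
stream_connect_pattern(syslogng_ctl_t, var_run_t, syslogd_ctl_t, syslogd_t)

# Domains that merely send log messages keep their devlog_t access and get
# nothing on syslogd_ctl_t, so they cannot reach the control interface.
```

The matching logging.fc entry would label the path with `-s` (socket class) so that restorecon agrees with the transition, but the transition is what gets the label right when syslog-ng creates the socket.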