From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 19 Mar 2010 10:13:07 -0400
Subject: [refpolicy] Fwd: Re: system_logging.patch
In-Reply-To: <4BA36C8E.3050801@redhat.com>
References: <4BA25F04.7030105@redhat.com>
	<201003181615.22542.sgrubb@redhat.com>
	<1269000897.5623.83.camel@gorn.columbia.tresys.com>
	<4BA36C8E.3050801@redhat.com>
Message-ID: <1269007987.5623.181.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2010-03-19 at 08:22 -0400, Daniel J Walsh wrote:
> On 03/19/2010 08:14 AM, Christopher J. PeBenito wrote:
> > On Thu, 2010-03-18 at 16:15 -0400, Steve Grubb wrote:
> >    
> >> On Thursday 18 March 2010 01:12:36 pm Daniel J Walsh wrote:
> >>      
> >>>>   New log context
> >>>>   Allow setting audit tty
> >>>>   Fixing interfaces
> >>>>          
> >>> Why are the sockets being set to system high?  Same thing for the pid
> >>> file?  They don't have sensitive data.
> >>>        
> >> /var/run/audispd_events and the pid file is the only thing I recognize as being
> >> from the audit system. The audit system and everything related to it must be
> >> at system high.
> >>      
> > Again, why?  The socket and pid file do not have sensitive data.  The
> > daemon and the log files have the sensitive data.
> >
> >    
> So your saying the ability to connect to the socket is going to be 
> blocked on the connecto based on the level of the process on the other 
> end of the socket.
>
> setroubleshoot_t:SystemLow is not going to be able to connectto 
> auditd_t:SystemHigh no matter what the socket and pid file are labeled.

I'm not sure what you're trying to argue.  The connectto is of course
going to be checked if a connect gets past the MAC write check on the
sock_file.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150