From: dwalsh@redhat.com (Daniel J Walsh) Date: Fri, 19 Mar 2010 10:18:00 -0400 Subject: [refpolicy] Fwd: Re: system_logging.patch In-Reply-To: <1269007987.5623.181.camel@gorn.columbia.tresys.com> References: <4BA25F04.7030105@redhat.com> <201003181615.22542.sgrubb@redhat.com> <1269000897.5623.83.camel@gorn.columbia.tresys.com> <4BA36C8E.3050801@redhat.com> <1269007987.5623.181.camel@gorn.columbia.tresys.com> Message-ID: <4BA38798.1040002@redhat.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 03/19/2010 10:13 AM, Christopher J. PeBenito wrote: > On Fri, 2010-03-19 at 08:22 -0400, Daniel J Walsh wrote: > >> On 03/19/2010 08:14 AM, Christopher J. PeBenito wrote: >> >>> On Thu, 2010-03-18 at 16:15 -0400, Steve Grubb wrote: >>> >>> >>>> On Thursday 18 March 2010 01:12:36 pm Daniel J Walsh wrote: >>>> >>>> >>>>>> New log context >>>>>> Allow setting audit tty >>>>>> Fixing interfaces >>>>>> >>>>>> >>>>> Why are the sockets being set to system high? Same thing for the pid >>>>> file? They don't have sensitive data. >>>>> >>>>> >>>> /var/run/audispd_events and the pid file is the only thing I recognize as being >>>> from the audit system. The audit system and everything related to it must be >>>> at system high. >>>> >>>> >>> Again, why? The socket and pid file do not have sensitive data. The >>> daemon and the log files have the sensitive data. >>> >>> >>> >> So your saying the ability to connect to the socket is going to be >> blocked on the connecto based on the level of the process on the other >> end of the socket. >> >> setroubleshoot_t:SystemLow is not going to be able to connectto >> auditd_t:SystemHigh no matter what the socket and pid file are labeled. >> > I'm not sure what you're trying to argue. The connectto is of course > going to be checked if a connect gets past the MAC write check on the > sock_file. > > I am agreeing with you, by saying the connectto check will block no matter what the socket permission is. But on Steve's point of view. We would have to jump through hoops to get auditd to create the pid file and socket at SystemLow, Since it runs at SystemHigh.