From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 24 Aug 2011 09:10:00 -0400
Subject: [refpolicy] [PATCH 1/1] Allow userdomains to send syslog
	messages
In-Reply-To: <20110823105722.GA2352@siphos.be>
References: <20110823105722.GA2352@siphos.be>
Message-ID: <4E54F828.8020200@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/23/11 06:57, Sven Vermeulen wrote:
> Some applications that run within the user domain send messages to the syslog
> daemon (for instance through the syslog() function). This patch allows the
> userdomain to write to the devlog_t socket and interact properly with the
> syslog daemon.

Do you have some examples?  My initial reaction is definitely not
merged, as I don't want users to be able to flood the system logs.


> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/system/userdomain.if |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index c6d3cc8..17abfcf 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -965,6 +965,8 @@ template(`userdom_unpriv_user_template', `
>  	# cjp: why?
>  	files_read_kernel_symbol_table($1_t)
>  
> +	logging_send_syslog_msg($1_t)
> +
>  	ifndef(`enable_mls',`
>  		fs_exec_noxattr($1_t)
>  


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com