From: domg472@gmail.com (Dominick Grift)
Date: Wed, 24 Aug 2011 16:31:09 +0200
Subject: [refpolicy] [PATCH 1/1] Allow userdomains to send syslog messages
In-Reply-To: <4E5507B8.3080609@tresys.com>
References: <20110823105722.GA2352@siphos.be> <4E54F828.8020200@tresys.com> <20110824131507.GA25303@localhost.localdomain> <4E54FF76.2040804@tresys.com> <20110824135105.GB25303@localhost.localdomain> <4E5507B8.3080609@tresys.com>
Message-ID: <20110824143108.GC25303@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Aug 24, 2011 at 10:16:24AM -0400, Christopher J. PeBenito wrote:
> On 08/24/11 09:51, Dominick Grift wrote:
> > On Wed, Aug 24, 2011 at 09:41:10AM -0400, Christopher J. PeBenito wrote:
> >> On 08/24/11 09:15, Dominick Grift wrote:
> >>> On Wed, Aug 24, 2011 at 09:10:00AM -0400, Christopher J. PeBenito wrote:
> >>>> On 08/23/11 06:57, Sven Vermeulen wrote:
> > ... snip ...
> >>> I do, the git-daemon run by users can be configured to use syslog. I allowed this by default in my git policy. Would you prefer a boolean "git_session_daemon_can_syslog" instead of allowing it by default?
> >>
> >> That's a different domain. I'm speaking of unpriv user domains user_t,
> >> staff_t, etc.
> >
> > Until a git (session) daemon domain is implemented it runs in the unprivileged user domain.
>
> Ok. I don't see this as a good reason to allow this. A user running a
> daemon should be logging to their home directory.

Agreed, but what if the administrator decides to run it as an unprivileged user and still wants it to syslog? It seems actually very sane to me.

Running git-daemon as a system service requires inetd and it runs as root. Running inetd just to export a repository might be a bit much. If you can achieve what you want by running it as an unpriv user then why not?

So in light of that it may be sensible to allow administrators to tune the policy to allow Git session daemon to syslog.

>
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com