From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Wed, 29 Aug 2012 21:28:43 +0200 Subject: [refpolicy] [PATCH v1 2/5] Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist In-Reply-To: <1346268526-22260-1-git-send-email-sven.vermeulen@siphos.be> References: <1346268526-22260-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1346268526-22260-3-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com If the /var/lib/syslog directory does not exist, then syslog-ng (running in syslogd_t) will attempt to create the directory. Allow the syslogd_t domain to create the directory, and use an automatic file transition towards syslogd_var_lib_t. Also, the syslog-ng daemon uses a persistence file in /var/lib/misc/syslog-ng.persist (and .persist- if it suspects a collision). As /var/lib/misc is still a generic var_lib_t, we have the syslogd_t daemon write its files as syslogd_var_lib_t therein. Signed-off-by: Sven Vermeulen --- policy/modules/system/logging.fc | 4 ++++ policy/modules/system/logging.te | 2 ++ 2 files changed, 6 insertions(+), 0 deletions(-) diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc index 02f4c97..aeaabe1 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -32,6 +32,10 @@ ifdef(`distro_suse', ` /var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') +ifdef(`distro_gentoo', ` +/var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) +') + /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 0034021..9cebc41 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te 
@@ -439,6 +439,8 @@ files_read_etc_runtime_files(syslogd_t) # /initrd is not umounted before minilog starts files_dontaudit_search_isid_type_dirs(syslogd_t) files_read_kernel_symbol_table(syslogd_t) +files_rw_var_lib_dirs(syslogd_t) +files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) -- 1.7.8.6
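Review bot: in the logging.fc hunk the new pattern `/var/lib/misc/syslog-ng.persist-?` uses an unescaped `.` before `persist`, which matches any character rather than the literal dot; the rest of this file (and refpolicy generally) escapes literal dots, so it should read `/var/lib/misc/syslog-ng\.persist-?`. It is also worth stating in the commit message why the entry is wrapped in `ifdef(`distro_gentoo', ...)`: the path is syslog-ng's own persist file location rather than a Gentoo layout choice, so either the conditional can be dropped or the message should explain the distribution-specific reasoning.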
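Review bot: in the logging.te hunk, `files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })` has no name argument, so every file or directory syslogd_t creates in any var_lib_t directory is labelled syslogd_var_lib_t, and `files_rw_var_lib_dirs(syslogd_t)` lets it add and remove entries in every generic /var/lib directory, not just /var/lib and /var/lib/misc as the commit message describes. If the build supports named transitions, restrict the rule to the two names the message lists, e.g. one call for `"syslog"` and one for `"syslog-ng.persist"`, and mention in the message that the rw access on var_lib_t dirs is needed for the mkdir itself; otherwise note the broader scope explicitly so reviewers know it is intended.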