From: dominick.grift@gmail.com (Dominick Grift) Date: Wed, 29 Aug 2012 21:41:27 +0200 Subject: [refpolicy] [PATCH v1 2/5] Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist In-Reply-To: <1346268526-22260-3-git-send-email-sven.vermeulen@siphos.be> References: <1346268526-22260-1-git-send-email-sven.vermeulen@siphos.be> <1346268526-22260-3-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1346269287.15262.6.camel@d30.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Wed, 2012-08-29 at 21:28 +0200, Sven Vermeulen wrote: > If the /var/lib/syslog directory does not exist, then syslog-ng (running in > syslogd_t) will attempt to create the directory. > > Allow the syslogd_t domain to create the directory, and use an automatic file > transition towards syslogd_var_lib_t. > > Also, the syslog-ng daemon uses a persistence file in > /var/lib/misc/syslog-ng.persist (and .persist- if it suspects a collision). As > /var/lib/misc is still a generic var_lib_t, we have the syslogd_t daemon write > its files as syslogd_var_lib_t therein. > > Signed-off-by: Sven Vermeulen > --- > policy/modules/system/logging.fc | 4 ++++ > policy/modules/system/logging.te | 2 ++ > 2 files changed, 6 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc > index 02f4c97..aeaabe1 100644 > --- a/policy/modules/system/logging.fc > +++ b/policy/modules/system/logging.fc > @@ -32,6 +32,10 @@ ifdef(`distro_suse', ` > /var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0) > ') > > +ifdef(`distro_gentoo', ` > +/var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) > +') no need for ifdef. > /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) > /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) > /var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0) 
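Review bot: the new file context in the logging.fc hunk has an unescaped dot: `/var/lib/misc/syslog-ng.persist-?` lets `.` match any character, so it should read `/var/lib/misc/syslog-ng\.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)` like the other literal paths in this file. Wrapping the entry in ifdef(`distro_gentoo') also conflicts with the logging.te hunk of the same patch, which adds the var_lib filetrans unconditionally: on a non-Gentoo build the daemon would create the persist file as syslogd_var_lib_t at runtime, but a relabel (restorecon) would reset it to the generic var_lib_t that /var/lib/misc carries, since no file context would then match. The commit message describes this as ordinary syslog-ng behaviour rather than a Gentoo-specific path, so drop the ifdef and keep the entry unconditional; it also belongs with the other /var/lib entries rather than ahead of /var/axfrdns.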
> diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te > index 0034021..9cebc41 100644 > --- a/policy/modules/system/logging.te > +++ b/policy/modules/system/logging.te > @@ -439,6 +439,8 @@ files_read_etc_runtime_files(syslogd_t) > # /initrd is not umounted before minilog starts > files_dontaudit_search_isid_type_dirs(syslogd_t) > files_read_kernel_symbol_table(syslogd_t) > +files_rw_var_lib_dirs(syslogd_t) above is redundant allowed below with files_var_lib_filetrans() > +files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) only file transition on dirs. be conservative. > fs_getattr_all_fs(syslogd_t) > fs_search_auto_mountpoints(syslogd_t)
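Review bot: the `{ file dir }` class list in files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) is broader than the commit message justifies. The type_transition it generates applies to any file syslogd_t creates in any var_lib_t directory, not just /var/lib/misc/syslog-ng.persist, so unrelated files the daemon might write under /var/lib would silently pick up syslogd_var_lib_t. The directory case (/var/lib/syslog being created in /var/lib) is the one the description actually needs; restrict the interface call to `dir` and rely on the file context for the persist file, which is the conservative choice Dominick asks for. The preceding files_rw_var_lib_dirs(syslogd_t) can go: the filetrans interface already grants rw_dir_perms on var_lib_t to perform the transition. Finally, a transition rule only picks the label; creating /var/lib/syslog still needs syslogd_t to hold create permission on syslogd_var_lib_t directories, so confirm that logging.te already has a manage_dirs_pattern for syslogd_var_lib_t, or the mkdir will still be denied with the new type.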