From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Wed, 29 Aug 2012 21:59:25 +0200
Subject: [refpolicy] [PATCH v1 2/5] Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist
In-Reply-To: <1346269287.15262.6.camel@d30.localdomain>
References: <1346268526-22260-1-git-send-email-sven.vermeulen@siphos.be>
 <1346268526-22260-3-git-send-email-sven.vermeulen@siphos.be>
 <1346269287.15262.6.camel@d30.localdomain>
Message-ID: <20120829195924.GB22738@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Aug 29, 2012 at 09:41:27PM +0200, Dominick Grift wrote:
> > +ifdef(`distro_gentoo', `
> > +/var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
> > +')
>
> no need for ifdef.

ACK.

> > +files_rw_var_lib_dirs(syslogd_t)
>
> above is redundant allowed below with files_var_lib_filetrans()

ACK.

> > +files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
>
> only file transition on dirs. be conservative.

The file class transition is for the /var/lib/misc/syslog-ng.persist file. Since /var/lib/misc is var_lib_t, we need a file transition here for syslog-ng.persist to become syslogd_var_lib_t.

Perhaps it is safer to make named file transitions (perhaps even for both), like so:

#v+
files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, file, "syslog-ng.persist")
files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, file, "syslog-ng.persist-")
files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, dir, "syslog")
#v-

On the other hand, I don't see syslog doing any other writes that would need me limiting this. Although more precise, I don't know if it is better to riddle the policy with named file transitions if they aren't needed.

Thanks for the feedback on the others, greatly appreciated!

Wkr,
	Sven Vermeulen
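Review bot: in the quoted file context line `/var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)`, the `.` in `syslog-ng.persist` is an unescaped regular-expression metacharacter; refpolicy .fc entries escape literal dots, so this should read `/var/lib/misc/syslog-ng\.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)`. The trailing `-?` is fine and intentionally matches both `syslog-ng.persist` and the `syslog-ng.persist-` temporary file that the proposed named transitions also cover.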
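Review bot: the quoted `files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })` has no name argument, so every file and every directory syslogd_t creates directly inside any var_lib_t directory (/var/lib as well as /var/lib/misc) would be labelled syslogd_var_lib_t, while the patch subject only needs /var/lib/syslog and /var/lib/misc/syslog-ng.persist. The named forms proposed in the reply (`file, "syslog-ng.persist"`, `file, "syslog-ng.persist-"`, `dir, "syslog"`) limit the transition to exactly those objects and are the conservative choice; if the unnamed form is kept, the commit message should say why the broader transition is acceptable.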