From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 29 Aug 2012 22:10:10 +0200
Subject: [refpolicy] [PATCH v1 2/5] Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist
In-Reply-To: <20120829195924.GB22738@siphos.be>
References: <1346268526-22260-1-git-send-email-sven.vermeulen@siphos.be>
 <1346268526-22260-3-git-send-email-sven.vermeulen@siphos.be>
 <1346269287.15262.6.camel@d30.localdomain>
 <20120829195924.GB22738@siphos.be>
Message-ID: <1346271010.15262.12.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2012-08-29 at 21:59 +0200, Sven Vermeulen wrote:
> On Wed, Aug 29, 2012 at 09:41:27PM +0200, Dominick Grift wrote:
> > > +ifdef(`distro_gentoo', `
> > > +/var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
> > > +')
> >
> > no need for ifdef.
>
> ACK.
>
> > > +files_rw_var_lib_dirs(syslogd_t)
> >
> > above is redundant, allowed below with files_var_lib_filetrans()
>
> ACK.
>
> > > +files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
> >
> > only file transition on dirs. be conservative.
>
> The file class transition is for the /var/lib/misc/syslog-ng.persist file.
> Since /var/lib/misc is var_lib_t, we need a file transition here for
> syslog-ng.persist to become syslogd_var_lib_t.
>
> Perhaps it is safer to make named file transitions (perhaps even for both),
> like so:
>
> #v+
> files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, file, "syslog-ng.persist")
> files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, file, "syslog-ng.persist-")
> files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, dir, "syslog")
> #v-
>
> On the other hand, I don't see syslog doing any other writes that would need
> me limiting this. Although more precise, I don't know if it is better to
> riddle the policy with named file transitions if they aren't needed.
>
> Thanks for the feedback on the others, greatly appreciated!
>

No need for named file transitions.
If it creates both files and dirs in var_lib_t directories then you indeed need a filetrans for both files and dirs. I assumed that it only created dirs in var_lib_t dirs.

> Wkr,
> Sven Vermeulen
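Review bot: in the quoted fcontext line `+/var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)`, the dot in `syslog-ng.persist` is an unescaped regex metacharacter and matches any single character in that position; refpolicy .fc entries write a literal dot as `\.`, so `/var/lib/misc/syslog-ng\.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)` is the conventional spelling and keeps the pattern from labelling unrelated names that happen to differ only in that character.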