From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Thu, 6 Sep 2012 19:35:36 +0200 Subject: [refpolicy] [PATCH v2 2/4] Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist In-Reply-To: <1346952938-9358-1-git-send-email-sven.vermeulen@siphos.be> References: <1346952938-9358-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1346952938-9358-3-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com If the /var/lib/syslog directory does not exist, then syslog-ng (running in syslogd_t) will attempt to create the directory. Allow the syslogd_t domain to create the directory, and use an automatic file transition towards syslogd_var_lib_t. Also, the syslog-ng daemon uses a persistence file in /var/lib/misc/syslog-ng.persist (and .persist- if it suspects a collision). As /var/lib/misc is still a generic var_lib_t, we have the syslogd_t daemon write its files as syslogd_var_lib_t therein. Signed-off-by: Sven Vermeulen --- policy/modules/system/logging.fc | 2 ++ policy/modules/system/logging.te | 1 + 2 files changed, 3 insertions(+), 0 deletions(-) diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc index 02f4c97..f5b3f34 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -24,6 +24,7 @@ /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) +/var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) /var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) /var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) 
@@ -32,6 +33,7 @@ ifdef(`distro_suse', ` /var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') + /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 0034021..2eca67c 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -439,6 +439,7 @@ files_read_etc_runtime_files(syslogd_t) # /initrd is not umounted before minilog starts files_dontaudit_search_isid_type_dirs(syslogd_t) files_read_kernel_symbol_table(syslogd_t) +files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) -- 1.7.8.6
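Review bot: in the first logging.fc hunk, the `.` in `/var/lib/misc/syslog-ng.persist-?` is an unescaped regex metacharacter, so the entry also matches names such as `syslog-ngXpersist`; the pre-existing `/var/lib/syslog-ng.persist` line has the same quirk, but a new entry is better written as `/var/lib/misc/syslog-ng\.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)`. The `-?` suffix does cover both the `syslog-ng.persist` file and the `syslog-ng.persist-` collision file named in the commit message, and `--` correctly restricts it to regular files.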
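Review bot: the second logging.fc hunk (`@@ -32,6 +33,7 @@`) appears to add only a blank line after the `')` that closes the `distro_suse` block, before `/var/axfrdns/log/main(/.*)?`; that is an unrelated whitespace change not mentioned in the commit message, so it should be dropped from this patch or sent as a separate cleanup.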
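Review bot: the logging.te hunk's `files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })` carries no filename, so every file or directory syslogd_t creates directly under a var_lib_t directory becomes syslogd_var_lib_t, not just `/var/lib/syslog` and `/var/lib/misc/syslog-ng.persist` as the commit message describes. If this tree's `files_var_lib_filetrans` already accepts the optional filename argument, two named transitions would be tighter, e.g. `files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, dir, "syslog")` and `files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, file, "syslog-ng.persist")`; the `syslog-ng.persist-` collision file would then need its own entry too. Either way the commit message should state which names the transition is meant to cover.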