From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 31 Oct 2012 15:46:17 +0100
Subject: [refpolicy] [PATCH 1/1] Allow system logger to write to cron log files
In-Reply-To: <509135F9.4040202@tresys.com>
References: <20121029191656.GA14388@siphos.be> <509135F9.4040202@tresys.com>
Message-ID: <1351694777.4200.26.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2012-10-31 at 10:30 -0400, Christopher J. PeBenito wrote:
> On 10/29/12 15:16, Sven Vermeulen wrote:
> > The system logger is responsible for writing log events in various log files.
> > Some of these log files are not labeled as var_log_t, but have their domains'
> > specific logging type set. One of these is cron_log_t.
> >
> > Allow syslogd_t to write to the cron log files, and introduce a file transition
> > when the file is just created.
>
> While we already have syslogd doing this for inn logs, your patch makes me question this. Do we really want this? It seems that we would want all of the syslog logs to be var_log_t. If a service does logging itself, it would need a private log type, but if it's logging to syslog, the logs should probably still come out var_log_t.

Why? What is your argument for this? I could think of one argument to use private types. This will help the administrator of the service. We can now give him access to only the service logs as opposed to all generic logs.

> > Signed-off-by: Sven Vermeulen
> > --- > > policy/modules/system/logging.te | 7 +++++++ > > 1 files changed, 7 insertions(+), 0 deletions(-) > > > > diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te > > index 696e0c8..b16ddac 100644 > > --- a/policy/modules/system/logging.te > > +++ b/policy/modules/system/logging.te
> > @@ -490,6 +490,13 @@ optional_policy(` > > ') > > > > optional_policy(` > > + cron_create_log_files(syslogd_t) > > + cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") > > + cron_setattr_log_files(syslogd_t) > > + cron_write_log_files(syslogd_t) > > +') > > + > > +optional_policy(` > > inn_manage_log(syslogd_t) > > ') >
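
Review bot: cron_setattr_log_files(syslogd_t) in the new optional_policy block is not motivated by the commit message, which only mentions writing to the cron log files and a file transition on creation; either drop it or say in the message or in a comment what syslogd does that needs setattr on these files. In the same block, cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") ties the transition to the literal name "cron.log", so a cron log that syslogd creates under any other name would not be covered; a short comment naming the syslog configuration this is meant to match would help. It is also worth checking whether append access would be enough here instead of cron_write_log_files(syslogd_t), since a logger only adds to the file.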