From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Thu, 22 Nov 2012 20:21:53 +0100
Subject: [refpolicy] [PATCH 2/7] Allow sandbox to log violations
In-Reply-To: <1353612118-9745-1-git-send-email-sven.vermeulen@siphos.be>
References: <1353612118-9745-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1353612118-9745-3-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

When the sandbox (running in portage_sandbox_t) detects a violation, it will try to log this into /var/log/sandbox. However, the portage_sandbox_t domain currently is not allowed to do anything with these logs. As a result, the violations are not logged.

Allow the portage_sandbox_t domain to generate logs (as portage_log_t) as well as clean them up (sandbox will remove older violation logs if the process id of the current violation would result in an existing log file being overwritten).

Signed-off-by: Sven Vermeulen
---
 portage.te | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/portage.te b/portage.te
index 074828c..ebb3139 100644
--- a/portage.te
+++ b/portage.te
@@ -339,6 +339,9 @@ allow portage_sandbox_t portage_t:process sigchld;
 allow portage_sandbox_t self:process ptrace;
 dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
+allow portage_sandbox_t portage_log_t:file manage_file_perms;
+logging_log_filetrans(portage_sandbox_t, portage_log_t, file)
+
 portage_compile_domain(portage_sandbox_t)
 auth_use_nsswitch(portage_sandbox_t)
-- 
1.7.8.6
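Review bot: the two added rules grant file-class permissions only, but creating and unlinking a log under /var/log/sandbox also needs directory permissions (search, add_name, remove_name, write) on whatever type that directory carries, and nothing in the hunk grants them. If /var/log/sandbox is already labelled portage_log_t by a file context, the usual refpolicy form is `manage_files_pattern(portage_sandbox_t, portage_log_t, portage_log_t)`, which covers the dir rw permissions as well and replaces the raw `allow` line; in that case files created inside the directory inherit portage_log_t and the `logging_log_filetrans` call is redundant. If instead sandbox creates /var/log/sandbox itself, the filetrans must also name the `dir` class (and the domain needs dir create permissions), since a `file`-only transition leaves the directory as var_log_t. The commit message should state which of the two applies so the rule set can be checked against it.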