From: dominick.grift@gmail.com (grift) Date: Tue, 27 Nov 2012 13:59:47 +0100 Subject: [refpolicy] [PATCH 2/7] Allow sandbox to log violations In-Reply-To: <1353612118-9745-3-git-send-email-sven.vermeulen@siphos.be> References: <1353612118-9745-1-git-send-email-sven.vermeulen@siphos.be> <1353612118-9745-3-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1354021187.1888.10.camel@localhost> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Thu, 2012-11-22 at 20:21 +0100, Sven Vermeulen wrote: > When the sandbox (running in portage_sandbox_t) detects a violation, it will try > to log this into /var/log/sandbox. However, the portage_sandbox_t domain > currently is not allowed to do anything with these logs. As a result, the > violations are not logged. > > Allow the portage_sandbox_t domain to generate logs (as portage_log_t) as well > as clean them up (sandbox will remove older violation logs if the process id > of the current violation would result in an existing log file to be > overwritten). > > Signed-off-by: Sven Vermeulen > --- > portage.te | 3 +++ > 1 files changed, 3 insertions(+), 0 deletions(-) > > diff --git a/portage.te b/portage.te > index 074828c..ebb3139 100644 > --- a/portage.te > +++ b/portage.te 
> @@ -339,6 +339,9 @@ allow portage_sandbox_t portage_t:process sigchld; > allow portage_sandbox_t self:process ptrace; > dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms; > > +allow portage_sandbox_t portage_log_t:file manage_file_perms; > +logging_log_filetrans(portage_sandbox_t, portage_log_t, file) > + Would be nice if we would be able to tighten this up just a little bit. Would this work: allow portage_sandbox_t portage_log_t:file { create_file_perms delete_file_perms setattr_file_perms append_file_perms }; That would leave out the write permission. Not very useful since sandbox can still delete the whole file, but still. If it is undesired or if that will not work then I will merge this as is. > portage_compile_domain(portage_sandbox_t) > > auth_use_nsswitch(portage_sandbox_t)
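
Review bot: The two lines added after the dontaudit rule cover only the file class, while the commit message says violations are logged "into /var/log/sandbox". If that path is a directory labeled portage_log_t, creating and removing log files in it also needs directory permissions on portage_log_t (add_name and remove_name), and the logging_log_filetrans() transition on the generic log directory would not be what labels the new files. It is worth confirming which layout applies and saying so in a comment above the rules. On the allow rule itself, manage_file_perms grants more than the create, append and remove behaviour the commit message describes, so a narrower set along the lines proposed in the reply would match the stated need more closely.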