From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 27 Nov 2012 21:05:57 +0100
Subject: [refpolicy] [PATCH 2/7] Allow sandbox to log violations
In-Reply-To: <1354021187.1888.10.camel@localhost>
References: <1353612118-9745-1-git-send-email-sven.vermeulen@siphos.be>
	<1353612118-9745-3-git-send-email-sven.vermeulen@siphos.be>
	<1354021187.1888.10.camel@localhost>
Message-ID: <CAPzO=NwPdvpAVFv7ThCkDEkY0rYXwkNupWLQcgfvcT_wrr0uWQ@mail.gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Nov 27, 2012 at 1:59 PM, grift <dominick.grift@gmail.com> wrote:

> > +allow portage_sandbox_t portage_log_t:file manage_file_perms;
> > +logging_log_filetrans(portage_sandbox_t, portage_log_t, file)
> > +
>
> Would be nice if we would be able to tighten this up just a little bit.
>
> Would this work:
> allow portage_sandbox_t portage_log_t:file { create_file_perms
> delete_file_perms setattr_file_perms append_file_perms };
>
> That would leave out the write permission. Not very useful since sandbox
> can still delete the whole file but still
>

That works as well apparently (auditallow'ed the write and didn't saw it in
the logs). I'll try with those privileges here in our repository and send
it up again later with those changes.

Wkr,
  Sven Vermeulen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20121127/5f3507ae/attachment.html