From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sat,  8 Dec 2012 21:56:53 +0100
Subject: [refpolicy] [PATCH 02/11] Allow sandbox to log violations
In-Reply-To: <1355000222-7297-1-git-send-email-sven.vermeulen@siphos.be>
References: <1355000222-7297-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1355000222-7297-3-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

When the sandbox (running in portage_sandbox_t) detects a violation, it will try
to log this into /var/log/sandbox. However, the portage_sandbox_t domain
currently is not allowed to do anything with this logs. As a result, the
violations are not logged.

Allow the portage_sandbox_t domain to generate logs (as portage_log_t) as well
as clean them up (sandbox will remove older violation logs if the process id
of the current violation would result in an existing log file to be
overwritten).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 portage.te |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/portage.te b/portage.te
index f9b9ce8..40e16c3 100644
--- a/portage.te
+++ b/portage.te
@@ -335,6 +335,9 @@ optional_policy(`
 allow portage_sandbox_t self:process ptrace;
 dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
 
+allow portage_sandbox_t portage_log_t:file { create_file_perms delete_file_perms setattr_file_perms append_file_perms };
+logging_log_filetrans(portage_sandbox_t, portage_log_t, file)
+
 portage_compile_domain(portage_sandbox_t)
 
 auth_use_nsswitch(portage_sandbox_t)
-- 
1.7.8.6