From: dominick.grift@gmail.com (grift) Date: Sun, 09 Dec 2012 14:55:19 +0100 Subject: [refpolicy] [PATCH 02/11] Allow sandbox to log violations In-Reply-To: <1355000222-7297-3-git-send-email-sven.vermeulen@siphos.be> References: <1355000222-7297-1-git-send-email-sven.vermeulen@siphos.be> <1355000222-7297-3-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1355061319.1797.67.camel@localhost> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Sat, 2012-12-08 at 21:56 +0100, Sven Vermeulen wrote: > When the sandbox (running in portage_sandbox_t) detects a violation, it will try > to log this into /var/log/sandbox. However, the portage_sandbox_t domain > currently is not allowed to do anything with this logs. As a result, the > violations are not logged. > > Allow the portage_sandbox_t domain to generate logs (as portage_log_t) as well > as clean them up (sandbox will remove older violation logs if the process id > of the current violation would result in an existing log file to be > overwritten). I merged this but you need to also do a corresponding file context spec for /var/log/sandbox. please Thanks > Signed-off-by: Sven Vermeulen > --- > portage.te | 3 +++ > 1 files changed, 3 insertions(+), 0 deletions(-) > > diff --git a/portage.te b/portage.te > index f9b9ce8..40e16c3 100644 > --- a/portage.te > +++ b/portage.te > @@ -335,6 +335,9 @@ optional_policy(` > allow portage_sandbox_t self:process ptrace; > dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms; > > +allow portage_sandbox_t portage_log_t:file { create_file_perms delete_file_perms setattr_file_perms append_file_perms }; > +logging_log_filetrans(portage_sandbox_t, portage_log_t, file) > + > portage_compile_domain(portage_sandbox_t) > > auth_use_nsswitch(portage_sandbox_t)