From: aranea@aixah.de (Luis Ressel)
Date: Mon, 11 Aug 2014 15:11:38 +0200
Subject: [refpolicy] syslog-ng.ctl
Message-ID: <20140811151138.1ecc35ef@gentp.lnet>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,

In refpolicy's system/logging.fc, there's a rule to label the file /var/run/syslog-ng.ctl as syslogd_var_run_t. However, newer syslog-ng versions don't create a file at that path, but a unix domain socket. That socket is labeled devlog_t via a domtrans. However, I think that socket shouldn't have that context. It can be used to control some syslog-ng settings with the syslog-ng-ctl command line tool, and the many applications which are allowed to log messages to the syslog (via a devlog_t socket) shouldn't be granted that access.

I'm not sure how to handle this, because a simple fc rule won't do -- there also has to be an appropriate domtrans, and furthermore, I'm not sure about the interaction between sock_file's and unix_{dgram,stream}_socket's.

What do you think?

Regards,
Luis Ressel
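As an added illustration (not part of this mail, nor a patch from refpolicy), a policy fragment of the shape that would keep the control socket out of devlog_t. It assumes syslog-ng runs in the existing syslogd_t domain with its runtime directory labeled syslogd_var_run_t; the type syslogd_ctl_socket_t and the client domain syslogd_ctl_t are hypothetical names.

```selinux
# Added example, not from the list post or from refpolicy itself.
# Assumed names: syslogd_ctl_socket_t (new socket type) and syslogd_ctl_t
# (domain for the syslog-ng-ctl tool) are hypothetical.

# 1. A dedicated type for the control socket, distinct from devlog_t.
type syslogd_ctl_socket_t;
files_pid_file(syslogd_ctl_socket_t)

# 2. The fc entry only matters for relabeling; the socket is created at
#    runtime by syslog-ng, so a named file transition assigns the type on
#    creation. The sock_file class covers the node under /var/run.
#    (In logging.fc the line would become:
#     /var/run/syslog-ng\.ctl -s gen_context(system_u:object_r:syslogd_ctl_socket_t,s0))
filetrans_pattern(syslogd_t, syslogd_var_run_t, syslogd_ctl_socket_t, sock_file, "syslog-ng.ctl")
allow syslogd_t syslogd_ctl_socket_t:sock_file manage_sock_file_perms;

#    The listening endpoint is a separate object: a unix_stream_socket
#    owned by syslogd_t, independent of the sock_file node's label.
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;

# 3. Only the control-tool domain may connect. stream_connect_pattern
#    grants search on the directory, write on the sock_file node and
#    connectto on the server's unix_stream_socket. Domains that merely
#    hold devlog_t write access get none of these on the control socket.
stream_connect_pattern(syslogd_ctl_t, syslogd_var_run_t, syslogd_ctl_socket_t, syslogd_t)
```

Both checks are needed for a connect to succeed: write on the sock_file (the filesystem node's type) and connectto on the unix_stream_socket (the server domain's type), which is why a new sock_file type alone, without the transition and the connect rule, does not change who can reach the socket.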