From: russell@coker.com.au (Russell Coker)
Date: Thu, 14 Aug 2014 17:06:51 +1000
Subject: [refpolicy] syslog-ng.ctl
In-Reply-To: <20140811151138.1ecc35ef@gentp.lnet>
References: <20140811151138.1ecc35ef@gentp.lnet>
Message-ID: <0745ba81-ae59-4000-9576-2ba2d0b7faeb@email.android.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Would a named domtrans do?

On 11 August 2014 11:11:38 PM AEST, Luis Ressel <aranea@aixah.de> wrote:
>Hi,
>
>In refpolicy's system/logging.fc, there's a rule to label the
>file /var/run/syslog-ng.ctl as syslogd_var_run_t. However, newer
>syslog-ng versions don't create a file at that path, but a unix domain
>socket. That socket is labeled devlog_t via a domtrans.
>
>However, I think that socket shouldn't have that context. It can be
>used to control some syslog-ng settings with the syslog-ng-ctl command
>line tool, and the many applications which are allowed to log messages
>to the syslog (via a devlog_t socket) shouldn't be granted that access.
>
>I'm not sure how to handle this, because a simple fc rule won't do --
>there also has to be an appropriate domtrans, and furthermore, I'm not
>sure about the interaction between sock_file's and
>unix_{dgram,stream}_socket's.
>
>What do you think?
>
>
>Regards,
>Luis Ressel
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Sent from my Samsung Galaxy Note 2 with K-9 Mail.