From: russell@coker.com.au (Russell Coker)
Date: Thu, 14 Aug 2014 17:06:51 +1000
Subject: [refpolicy] syslog-ng.ctl
In-Reply-To: <20140811151138.1ecc35ef@gentp.lnet>
References: <20140811151138.1ecc35ef@gentp.lnet>
Message-ID: <0745ba81-ae59-4000-9576-2ba2d0b7faeb@email.android.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Would a named domtrans do?

On 11 August 2014 11:11:38 PM AEST, Luis Ressel wrote:
>Hi,
>
>In refpolicy's system/logging.fc, there's a rule to label the
>file /var/run/syslog-ng.ctl as syslogd_var_run_t. However, newer
>syslog-ng versions don't create a file at that path, but a unix domain
>socket. That socket is labeled devlog_t via a domtrans.
>
>However, I think that socket shouldn't have that context. It can be
>used to control some syslog-ng settings with the syslog-ng-ctl command
>line tool, and the many applications which are allowed to log messages
>to the syslog (via a devlog_t socket) shouldn't be granted that access.
>
>I'm not sure how to handle this, because a simple fc rule won't do --
>there also has to be an appropriate domtrans, and furthermore, I'm not
>sure about the interaction between sock_file's and
>unix_{dgram,stream}_socket's.
>
>What do you think?
>
>
>Regards,
>Luis Ressel
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Sent from my Samsung Galaxy Note 2 with K-9 Mail.
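The following is an added illustration, not code from this thread or from refpolicy itself, of what a named file transition (the "named domtrans" Russell asks about, which in refpolicy terms is a `filetrans_pattern` with a name argument) for the control socket could look like, plus the interface that answers the sock_file versus unix_stream_socket question: a client connecting to a unix stream socket is checked against the sock_file label (write) and separately against the listening daemon's unix_stream_socket (connectto). The type `syslogd_ctl_t` and the interface name `logging_stream_connect_syslog_ng_ctl` are assumptions introduced here; `syslogd_t`, `syslogd_var_run_t`, `files_pid_file`, `filetrans_pattern`, `manage_sock_files_pattern` and `stream_connect_pattern` are existing refpolicy names.

```selinux
# Added example, not from the thread or from refpolicy.
# Assumed (hypothetical): type syslogd_ctl_t and the interface name below.
# Existing refpolicy names: syslogd_t (daemon domain), syslogd_var_run_t
# (/var/run contents), files_pid_file, filetrans_pattern,
# manage_sock_files_pattern, stream_connect_pattern, files_search_pids.

# --- logging.te: a dedicated type for the control socket ------------
type syslogd_ctl_t;
files_pid_file(syslogd_ctl_t)

# Named file transition: only when syslogd_t creates a sock_file named
# exactly "syslog-ng.ctl" inside a syslogd_var_run_t directory does the
# kernel label it syslogd_ctl_t. Other objects syslogd_t creates there
# keep the existing default transition, so the blanket devlog_t label
# is no longer applied to the control socket.
filetrans_pattern(syslogd_t, syslogd_var_run_t, syslogd_ctl_t, sock_file, "syslog-ng.ctl")
manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_ctl_t)

# --- logging.if: grant only to domains that legitimately run syslog-ng-ctl
# stream_connect_pattern(domain, dir_type, sock_file_type, server_domain)
# expands to three separate checks:
#   allow $1 syslogd_var_run_t:dir search_dir_perms;
#   allow $1 syslogd_ctl_t:sock_file write_sock_file_perms;
#   allow $1 syslogd_t:unix_stream_socket connectto;
# Domains that only hold the devlog_t rules for logging get none of these.
interface(`logging_stream_connect_syslog_ng_ctl',`
	gen_require(`
		type syslogd_t, syslogd_ctl_t, syslogd_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, syslogd_var_run_t, syslogd_ctl_t, syslogd_t)
')

# --- logging.fc: keep restorecon in agreement with the runtime label ---
# "-s" restricts the match to socket files, so an ordinary file at the
# old path would not pick up the socket type.
/var/run/syslog-ng\.ctl	-s	gen_context(system_u:object_r:syslogd_ctl_t,s0)
```

The fc entry and the type transition must agree: the transition decides the label at creation time, the fc entry decides what `restorecon` or a relabel applies afterwards, and a mismatch would silently flip the socket between the two types depending on which ran last.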