From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Sat, 23 Aug 2014 15:59:39 +0200
Subject: [refpolicy] [PATCH 5/8] Label /dev/log symlink at boot time with systemd
In-Reply-To: <1408802382-10212-1-git-send-email-nicolas.iooss@m4x.org>
References: <1408802382-10212-1-git-send-email-nicolas.iooss@m4x.org>
Message-ID: <1408802382-10212-6-git-send-email-nicolas.iooss@m4x.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
systemd creates /dev/log as a symlink to /run/systemd/journal/dev-log
when starting the Journal Socket Unit. Add an interface to the logging
module to label this symlink correctly.
Please note this is distinct from what Fedora does in its policy:
https://git.fedorahosted.org/cgit/selinux-policy.git/tree/policy/modules/system/logging.if?h=rawhide-base&id=f85b52d1c6805e9b0a8bd2a4a4332e66e4b52c00#n611
Here is the unit file responsible for creating the symlink:
http://cgit.freedesktop.org/systemd/systemd/tree/units/systemd-journald-dev-log.socket?id=v215
---
policy/modules/system/init.te | 3 +++
policy/modules/system/logging.if | 19 +++++++++++++++++++
2 files changed, 22 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index b57637504939..a46d0837a85b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -123,6 +123,9 @@ files_pid_filetrans(init_t, init_var_run_t, file)
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
+# Create /dev/log symlink to /run/systemd/journal/dev-log
+logging_filetrans_devlog_lnk(init_t)
+
# Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
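Review bot: the call `logging_filetrans_devlog_lnk(init_t)` is added unconditionally in init.te, but the /dev/log symlink it labels is only created by systemd's journal socket unit, so on a non-systemd init this grants init_t a transition it never uses; consider guarding the call with the build's systemd conditional if the policy has one. Also, the comment reads "Create /dev/log symlink", but the interface name and body only install a type transition; confirm that init_t is separately allowed to create a `lnk_file` of type devlog_t, since this hunk does not add that permission.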
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 21c4f522515b..b378fa73304a 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1089,3 +1089,22 @@ interface(`logging_admin',`
logging_admin_audit($1, $2)
logging_admin_syslog($1, $2)
')
+
+########################################
+##
+## Automatic type transition when creating
+## /dev/log symbolic link.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logging_filetrans_devlog_lnk',`
+ gen_require(`
+ type devlog_t;
+ ')
+
+ dev_filetrans($1, devlog_t, lnk_file, "log")
+')
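Review bot: the documentation block for `logging_filetrans_devlog_lnk` is missing the XML markup refpolicy interface docs use: the `##` lines carry only the summary text and "Domain allowed access." with empty `##` lines where `<summary>`, `<param name="domain">` and their closing tags should sit, so the doc tooling will not associate the description with the `$1` parameter (the tags may have been stripped in transit; please check the committed file). The body itself is consistent with the stated purpose: it requires `devlog_t` and calls `dev_filetrans($1, devlog_t, lnk_file, "log")`, which covers only the symlink case and leaves the existing /dev/log socket labeling untouched.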
--
2.0.4