From: nicolas.iooss@m4x.org (Nicolas Iooss) Date: Sat, 23 Aug 2014 15:59:39 +0200 Subject: [refpolicy] [PATCH 5/8] Label /dev/log symlink at boot time with systemd In-Reply-To: <1408802382-10212-1-git-send-email-nicolas.iooss@m4x.org> References: <1408802382-10212-1-git-send-email-nicolas.iooss@m4x.org> Message-ID: <1408802382-10212-6-git-send-email-nicolas.iooss@m4x.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com systemd creates /dev/log as a symlink to /run/systemd/journal/dev-log when starting the Journal Socket Unit. Add an interface to the logging module to label this symlink correctly. Please note this is distinct from what Fedora does in its policy: https://git.fedorahosted.org/cgit/selinux-policy.git/tree/policy/modules/system/logging.if?h=rawhide-base&id=f85b52d1c6805e9b0a8bd2a4a4332e66e4b52c00#n611 Here is the unit file responsible for creating the symlink: http://cgit.freedesktop.org/systemd/systemd/tree/units/systemd-journald-dev-log.socket?id=v215 --- policy/modules/system/init.te | 3 +++ policy/modules/system/logging.if | 19 +++++++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index b57637504939..a46d0837a85b 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -123,6 +123,9 @@ files_pid_filetrans(init_t, init_var_run_t, file) allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) +# Create /dev/log symlink to /run/systemd/journal/dev-log +logging_filetrans_devlog_lnk(init_t) + # Modify utmp. allow init_t initrc_var_run_t:file { rw_file_perms setattr }; diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 21c4f522515b..b378fa73304a 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if 
@@ -1089,3 +1089,22 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') + +######################################## +## +## Automatic type transition when creating +## /dev/log symbolic link. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_filetrans_devlog_lnk',` + gen_require(` + type devlog_t; + ') + + dev_filetrans($1, devlog_t, lnk_file, "log") +') -- 2.0.4
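Review bot: in the init.te hunk, `logging_filetrans_devlog_lnk(init_t)` is added unconditionally, next to the unconditional `dev_filetrans(init_t, initctl_t, fifo_file)`, although the commit message says the /dev/log symlink is only created by systemd's journal socket unit. If this tree carries the `init_systemd` build conditional, the call belongs inside an `ifdef(`init_systemd',` ... `')` block so that sysvinit builds do not pick up a transition rule for a symlink that nothing creates; otherwise the comment above the call should say why it is safe to apply to every init.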
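Review bot: in the logging.if hunk, `dev_filetrans($1, devlog_t, lnk_file, "log")` only installs the type_transition and the directory access needed on device_t; it grants the caller nothing on `devlog_t:lnk_file`, so unless init_t already has create rights on that class and type, creating the symlink will still be denied. Either state in the interface description that callers must pair it with a manage interface for devlog_t symlinks, or add the matching allow rule (e.g. `allow $1 devlog_t:lnk_file manage_lnk_file_perms;`) alongside the filetrans call. Minor: the interface is appended after `logging_admin`, which by refpolicy convention stays the last interface in the file; place it with the other devlog_t interfaces instead.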