From: nicolas.iooss@m4x.org (Nicolas Iooss) Date: Sat, 23 Aug 2014 17:41:17 +0200 Subject: [refpolicy] [PATCH 3/8] Label systemd-journald files and directories In-Reply-To: <20140823142925.GA2492@e145.network2> References: <1408802382-10212-1-git-send-email-nicolas.iooss@m4x.org> <1408802382-10212-4-git-send-email-nicolas.iooss@m4x.org> <20140823142925.GA2492@e145.network2> Message-ID: <53F8B61D.1090401@m4x.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com 2014-08-23 16:29 GMT+02:00 Dominick Grift wrote: > On Sat, Aug 23, 2014 at 03:59:37PM +0200, Nicolas Iooss wrote: >> --- >> policy/modules/system/logging.fc | 8 ++++++++ >> 1 file changed, 8 insertions(+) >> >> diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc >> index 374fb53ee0fd..fc3c0854f5a7 100644 >> --- a/policy/modules/system/logging.fc >> +++ b/policy/modules/system/logging.fc >> @@ -1,4 +1,5 @@ >> /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) >> +/dev/log -l gen_context(system_u:object_r:devlog_t,mls_systemhigh) >> > > The solution I chose for my personal policy is to just keep the links > device_t. In my opinion it keeps things a bit simpler. > > I may be overlooking an compelling argument to label the link with > a private type. The reasons which explain why I did this are: (a) refpolicy already supports reading devlog_t symlinks [1]. (b) I believed "device_t" was to be understood as meaning "things which are not yet precisely labeled in /dev". (c) I believed only few domains were allowed to read device_t:lnk_files. Even if (a) is an established fact, (b) is in fact false, as every symlink in /dev but /dev/log is labeled as device_t. (c) is also false, as the set of domains returned by "sesearch -A -t device_t -c lnk_file -p read" includes all of the domains returned by the same search with devlog_t on my system. Moreover I agree with your argument "it keeps things a bit simple", as keeping /dev/log labeled as device_t makes patch 5/8 useless. So I'll wait for other comments on this patchset and then submit a v2. Thanks for your review, Nicolas [1] https://github.com/TresysTechnology/refpolicy/blob/4451a6c4976cdb19425b80d66ae30c7a5ea15b8f/policy/modules/system/logging.if#L536