From: dac.override@gmail.com (Dominick Grift)
Date: Sat, 23 Aug 2014 18:52:26 +0200
Subject: [refpolicy] [PATCH 3/8] Label systemd-journald files and directories
In-Reply-To: <53F8B61D.1090401@m4x.org>
References: <1408802382-10212-1-git-send-email-nicolas.iooss@m4x.org>
 <1408802382-10212-4-git-send-email-nicolas.iooss@m4x.org>
 <20140823142925.GA2492@e145.network2>
 <53F8B61D.1090401@m4x.org>
Message-ID: <20140823165225.GA4391@e145.network2>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, Aug 23, 2014 at 05:41:17PM +0200, Nicolas Iooss wrote:
> 2014-08-23 16:29 GMT+02:00 Dominick Grift wrote:
> > On Sat, Aug 23, 2014 at 03:59:37PM +0200, Nicolas Iooss wrote:
> >> ---
> >> policy/modules/system/logging.fc | 8 ++++++++
> >> 1 file changed, 8 insertions(+)
> >>
> >> diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
> >> index 374fb53ee0fd..fc3c0854f5a7 100644
> >> --- a/policy/modules/system/logging.fc
> >> +++ b/policy/modules/system/logging.fc
> >> @@ -1,4 +1,5 @@
> >> /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
> >> +/dev/log -l gen_context(system_u:object_r:devlog_t,mls_systemhigh)
> >>
> >
> > The solution I chose for my personal policy is to just keep the links
> > device_t. In my opinion it keeps things a bit simpler.
> >
> > I may be overlooking a compelling argument to label the link with
> > a private type.
>
> The reasons which explain why I did this are:
>
> (a) refpolicy already supports reading devlog_t symlinks [1].
> (b) I believed "device_t" was to be understood as meaning "things which
> are not yet precisely labeled in /dev".
> (c) I believed only a few domains were allowed to read device_t:lnk_files.

Yes, in my policy I did something that I am not really proud of.

In refpolicy (I believe) anyone associated with a domain (which is pretty
much any process) can traverse device_t dirs.

However, in my policy the devices_search() macro uses a "dirs search"
classmapping, which really extends "dir search" with "lnk_file read".

So in practice any domain is allowed to traverse device_t dirs, and is
additionally allowed to read device_t symlinks.

A bit overkill, and I should probably revisit that if only for the sake of
efficiency. (In fact I will add that to my TODO list right now.)
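Review bot: the new `-l` entry gives the /dev/log symlink the socket's private type devlog_t, so any domain that today reaches /dev/log only through generic device_t symlink read permission will be denied lnk_file read on devlog_t once the link is relabeled; since point (a) says refpolicy already has support for reading devlog_t symlinks, the patch description should name that interface and confirm the logging client interfaces call it, so the relabel does not silently break log clients.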