From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 25 Aug 2014 08:32:11 -0400
Subject: [refpolicy] [PATCH 3/8] Label systemd-journald files and directories
In-Reply-To: <53F8B61D.1090401@m4x.org>
References: <1408802382-10212-1-git-send-email-nicolas.iooss@m4x.org> <1408802382-10212-4-git-send-email-nicolas.iooss@m4x.org> <20140823142925.GA2492@e145.network2> <53F8B61D.1090401@m4x.org>
Message-ID: <53FB2CCB.7060005@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 8/23/2014 11:41 AM, Nicolas Iooss wrote:
> 2014-08-23 16:29 GMT+02:00 Dominick Grift wrote:
>> On Sat, Aug 23, 2014 at 03:59:37PM +0200, Nicolas Iooss wrote:
>>> ---
>>> policy/modules/system/logging.fc | 8 ++++++++
>>> 1 file changed, 8 insertions(+)
>>>
>>> diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
>>> index 374fb53ee0fd..fc3c0854f5a7 100644
>>> --- a/policy/modules/system/logging.fc
>>> +++ b/policy/modules/system/logging.fc
>>> @@ -1,4 +1,5 @@
>>> /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
>>> +/dev/log -l gen_context(system_u:object_r:devlog_t,mls_systemhigh)
>>>
>>
>> The solution I chose for my personal policy is to just keep the links
>> device_t. In my opinion it keeps things a bit simpler.

I agree.

>> I may be overlooking a compelling argument to label the link with
>> a private type.

I can't think of any examples of that for system controlled objects.

> The reasons which explain why I did this are:
>
> (a) refpolicy already supports reading devlog_t symlinks [1].

It is a vestige of the NSA example policy. Since we don't label the symlink devlog_t anymore, we should remove the rules.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
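Review bot: the added `-l` entry in this logging.fc hunk gives the /dev/log symlink the private devlog_t type, so every domain that resolves /dev/log would also need to be allowed to read a devlog_t lnk_file, which is exactly the symlink-reading rule the thread identifies as a leftover to be removed. Keeping the link at the default device_t label, as the discussion concludes, needs no new file context and no extra read rule; consider dropping the line `+/dev/log -l gen_context(system_u:object_r:devlog_t,mls_systemhigh)` and leaving only the existing `-s` socket entry, with a note in the commit message on why the symlink is intentionally not given a private type.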