Signed-off-by: Chris Richards <[email protected]>
---
policy/modules/system/logging.fc | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index b5e845a..1b797d9 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -61,6 +61,8 @@ ifdef(`distro_redhat',`
/var/run/log -s gen_context(system_u:object_r:devlog_t,s0)
/var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/run/syslog-ng\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/run/syslog-ng\.ctl -s gen_context(system_u_object_r:devlog_t,s0)
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
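Review bot: The context on the added /var/run/syslog-ng\.ctl line is written system_u_object_r:devlog_t, with an underscore where every neighbouring entry has a colon between the user and the role (system_u:object_r:...). As written it has two colon-separated fields instead of three, so it will not parse as a user:role:type context. It should read system_u:object_r: like the syslog-ng\.pid line directly above it. The commit message is also empty apart from the sign-off. A sentence on why the control socket shares devlog_t with /var/run/log, rather than getting a type of its own, would make the intent reviewable.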
--
1.6.4.4

On Tue, 2010-02-23 at 05:20 +0000, Chris Richards wrote:
> Signed-off-by: Chris Richards <[email protected]>
> ---
> policy/modules/system/logging.fc | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
> index b5e845a..1b797d9 100644
> --- a/policy/modules/system/logging.fc
> +++ b/policy/modules/system/logging.fc
> @@ -61,6 +61,8 @@ ifdef(`distro_redhat',`
> /var/run/log -s gen_context(system_u:object_r:devlog_t,s0)
> /var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
> /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
> +/var/run/syslog-ng\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
> +/var/run/syslog-ng\.ctl -s gen_context(system_u_object_r:devlog_t,s0)
It doesn't seem correct to label this control socket devlog_t, which is
supposed to be for receiving messages to be logged.
> /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
>
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

On 02/23/2010 12:14 PM, Christopher J. PeBenito wrote:
>> +/var/run/syslog-ng\.ctl -s gen_context(system_u_object_r:devlog_t,s0)
>>
> It doesn't seem correct to label this control socket devlog_t, which is
> supposed to be for receiving messages to be logged.
>
>
I'm inclined to agree, but all I was really trying to do here was get
the file contexts in line with what the policy was already doing so that
restorecon wouldn't bork everything.

I'll go back and take a look at this a bit more.