From: dominick.grift@gmail.com (grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 2/7] Allow sandbox to log violations
Date: Tue, 27 Nov 2012 13:59:47 +0100
Message-ID: <1354021187.1888.10.camel@localhost>
In-Reply-To: <1353612118-9745-3-git-send-email-sven.vermeulen@siphos.be>

On Thu, 2012-11-22 at 20:21 +0100, Sven Vermeulen wrote:
> When the sandbox (running in portage_sandbox_t) detects a violation, it will try
> to log this into /var/log/sandbox. However, the portage_sandbox_t domain
> currently is not allowed to do anything with these logs. As a result, the
> violations are not logged.
> 
> Allow the portage_sandbox_t domain to generate logs (as portage_log_t) as well
> as clean them up (sandbox will remove older violation logs if the process id
> of the current violation would result in an existing log file to be
> overwritten).
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  portage.te |    3 +++
>  1 files changed, 3 insertions(+), 0 deletions(-)
> 
> diff --git a/portage.te b/portage.te
> index 074828c..ebb3139 100644
> --- a/portage.te
> +++ b/portage.te
> @@ -339,6 +339,9 @@ allow portage_sandbox_t portage_t:process sigchld;
>  allow portage_sandbox_t self:process ptrace;
>  dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
>  
> +allow portage_sandbox_t portage_log_t:file manage_file_perms;
> +logging_log_filetrans(portage_sandbox_t, portage_log_t, file)
> +

Would be nice if we would be able to tighten this up just a little bit.

Would this work:
allow portage_sandbox_t portage_log_t:file { create_file_perms
delete_file_perms setattr_file_perms append_file_perms };

That would leave out the write permission. Not very useful since sandbox
can still delete the whole file, but still.

If it is undesired or if that will not work then I will merge this as is.

>  portage_compile_domain(portage_sandbox_t)
>  
>  auth_use_nsswitch(portage_sandbox_t)
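
Review bot: the added `allow portage_sandbox_t portage_log_t:file manage_file_perms;` line grants the sandbox more than the commit message asks for, which is only to generate violation logs and remove older ones. Consider narrowing it to the create, append, setattr and delete permission sets proposed in the reply, so that the domain cannot rewrite existing log content in place. As the reply notes, delete must stay for the clean-up case, so this does not protect a log from being removed and recreated; it only rules out silent modification. The two new lines also lack a comment saying why the sandbox domain needs access to portage_log_t, and a one-line comment above them about violation logging in /var/log/sandbox would help later readers of portage.te.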
