[refpolicy] [PATCH 02/11] Allow sandbox to log violations

[dominick.grift@gmail.com (grift)]

On Sat, 2012-12-08 at 21:56 +0100, Sven Vermeulen wrote:
> When the sandbox (running in portage_sandbox_t) detects a violation, it will try
> to log this into /var/log/sandbox. However, the portage_sandbox_t domain
> currently is not allowed to do anything with this logs. As a result, the
> violations are not logged.
> 
> Allow the portage_sandbox_t domain to generate logs (as portage_log_t) as well
> as clean them up (sandbox will remove older violation logs if the process id
> of the current violation would result in an existing log file to be
> overwritten).

I merged this but you need to also do a corresponding file context spec
for /var/log/sandbox. please


Thanks


> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  portage.te |    3 +++
>  1 files changed, 3 insertions(+), 0 deletions(-)
> 
> diff --git a/portage.te b/portage.te
> index f9b9ce8..40e16c3 100644
> --- a/portage.te
> +++ b/portage.te
> @@ -335,6 +335,9 @@ optional_policy(`
>  allow portage_sandbox_t self:process ptrace;
>  dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
>  
> +allow portage_sandbox_t portage_log_t:file { create_file_perms delete_file_perms setattr_file_perms append_file_perms };
> +logging_log_filetrans(portage_sandbox_t, portage_log_t, file)
> +
>  portage_compile_domain(portage_sandbox_t)
>  
>  auth_use_nsswitch(portage_sandbox_t)