* [refpolicy] [PATCH 1/1] Allow system logger to write to cron log files
@ 2012-10-29 19:16 Sven Vermeulen
2012-10-31 14:30 ` Christopher J. PeBenito
0 siblings, 1 reply; 4+ messages in thread
From: Sven Vermeulen @ 2012-10-29 19:16 UTC (permalink / raw)
To: refpolicy
The system logger is responsible for writing log events in various log files.
Some of these log files are not labeled as var_log_t, but have their domains'
specific logging type set. One of these is cron_log_t.
Allow syslogd_t to write to the cron log files, and introduce a file transition
when the file is just created.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/system/logging.te | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 696e0c8..b16ddac 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -490,6 +490,13 @@ optional_policy(`
')
optional_policy(`
+ cron_create_log_files(syslogd_t)
+ cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
+ cron_setattr_log_files(syslogd_t)
+ cron_write_log_files(syslogd_t)
+')
+
+optional_policy(`
inn_manage_log(syslogd_t)
')
--
1.7.8.6
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [refpolicy] [PATCH 1/1] Allow system logger to write to cron log files
2012-10-29 19:16 [refpolicy] [PATCH 1/1] Allow system logger to write to cron log files Sven Vermeulen
@ 2012-10-31 14:30 ` Christopher J. PeBenito
2012-10-31 14:46 ` Dominick Grift
0 siblings, 1 reply; 4+ messages in thread
From: Christopher J. PeBenito @ 2012-10-31 14:30 UTC (permalink / raw)
To: refpolicy
On 10/29/12 15:16, Sven Vermeulen wrote:
> The system logger is responsible for writing log events in various log files.
> Some of these log files are not labeled as var_log_t, but have their domains'
> specific logging type set. One of these is cron_log_t.
>
> Allow syslogd_t to write to the cron log files, and introduce a file transition
> when the file is just created.
While we already have syslogd doing this for inn logs, your patch makes me question this. Do we really want this? It seems that we would want all of the syslog logs to be var_log_t. If a service does logging itself, it would need a private log type, but if its logging to syslog, the logs should probably still come out var_log_t.
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> policy/modules/system/logging.te | 7 +++++++
> 1 files changed, 7 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
> index 696e0c8..b16ddac 100644
> --- a/policy/modules/system/logging.te
> +++ b/policy/modules/system/logging.te
> @@ -490,6 +490,13 @@ optional_policy(`
> ')
>
> optional_policy(`
> + cron_create_log_files(syslogd_t)
> + cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
> + cron_setattr_log_files(syslogd_t)
> + cron_write_log_files(syslogd_t)
> +')
> +
> +optional_policy(`
> inn_manage_log(syslogd_t)
> ')
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 4+ messages in thread
* [refpolicy] [PATCH 1/1] Allow system logger to write to cron log files
2012-10-31 14:30 ` Christopher J. PeBenito
@ 2012-10-31 14:46 ` Dominick Grift
2012-10-31 17:58 ` Sven Vermeulen
0 siblings, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2012-10-31 14:46 UTC (permalink / raw)
To: refpolicy
On Wed, 2012-10-31 at 10:30 -0400, Christopher J. PeBenito wrote:
> On 10/29/12 15:16, Sven Vermeulen wrote:
> > The system logger is responsible for writing log events in various log files.
> > Some of these log files are not labeled as var_log_t, but have their domains'
> > specific logging type set. One of these is cron_log_t.
> >
> > Allow syslogd_t to write to the cron log files, and introduce a file transition
> > when the file is just created.
>
> While we already have syslogd doing this for inn logs, your patch makes me question this. Do we really want this? It seems that we would want all of the syslog logs to be var_log_t. If a service does logging itself, it would need a private log type, but if its logging to syslog, the logs should probably still come out var_log_t.
Why? What is your argument for this?
I could think of one argument to use private types. This will help the
administrator of the service. We can now give him access to only the
service logs as opposed to all generic logs
> > Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> > ---
> > policy/modules/system/logging.te | 7 +++++++
> > 1 files changed, 7 insertions(+), 0 deletions(-)
> >
> > diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
> > index 696e0c8..b16ddac 100644
> > --- a/policy/modules/system/logging.te
> > +++ b/policy/modules/system/logging.te
> > @@ -490,6 +490,13 @@ optional_policy(`
> > ')
> >
> > optional_policy(`
> > + cron_create_log_files(syslogd_t)
> > + cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
> > + cron_setattr_log_files(syslogd_t)
> > + cron_write_log_files(syslogd_t)
> > +')
> > +
> > +optional_policy(`
> > inn_manage_log(syslogd_t)
> > ')
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* [refpolicy] [PATCH 1/1] Allow system logger to write to cron log files
2012-10-31 14:46 ` Dominick Grift
@ 2012-10-31 17:58 ` Sven Vermeulen
0 siblings, 0 replies; 4+ messages in thread
From: Sven Vermeulen @ 2012-10-31 17:58 UTC (permalink / raw)
To: refpolicy
On Wed, Oct 31, 2012 at 03:46:17PM +0100, Dominick Grift wrote:
> > While we already have syslogd doing this for inn logs, your patch makes me question this. Do we really want this? It seems that we would want all of the syslog logs to be var_log_t. If a service does logging itself, it would need a private log type, but if its logging to syslog, the logs should probably still come out var_log_t.
>
> Why? What is your argument for this?
>
> I could think of one argument to use private types. This will help the
> administrator of the service. We can now give him access to only the
> service logs as opposed to all generic logs
My first idea was to allow syslogd_t to manage all possible log files
(attribute "logfile"), but grift correctly pointed out that not all log
files are to be managed by the system logger, making this a bit too broad.
Prime examples of this are xserver_log_t, rpm_log_t, portage_log_t,
fsadm_log_t and others. Some of these are only generated by their respective
daemons, others are application log files (not service/daemon, and
definitely not syslog trigered).
Another possibility would be to provide interfaces like
"logging_syslog_log_file" and "logging_syslog_log_dir" which takes two
arguments, one being the type and one being an (optional) name to use for
file name transitions.
In case of cron, this could then be something like:
type cron_log_t;
logging_syslog_log_file(cron_log_t, "cron.log")
If the type is also to be used for directories, something like
type httpd_log_t;
logging_syslog_log_file(httpd_log_t)
logging_syslog_log_dir(httpd_log_t, "apache")
The interface would then assign an attribute "syslogfile" to the type, and
introduce a file transition:
logging_syslog_log_file(`
gen_require(`
attribute syslogfile;
type syslogd_t;
type var_log_t;
')
typeattribute $1 syslogfile;
filetrans_pattern(syslogd_t, var_log_t, $1, file, $2)
logging_log_file($1)
')
In the logging.te, there would be something like:
manage_files_pattern(syslogd_t, syslogfile, syslogfile)
manage_dirs_pattern(syslogd_t, syslogfile, syslogfile)
Is that an option to consider?
Wkr,
Sven Vermeulen
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2012-10-31 17:58 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-10-29 19:16 [refpolicy] [PATCH 1/1] Allow system logger to write to cron log files Sven Vermeulen
2012-10-31 14:30 ` Christopher J. PeBenito
2012-10-31 14:46 ` Dominick Grift
2012-10-31 17:58 ` Sven Vermeulen
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.