Hi,
Since syslogd_t runs at mls_systemhigh, both the /dev/log file and the unix_dgram_socket object bond to it are of mls_systemhigh, rendering that other application domain such as klogd_t running at lower security level failed to "sendto" it. One possible solution is to add syslogd_t to mlstrustedobject attribute since the unix_dgram_socket object inherits the creator's SID by default.
However, the side effect is that syslogd_t is also the label for the entire syslogd's procfs entries. The attached two patches are aimed to resolve this problem while eliminating such side effect, by declaring a separate type, syslogd_s_t, for the unix_dgram_socket object created by syslogd_t which alone could be added to the mlstrustedobject attribute.
Thanks to Stephen's suggestion security_transition_sid() would be called in socket_sockcreate_sid() to query the relevant type_transition rule say in logging.pp for any newly created socket.
After applying th!
ese two patches below errors don't exist any more:
type=1400 audit(1298535101.654:868): avc: denied { sendto } for pid=385 comm="klogd" path="/dev/log" scontext=system_u:object_r:klogd_t:s0 tcontext=system_u:object_r:syslogd_t:s15:c0.c1023 tclass=unix_dgram_socket
BTW, do we have a way to actually display the label for the unix_dgram_socket that bond to /dev/log?
Any comments is are greatly appreciated!
Thanks a lot!
Best regards,
Harry