
List:       refpolicy
Subject:    [refpolicy] system_logging.patch
From:       dwalsh () redhat ! com (Daniel J Walsh)
Date:       2009-11-24 15:57:48
Message-ID: 4B0C027C.60607 () redhat ! com

On 11/24/2009 10:56 AM, Daniel J Walsh wrote:
> On 11/24/2009 09:32 AM, Christopher J. PeBenito wrote:
> > On Thu, 2009-11-12 at 17:13 -0500, Daniel J Walsh wrote:
> > > http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_logging.patch
> > > Latest audit system handling.
> > 
> > 
> > > -/var/run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
> > > -/var/run/audispd_events	-s	gen_context(system_u:object_r:audisp_var_run_t,s0)
> > > -/var/run/auditd\.pid	--	gen_context(system_u:object_r:auditd_var_run_t,s0)
> > > -/var/run/auditd_sock	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
> > > +/var/run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
> > >  +/var/run/audispd_events	-s	gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh)
> > >  +/var/run/auditd\.pid	--	gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
> > >  +/var/run/auditd_sock	-s	gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
> > >                 
> > > /var/run/klogd\.pid	--	gen_context(system_u:object_r:klogd_var_run_t,s0)
> > > /var/run/log		-s	gen_context(system_u:object_r:devlog_t,s0)
> > > /var/run/metalog\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
> > > /var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
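Review bot: The four audit entries go from s0 to mls_systemhigh with no comment saying why, and the change covers the regular file /var/run/auditd\.pid (--) as well as the three sockets (-s). A short comment above these entries stating the reason for the higher level would record the intent, and it is worth confirming that the pid file needs the same level as the sockets, since the neighbouring klogd, metalog and syslogd pid files and /var/run/log stay at s0.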
> > 
> > Why do sockets need to be system high?
> > 
So processes that listen on these sockets have to be system_high.  They are providing system_high information.
> > > +optional_policy(`
> > > +	dbus_system_bus_client(audisp_t)
> > > +
> > > +	optional_policy(`
> > > +		setroubleshoot_dbus_chat(audisp_t)
> > > +	')
> > > +')
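Review bot: dbus_system_bus_client(audisp_t) and setroubleshoot_dbus_chat(audisp_t) grant the D-Bus access to the audisp_t domain as a whole, and nothing in the block says which component needs it. If only one program run by the dispatcher talks to setroubleshoot, moving these two calls to a dedicated domain for that program keeps audisp_t narrower; otherwise add a comment naming the consumer.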
> > 
> > Is audisp actually doing this, or is it a script it runs that is doing
> > this?  If it's the latter, it needs its own policy.
> > 
> > 
> It is sedisp, so I guess it could have its own policy.
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

