Re: journald bypassing MAC checks?

On 04/23/2014 07:19 PM, Stephen Smalley wrote:

> Then I guess the question is what does journald do with the log message
> it reads from the file, e.g. does it write it to the journal and then
> who is allowed to read from the journal.  In a MLS environment, for
> example, I would expect the journal to be unreadable except by
> systemhigh processes as it might contain data from any level.

The log message is written to the journal (a file under /var/log/journal), from where it can be retrieved by the user who submitted the FD under certain circumstances. The journal log file has an ACL which grants read permissions to the user, assuming that the message was routed to the user's UID (which depends on journald configuration).

However, with Fedora's targeted policy, this might not work because journald is likely not allowed to read the file.

--
Florian Weimer / Red Hat Product Security Team
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
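As an added check that is not part of the thread: the reply above says read access to a journal file is granted through a POSIX ACL, so the defender's question is who that ACL actually lets read. The script below parses a getfacl(1) listing (the sample is constructed; `journal_readers` assumes the acl package is installed and a path under /var/log/journal) and applies the mask entry, which caps named user and group entries.

```python
import subprocess

# Constructed sample of `getfacl -p` output for a per-user journal file on
# Fedora: journald adds an ACL entry so that UID 1000 can read its own journal.
SAMPLE_ACL = """\
# file: /var/log/journal/0123456789abcdef0123456789abcdef/user-1000.journal
# owner: root
# group: systemd-journal
user::rw-
user:1000:r--
group::r--
group:adm:r--
mask::r--
other::---
"""

def readers_from_getfacl(text):
    """Map a getfacl listing to who may read: {"users", "groups", "other"}.
    Named user/group entries and the owning group are capped by the mask
    (user:1000:r-- under mask::--- grants nothing); owner and other are not."""
    owner, owning_group, mask, entries = None, None, "rwx", []
    for raw in text.splitlines():
        line = raw.split("\t")[0].strip()  # drop "#effective:" annotations
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            owning_group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":", 2)
            if tag == "mask":
                mask = perms
            else:
                entries.append((tag, qualifier, perms))
    users, groups, other = set(), set(), False
    for tag, qualifier, perms in entries:
        if "r" not in perms:
            continue
        if tag == "user" and not qualifier:      # owner entry: never masked
            users.add(owner)
        elif tag == "other":
            other = True
        elif "r" in mask:                        # named user/group, owning group
            (users if tag == "user" else groups).add(qualifier or owning_group)
    return {"users": users, "groups": groups, "other": other}

def journal_readers(path):
    """Run getfacl on a real journal file (requires the acl package)."""
    out = subprocess.run(["getfacl", "-p", "-n", path], check=True,
                         capture_output=True, text=True).stdout
    return readers_from_getfacl(out)
```

Run `journal_readers("/var/log/journal/<machine-id>/user-1000.journal")` on a live system to see which UIDs and groups the ACL exposes that journal to; `-n` keeps the qualifiers numeric so they can be compared with the UID journald routed the message to.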