While trying to create a domain that could read all the files in /var/log, I noticed that hald_log_t files do not have the logfile attribute. This appears to be intentional because the logging_log_filetrans interface was used instead of the logging_log_file interface. Is this still the intention? Attached is a patch to add an interface to allow domains to read hald_log_t in case hald_log_t needs to remain a private type. Thoughts?

rob.
Index: policy/modules/services/hal.if =================================================================== --- policy/modules/services/hal.if (revision 2659) +++ policy/modules/services/hal.if (working copy) @@ -210,6 +210,28 @@ ######################################## ## <summary> +## Allow attempts to read the hal +## log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to allow to read log files +## </summary> +## </param> +# +interface(`hal_read_log',` + gen_require(` + type hald_log_t; + ') + + logging_search_logs($1) + allow $1 hald_log_t:dir search_dir_perms; + allow $1 hald_log_t:dir r_dir_perms; + allow $1 hald_log_t:file read_file_perms; +') + +######################################## +## <summary> ## Do not audit attempts to write the hal ## log files. ## </summary>
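Review bot: in the new hal_read_log interface the rule `allow $1 hald_log_t:dir search_dir_perms;` is redundant, because the `allow $1 hald_log_t:dir r_dir_perms;` on the following line already includes search permission on the directory; drop the search_dir_perms line so the interface carries one dir rule plus the file rule. With that removed, the body (logging_search_logs($1) for the path to /var/log, r_dir_perms on the hald_log_t directory, read_file_perms on the files) is the minimal read-only grant, and the approach of keeping hald_log_t private while exposing reads through an interface is consistent with the existing logging_log_filetrans usage noted in the cover mail.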