2009/6/16 KaiGai Kohei <kaigai@xxxxxxxxxxxxx>:
>
> The "fd" class represents a file descriptor object, not any filesystem
> objects. For example, if you open the /tmp/aaa, this file belongs to
> "file" class, but the file descriptor of the file belongs to "fd" class.

I figured it was something like that, but I didn't see any actions I could take on fds.

> It seems to me the policy does not allow:
>
> logrotate_use_fds(syslogd_t)
>
> The fd class inherits the security context of the process which opened
> itself.

Ok, fair enough, but why is syslog-ng seeing /dev/null as a logrotate_t target? If logrotate opens /dev/null (as it probably does) that shouldn't affect any other process that opens that same device. If it does that sounds like a potential security problem.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
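The point KaiGai makes above, that an `fd` object carries the domain of the process that opened it rather than the label of the file behind it, is easiest to see in the AVC denial itself: for a `tclass=fd` denial the `tcontext` is a process domain (here `logrotate_t`), whereas for a `tclass=file` denial it is a file type. The following script is an added example, not code from the thread or from the SELinux project. It parses AVC lines, keeps only denials, and prints the raw `allow` rule each one would need together with a one-line reading of what the denial means. The sample audit lines are constructed for this example; the `fd` line models the situation discussed (syslog-ng in `syslogd_t` holding a descriptor on `/dev/null` that was opened by `logrotate_t`), and the rule it produces is the kind of rule the `logrotate_use_fds()` interface named in the thread wraps.

```python
import re
from dataclasses import dataclass

# Constructed sample AVC records (not taken from the thread). Line 1 is an
# fd-class denial: note that tcontext is a *process* domain (logrotate_t),
# the domain that opened the descriptor, not the label of /dev/null.
# Line 2 is an ordinary file-class denial, where tcontext is a file type.
# Line 3 is a granted record and must be ignored by the parser.
SAMPLE_AVC = """\
type=AVC msg=audit(1245100000.101:201): avc:  denied  { use } for  pid=2314 comm="syslog-ng" path="/dev/null" dev=tmpfs ino=1026 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=fd
type=AVC msg=audit(1245100000.102:202): avc:  denied  { read } for  pid=2314 comm="syslog-ng" name="messages" dev=sda1 ino=5551 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1245100000.103:203): avc:  granted  { use } for  pid=2314 comm="syslog-ng" path="/dev/null" dev=tmpfs ino=1026 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=fd
"""

# Matches the fields of an AVC record that matter for building a rule:
# the result, the permission set, and the source/target contexts and class.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


@dataclass(frozen=True)
class AvcDenial:
    scontext: str
    tcontext: str
    tclass: str
    perms: tuple

    @property
    def source_type(self) -> str:
        # user:role:type[:range] -> the type field is index 2
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]

    def allow_rule(self) -> str:
        """Raw TE rule that would permit exactly this denied access."""
        return (f"allow {self.source_type} {self.target_type}:{self.tclass} "
                f"{{ {' '.join(self.perms)} }};")

    def explanation(self) -> str:
        """Plain reading of the denial, distinguishing fd from file objects."""
        if self.tclass == "fd":
            return (f"{self.source_type} used a descriptor that a {self.target_type} "
                    f"process opened; the fd carries the opener's domain, not the "
                    f"label of the underlying file")
        return f"{self.source_type} accessed an object labelled {self.target_type}"


def parse_avc_denials(text: str) -> list:
    """Return the denied AVC records found in text, in order; granted ones are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None or m.group("result") != "denied":
            continue
        denials.append(AvcDenial(m.group("scontext"), m.group("tcontext"),
                                 m.group("tclass"), tuple(m.group("perms").split())))
    return denials


def fd_denials(denials: list) -> list:
    """Only the fd-class denials: the ones that reflect inherited descriptors."""
    return [d for d in denials if d.tclass == "fd"]


if __name__ == "__main__":
    for d in parse_avc_denials(SAMPLE_AVC):
        print(d.allow_rule())
        print("   #", d.explanation())
```

Run against real audit output (`ausearch -m avc` piped in) the same parser applies unchanged. The `fd`-class rule it prints, `allow syslogd_t logrotate_t:fd { use };`, makes the thread's question concrete: the target of the denial is the domain that opened the descriptor, so the question to answer is which `logrotate_t` process handed a descriptor to syslog-ng, not which label `/dev/null` carries.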