Closed JAORMX closed 5 years ago
@wrabcak what do you think about the comment?
Hi @JAORMX , The best will be allow caller domain to read/write also directories labeled as var_log_t (and var_log_t label is part of logfile attribute). So line 20 we don't need at all and please line 5 change with following line: "(allow process logfile (dir (ioctl read write getattr lock search open)))"
Thanks! Lukas.
Cirrus CI is failing but it looks like unrelated issue to this PR. Merging.
Thanks, Lukas.
For the log_rw_container it wasn't possible to create new files, which is something that's normally required. So we're adding this capability, while still not allowing that container to rename that directory or remove files from it as a security measure.
The audit_log_t file was also modified to be more restrictive for the log_rw_container block, so we only allow reads now. However, the write capability was left for the log_manage_container block.