[refpolicy] [PATCH 1/1] Allow userdomains to send syslog messages
Dominick Grift
domg472 at gmail.com
Thu Aug 25 04:56:41 CDT 2011
On Wed, Aug 24, 2011 at 12:11:11PM -0400, Christopher J. PeBenito wrote:
> On 08/24/11 10:31, Dominick Grift wrote:
> > On Wed, Aug 24, 2011 at 10:16:24AM -0400, Christopher J. PeBenito wrote:
> >> On 08/24/11 09:51, Dominick Grift wrote:
> >>> On Wed, Aug 24, 2011 at 09:41:10AM -0400, Christopher J. PeBenito wrote:
> >>>> On 08/24/11 09:15, Dominick Grift wrote:
> >>>>> On Wed, Aug 24, 2011 at 09:10:00AM -0400, Christopher J. PeBenito wrote:
> >>>>>> On 08/23/11 06:57, Sven Vermeulen wrote:
> >>> ... snip ...
> >>>>> I do, the git-daemon run by users can be configured to use syslog. I allowed this by default in my git policy. Would you prefer a boolean "git_session_daemon_can_syslog" instead of allowing it by default?
> >>>>
> >>>> Thats a different domain. I'm speaking of unpriv user domains user_t,
> >>>> staff_t, etc.
> >>>
> >>> Until a git (session) daemon domain is implemented it runs in the unprivileged user domain.
> >>
> >> Ok. I don't see this as a good reason to allow this. A user running a
> >> daemon should be logging to their home directory.
> >
> > Agreed, but what if the administrator decides to run it as an unprivileged user and still wants to it to syslog.
> >
> > It seems actually very sane to me. Running git-daemon as a system service requires inetd and it runs as root. Running inetd just to export a repository might be a bit much. If you can achieve what you want by running it as a unpriv user then why not.
>
> If a user can run it as a user service w/o inetd, then why can't it run
> as a system service w/o inetd? Why cant you use start-stop-daemon or su
> to run it with a different uid?
Anyhow, if the git session daemon policy is generally accepted. i will be more than happy to send an additional patch removing the privilege for git_session_t to use syslog. Better something than nothing at all...
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110825/97c73acd/attachment.bin
More information about the refpolicy
mailing list