## Policy for the kernel message logger and system logging daemon. ######################################## ## ## Make the specified type usable for log files ## in a filesystem. ## ## ##

## Make the specified type usable for log files in a filesystem. ## This will also make the type usable for files, making ## calls to files_type() redundant. Failure to use this interface ## for a log file type may result in problems with log ## rotation, log analysis, and log monitoring programs. ##

##

## Related interfaces: ##

## ##

## Example usage with a domain that can create ## and append to a private log file stored in the ## general directories (e.g., /var/log): ##

##

## type mylogfile_t; ## logging_log_file(mylogfile_t) ## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; ## logging_log_filetrans(mydomain_t, mylogfile_t, file) ##

##
## ## ## Type to be used for files. ## ## ## # interface(`logging_log_file',` gen_require(` attribute logfile; ') files_type($1) files_associate_tmp($1) fs_associate_tmpfs($1) typeattribute $1 logfile; ') ####################################### ## ## Send audit messages. ## ## ## ## Domain allowed access. ## ## # interface(`logging_send_audit_msgs',` allow $1 self:capability audit_write; allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay nlmsg_tty_audit }; ') ####################################### ## ## dontaudit attempts to send audit messages. ## ## ## ## Domain to not audit. ## ## # interface(`logging_dontaudit_send_audit_msgs',` dontaudit $1 self:capability audit_write; dontaudit $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay }; ') ######################################## ## ## Create netlink audit socket ## ## ## ## Domain allowed access. ## ## # interface(`logging_create_syslog_netlink_audit_socket',` gen_require(` type syslogd_t; ') allow $1 syslogd_t:netlink_audit_socket create_netlink_socket_perms; ') ######################################## ## ## Set login uid ## ## ## ## Domain allowed access. ## ## # interface(`logging_set_loginuid',` allow $1 self:capability audit_control; allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay }; ') ######################################## ## ## Set tty auditing ## ## ## ## Domain allowed access. ## ## # interface(`logging_set_tty_audit',` allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_tty_audit }; ') ######################################## ## ## Set up audit ## ## ## ## Domain allowed access. ## ## # interface(`logging_set_audit_parameters',` allow $1 self:capability { audit_write audit_control }; allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; ') ######################################## ## ## Read the audit log. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_read_audit_log',` gen_require(` type auditd_log_t; ') files_search_var($1) read_files_pattern($1, auditd_log_t, auditd_log_t) read_lnk_files_pattern($1, auditd_log_t, auditd_log_t) allow $1 auditd_log_t:dir list_dir_perms; ') ######################################## ## ## Watch the audit log files. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_watch_audit_log_files',` gen_require(` type var_log_t, auditd_log_t; ') watch_files_pattern($1, auditd_log_t, auditd_log_t) ') ######################################## ## ## Watch the audit log directories. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_watch_audit_log_dirs',` gen_require(` type var_log_t, auditd_log_t; ') allow $1 var_log_t:dir search_dir_perms; watch_dirs_pattern($1, auditd_log_t, auditd_log_t) ') ######################################## ## ## Map the audit log. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_map_audit_log',` gen_require(` type auditd_log_t; ') allow $1 auditd_log_t:file map; ') ######################################## ## ## Execute auditctl in the auditctl domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`logging_domtrans_auditctl',` gen_require(` type auditctl_t, auditctl_exec_t; ') domtrans_pattern($1, auditctl_exec_t, auditctl_t) ') ######################################## ## ## Execute auditctl in the auditctl domain, and ## allow the specified role the auditctl domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # interface(`logging_run_auditctl',` gen_require(` type auditctl_t; ') logging_domtrans_auditctl($1) role $2 types auditctl_t; ') ######################################## ## ## Execute auditd in the auditd domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`logging_domtrans_auditd',` gen_require(` type auditd_t, auditd_exec_t; ') domtrans_pattern($1, auditd_exec_t, auditd_t) ') ######################################## ## ## Execute auditd in the auditd domain, and ## allow the specified role the auditd domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## # interface(`logging_run_auditd',` gen_require(` type auditd_t; ') logging_domtrans_auditd($1) role $2 types auditd_t; ') ######################################## ## ## Connect to auditdstored over a unix stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`logging_stream_connect_auditd',` refpolicywarn(`$0($*) has been deprecated, logging_stream_connect_dispatcher() should be used instead.') logging_stream_connect_dispatcher($1) ') ######################################## ## ## Execute a domain transition to run the audit dispatcher. ## ## ## ## Domain allowed to transition. ## ## # interface(`logging_domtrans_dispatcher',` gen_require(` type audisp_t, audisp_exec_t; ') domtrans_pattern($1, audisp_exec_t, audisp_t) ') ######################################## ## ## Signal the audit dispatcher. ## ## ## ## Domain allowed access. ## ## # interface(`logging_signal_dispatcher',` gen_require(` type audisp_t; ') allow $1 audisp_t:process signal; ') ######################################## ## ## Create a domain for processes ## which can be started by the system audit dispatcher ## ## ## ## Type to be used as a domain. ## ## ## ## ## Type of the program to be used as an entry point to this domain. ## ## # interface(`logging_dispatcher_domain',` gen_require(` type audisp_t; type auditd_t; role system_r; ') domain_type($1) domain_entry_file($1, $2) role system_r types $1; domtrans_pattern(audisp_t, $2, $1) domtrans_pattern(auditd_t, $2, $1) allow audisp_t $1:process { sigkill sigstop signull signal }; allow audisp_t $2:file getattr; allow $1 audisp_t:unix_stream_socket rw_socket_perms; ') ######################################## ## ## Connect to the audit dispatcher over a unix stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`logging_stream_connect_dispatcher',` gen_require(` type audisp_t, audisp_var_run_t; ') files_search_pids($1) stream_connect_pattern($1, audisp_var_run_t, audisp_var_run_t, audisp_t) ') ######################################## ## ## Manage the auditd configuration files. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_manage_audit_config',` gen_require(` type auditd_etc_t; ') files_search_etc($1) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) ') ######################################## ## ## Manage the audit log. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_manage_audit_log',` gen_require(` type auditd_log_t; ') files_search_var($1) manage_dirs_pattern($1, auditd_log_t, auditd_log_t) manage_files_pattern($1, auditd_log_t, auditd_log_t) ') ######################################## ## ## Execute klogd in the klog domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`logging_domtrans_klog',` gen_require(` type klogd_t, klogd_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, klogd_exec_t, klogd_t) ') ######################################## ## ## Check if syslogd is executable. ## ## ## ## Domain allowed access. ## ## # interface(`logging_check_exec_syslog',` gen_require(` type syslogd_exec_t; ') corecmd_list_bin($1) corecmd_read_bin_symlinks($1) allow $1 syslogd_exec_t:file execute; ') ######################################## ## ## Execute syslogd in the syslog domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`logging_domtrans_syslog',` gen_require(` type syslogd_t, syslogd_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, syslogd_exec_t, syslogd_t) ') ######################################## ## ## Create an object in the log directory, with a private type. ## ## ##

## Allow the specified domain to create an object ## in the general system log directories (e.g., /var/log) ## with a private type. Typically this is used for creating ## private log files in /var/log with the private type instead ## of the general system log type. To accomplish this goal, ## either the program must be SELinux-aware, or use this interface. ##

##

## Related interfaces: ##

##
    ##
  • logging_log_file()
  • ##
##

## Example usage with a domain that can create ## and append to a private log file stored in the ## general directories (e.g., /var/log): ##

##

## type mylogfile_t; ## logging_log_file(mylogfile_t) ## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; ## logging_log_filetrans(mydomain_t, mylogfile_t, file) ##

##
## ## ## Domain allowed access. ## ## ## ## ## The type of the object to be created. ## ## ## ## ## The object class of the object being created. ## ## ## ## ## The name of the object being created. ## ## ## # interface(`logging_log_filetrans',` gen_require(` type var_log_t; ') files_search_var($1) filetrans_pattern($1, var_log_t, $2, $3, $4) ') ####################################### ## ## Create an object in the log directory, with a private type. ## ## ##

## Allow the specified domain to create an object ## in the general system log directories (e.g., /var/log) ## with a private type. Typically this is used for creating ## private log files in /var/log with the private type instead ## of the general system log type. To accomplish this goal, ## either the program must be SELinux-aware, or use this interface. ##

##

## Related interfaces: ##

##
    ##
  • logging_log_file()
  • ##
##

## Example usage with a domain that can create ## and append to a private log file stored in the ## general directories (e.g., /var/log): ##

##

## type mylogfile_t; ## logging_log_file(mylogfile_t) ## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; ## logging_log_filetrans(mydomain_t, mylogfile_t, file) ##

##
## ## ## Domain allowed access. ## ## ## ## ## The type of the object to be created. ## ## ## ## ## The object class of the object being created. ## ## ## ## ## The name of the object being created. ## ## ## # interface(`logging_log_named_filetrans',` gen_require(` type var_log_t; ') files_search_var($1) filetrans_pattern($1, var_log_t, $2, $3, $4) ') ######################################## ## ## Send system log messages. ## ## ##

## Allow the specified domain to connect to the ## system log service (syslog), to send messages be added to ## the system logs. Typically this is used by services ## that do not have their own log file in /var/log. ##

##

## This does not allow messages to be sent to ## the auditing system. ##

##

## Programs which use the libc function syslog() will ## require this access. ##

##

## Related interfaces: ##

##
    ##
  • logging_send_audit_msgs()
  • ##
##
## ## ## Domain allowed access. ## ## # interface(`logging_send_syslog_msg',` gen_require(` attribute syslog_client_type; ') typeattribute $1 syslog_client_type; ') ######################################## ## ## Connect to the syslog control unix stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`logging_create_devlog_dev',` gen_require(` type devlog_t; ') allow $1 devlog_t:lnk_file manage_lnk_file_perms; allow $1 devlog_t:sock_file manage_sock_file_perms; dev_filetrans($1, devlog_t, lnk_file, "log") init_pid_filetrans($1, devlog_t, sock_file, "syslog") logging_syslogd_pid_filetrans($1, devlog_t, sock_file, "dev-log") ') ######################################## ## ## Relabel the devlog sock_file. ## ## ## ## Domain allowed access. ## ## # interface(`logging_relabel_devlog_dev',` gen_require(` type devlog_t; ') allow $1 devlog_t:sock_file relabel_sock_file_perms; allow $1 devlog_t:lnk_file relabelto_lnk_file_perms; ') ######################################## ## ## Allow domain to read the syslog pid files. ## ## ## ## Domain allowed access. ## ## # interface(`logging_read_syslog_pid',` gen_require(` type syslogd_var_run_t; ') read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t) ') ######################################## ## ## Relabel the syslog pid sock_file. ## ## ## ## Domain allowed access. ## ## # interface(`logging_relabel_syslog_pid_socket',` gen_require(` type syslogd_var_run_t; ') allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms; ') ######################################## ## ## Allow domain to write the syslog pid sock_file. ## ## ## ## Domain allowed access. ## ## # interface(`logging_write_syslog_pid_socket',` gen_require(` type syslogd_var_run_t; ') write_sock_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) ') ######################################## ## ## Connect to the syslog control unix stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`logging_stream_connect_syslog',` gen_require(` type syslogd_t, syslogd_var_run_t; ') files_search_pids($1) stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t) ') ######################################## ## ## Read the auditd configuration files. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_read_audit_config',` gen_require(` type auditd_etc_t; ') files_search_etc($1) read_files_pattern($1, auditd_etc_t, auditd_etc_t) allow $1 auditd_etc_t:dir list_dir_perms; ') ######################################## ## ## Map the auditd configuration files. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_map_audit_config',` gen_require(` type auditd_etc_t; ') allow $1 auditd_etc_t:file map; ') ######################################## ## ## dontaudit search of auditd log files. ## ## ## ## Domain to not audit. ## ## ## # interface(`logging_dontaudit_search_audit_logs',` gen_require(` type auditd_log_t; ') dontaudit $1 auditd_log_t:dir search_dir_perms; ') ######################################## ## ## dontaudit search of auditd configuration files. ## ## ## ## Domain to not audit. ## ## ## # interface(`logging_dontaudit_search_audit_config',` gen_require(` type auditd_etc_t; ') dontaudit $1 auditd_etc_t:dir search_dir_perms; ') ######################################## ## ## Read syslog configuration files. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_read_syslog_config',` gen_require(` type syslog_conf_t; ') allow $1 syslog_conf_t:file read_file_perms; ') ######################################## ## ## Manage syslog configuration files. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_manage_syslog_config',` gen_require(` type syslog_conf_t; ') manage_files_pattern($1, syslog_conf_t, syslog_conf_t) ') ######################################## ## ## Allows the domain to open a file in the ## log directory, but does not allow the listing ## of the contents of the log directory. ## ## ## ## Domain allowed access. ## ## # interface(`logging_search_logs',` gen_require(` type var_log_t; ') files_search_var($1) allow $1 var_log_t:dir search_dir_perms; ') ####################################### ## ## Do not audit attempts to search the var log directory. ## ## ## ## Domain not to audit. ## ## # interface(`logging_dontaudit_search_logs',` gen_require(` type var_log_t; ') dontaudit $1 var_log_t:dir search_dir_perms; ') ####################################### ## ## List the contents of the generic log directory (/var/log). ## ## ## ## Domain allowed access. ## ## # interface(`logging_list_logs',` gen_require(` type var_log_t; ') files_search_var($1) allow $1 var_log_t:dir list_dir_perms; ') ####################################### ## ## Read and write the generic log directory (/var/log). ## ## ## ## Domain allowed access. ## ## # interface(`logging_rw_generic_log_dirs',` gen_require(` type var_log_t; ') files_search_var($1) allow $1 var_log_t:dir rw_dir_perms; ') ####################################### ## ## Watch the generic log directory (/var/log). ## ## ## ## Domain allowed access. ## ## # interface(`logging_watch_generic_log_dirs',` gen_require(` type var_log_t; ') files_search_var($1) allow $1 var_log_t:dir watch_dir_perms; ') ####################################### ## ## Search through all log dirs. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_search_all_logs',` gen_require(` attribute logfile; ') allow $1 logfile:dir search_dir_perms; ') ####################################### ## ## Set attributes on all log dirs. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_setattr_all_log_dirs',` gen_require(` attribute logfile; ') allow $1 logfile:dir setattr; ') ####################################### ## ## Relabel on all log dirs. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_relabel_all_log_dirs',` gen_require(` attribute logfile; ') relabel_dirs_pattern($1, logfile, logfile) ') ######################################## ## ## Do not audit attempts to get the attributes ## of any log files. ## ## ## ## Domain to not audit. ## ## # interface(`logging_dontaudit_getattr_all_logs',` gen_require(` attribute logfile; ') dontaudit $1 logfile:file getattr; ') ######################################## ## ## Read the atttributes of any log file ## ## ## ## Domain allowed access ## ## # interface(`logging_getattr_all_logs',` gen_require(` attribute logfile; ') allow $1 logfile:file getattr; ') ######################################## ## ## Append to all log files. ## ## ## ## Domain allowed access. ## ## # interface(`logging_append_all_logs',` gen_require(` attribute logfile; type var_log_t; ') files_search_var($1) append_files_pattern($1, logfile, logfile) ') ######################################## ## ## Append to all log files. ## ## ## ## Domain allowed access. ## ## # interface(`logging_inherit_append_all_logs',` gen_require(` attribute logfile; ') allow $1 logfile:file { getattr append ioctl lock }; ') ######################################## ## ## Read all log files. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_read_all_logs',` gen_require(` attribute logfile; ') files_search_var($1) allow $1 logfile:dir list_dir_perms; allow $1 logfile:file map; read_files_pattern($1, logfile, logfile) read_lnk_files_pattern($1, logfile, logfile) ') ######################################## ## ## Execute all log files in the caller domain. ## ## ## ## Domain allowed access. ## ## # # cjp: not sure why this is needed. This was added # because of logrotate. interface(`logging_exec_all_logs',` gen_require(` attribute logfile; ') files_search_var($1) allow $1 logfile:dir list_dir_perms; can_exec($1, logfile) ') ######################################## ## ## read/write to all log files. ## ## ## ## Domain allowed access. ## ## # interface(`logging_rw_all_logs',` gen_require(` attribute logfile; ') files_search_var($1) rw_files_pattern($1, logfile, logfile) ') ######################################## ## ## Create, read, write, and delete all log files. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_manage_all_logs',` gen_require(` attribute logfile; ') files_search_var($1) manage_dirs_pattern($1, logfile, logfile) manage_files_pattern($1, logfile, logfile) manage_lnk_files_pattern($1, logfile, logfile) allow $1 logfile:file map; ') ####################################### ## ## Watch all directories in the path for log directories. ## ## ## ## Domain allowed access. ## ## # interface(`logging_watch_all_log_dirs_path',` gen_require(` attribute logfile; ') files_watch_root_dirs($1) files_search_var($1) files_watch_var_dirs($1) allow $1 logfile:dir { search_dir_perms watch_dir_perms }; ') ######################################## ## ## Read generic log files. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_read_generic_logs',` gen_require(` type var_log_t; ') files_search_var($1) allow $1 var_log_t:dir list_dir_perms; allow $1 var_log_t:file map; read_files_pattern($1, var_log_t, var_log_t) read_lnk_files_pattern($1, var_log_t, var_log_t) ') ######################################## ## ## Create generic log files. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_create_generic_logs',` gen_require(` type var_log_t; ') logging_search_logs($1) create_files_pattern($1, var_log_t, var_log_t) ') ######################################## ## ## Link generic log files. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_link_generic_logs',` gen_require(` type var_log_t; ') allow $1 var_log_t:file link; ') ######################################## ## ## Delete generic log files. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_delete_generic_logs',` gen_require(` type var_log_t; ') allow $1 var_log_t:file unlink; ') ######################################## ## ## Map generic log files. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_mmap_generic_logs',` gen_require(` type var_log_t; ') allow $1 var_log_t:file map; ') ######################################## ## ## Write generic log files. ## ## ## ## Domain allowed access. ## ## # interface(`logging_write_generic_logs',` gen_require(` type var_log_t; ') files_search_var($1) allow $1 var_log_t:dir list_dir_perms; write_files_pattern($1, var_log_t, var_log_t) read_lnk_files_pattern($1, var_log_t, var_log_t) ') ######################################## ## ## Create, read, write, and delete symbolic ## links in the /var/log directory. ## ## ## ## Domain allowed access. ## ## # interface(`logging_manage_var_log_symlinks',` gen_require(` type var_log_t; ') manage_lnk_files_pattern($1, var_log_t, var_log_t) ') ######################################## ## ## Allow attempts to write to /var/log ## ## ## ## Domain allowed access. ## ## # interface(`logging_write_var_log_dirs',` gen_require(` type var_log_t; ') allow $1 var_log_t:dir { setattr write }; ') ######################################## ## ## Dontaudit read/Write inherited generic log files. ## ## ## ## Domain to not audit. ## ## # interface(`logging_dontaudit_rw_inherited_generic_logs',` gen_require(` type var_log_t; ') dontaudit $1 var_log_t:file rw_inherited_file_perms; ') ######################################## ## ## Dontaudit Write generic log files. ## ## ## ## Domain to not audit. ## ## # interface(`logging_dontaudit_write_generic_logs',` gen_require(` type var_log_t; ') dontaudit $1 var_log_t:file write; ') ######################################## ## ## Read and write generic log files. ## ## ## ## Domain allowed access. ## ## # interface(`logging_rw_generic_logs',` gen_require(` type var_log_t; ') files_search_var($1) allow $1 var_log_t:dir list_dir_perms; rw_files_pattern($1, var_log_t, var_log_t) ') ######################################## ## ## Create, read, write, and delete ## generic log files. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_manage_generic_logs',` gen_require(` type var_log_t; ') files_search_var($1) manage_files_pattern($1, var_log_t, var_log_t) manage_lnk_files_pattern($1, var_log_t, var_log_t) ') ######################################## ## ## All of the rules required to administrate ## the audit environment ## ## ## ## Domain allowed access. ## ## ## ## ## User role allowed access. ## ## ## # interface(`logging_admin_audit',` gen_require(` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; type auditd_initrc_exec_t; type auditd_unit_file_t; ') allow $1 auditd_t:process signal_perms; ps_process_pattern($1, auditd_t) tunable_policy(`deny_ptrace',`',` allow $1 auditd_t:process ptrace; ') manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) manage_dirs_pattern($1, auditd_log_t, auditd_log_t) manage_files_pattern($1, auditd_log_t, auditd_log_t) manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t) manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t) logging_run_auditctl($1, $2) init_labeled_script_domtrans($1, auditd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 auditd_initrc_exec_t system_r; allow $2 system_r; logging_systemctl_audit($1) admin_pattern($1, auditd_unit_file_t) allow $1 auditd_unit_file_t:service all_service_perms; ') ######################################## ## ## Execute auditd server in the auditd domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`logging_systemctl_audit',` gen_require(` type auditd_t; type auditd_unit_file_t; ') systemd_exec_systemctl($1) allow $1 auditd_unit_file_t:file read_file_perms; allow $1 auditd_unit_file_t:service manage_service_perms; ps_process_pattern($1, auditd_t) ') ######################################## ## ## Execute auditd server in the auditd domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`logging_systemctl_syslogd',` gen_require(` type syslogd_t; type syslogd_unit_file_t; ') systemd_exec_systemctl($1) allow $1 syslogd_unit_file_t:file read_file_perms; allow $1 syslogd_unit_file_t:service manage_service_perms; ps_process_pattern($1, syslogd_t) ') ######################################## ## ## All of the rules required to administrate ## the syslog environment ## ## ## ## Domain allowed access. ## ## ## ## ## User role allowed access. ## ## ## # interface(`logging_admin_syslog',` gen_require(` type syslogd_t, klogd_t, syslog_conf_t; type syslogd_tmp_t, syslogd_var_lib_t; type syslogd_var_run_t, klogd_var_run_t; type klogd_tmp_t, var_log_t; type syslogd_initrc_exec_t; ') allow $1 self:capability2 syslog; allow $1 syslogd_t:process signal_perms; allow $1 klogd_t:process signal_perms; ps_process_pattern($1, syslogd_t) ps_process_pattern($1, klogd_t) tunable_policy(`deny_ptrace',`',` allow $1 syslogd_t:process ptrace; allow $1 klogd_t:process ptrace; ') manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_dirs_pattern($1, klogd_tmp_t, klogd_tmp_t) manage_files_pattern($1, klogd_tmp_t, klogd_tmp_t) manage_dirs_pattern($1, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern($1, syslogd_tmp_t, syslogd_tmp_t) manage_dirs_pattern($1, syslog_conf_t, syslog_conf_t) manage_files_pattern($1, syslog_conf_t, syslog_conf_t) files_etc_filetrans($1, syslog_conf_t, file) manage_dirs_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t) manage_files_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t) manage_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t) manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) allow $1 logfile:dir relabel_dir_perms; allow $1 logfile:file relabel_file_perms; init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 syslogd_initrc_exec_t system_r; allow $2 system_r; ') ######################################## ## ## All of the rules required to administrate ## the logging environment ## ## ## ## Domain allowed access. ## ## ## ## ## User role allowed access. ## ## ## # interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') ######################################## ## ## Transition to syslog.conf ## ## ## ## Domain allowed access. ## ## # interface(`logging_filetrans_named_conf',` gen_require(` type syslog_conf_t; ') files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf") files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf") ') ######################################## ## ## Transition to logging named content ## ## ## ## Domain allowed access. ## ## # interface(`logging_filetrans_named_content',` gen_require(` type var_log_t; type audit_spool_t; type syslogd_var_run_t; type syslog_conf_t; ') files_pid_filetrans($1, syslogd_var_run_t, dir, "log") files_spool_filetrans($1, var_log_t, dir, "rsyslog") files_spool_filetrans($1, var_log_t, dir, "log") files_spool_filetrans($1, audit_spool_t, dir, "audit") files_var_filetrans($1, var_log_t, dir, "webmin") files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf") files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf") init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal") logging_log_filetrans($1, var_log_t, dir, "anaconda") logging_log_filetrans($1, var_log_t, dir, "remote") ') ####################################### ## ## Create objects in /run/systemd/journal/ directory ## with an automatic type transition to ## a specified private type. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the object to create. ## ## ## ## ## The class of the object to be created. ## ## ## ## ## The name of the object being created. ## ## # interface(`logging_syslogd_pid_filetrans',` gen_require(` type syslogd_var_run_t; ') files_search_pids($1) filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4) ') ####################################### ## ## Map files in /run/log/journal/ directory. ## ## ## ## Domain allowed access. ## ## # interface(`logging_mmap_journal',` gen_require(` type syslogd_var_run_t; ') allow $1 syslogd_var_run_t:file map; ') ####################################### ## ## Watch the /run/log/journal directory. ## ## ## ## Domain allowed access. ## ## # interface(`logging_watch_journal_dir',` gen_require(` type syslogd_var_run_t; ') allow $1 syslogd_var_run_t:dir watch_dir_perms; ') ######################################## ## ## Send a message to syslogd over a unix domain ## datagram socket. ## ## ## ## Domain allowed access. ## ## # interface(`logging_dgram_send',` gen_require(` type syslogd_t; ') allow $1 syslogd_t:unix_dgram_socket sendto; ') ####################################### ## ## Use file descriptors from syslogd. ## ## ## ## Domain allowed access. ## ## # interface(`logging_fd_use',` gen_require(` type syslogd_t; ') allow $1 syslogd_t:fd use; ')