831 lines
23 KiB
Text
831 lines
23 KiB
Text
policy_module(logging, 1.20.1)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
attribute syslog_client_type;
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow syslogd daemon append public content files
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(logging_syslogd_append_public_content, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow syslogd daemon to send mail
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(logging_syslogd_can_sendmail, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow syslogd daemon list non security directories
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(logging_syslogd_list_non_security_dirs, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow syslogd the ability to read/write terminals
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(logging_syslogd_use_tty, true)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow syslogd the ability to call nagios plugins. It is
|
|
## turned on by omprog rsyslog plugin.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(logging_syslogd_run_nagios_plugins, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow syslog to run unconfined scripts
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(logging_syslogd_run_unconfined, false)
|
|
|
|
attribute logfile;
|
|
|
|
type auditctl_t;
|
|
type auditctl_exec_t;
|
|
init_system_domain(auditctl_t, auditctl_exec_t)
|
|
role system_r types auditctl_t;
|
|
|
|
type auditd_etc_t;
|
|
files_security_file(auditd_etc_t)
|
|
|
|
type auditd_log_t;
|
|
files_security_file(auditd_log_t)
|
|
files_security_mountpoint(auditd_log_t)
|
|
|
|
type audit_spool_t;
|
|
files_spool_file(audit_spool_t)
|
|
files_security_file(audit_spool_t)
|
|
files_security_mountpoint(audit_spool_t)
|
|
|
|
type auditd_t;
|
|
type auditd_exec_t;
|
|
init_daemon_domain(auditd_t, auditd_exec_t)
|
|
|
|
type auditd_initrc_exec_t;
|
|
init_script_file(auditd_initrc_exec_t)
|
|
|
|
type auditd_var_run_t;
|
|
files_pid_file(auditd_var_run_t)
|
|
|
|
type auditd_unit_file_t;
|
|
systemd_unit_file(auditd_unit_file_t)
|
|
|
|
type auditd_tmp_t;
|
|
files_tmp_file(auditd_tmp_t)
|
|
|
|
type audisp_t;
|
|
type audisp_exec_t;
|
|
init_system_domain(audisp_t, audisp_exec_t)
|
|
|
|
type audisp_var_run_t;
|
|
files_pid_file(audisp_var_run_t)
|
|
|
|
type audisp_remote_t;
|
|
type audisp_remote_exec_t;
|
|
logging_dispatcher_domain(audisp_remote_t, audisp_remote_exec_t)
|
|
|
|
type devlog_t;
|
|
files_type(devlog_t)
|
|
mls_trusted_object(devlog_t)
|
|
|
|
type klogd_t;
|
|
type klogd_exec_t;
|
|
init_daemon_domain(klogd_t, klogd_exec_t)
|
|
|
|
type klogd_tmp_t;
|
|
files_tmp_file(klogd_tmp_t)
|
|
|
|
type klogd_var_run_t;
|
|
files_pid_file(klogd_var_run_t)
|
|
|
|
type syslog_conf_t;
|
|
files_config_file(syslog_conf_t)
|
|
|
|
type syslogd_t;
|
|
type syslogd_exec_t;
|
|
init_daemon_domain(syslogd_t, syslogd_exec_t)
|
|
init_nnp_daemon_domain(syslogd_t)
|
|
mls_trusted_object(syslogd_t)
|
|
|
|
type syslogd_initrc_exec_t;
|
|
init_script_file(syslogd_initrc_exec_t)
|
|
|
|
type syslogd_unconfined_script_t;
|
|
type syslogd_unconfined_script_exec_t;
|
|
role system_r types syslogd_unconfined_script_t;
|
|
application_domain(syslogd_unconfined_script_t, syslogd_unconfined_script_exec_t)
|
|
|
|
type syslogd_tmp_t;
|
|
files_tmp_file(syslogd_tmp_t)
|
|
|
|
type syslogd_tmpfs_t;
|
|
files_tmpfs_file(syslogd_tmpfs_t)
|
|
|
|
type syslogd_var_lib_t;
|
|
files_type(syslogd_var_lib_t)
|
|
|
|
type syslogd_var_run_t;
|
|
files_pid_file(syslogd_var_run_t)
|
|
mls_trusted_object(syslogd_var_run_t)
|
|
|
|
type var_log_t;
|
|
logging_log_file(var_log_t)
|
|
files_mountpoint(var_log_t)
|
|
|
|
type syslogd_unit_file_t;
|
|
systemd_unit_file(syslogd_unit_file_t)
|
|
|
|
ifdef(`enable_mls',`
|
|
init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
|
|
init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Auditctl local policy
|
|
#
|
|
|
|
allow auditctl_t self:capability { fsetid dac_read_search };
|
|
allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
|
|
|
|
allow auditctl_t self:process getcap;
|
|
|
|
read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
|
|
allow auditctl_t auditd_etc_t:dir list_dir_perms;
|
|
allow auditctl_t auditd_etc_t:file map;
|
|
|
|
# Needed for adding watches
|
|
files_getattr_all_dirs(auditctl_t)
|
|
files_getattr_all_files(auditctl_t)
|
|
files_read_etc_files(auditctl_t)
|
|
|
|
kernel_read_kernel_sysctls(auditctl_t)
|
|
kernel_read_proc_symlinks(auditctl_t)
|
|
kernel_setsched(auditctl_t)
|
|
|
|
domain_read_all_domains_state(auditctl_t)
|
|
domain_use_interactive_fds(auditctl_t)
|
|
|
|
mls_file_read_all_levels(auditctl_t)
|
|
|
|
storage_getattr_removable_dev(auditctl_t)
|
|
|
|
term_use_all_inherited_terms(auditctl_t)
|
|
|
|
init_dontaudit_use_fds(auditctl_t)
|
|
|
|
locallogin_dontaudit_use_fds(auditctl_t)
|
|
|
|
logging_set_audit_parameters(auditctl_t)
|
|
logging_send_syslog_msg(auditctl_t)
|
|
|
|
optional_policy(`
|
|
insights_client_write_tmp(auditctl_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rhcd_read_fifo_files(auditctl_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Auditd local policy
|
|
#
|
|
|
|
allow auditd_t self:capability { chown fsetid setpcap sys_nice sys_resource };
|
|
dontaudit auditd_t self:capability { sys_admin sys_tty_config };
|
|
allow auditd_t self:process { getcap signal_perms setcap setpgid setsched };
|
|
allow auditd_t self:file rw_file_perms;
|
|
allow auditd_t self:unix_dgram_socket create_socket_perms;
|
|
allow auditd_t self:fifo_file rw_fifo_file_perms;
|
|
allow auditd_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
allow auditd_t auditd_etc_t:dir list_dir_perms;
|
|
allow auditd_t auditd_etc_t:file { read_file_perms map };
|
|
|
|
allow auditd_t audisp_remote_t:process { noatsecure signal };
|
|
|
|
manage_dirs_pattern(auditd_t, auditd_log_t, auditd_log_t)
|
|
manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
|
|
manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
|
|
logging_log_filetrans(auditd_t, auditd_log_t, dir, "audit")
|
|
|
|
manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
|
|
manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
|
|
files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
|
|
|
|
manage_files_pattern(auditd_t, auditd_tmp_t, auditd_tmp_t)
|
|
manage_dirs_pattern(auditd_t, auditd_tmp_t, auditd_tmp_t)
|
|
files_tmp_filetrans(auditd_t, auditd_tmp_t, { file dir })
|
|
|
|
kernel_read_kernel_sysctls(auditd_t)
|
|
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
|
|
# Probably want a transition, and a new auditd_helper app
|
|
kernel_read_system_state(auditd_t)
|
|
kernel_read_network_state(auditd_t)
|
|
|
|
dev_read_sysfs(auditd_t)
|
|
|
|
fs_getattr_all_fs(auditd_t)
|
|
fs_search_auto_mountpoints(auditd_t)
|
|
|
|
corenet_all_recvfrom_netlabel(auditd_t)
|
|
corenet_tcp_sendrecv_generic_if(auditd_t)
|
|
corenet_tcp_sendrecv_generic_node(auditd_t)
|
|
corenet_tcp_sendrecv_all_ports(auditd_t)
|
|
corenet_tcp_bind_generic_node(auditd_t)
|
|
corenet_tcp_bind_audit_port(auditd_t)
|
|
corenet_sendrecv_audit_server_packets(auditd_t)
|
|
|
|
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
|
|
# Probably want a transition, and a new auditd_helper app
|
|
corecmd_exec_bin(auditd_t)
|
|
corecmd_exec_shell(auditd_t)
|
|
|
|
domain_read_all_domains_state(auditd_t)
|
|
domain_use_interactive_fds(auditd_t)
|
|
|
|
files_read_etc_files(auditd_t)
|
|
files_list_usr(auditd_t)
|
|
|
|
init_read_utmp(auditd_t)
|
|
init_telinit(auditd_t)
|
|
|
|
logging_set_audit_parameters(auditd_t)
|
|
logging_send_syslog_msg(auditd_t)
|
|
logging_domtrans_dispatcher(auditd_t)
|
|
logging_signal_dispatcher(auditd_t)
|
|
|
|
auth_use_nsswitch(auditd_t)
|
|
|
|
mls_file_read_all_levels(auditd_t)
|
|
mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
|
|
mls_socket_write_all_levels(auditd_t)
|
|
|
|
sysnet_dns_name_resolve(auditd_t)
|
|
|
|
systemd_start_systemd_services(auditd_t)
|
|
systemd_start_power_services(auditd_t)
|
|
systemd_status_power_services(auditd_t)
|
|
|
|
userdom_use_inherited_user_terminals(auditd_t)
|
|
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
|
|
userdom_dontaudit_search_user_home_dirs(auditd_t)
|
|
|
|
ifdef(`distro_ubuntu',`
|
|
optional_policy(`
|
|
unconfined_domain(auditd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_manage_host_rcache(auditd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mta_send_mail(auditd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(auditd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(auditd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(auditd_t)
|
|
dbus_connect_system_bus(auditd_t)
|
|
|
|
optional_policy(`
|
|
setroubleshoot_dbus_chat(auditd_t)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# audit dispatcher local policy
|
|
#
|
|
|
|
allow audisp_t self:capability { dac_read_search setpcap sys_nice };
|
|
allow audisp_t self:process { getcap signal_perms setcap setsched };
|
|
allow audisp_t self:fifo_file rw_fifo_file_perms;
|
|
allow audisp_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow audisp_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
|
|
|
|
allow audisp_t audisp_exec_t:file map;
|
|
|
|
manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
|
|
files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
|
|
|
|
kernel_read_system_state(audisp_t)
|
|
|
|
corecmd_exec_bin(audisp_t)
|
|
corecmd_exec_shell(audisp_t)
|
|
|
|
domain_use_interactive_fds(audisp_t)
|
|
|
|
fs_getattr_all_fs(audisp_t)
|
|
|
|
files_read_etc_files(audisp_t)
|
|
files_read_etc_runtime_files(audisp_t)
|
|
|
|
mls_file_read_all_levels(audisp_t)
|
|
mls_file_write_all_levels(audisp_t)
|
|
mls_socket_write_all_levels(audisp_t)
|
|
mls_dbus_send_all_levels(audisp_t)
|
|
|
|
auth_use_nsswitch(audisp_t)
|
|
|
|
logging_send_syslog_msg(audisp_t)
|
|
|
|
sysnet_dns_name_resolve(audisp_t)
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(audisp_t)
|
|
dbus_connect_system_bus(audisp_t)
|
|
|
|
optional_policy(`
|
|
setroubleshoot_dbus_chat(audisp_t)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Audit remote logger local policy
|
|
#
|
|
|
|
allow audisp_remote_t self:capability { setuid setpcap };
|
|
allow audisp_remote_t self:process { getcap setcap };
|
|
allow audisp_remote_t self:tcp_socket create_socket_perms;
|
|
allow audisp_remote_t var_log_t:dir search_dir_perms;
|
|
|
|
allow audisp_remote_t auditd_t:unix_stream_socket rw_socket_perms;
|
|
|
|
read_files_pattern(audisp_remote_t, auditd_etc_t, auditd_etc_t)
|
|
allow audisp_remote_t auditd_etc_t:dir list_dir_perms;
|
|
allow audisp_remote_t auditd_etc_t:file map;
|
|
|
|
manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
|
|
manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
|
|
files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
|
|
|
|
kernel_read_system_state(audisp_remote_t)
|
|
|
|
corecmd_exec_bin(audisp_remote_t)
|
|
|
|
corenet_all_recvfrom_netlabel(audisp_remote_t)
|
|
corenet_tcp_sendrecv_generic_if(audisp_remote_t)
|
|
corenet_tcp_sendrecv_generic_node(audisp_remote_t)
|
|
corenet_tcp_sendrecv_all_ports(audisp_remote_t)
|
|
corenet_tcp_bind_audit_port(audisp_remote_t)
|
|
corenet_tcp_bind_generic_node(audisp_remote_t)
|
|
corenet_tcp_connect_audit_port(audisp_remote_t)
|
|
corenet_sendrecv_audit_client_packets(audisp_remote_t)
|
|
|
|
files_read_etc_files(audisp_remote_t)
|
|
|
|
mls_socket_write_all_levels(audisp_remote_t)
|
|
|
|
logging_send_syslog_msg(audisp_remote_t)
|
|
logging_send_audit_msgs(audisp_remote_t)
|
|
|
|
auth_use_nsswitch(audisp_remote_t)
|
|
auth_append_login_records(audisp_remote_t)
|
|
|
|
mls_file_write_all_levels(audisp_remote_t)
|
|
|
|
init_telinit(audisp_remote_t)
|
|
init_read_utmp(audisp_remote_t)
|
|
init_dontaudit_write_utmp(audisp_remote_t)
|
|
|
|
sysnet_dns_name_resolve(audisp_remote_t)
|
|
|
|
systemd_start_power_services(audisp_remote_t)
|
|
|
|
term_search_ptys(audisp_remote_t)
|
|
|
|
userdom_use_user_ptys(audisp_remote_t)
|
|
|
|
optional_policy(`
|
|
kerberos_read_keytab(audisp_remote_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# klogd local policy
|
|
#
|
|
|
|
allow klogd_t self:capability sys_admin;
|
|
dontaudit klogd_t self:capability { sys_resource sys_tty_config };
|
|
allow klogd_t self:process signal_perms;
|
|
|
|
manage_dirs_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t)
|
|
manage_files_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t)
|
|
files_tmp_filetrans(klogd_t, klogd_tmp_t,{ file dir })
|
|
|
|
manage_files_pattern(klogd_t, klogd_var_run_t, klogd_var_run_t)
|
|
files_pid_filetrans(klogd_t, klogd_var_run_t, file)
|
|
|
|
kernel_read_system_state(klogd_t)
|
|
kernel_read_messages(klogd_t)
|
|
kernel_read_kernel_sysctls(klogd_t)
|
|
# Control syslog and console logging
|
|
kernel_clear_ring_buffer(klogd_t)
|
|
kernel_change_ring_buffer_level(klogd_t)
|
|
|
|
files_read_kernel_symbol_table(klogd_t)
|
|
|
|
dev_read_raw_memory(klogd_t)
|
|
dev_read_sysfs(klogd_t)
|
|
|
|
fs_getattr_all_fs(klogd_t)
|
|
fs_search_auto_mountpoints(klogd_t)
|
|
|
|
domain_use_interactive_fds(klogd_t)
|
|
|
|
files_read_etc_runtime_files(klogd_t)
|
|
# read /etc/nsswitch.conf
|
|
files_read_etc_files(klogd_t)
|
|
|
|
logging_send_syslog_msg(klogd_t)
|
|
|
|
|
|
mls_file_read_all_levels(klogd_t)
|
|
|
|
userdom_dontaudit_search_user_home_dirs(klogd_t)
|
|
|
|
ifdef(`distro_ubuntu',`
|
|
optional_policy(`
|
|
unconfined_domain(klogd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(klogd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(klogd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# syslogd local policy
|
|
#
|
|
|
|
# chown fsetid for syslog-ng
|
|
# sys_admin for the integrated klog of syslog-ng and metalog
|
|
# sys_nice for rsyslog
|
|
# cjp: why net_admin!
|
|
allow syslogd_t self:capability { sys_ptrace dac_read_search dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid setpcap net_raw };
|
|
dontaudit syslogd_t self:capability sys_tty_config;
|
|
dontaudit syslogd_t self:cap_userns { kill sys_ptrace };
|
|
allow syslogd_t self:capability2 { syslog block_suspend };
|
|
# setpgid for metalog
|
|
# setrlimit for syslog-ng
|
|
allow syslogd_t self:process { signal_perms getcap setcap setpgid getsched setsched setrlimit };
|
|
# receive messages to be logged
|
|
allow syslogd_t self:unix_dgram_socket create_socket_perms;
|
|
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow syslogd_t self:unix_dgram_socket sendto;
|
|
allow syslogd_t self:fifo_file rw_fifo_file_perms;
|
|
allow syslogd_t self:udp_socket create_socket_perms;
|
|
allow syslogd_t self:tcp_socket create_stream_socket_perms;
|
|
allow syslogd_t self:rawip_socket create_socket_perms;
|
|
allow syslogd_t self:netlink_audit_socket { r_netlink_socket_perms nlmsg_write };
|
|
allow syslogd_t self:netlink_generic_socket create_socket_perms;
|
|
allow syslogd_t syslog_conf_t:file read_file_perms;
|
|
allow syslogd_t syslog_conf_t:dir list_dir_perms;
|
|
# receive messages including a memfd
|
|
allow syslogd_t user_tmp_t:file map;
|
|
|
|
# Create and bind to /dev/log or /var/run/log.
|
|
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
|
|
# now is /dev/log lnk_file
|
|
allow syslogd_t devlog_t:lnk_file manage_lnk_file_perms;
|
|
files_pid_filetrans(syslogd_t, devlog_t, sock_file)
|
|
|
|
# create/append log files.
|
|
manage_files_pattern(syslogd_t, var_log_t, var_log_t)
|
|
relabel_files_pattern(syslogd_t, var_log_t, var_log_t)
|
|
allow syslogd_t var_log_t:file map;
|
|
rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
|
|
files_search_spool(syslogd_t)
|
|
|
|
# Allow access for syslog-ng
|
|
allow syslogd_t var_log_t:dir { create setattr };
|
|
|
|
# manage temporary files
|
|
manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
|
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
|
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
|
|
|
|
manage_dirs_pattern(syslogd_t, syslogd_tmpfs_t, syslogd_tmpfs_t)
|
|
manage_files_pattern(syslogd_t, syslogd_tmpfs_t, syslogd_tmpfs_t)
|
|
fs_tmpfs_filetrans(syslogd_t, syslogd_tmpfs_t, { dir file })
|
|
|
|
manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
|
|
manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
|
|
allow syslogd_t syslogd_var_lib_t:file map;
|
|
files_search_var_lib(syslogd_t)
|
|
|
|
allow syslogd_t syslogd_var_run_t:dir watch_dir_perms;
|
|
manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
|
|
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
|
|
relabel_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
|
|
manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
|
|
mmap_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
|
|
files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir })
|
|
|
|
kernel_rw_stream_socket_perms(syslogd_t)
|
|
kernel_read_system_state(syslogd_t)
|
|
kernel_read_network_state(syslogd_t)
|
|
kernel_read_kernel_sysctls(syslogd_t)
|
|
kernel_read_net_sysctls(syslogd_t)
|
|
kernel_read_netlink_audit_socket(syslogd_t)
|
|
kernel_read_proc_symlinks(syslogd_t)
|
|
# Allow access to /proc/kmsg for syslog-ng
|
|
kernel_read_messages(syslogd_t)
|
|
kernel_request_load_module(syslogd_t)
|
|
kernel_read_vm_sysctls(syslogd_t)
|
|
kernel_clear_ring_buffer(syslogd_t)
|
|
kernel_change_ring_buffer_level(syslogd_t)
|
|
kernel_read_ring_buffer(syslogd_t)
|
|
|
|
ifdef(`hide_broken_symptoms',`
|
|
kernel_rw_unix_dgram_sockets(syslogd_t)
|
|
')
|
|
|
|
corecmd_exec_bin(syslogd_t)
|
|
corecmd_exec_shell(syslogd_t)
|
|
|
|
corenet_all_recvfrom_netlabel(syslogd_t)
|
|
corenet_udp_sendrecv_generic_if(syslogd_t)
|
|
corenet_udp_sendrecv_generic_node(syslogd_t)
|
|
corenet_udp_sendrecv_all_ports(syslogd_t)
|
|
corenet_udp_bind_generic_node(syslogd_t)
|
|
corenet_udp_bind_syslogd_port(syslogd_t)
|
|
corenet_udp_bind_syslog_tls_port(syslogd_t)
|
|
# syslog-ng can listen and connect on tcp port 514 (rsh)
|
|
corenet_tcp_sendrecv_generic_if(syslogd_t)
|
|
corenet_tcp_sendrecv_generic_node(syslogd_t)
|
|
corenet_tcp_sendrecv_all_ports(syslogd_t)
|
|
corenet_tcp_bind_generic_node(syslogd_t)
|
|
corenet_tcp_bind_rsh_port(syslogd_t)
|
|
corenet_tcp_connect_rsh_port(syslogd_t)
|
|
# Allow users to define additional syslog ports to connect to
|
|
corenet_tcp_bind_syslogd_port(syslogd_t)
|
|
corenet_tcp_bind_syslog_tls_port(syslogd_t)
|
|
corenet_tcp_connect_syslog_tls_port(syslogd_t)
|
|
corenet_tcp_connect_syslogd_port(syslogd_t)
|
|
corenet_tcp_connect_postgresql_port(syslogd_t)
|
|
corenet_tcp_connect_mysqld_port(syslogd_t)
|
|
corenet_tcp_connect_http_port(syslogd_t)
|
|
corenet_tcp_connect_wap_wsp_port(syslogd_t)
|
|
|
|
# syslog-ng can send or receive logs
|
|
corenet_sendrecv_syslogd_client_packets(syslogd_t)
|
|
corenet_sendrecv_syslogd_server_packets(syslogd_t)
|
|
corenet_sendrecv_postgresql_client_packets(syslogd_t)
|
|
corenet_sendrecv_mysqld_client_packets(syslogd_t)
|
|
|
|
tunable_policy(`logging_syslogd_use_tty',`
|
|
term_use_all_ttys(syslogd_t)
|
|
term_use_all_ptys(syslogd_t)
|
|
')
|
|
|
|
tunable_policy(`logging_syslogd_append_public_content',`
|
|
files_search_non_security_dirs(syslogd_t)
|
|
miscfiles_append_public_files(syslogd_t)
|
|
')
|
|
|
|
tunable_policy(`logging_syslogd_can_sendmail',`
|
|
# support for ommail module to send logs via mail
|
|
corenet_tcp_connect_smtp_port(syslogd_t)
|
|
')
|
|
|
|
tunable_policy(`logging_syslogd_list_non_security_dirs',`
|
|
files_list_non_security(syslogd_t)
|
|
files_watch_non_security_dirs(syslogd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`logging_syslogd_run_nagios_plugins',`
|
|
nagios_domtrans_unconfined_plugins(syslogd_t)
|
|
nagios_unconfined_signull(syslogd_t)
|
|
')
|
|
')
|
|
|
|
dev_filetrans(syslogd_t, devlog_t, sock_file)
|
|
dev_read_sysfs(syslogd_t)
|
|
dev_read_rand(syslogd_t)
|
|
dev_read_urand(syslogd_t)
|
|
# relating to systemd-kmsg-syslogd
|
|
dev_write_kmsg(syslogd_t)
|
|
dev_read_kmsg(syslogd_t)
|
|
|
|
domain_read_all_domains_state(syslogd_t)
|
|
domain_getattr_all_domains(syslogd_t)
|
|
domain_signull_all_domains(syslogd_t)
|
|
domain_use_interactive_fds(syslogd_t)
|
|
|
|
files_read_etc_files(syslogd_t)
|
|
files_read_usr_files(syslogd_t)
|
|
files_read_var_files(syslogd_t)
|
|
files_read_etc_runtime_files(syslogd_t)
|
|
# /initrd is not umounted before minilog starts
|
|
files_dontaudit_search_isid_type_dirs(syslogd_t)
|
|
files_dontaudit_list_var(syslogd_t)
|
|
files_read_kernel_symbol_table(syslogd_t)
|
|
files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
|
|
|
|
fs_getattr_all_fs(syslogd_t)
|
|
fs_read_efivarfs_files(syslogd_t)
|
|
fs_search_auto_mountpoints(syslogd_t)
|
|
fs_list_cgroup_dirs(syslogd_t)
|
|
fs_write_cgroup_files(syslogd_t)
|
|
|
|
miscfiles_manage_generic_cert_files(syslogd_t)
|
|
|
|
mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
|
|
mls_socket_write_all_levels(syslogd_t) # Neet to be able to sendto dgram
|
|
|
|
term_write_console(syslogd_t)
|
|
# Allow syslog to a terminal
|
|
term_write_unallocated_ttys(syslogd_t)
|
|
term_use_generic_ptys(syslogd_t)
|
|
|
|
init_stream_connect(syslogd_t)
|
|
init_read_pid_files(syslogd_t)
|
|
# for sending messages to logged in users
|
|
init_read_utmp(syslogd_t)
|
|
init_dontaudit_write_utmp(syslogd_t)
|
|
term_write_all_ttys(syslogd_t)
|
|
|
|
auth_use_nsswitch(syslogd_t)
|
|
|
|
init_use_fds(syslogd_t)
|
|
|
|
# cjp: this doesnt make sense
|
|
logging_send_syslog_msg(syslogd_t)
|
|
logging_manage_all_logs(syslogd_t)
|
|
logging_set_loginuid(syslogd_t)
|
|
logging_watch_all_log_dirs_path(syslogd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
|
|
userdom_search_user_home_dirs(syslogd_t)
|
|
userdom_rw_inherited_user_tmp_files(syslogd_t)
|
|
userdom_read_user_tmp_symlinks(syslogd_t)
|
|
|
|
ifdef(`distro_gentoo',`
|
|
# default gentoo syslog-ng config appends kernel
|
|
# and high priority messages to /dev/tty12
|
|
term_append_unallocated_ttys(syslogd_t)
|
|
term_dontaudit_setattr_unallocated_ttys(syslogd_t)
|
|
')
|
|
|
|
ifdef(`distro_suse',`
|
|
# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
|
|
files_var_lib_filetrans(syslogd_t, devlog_t, sock_file)
|
|
')
|
|
|
|
ifdef(`distro_ubuntu',`
|
|
optional_policy(`
|
|
unconfined_domain(syslogd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
bind_search_cache(syslogd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
container_read_lib_files(syslogd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
cron_manage_log_files(syslogd_t)
|
|
cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
|
|
cron_generic_log_filetrans_log(syslogd_t, file, "cron")
|
|
')
|
|
|
|
optional_policy(`
|
|
inn_manage_log(syslogd_t)
|
|
inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.crit")
|
|
inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.err")
|
|
inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.notice")
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_keytab_template(syslogd, syslogd_t)
|
|
kerberos_manage_host_rcache(syslogd_t)
|
|
kerberos_read_config(syslogd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mysql_read_config(syslogd_t)
|
|
mysql_stream_connect(syslogd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
plymouthd_manage_log(syslogd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
postfix_search_spool(syslogd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
postgresql_stream_connect(syslogd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
psad_search_lib_files(syslogd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(syslogd_t)
|
|
snmp_read_snmp_var_lib_files(syslogd_t)
|
|
snmp_dontaudit_write_snmp_var_lib_files(syslogd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
systemd_rw_coredump_tmpfs_files(syslogd_t)
|
|
systemd_map_coredump_tmpfs_files(syslogd_t)
|
|
systemd_read_unit_files(syslogd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
systemd_rw_bootchart_tmpfs_files(syslogd_t)
|
|
systemd_map_bootchart_tmpfs_files(syslogd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
daemontools_search_svc_dir(syslogd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(syslogd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# log to the xconsole
|
|
xserver_rw_console(syslogd_t)
|
|
')
|
|
|
|
#####################################################
|
|
#
|
|
# syslog client rules
|
|
#
|
|
allow syslog_client_type devlog_t:lnk_file read_lnk_file_perms;
|
|
allow syslog_client_type devlog_t:sock_file write_sock_file_perms;
|
|
|
|
# the type of socket depends on the syslog daemon
|
|
allow syslog_client_type syslogd_t:unix_dgram_socket sendto;
|
|
allow syslog_client_type syslogd_t:unix_stream_socket connectto;
|
|
allow syslog_client_type self:unix_dgram_socket create_socket_perms;
|
|
allow syslog_client_type self:unix_stream_socket create_socket_perms;
|
|
|
|
|
|
kernel_stream_connect(syslog_client_type)
|
|
|
|
# If syslog is down, the glibc syslog() function
|
|
# will write to the console.
|
|
term_write_console(syslog_client_type)
|
|
term_dontaudit_read_console(syslog_client_type)
|
|
ifdef(`hide_broken_symptoms',`
|
|
kernel_dgram_send(syslog_client_type)
|
|
')
|
|
|
|
logging_stream_connect_syslog(syslog_client_type)
|
|
|
|
########################################
|
|
#
|
|
# syslogd_unconfined_script_t local policy
|
|
#
|
|
|
|
tunable_policy(`logging_syslogd_run_unconfined',`
|
|
domtrans_pattern(syslogd_t, syslogd_unconfined_script_exec_t, syslogd_unconfined_script_t)
|
|
allow syslogd_t syslogd_unconfined_script_t:process2 nnp_transition;
|
|
',`
|
|
can_exec(syslogd_t, syslogd_unconfined_script_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
unconfined_domain(syslogd_unconfined_script_t)
|
|
')
|