Change auth_use_nsswitch, init_system_daemon and init_daemon_domain to use attributes...
[people/stevee/selinux-policy.git] / policy / modules / system / logging.if
e32d52ba 1## <summary>Policy for the kernel message logger and system logging daemon.</summary>
e181fe05 2
45185c07 3########################################
cff75c90 4## <summary>
45185c07
CP
5## Make the specified type usable for log files
6## in a filesystem.
cff75c90 7## </summary>
45185c07
CP
8## <desc>
9## <p>
10## Make the specified type usable for log files in a filesystem.
11## This will also make the type usable for files, making
12## calls to files_type() redundant. Failure to use this interface
13## for a log file type may result in problems with log
14## rotation, log analysis, and log monitoring programs.
15## </p>
16## <p>
17## Related interfaces:
18## </p>
19## <ul>
20## <li>logging_log_filetrans()</li>
21## </ul>
22## <p>
23## Example usage with a domain that can create
24## and append to a private log file stored in the
25## general directories (e.g., /var/log):
26## </p>
27## <p>
28## type mylogfile_t;
29## logging_log_file(mylogfile_t)
30## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
31## logging_log_filetrans(mydomain_t, mylogfile_t, file)
32## </p>
33## </desc>
34## <param name="type">
885b83ec 35## <summary>
45185c07 36## Type to be used for files.
885b83ec 37## </summary>
cff75c90 38## </param>
45185c07 39## <infoflow type="none"/>
b4cd1533 40#
199895e2 41interface(`logging_log_file',`
139520a2
CP
42 gen_require(`
43 attribute logfile;
44 ')
0c73cd25 45
8fd36732 46 files_type($1)
a1fcff33 47 files_associate_tmp($1)
cff75c90 48 fs_associate_tmpfs($1)
0c73cd25 49 typeattribute $1 logfile;
b4cd1533
CP
50')
51
#######################################
## <summary>
##	Send audit messages.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_send_audit_msgs',`
	# The audit_write capability, granted to the caller on itself.
	allow $1 self:capability audit_write;
	# Netlink audit socket of the caller domain: the r_netlink_socket_perms
	# set plus nlmsg_relay. The permission set is defined outside this
	# file. NOTE(review): confirm its expansion before relying on it as
	# the narrow counterpart of the create_netlink_socket_perms set used
	# by logging_set_audit_parameters().
	allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
')
66
67#######################################
68## <summary>
69## Do not audit attempts to send audit messages.
70## </summary>
71## <param name="domain">
72## <summary>
a0546c9d 73## Domain to not audit.
eaed904c
CP
74## </summary>
75## </param>
76#
77interface(`logging_dontaudit_send_audit_msgs',`
78 dontaudit $1 self:capability audit_write;
79 dontaudit $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
80')
81
########################################
## <summary>
##	Set login uid
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_set_loginuid',`
	# NOTE(review): audit_control is the same capability that
	# logging_set_audit_parameters() grants for configuring audit, so it
	# covers more than the login uid. What keeps this interface narrower
	# is the netlink rule below, which names only r_netlink_socket_perms
	# and nlmsg_relay. Confirm callers need nothing beyond loginuid
	# changes before granting this interface.
	allow $1 self:capability audit_control;
	allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
')
96
7a8807b6
CP
97########################################
98## <summary>
99## Set tty auditing
100## </summary>
101## <param name="domain">
102## <summary>
103## Domain allowed access.
104## </summary>
105## </param>
106#
107interface(`logging_set_tty_audit',`
108 allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_tty_audit };
109')
110
########################################
## <summary>
##	Set up audit
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_set_audit_parameters',`
	# Both audit capabilities: audit_write and audit_control.
	allow $1 self:capability { audit_write audit_control };
	# Uses create_netlink_socket_perms where the send and loginuid
	# interfaces in this file use r_netlink_socket_perms. Both sets are
	# defined outside this file. NOTE(review): presumably this is the
	# set that permits changing audit configuration over netlink, so
	# callers should be limited to domains that configure auditing.
	allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
')
125
bf080a46
CP
126########################################
127## <summary>
128## Read the audit log.
129## </summary>
130## <param name="domain">
885b83ec 131## <summary>
bf080a46 132## Domain allowed access.
885b83ec 133## </summary>
bf080a46 134## </param>
bbcd3c97 135## <rolecap/>
bf080a46
CP
136#
137interface(`logging_read_audit_log',`
138 gen_require(`
139 type auditd_log_t;
140 ')
141
142 files_search_var($1)
3f67f722 143 read_files_pattern($1, auditd_log_t, auditd_log_t)
c0868a7a 144 allow $1 auditd_log_t:dir list_dir_perms;
bf080a46
CP
145')
146
33acca55
CP
147########################################
148## <summary>
149## Execute auditctl in the auditctl domain.
150## </summary>
151## <param name="domain">
885b83ec 152## <summary>
a0546c9d 153## Domain allowed to transition.
885b83ec 154## </summary>
33acca55
CP
155## </param>
156#
157interface(`logging_domtrans_auditctl',`
158 gen_require(`
159 type auditctl_t, auditctl_exec_t;
160 ')
161
3f67f722 162 domtrans_pattern($1, auditctl_exec_t, auditctl_t)
33acca55
CP
163')
164
3b914745
CP
165########################################
166## <summary>
167## Execute auditctl in the auditctl domain, and
168## allow the specified role the auditctl domain.
169## </summary>
170## <param name="domain">
171## <summary>
a0546c9d 172## Domain allowed to transition.
3b914745
CP
173## </summary>
174## </param>
175## <param name="role">
176## <summary>
a7ee7f81 177## Role allowed access.
3b914745
CP
178## </summary>
179## </param>
bbcd3c97 180## <rolecap/>
3b914745
CP
181#
182interface(`logging_run_auditctl',`
183 gen_require(`
184 type auditctl_t;
185 ')
186
187 logging_domtrans_auditctl($1)
188 role $2 types auditctl_t;
3b914745
CP
189')
190
df00b2e2 191########################################
165b42d2
CP
192## <summary>
193## Execute auditd in the auditd domain.
194## </summary>
195## <param name="domain">
196## <summary>
a0546c9d 197## Domain allowed to transition.
165b42d2
CP
198## </summary>
199## </param>
200#
201interface(`logging_domtrans_auditd',`
202 gen_require(`
203 type auditd_t, auditd_exec_t;
204 ')
205
3f67f722 206 domtrans_pattern($1, auditd_exec_t, auditd_t)
165b42d2
CP
207')
208
209########################################
210## <summary>
211## Execute auditd in the auditd domain, and
212## allow the specified role the auditd domain.
213## </summary>
214## <param name="domain">
215## <summary>
a0546c9d 216## Domain allowed to transition.
165b42d2
CP
217## </summary>
218## </param>
219## <param name="role">
220## <summary>
a7ee7f81 221## Role allowed access.
165b42d2
CP
222## </summary>
223## </param>
165b42d2
CP
224#
225interface(`logging_run_auditd',`
226 gen_require(`
227 type auditd_t;
228 ')
229
230 logging_domtrans_auditd($1)
231 role $2 types auditd_t;
165b42d2
CP
232')
233
########################################
## <summary>
##	Connect to the audit dispatcher over a unix stream socket. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_stream_connect_auditd',`
	# Kept for compatibility only: emits a deprecation warning at build
	# time and forwards the same domain argument to
	# logging_stream_connect_dispatcher, which holds the actual rules.
	refpolicywarn(`$0($*) has been deprecated, logging_stream_connect_dispatcher() should be used instead.')
	logging_stream_connect_dispatcher($1)
')
248
249########################################
250## <summary>
251## Execute a domain transition to run the audit dispatcher.
252## </summary>
253## <param name="domain">
254## <summary>
255## Domain allowed to transition.
256## </summary>
257## </param>
258#
259interface(`logging_domtrans_dispatcher',`
a5e2133b 260 gen_require(`
c11057f7
CP
261 type audisp_t, audisp_exec_t;
262 ')
263
264 domtrans_pattern($1, audisp_exec_t, audisp_t)
265')
266
267########################################
268## <summary>
269## Signal the audit dispatcher.
270## </summary>
271## <param name="domain">
272## <summary>
a0546c9d 273## Domain allowed access.
c11057f7
CP
274## </summary>
275## </param>
276#
277interface(`logging_signal_dispatcher',`
278 gen_require(`
279 type audisp_t;
280 ')
281
282 allow $1 audisp_t:process signal;
283')
284
########################################
## <summary>
##	Create a domain for processes
##	which can be started by the system audit dispatcher
## </summary>
## <param name="domain">
##	<summary>
##	Type to be used as a domain.
##	</summary>
## </param>
## <param name="entry_point">
##	<summary>
##	Type of the program to be used as an entry point to this domain.
##	</summary>
## </param>
#
interface(`logging_dispatcher_domain',`
	gen_require(`
		type audisp_t;
		role system_r;
	')

	# Mark the first argument as a domain and the second as its
	# entry point file type.
	domain_type($1)
	domain_entry_file($1, $2)

	# The new domain runs under the system role.
	role system_r types $1;

	# The dispatcher (audisp_t) enters the new domain by executing a
	# file of the entry point type, and may send the listed signals to
	# the resulting process.
	domtrans_pattern(audisp_t, $2, $1)
	allow audisp_t $1:process { sigkill sigstop signull signal };

	# The dispatcher may stat the entry point file. The new domain may
	# read and write unix stream sockets owned by the dispatcher.
	# NOTE(review): presumably this is the channel over which audit
	# events reach the started process, so every domain created through
	# this interface sees audit data. Confirm against callers.
	allow audisp_t $2:file getattr;
	allow $1 audisp_t:unix_stream_socket rw_socket_perms;
')
318
319########################################
320## <summary>
321## Connect to the audit dispatcher over an unix stream socket.
322## </summary>
323## <param name="domain">
324## <summary>
325## Domain allowed access.
326## </summary>
327## </param>
328#
329interface(`logging_stream_connect_dispatcher',`
330 gen_require(`
331 type audisp_t, audisp_var_run_t;
a5e2133b
CP
332 ')
333
334 files_search_pids($1)
c11057f7 335 stream_connect_pattern($1, audisp_var_run_t, audisp_var_run_t, audisp_t)
a5e2133b
CP
336')
337
165b42d2
CP
338########################################
339## <summary>
340## Manage the auditd configuration files.
341## </summary>
342## <param name="domain">
343## <summary>
344## Domain allowed access.
345## </summary>
346## </param>
bbcd3c97 347## <rolecap/>
165b42d2
CP
348#
349interface(`logging_manage_audit_config',`
350 gen_require(`
351 type auditd_etc_t;
352 ')
353
354 files_search_etc($1)
3f67f722 355 manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
165b42d2
CP
356')
357
########################################
## <summary>
##	Manage the audit log.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`logging_manage_audit_log',`
	gen_require(`
		type auditd_log_t;
	')

	files_search_var($1)
	# Management of both directories and files labeled auditd_log_t.
	# NOTE(review): the manage patterns are defined outside this file.
	# If they include write and delete, as the manage summaries elsewhere
	# in this file describe, a caller can alter or remove recorded audit
	# data. Grant this only to domains trusted with the audit trail and
	# prefer logging_read_audit_log() where reading is enough.
	manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
	manage_files_pattern($1, auditd_log_t, auditd_log_t)
')
378
14add30d
CP
379########################################
380## <summary>
381## Execute klogd in the klog domain.
382## </summary>
383## <param name="domain">
384## <summary>
a0546c9d 385## Domain allowed to transition.
14add30d
CP
386## </summary>
387## </param>
388#
389interface(`logging_domtrans_klog',`
390 gen_require(`
391 type klogd_t, klogd_exec_t;
392 ')
393
394 corecmd_search_bin($1)
3f67f722 395 domtrans_pattern($1, klogd_exec_t, klogd_t)
14add30d
CP
396')
397
e40fa634
CP
398########################################
399## <summary>
400## Check if syslogd is executable.
401## </summary>
402## <param name="domain">
403## <summary>
404## Domain allowed access.
405## </summary>
406## </param>
407#
408interface(`logging_check_exec_syslog',`
409 gen_require(`
96851b1d 410 type syslogd_exec_t;
e40fa634
CP
411 ')
412
413 corecmd_list_bin($1)
414 corecmd_read_bin_symlinks($1)
415 allow $1 syslogd_exec_t:file execute;
416')
417
165b42d2 418########################################
df00b2e2
CP
419## <summary>
420## Execute syslogd in the syslog domain.
421## </summary>
422## <param name="domain">
885b83ec 423## <summary>
a0546c9d 424## Domain allowed to transition.
885b83ec 425## </summary>
df00b2e2
CP
426## </param>
427#
428interface(`logging_domtrans_syslog',`
429 gen_require(`
430 type syslogd_t, syslogd_exec_t;
df00b2e2
CP
431 ')
432
8021cb4f 433 corecmd_search_bin($1)
3f67f722 434 domtrans_pattern($1, syslogd_exec_t, syslogd_t)
df00b2e2
CP
435')
436
fb1aee72 437########################################
ac9db9b5 438## <summary>
45185c07 439## Create an object in the log directory, with a private type.
ac9db9b5 440## </summary>
45185c07
CP
441## <desc>
442## <p>
443## Allow the specified domain to create an object
444## in the general system log directories (e.g., /var/log)
445## with a private type. Typically this is used for creating
446## private log files in /var/log with the private type instead
447## of the general system log type. To accomplish this goal,
448## either the program must be SELinux-aware, or use this interface.
449## </p>
5fb5bf26
CP
450## <p>
451## Related interfaces:
452## </p>
453## <ul>
454## <li>logging_log_file()</li>
455## </ul>
456## <p>
457## Example usage with a domain that can create
458## and append to a private log file stored in the
459## general directories (e.g., /var/log):
460## </p>
461## <p>
462## type mylogfile_t;
463## logging_log_file(mylogfile_t)
464## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
465## logging_log_filetrans(mydomain_t, mylogfile_t, file)
466## </p>
45185c07 467## </desc>
ac9db9b5
CP
468## <param name="domain">
469## <summary>
470## Domain allowed access.
471## </summary>
472## </param>
473## <param name="private type">
474## <summary>
475## The type of the object to be created.
476## </summary>
477## </param>
478## <param name="object">
479## <summary>
480## The object class of the object being created.
481## </summary>
482## </param>
45185c07 483## <infoflow type="write" weight="10"/>
fb1aee72 484#
103fe280 485interface(`logging_log_filetrans',`
139520a2
CP
486 gen_require(`
487 type var_log_t;
139520a2 488 ')
0c73cd25 489
1c1ac67f 490 files_search_var($1)
3f67f722 491 filetrans_pattern($1, var_log_t, $2, $3)
fb1aee72
CP
492')
493
ac9db9b5
CP
494########################################
495## <summary>
496## Send system log messages.
497## </summary>
6e48775f
CP
498## <desc>
499## <p>
500## Allow the specified domain to connect to the
501## system log service (syslog), to send messages to be added to
502## the system logs. Typically this is used by services
503## that do not have their own log file in /var/log.
504## </p>
505## <p>
506## This does not allow messages to be sent to
507## the auditing system.
508## </p>
509## <p>
510## Programs which use the libc function syslog() will
511## require this access.
512## </p>
513## <p>
514## Related interfaces:
515## </p>
516## <ul>
517## <li>logging_send_audit_msgs()</li>
518## </ul>
519## </desc>
ac9db9b5
CP
520## <param name="domain">
521## <summary>
522## Domain allowed access.
523## </summary>
524## </param>
8c77177b 525#
199895e2 526interface(`logging_send_syslog_msg',`
139520a2
CP
527 gen_require(`
528 type syslogd_t, devlog_t;
139520a2 529 ')
0c73cd25 530
fef5dcf3
CP
531 allow $1 devlog_t:lnk_file read_lnk_file_perms;
532 allow $1 devlog_t:sock_file write_sock_file_perms;
0c73cd25
CP
533
534 # the type of socket depends on the syslog daemon
535 allow $1 syslogd_t:unix_dgram_socket sendto;
536 allow $1 syslogd_t:unix_stream_socket connectto;
cc41a97c
CP
537 allow $1 self:unix_dgram_socket create_socket_perms;
538 allow $1 self:unix_stream_socket create_socket_perms;
0c73cd25 539
fef5dcf3
CP
540 # If syslog is down, the glibc syslog() function
541 # will write to the console.
542 term_write_console($1)
2f84a77d 543 term_dontaudit_read_console($1)
8c77177b
CP
544')
545
########################################
## <summary>
##	Create and manage the syslog socket file (devlog_t),
##	with a type transition set up through dev_filetrans().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_create_devlog_dev',`
	gen_require(`
		type devlog_t;
	')

	# Management of socket files labeled devlog_t. This is the same
	# type that logging_send_syslog_msg() lets clients write to, so a
	# caller of this interface controls the socket other domains log to.
	allow $1 devlog_t:sock_file manage_sock_file_perms;
	# Socket files the caller creates get the devlog_t label.
	# dev_filetrans is defined outside this file. NOTE(review):
	# presumably the transition applies in the device directory.
	dev_filetrans($1, devlog_t, sock_file)
')
564
3eaa9939
DW
565########################################
566## <summary>
567## Connect to the syslog control unix stream socket.
568## </summary>
569## <param name="domain">
570## <summary>
571## Domain allowed access.
572## </summary>
573## </param>
574#
575interface(`logging_stream_connect_syslog',`
576 gen_require(`
577 type syslogd_t, syslogd_var_run_t;
578 ')
579
580 files_search_pids($1)
581 stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
582')
583
605ba285
CP
584########################################
585## <summary>
586## Read the auditd configuration files.
587## </summary>
588## <param name="domain">
885b83ec 589## <summary>
605ba285 590## Domain allowed access.
885b83ec 591## </summary>
605ba285 592## </param>
bbcd3c97 593## <rolecap/>
605ba285 594#
1815bad1 595interface(`logging_read_audit_config',`
605ba285
CP
596 gen_require(`
597 type auditd_etc_t;
605ba285
CP
598 ')
599
600 files_search_etc($1)
3f67f722 601 read_files_pattern($1, auditd_etc_t, auditd_etc_t)
c0868a7a 602 allow $1 auditd_etc_t:dir list_dir_perms;
605ba285
CP
603')
604
0a0b8078
CP
605########################################
606## <summary>
607## Do not audit attempts to search the auditd configuration directory.
608## </summary>
609## <param name="domain">
610## <summary>
a0546c9d 611## Domain to not audit.
0a0b8078
CP
612## </summary>
613## </param>
614## <rolecap/>
615#
616interface(`logging_dontaudit_search_audit_config',`
617 gen_require(`
618 type auditd_etc_t;
619 ')
620
621 dontaudit $1 auditd_etc_t:dir search_dir_perms;
622')
623
1abafe37
CP
624########################################
625## <summary>
626## Read syslog configuration files.
627## </summary>
628## <param name="domain">
629## <summary>
630## Domain allowed access.
631## </summary>
632## </param>
633## <rolecap/>
634#
635interface(`logging_read_syslog_config',`
636 gen_require(`
637 type syslog_conf_t;
638 ')
639
640 allow $1 syslog_conf_t:file read_file_perms;
641')
642
daa0e0b0 643########################################
f7ebea06 644## <summary>
414e4151
CP
645## Allows the domain to open a file in the
646## log directory, but does not allow the listing
647## of the contents of the log directory.
f7ebea06 648## </summary>
414e4151 649## <param name="domain">
885b83ec 650## <summary>
ac9db9b5 651## Domain allowed access.
885b83ec 652## </summary>
414e4151 653## </param>
3ce6cb4a 654#
199895e2 655interface(`logging_search_logs',`
139520a2
CP
656 gen_require(`
657 type var_log_t;
139520a2 658 ')
0c73cd25 659
c9428d33 660 files_search_var($1)
46551033 661 allow $1 var_log_t:dir search_dir_perms;
3ce6cb4a
CP
662')
663
fbc0a272
CP
664#######################################
665## <summary>
ff8f0a63 666## Do not audit attempts to search the var log directory.
fbc0a272
CP
667## </summary>
668## <param name="domain">
ff8f0a63
CP
669## <summary>
670## Domain not to audit.
671## </summary>
fbc0a272
CP
672## </param>
673#
674interface(`logging_dontaudit_search_logs',`
675 gen_require(`
676 type var_log_t;
677 ')
678
46551033 679 dontaudit $1 var_log_t:dir search_dir_perms;
fbc0a272
CP
680')
681
f33561f5
CP
682#######################################
683## <summary>
684## List the contents of the generic log directory (/var/log).
685## </summary>
686## <param name="domain">
885b83ec 687## <summary>
f33561f5 688## Domain allowed access.
885b83ec 689## </summary>
f33561f5
CP
690## </param>
691#
692interface(`logging_list_logs',`
693 gen_require(`
694 type var_log_t;
695 ')
696
697 files_search_var($1)
c0868a7a 698 allow $1 var_log_t:dir list_dir_perms;
f33561f5
CP
699')
700
96ce00af
CP
701#######################################
702## <summary>
703## Read and write the generic log directory (/var/log).
704## </summary>
705## <param name="domain">
885b83ec 706## <summary>
ac9db9b5 707## Domain allowed access.
885b83ec 708## </summary>
96ce00af
CP
709## </param>
710#
1815bad1 711interface(`logging_rw_generic_log_dirs',`
96ce00af
CP
712 gen_require(`
713 type var_log_t;
96ce00af
CP
714 ')
715
716 files_search_var($1)
717 allow $1 var_log_t:dir rw_dir_perms;
718')
719
127d617b
CP
720#######################################
721## <summary>
722## Set attributes on all log dirs.
723## </summary>
724## <param name="domain">
725## <summary>
726## Domain allowed access.
727## </summary>
728## </param>
729## <rolecap/>
730#
731interface(`logging_setattr_all_log_dirs',`
732 gen_require(`
733 attribute logfile;
734 ')
735
736 allow $1 logfile:dir setattr;
737')
738
ac9db9b5
CP
739########################################
740## <summary>
741## Do not audit attempts to get the attributes
742## of any log files.
743## </summary>
744## <param name="domain">
745## <summary>
a0546c9d 746## Domain to not audit.
ac9db9b5
CP
747## </summary>
748## </param>
b16c6b8c 749#
199895e2 750interface(`logging_dontaudit_getattr_all_logs',`
139520a2
CP
751 gen_require(`
752 attribute logfile;
139520a2 753 ')
0c73cd25
CP
754
755 dontaudit $1 logfile:file getattr;
b16c6b8c
CP
756')
757
########################################
## <summary>
##	Append to all log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): var_log_t is required below but no rule in this
# interface references it.
interface(`logging_append_all_logs',`
	gen_require(`
		attribute logfile;
		type var_log_t;
	')

	files_search_var($1)
	# Applies to every type carrying the logfile attribute, which
	# logging_log_file() assigns. The pattern names append only, so this
	# is the narrower choice next to logging_rw_all_logs() and
	# logging_manage_all_logs().
	append_files_pattern($1, logfile, logfile)
')
777
########################################
## <summary>
##	Append to all log files through inherited,
##	already open file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_inherit_append_all_logs',`
	gen_require(`
		attribute logfile;
	')

	# The permission list has no open and the interface grants no
	# directory search, so the caller can only use log file descriptors
	# handed to it by another process. That is the difference from
	# logging_append_all_logs().
	allow $1 logfile:file { getattr append ioctl lock };
')
795
ac9db9b5
CP
796########################################
797## <summary>
798## Read all log files.
799## </summary>
800## <param name="domain">
801## <summary>
802## Domain allowed access.
803## </summary>
804## </param>
bbcd3c97 805## <rolecap/>
b4cd1533 806#
199895e2 807interface(`logging_read_all_logs',`
139520a2
CP
808 gen_require(`
809 attribute logfile;
139520a2 810 ')
0c73cd25 811
c9428d33 812 files_search_var($1)
eaed904c
CP
813 allow $1 logfile:dir list_dir_perms;
814 read_files_pattern($1, logfile, logfile)
b4cd1533
CP
815')
816
########################################
## <summary>
##	Execute all log files in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: not sure why this is needed.  This was added
# because of logrotate.
#
# NOTE(review): the rules below let the caller execute any file whose
# type carries the logfile attribute, without leaving its own domain.
# Log files hold data written by other domains, so confirm the access
# is still required and keep the set of callers as small as possible.
interface(`logging_exec_all_logs',`
	gen_require(`
		attribute logfile;
	')

	files_search_var($1)
	# Listing of log directories, then execute access on log files.
	allow $1 logfile:dir list_dir_perms;
	can_exec($1, logfile)
')
838
c11057f7
CP
839########################################
840## <summary>
841## Read and write all log files.
842## </summary>
843## <param name="domain">
844## <summary>
845## Domain allowed access.
846## </summary>
847## </param>
848#
849interface(`logging_rw_all_logs',`
850 gen_require(`
851 attribute logfile;
852 ')
853
854 files_search_var($1)
855 rw_files_pattern($1, logfile, logfile)
856')
857
########################################
## <summary>
##	Create, read, write, and delete all log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`logging_manage_all_logs',`
	gen_require(`
		attribute logfile;
	')

	files_search_var($1)
	# Covers regular files and symbolic links of every type carrying
	# the logfile attribute. No directory management rule is present
	# here. Because the attribute spans the logs of all services, this
	# is the broadest log file access in the file short of the admin
	# interfaces. Prefer the append or read interfaces when a caller
	# does not need to rewrite or delete logs.
	manage_files_pattern($1, logfile, logfile)
	manage_lnk_files_pattern($1, logfile, logfile)
')
878
ac9db9b5
CP
879########################################
880## <summary>
881## Read generic log files.
882## </summary>
883## <param name="domain">
884## <summary>
885## Domain allowed access.
886## </summary>
887## </param>
bbcd3c97 888## <rolecap/>
24280a52 889#
199895e2 890interface(`logging_read_generic_logs',`
139520a2
CP
891 gen_require(`
892 type var_log_t;
139520a2 893 ')
0c73cd25 894
c9428d33 895 files_search_var($1)
c0868a7a 896 allow $1 var_log_t:dir list_dir_perms;
3f67f722 897 read_files_pattern($1, var_log_t, var_log_t)
24280a52
CP
898')
899
dfa6eba1 900########################################
fb5c4713
DW
901## <summary>
902## Link generic log files.
903## </summary>
904## <param name="domain">
905## <summary>
906## Domain allowed access.
907## </summary>
908## </param>
909## <rolecap/>
910#
911interface(`logging_link_generic_logs',`
912 gen_require(`
913 type var_log_t;
914 ')
915
916 allow $1 var_log_t:file link;
917')
918
919########################################
dfa6eba1
DW
920## <summary>
921## Delete generic log files.
922## </summary>
923## <param name="domain">
924## <summary>
925## Domain allowed access.
926## </summary>
927## </param>
928## <rolecap/>
929#
930interface(`logging_delete_generic_logs',`
931 gen_require(`
932 type var_log_t;
933 ')
934
935 allow $1 var_log_t:file unlink;
936')
937
ac9db9b5
CP
938########################################
939## <summary>
940## Write generic log files.
941## </summary>
942## <param name="domain">
943## <summary>
944## Domain allowed access.
945## </summary>
946## </param>
d490eb6b 947#
199895e2 948interface(`logging_write_generic_logs',`
139520a2
CP
949 gen_require(`
950 type var_log_t;
139520a2 951 ')
0c73cd25 952
c9428d33 953 files_search_var($1)
c0868a7a 954 allow $1 var_log_t:dir list_dir_perms;
3f67f722 955 write_files_pattern($1, var_log_t, var_log_t)
d490eb6b
CP
956')
957
c11057f7
CP
958########################################
959## <summary>
960## Do not audit attempts to write generic log files.
961## </summary>
962## <param name="domain">
963## <summary>
a0546c9d 964## Domain to not audit.
c11057f7
CP
965## </summary>
966## </param>
967#
968interface(`logging_dontaudit_write_generic_logs',`
969 gen_require(`
970 type var_log_t;
971 ')
972
973 dontaudit $1 var_log_t:file write;
974')
975
0907bda1
CP
976########################################
977## <summary>
978## Read and write generic log files.
979## </summary>
980## <param name="domain">
885b83ec 981## <summary>
0907bda1 982## Domain allowed access.
885b83ec 983## </summary>
0907bda1 984## </param>
b4cd1533 985#
199895e2 986interface(`logging_rw_generic_logs',`
139520a2
CP
987 gen_require(`
988 type var_log_t;
139520a2 989 ')
0c73cd25 990
c9428d33 991 files_search_var($1)
c0868a7a 992 allow $1 var_log_t:dir list_dir_perms;
3f67f722 993 rw_files_pattern($1, var_log_t, var_log_t)
b4cd1533 994')
0907bda1
CP
995
996########################################
997## <summary>
998## Create, read, write, and delete
999## generic log files.
1000## </summary>
1001## <param name="domain">
885b83ec 1002## <summary>
0907bda1 1003## Domain allowed access.
885b83ec 1004## </summary>
0907bda1 1005## </param>
bbcd3c97 1006## <rolecap/>
0907bda1
CP
1007#
1008interface(`logging_manage_generic_logs',`
1009 gen_require(`
1010 type var_log_t;
0907bda1
CP
1011 ')
1012
1013 files_search_var($1)
3f67f722 1014 manage_files_pattern($1, var_log_t, var_log_t)
0907bda1 1015')
eaed904c
CP
1016
########################################
## <summary>
##	All of the rules required to administrate
##	the audit environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	User role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`logging_admin_audit',`
	gen_require(`
		type auditd_t, auditd_etc_t, auditd_log_t;
		type auditd_var_run_t;
		type auditd_initrc_exec_t;
	')

	# Signal and trace the audit daemon process.
	# NOTE(review): ptrace on auditd_t gives the admin domain control
	# over the process that records audit events. Confirm it is needed
	# in addition to signal_perms for the administration tasks intended.
	allow $1 auditd_t:process { ptrace signal_perms };
	# ps_process_pattern is defined outside this file. Presumably it
	# lets the admin see auditd in process listings.
	ps_process_pattern($1, auditd_t)

	# Manage the auditd configuration.
	manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)

	# Manage the audit log itself. A domain with this access can change
	# or remove recorded audit data, so the interface belongs only to
	# trusted administrative domains.
	manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
	manage_files_pattern($1, auditd_log_t, auditd_log_t)

	# Manage the auditd runtime files.
	manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
	manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)

	# Run auditctl in its own domain and allow that domain to the role.
	logging_run_auditctl($1, $2)

	# Let the admin start and stop auditd through its init script: the
	# role moves to system_r when the script type is executed, and the
	# role change from the admin role to system_r is permitted.
	init_labeled_script_domtrans($1, auditd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 auditd_initrc_exec_t system_r;
	allow $2 system_r;
')
1060
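########################################
## <summary>
##	All of the rules required to administrate
##	the syslog environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	User role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`logging_admin_syslog',`
	# The relabel rules below reference the logfile attribute directly,
	# so it is required here instead of relying on the require block
	# that the nested logging_manage_all_logs() call happens to bring in.
	gen_require(`
		attribute logfile;
		type syslogd_t, klogd_t, syslog_conf_t;
		type syslogd_tmp_t, syslogd_var_lib_t;
		type syslogd_var_run_t, klogd_var_run_t;
		type klogd_tmp_t, var_log_t;
		type syslogd_initrc_exec_t;
	')

	allow $1 self:capability2 syslog;
	# Signal and trace the syslog and kernel log daemons.
	# NOTE(review): ptrace gives the admin domain control over the
	# processes that write the system logs. Confirm it is needed in
	# addition to signal_perms.
	allow $1 syslogd_t:process { ptrace signal_perms };
	allow $1 klogd_t:process { ptrace signal_perms };
	# ps_process_pattern is defined outside this file. Presumably it
	# lets the admin see both daemons in process listings.
	ps_process_pattern($1, syslogd_t)
	ps_process_pattern($1, klogd_t)

	# Runtime and temporary files of klogd.
	manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
	manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)

	manage_dirs_pattern($1, klogd_tmp_t, klogd_tmp_t)
	manage_files_pattern($1, klogd_tmp_t, klogd_tmp_t)

	# Temporary files of syslogd.
	manage_dirs_pattern($1, syslogd_tmp_t, syslogd_tmp_t)
	manage_files_pattern($1, syslogd_tmp_t, syslogd_tmp_t)

	# Syslog configuration. Files the admin creates through
	# files_etc_filetrans get the syslog_conf_t label.
	manage_dirs_pattern($1, syslog_conf_t, syslog_conf_t)
	manage_files_pattern($1, syslog_conf_t, syslog_conf_t)
	files_etc_filetrans($1, syslog_conf_t, file)

	# State and runtime files of syslogd.
	manage_dirs_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
	manage_files_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)

	manage_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)

	# Manage every log file type and relabel log directories and files.
	# Together these let the admin rewrite, delete or retype any log,
	# so the interface belongs only to trusted administrative domains.
	logging_manage_all_logs($1)
	allow $1 logfile:dir relabel_dir_perms;
	allow $1 logfile:file relabel_file_perms;

	# Let the admin start and stop syslogd through its init script: the
	# role moves to system_r when the script type is executed, and the
	# role change from the admin role to system_r is permitted.
	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 syslogd_initrc_exec_t system_r;
	allow $2 system_r;
')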
1121
########################################
## <summary>
##	All of the rules required to administrate
##	the logging environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	User role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`logging_admin',`
	# Union of the audit and syslog administration interfaces, with the
	# same domain and role passed to both. A caller therefore receives
	# the ptrace, audit log management and log relabel access those two
	# interfaces grant. Use one of them alone when a role administers
	# only auditing or only syslog.
	logging_admin_audit($1, $2)
	logging_admin_syslog($1, $2)
')