Commit | Line | Data |
---|---|---|
e32d52ba | 1 | ## <summary>Policy for the kernel message logger and system logging daemon.</summary> |
e181fe05 | 2 | |
45185c07 | 3 | ######################################## |
cff75c90 | 4 | ## <summary> |
45185c07 CP |
5 | ## Make the specified type usable for log files |
6 | ## in a filesystem. | |
cff75c90 | 7 | ## </summary> |
45185c07 CP |
8 | ## <desc> |
9 | ## <p> | |
10 | ## Make the specified type usable for log files in a filesystem. | |
11 | ## This will also make the type usable for files, making | |
12 | ## calls to files_type() redundant. Failure to use this interface | |
13 | ## for a log file type may result in problems with log | |
14 | ## rotation, log analysis, and log monitoring programs. | |
15 | ## </p> | |
16 | ## <p> | |
17 | ## Related interfaces: | |
18 | ## </p> | |
19 | ## <ul> | |
20 | ## <li>logging_log_filetrans()</li> | |
21 | ## </ul> | |
22 | ## <p> | |
23 | ## Example usage with a domain that can create | |
24 | ## and append to a private log file stored in the | |
25 | ## general directories (e.g., /var/log): | |
26 | ## </p> | |
27 | ## <p> | |
28 | ## type mylogfile_t; | |
29 | ## logging_log_file(mylogfile_t) | |
30 | ## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; | |
31 | ## logging_log_filetrans(mydomain_t, mylogfile_t, file) | |
32 | ## </p> | |
33 | ## </desc> | |
34 | ## <param name="type"> | |
885b83ec | 35 | ## <summary> |
45185c07 | 36 | ## Type to be used for files. |
885b83ec | 37 | ## </summary> |
cff75c90 | 38 | ## </param> |
45185c07 | 39 | ## <infoflow type="none"/> |
b4cd1533 | 40 | # |
199895e2 | 41 | interface(`logging_log_file',` |
139520a2 CP |
42 | gen_require(` |
43 | attribute logfile; | |
44 | ') | |
0c73cd25 | 45 | |
8fd36732 | 46 | files_type($1) |
a1fcff33 | 47 | files_associate_tmp($1) |
cff75c90 | 48 | fs_associate_tmpfs($1) |
0c73cd25 | 49 | typeattribute $1 logfile; |
b4cd1533 CP |
50 | ') |
51 | ||
d5b81a81 CP |
52 | ####################################### |
53 | ## <summary> | |
54 | ## Send audit messages. | |
55 | ## </summary> | |
56 | ## <param name="domain"> | |
57 | ## <summary> | |
58 | ## Domain allowed access. | |
59 | ## </summary> | |
60 | ## </param> | |
61 | # | |
62 | interface(`logging_send_audit_msgs',` | |
63 | allow $1 self:capability audit_write; | |
eaed904c CP |
64 | allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay }; |
65 | ') | |
66 | ||
67 | ####################################### | |
68 | ## <summary> | |
69 | ## Do not audit attempts to send audit messages. | |
70 | ## </summary> | |
71 | ## <param name="domain"> | |
72 | ## <summary> | |
a0546c9d | 73 | ## Domain to not audit. |
eaed904c CP |
74 | ## </summary> |
75 | ## </param> | |
76 | # | |
77 | interface(`logging_dontaudit_send_audit_msgs',` | |
78 | dontaudit $1 self:capability audit_write; | |
79 | dontaudit $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay }; | |
80 | ') | |
81 | ||
82 | ######################################## | |
83 | ## <summary> | |
84 | ## Set login uid | |
85 | ## </summary> | |
86 | ## <param name="domain"> | |
87 | ## <summary> | |
88 | ## Domain allowed access. | |
89 | ## </summary> | |
90 | ## </param> | |
91 | # | |
92 | interface(`logging_set_loginuid',` | |
93 | allow $1 self:capability audit_control; | |
94 | allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay }; | |
95 | ') | |
96 | ||
7a8807b6 CP |
97 | ######################################## |
98 | ## <summary> | |
99 | ## Set tty auditing | |
100 | ## </summary> | |
101 | ## <param name="domain"> | |
102 | ## <summary> | |
103 | ## Domain allowed access. | |
104 | ## </summary> | |
105 | ## </param> | |
106 | # | |
107 | interface(`logging_set_tty_audit',` | |
108 | allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_tty_audit }; | |
109 | ') | |
110 | ||
eaed904c CP |
111 | ######################################## |
112 | ## <summary> | |
113 | ## Set up audit | |
114 | ## </summary> | |
115 | ## <param name="domain"> | |
116 | ## <summary> | |
117 | ## Domain allowed access. | |
118 | ## </summary> | |
119 | ## </param> | |
120 | # | |
121 | interface(`logging_set_audit_parameters',` | |
122 | allow $1 self:capability { audit_write audit_control }; | |
d5b81a81 CP |
123 | allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; |
124 | ') | |
125 | ||
bf080a46 CP |
126 | ######################################## |
127 | ## <summary> | |
128 | ## Read the audit log. | |
129 | ## </summary> | |
130 | ## <param name="domain"> | |
885b83ec | 131 | ## <summary> |
bf080a46 | 132 | ## Domain allowed access. |
885b83ec | 133 | ## </summary> |
bf080a46 | 134 | ## </param> |
bbcd3c97 | 135 | ## <rolecap/> |
bf080a46 CP |
136 | # |
137 | interface(`logging_read_audit_log',` | |
138 | gen_require(` | |
139 | type auditd_log_t; | |
140 | ') | |
141 | ||
142 | files_search_var($1) | |
3f67f722 | 143 | read_files_pattern($1, auditd_log_t, auditd_log_t) |
c0868a7a | 144 | allow $1 auditd_log_t:dir list_dir_perms; |
bf080a46 CP |
145 | ') |
146 | ||
33acca55 CP |
147 | ######################################## |
148 | ## <summary> | |
149 | ## Execute auditctl in the auditctl domain. | |
150 | ## </summary> | |
151 | ## <param name="domain"> | |
885b83ec | 152 | ## <summary> |
a0546c9d | 153 | ## Domain allowed to transition. |
885b83ec | 154 | ## </summary> |
33acca55 CP |
155 | ## </param> |
156 | # | |
157 | interface(`logging_domtrans_auditctl',` | |
158 | gen_require(` | |
159 | type auditctl_t, auditctl_exec_t; | |
160 | ') | |
161 | ||
3f67f722 | 162 | domtrans_pattern($1, auditctl_exec_t, auditctl_t) |
33acca55 CP |
163 | ') |
164 | ||
3b914745 CP |
165 | ######################################## |
166 | ## <summary> | |
167 | ## Execute auditctl in the auditctl domain, and | |
168 | ## allow the specified role the auditctl domain. | |
169 | ## </summary> | |
170 | ## <param name="domain"> | |
171 | ## <summary> | |
a0546c9d | 172 | ## Domain allowed to transition. |
3b914745 CP |
173 | ## </summary> |
174 | ## </param> | |
175 | ## <param name="role"> | |
176 | ## <summary> | |
a7ee7f81 | 177 | ## Role allowed access. |
3b914745 CP |
178 | ## </summary> |
179 | ## </param> | |
bbcd3c97 | 180 | ## <rolecap/> |
3b914745 CP |
181 | # |
182 | interface(`logging_run_auditctl',` | |
183 | gen_require(` | |
184 | type auditctl_t; | |
185 | ') | |
186 | ||
187 | logging_domtrans_auditctl($1) | |
188 | role $2 types auditctl_t; | |
3b914745 CP |
189 | ') |
190 | ||
df00b2e2 | 191 | ######################################## |
165b42d2 CP |
192 | ## <summary> |
193 | ## Execute auditd in the auditd domain. | |
194 | ## </summary> | |
195 | ## <param name="domain"> | |
196 | ## <summary> | |
a0546c9d | 197 | ## Domain allowed to transition. |
165b42d2 CP |
198 | ## </summary> |
199 | ## </param> | |
200 | # | |
201 | interface(`logging_domtrans_auditd',` | |
202 | gen_require(` | |
203 | type auditd_t, auditd_exec_t; | |
204 | ') | |
205 | ||
3f67f722 | 206 | domtrans_pattern($1, auditd_exec_t, auditd_t) |
165b42d2 CP |
207 | ') |
208 | ||
209 | ######################################## | |
210 | ## <summary> | |
211 | ## Execute auditd in the auditd domain, and | |
212 | ## allow the specified role the auditd domain. | |
213 | ## </summary> | |
214 | ## <param name="domain"> | |
215 | ## <summary> | |
a0546c9d | 216 | ## Domain allowed to transition. |
165b42d2 CP |
217 | ## </summary> |
218 | ## </param> | |
219 | ## <param name="role"> | |
220 | ## <summary> | |
a7ee7f81 | 221 | ## Role allowed access. |
165b42d2 CP |
222 | ## </summary> |
223 | ## </param> | |
165b42d2 CP |
224 | # |
225 | interface(`logging_run_auditd',` | |
226 | gen_require(` | |
227 | type auditd_t; | |
228 | ') | |
229 | ||
230 | logging_domtrans_auditd($1) | |
231 | role $2 types auditd_t; | |
165b42d2 CP |
232 | ') |
233 | ||
a5e2133b CP |
234 | ######################################## |
235 | ## <summary> | |
236 | ## Connect to auditd over a unix stream socket. Deprecated: use logging_stream_connect_dispatcher() instead. | |
237 | ## </summary> | |
238 | ## <param name="domain"> | |
239 | ## <summary> | |
240 | ## Domain allowed access. | |
241 | ## </summary> | |
242 | ## </param> | |
243 | # | |
244 | interface(`logging_stream_connect_auditd',` | |
c11057f7 CP |
245 | refpolicywarn(`$0($*) has been deprecated, logging_stream_connect_dispatcher() should be used instead.') |
246 | logging_stream_connect_dispatcher($1) | |
247 | ') | |
248 | ||
249 | ######################################## | |
250 | ## <summary> | |
251 | ## Execute a domain transition to run the audit dispatcher. | |
252 | ## </summary> | |
253 | ## <param name="domain"> | |
254 | ## <summary> | |
255 | ## Domain allowed to transition. | |
256 | ## </summary> | |
257 | ## </param> | |
258 | # | |
259 | interface(`logging_domtrans_dispatcher',` | |
a5e2133b | 260 | gen_require(` |
c11057f7 CP |
261 | type audisp_t, audisp_exec_t; |
262 | ') | |
263 | ||
264 | domtrans_pattern($1, audisp_exec_t, audisp_t) | |
265 | ') | |
266 | ||
267 | ######################################## | |
268 | ## <summary> | |
269 | ## Signal the audit dispatcher. | |
270 | ## </summary> | |
271 | ## <param name="domain"> | |
272 | ## <summary> | |
a0546c9d | 273 | ## Domain allowed access. |
c11057f7 CP |
274 | ## </summary> |
275 | ## </param> | |
276 | # | |
277 | interface(`logging_signal_dispatcher',` | |
278 | gen_require(` | |
279 | type audisp_t; | |
280 | ') | |
281 | ||
282 | allow $1 audisp_t:process signal; | |
283 | ') | |
284 | ||
285 | ######################################## | |
286 | ## <summary> | |
287 | ## Create a domain for processes | |
288 | ## which can be started by the system audit dispatcher | |
289 | ## </summary> | |
290 | ## <param name="domain"> | |
291 | ## <summary> | |
292 | ## Type to be used as a domain. | |
293 | ## </summary> | |
294 | ## </param> | |
295 | ## <param name="entry_point"> | |
296 | ## <summary> | |
297 | ## Type of the program to be used as an entry point to this domain. | |
298 | ## </summary> | |
299 | ## </param> | |
300 | # | |
301 | interface(`logging_dispatcher_domain',` | |
302 | gen_require(` | |
303 | type audisp_t; | |
304 | role system_r; | |
305 | ') | |
306 | ||
307 | domain_type($1) | |
308 | domain_entry_file($1, $2) | |
309 | ||
310 | role system_r types $1; | |
311 | ||
312 | domtrans_pattern(audisp_t, $2, $1) | |
cfafe4a7 | 313 | allow audisp_t $1:process { sigkill sigstop signull signal }; |
c11057f7 CP |
314 | |
315 | allow audisp_t $2:file getattr; | |
316 | allow $1 audisp_t:unix_stream_socket rw_socket_perms; | |
317 | ') | |
318 | ||
319 | ######################################## | |
320 | ## <summary> | |
321 | ## Connect to the audit dispatcher over an unix stream socket. | |
322 | ## </summary> | |
323 | ## <param name="domain"> | |
324 | ## <summary> | |
325 | ## Domain allowed access. | |
326 | ## </summary> | |
327 | ## </param> | |
328 | # | |
329 | interface(`logging_stream_connect_dispatcher',` | |
330 | gen_require(` | |
331 | type audisp_t, audisp_var_run_t; | |
a5e2133b CP |
332 | ') |
333 | ||
334 | files_search_pids($1) | |
c11057f7 | 335 | stream_connect_pattern($1, audisp_var_run_t, audisp_var_run_t, audisp_t) |
a5e2133b CP |
336 | ') |
337 | ||
165b42d2 CP |
338 | ######################################## |
339 | ## <summary> | |
340 | ## Manage the auditd configuration files. | |
341 | ## </summary> | |
342 | ## <param name="domain"> | |
343 | ## <summary> | |
344 | ## Domain allowed access. | |
345 | ## </summary> | |
346 | ## </param> | |
bbcd3c97 | 347 | ## <rolecap/> |
165b42d2 CP |
348 | # |
349 | interface(`logging_manage_audit_config',` | |
350 | gen_require(` | |
351 | type auditd_etc_t; | |
352 | ') | |
353 | ||
354 | files_search_etc($1) | |
3f67f722 | 355 | manage_files_pattern($1, auditd_etc_t, auditd_etc_t) |
165b42d2 CP |
356 | ') |
357 | ||
358 | ######################################## | |
359 | ## <summary> | |
360 | ## Manage the audit log. | |
361 | ## </summary> | |
362 | ## <param name="domain"> | |
363 | ## <summary> | |
364 | ## Domain allowed access. | |
365 | ## </summary> | |
366 | ## </param> | |
bbcd3c97 | 367 | ## <rolecap/> |
165b42d2 CP |
368 | # |
369 | interface(`logging_manage_audit_log',` | |
370 | gen_require(` | |
371 | type auditd_log_t; | |
372 | ') | |
373 | ||
374 | files_search_var($1) | |
3f67f722 CP |
375 | manage_dirs_pattern($1, auditd_log_t, auditd_log_t) |
376 | manage_files_pattern($1, auditd_log_t, auditd_log_t) | |
165b42d2 CP |
377 | ') |
378 | ||
14add30d CP |
379 | ######################################## |
380 | ## <summary> | |
381 | ## Execute klogd in the klog domain. | |
382 | ## </summary> | |
383 | ## <param name="domain"> | |
384 | ## <summary> | |
a0546c9d | 385 | ## Domain allowed to transition. |
14add30d CP |
386 | ## </summary> |
387 | ## </param> | |
388 | # | |
389 | interface(`logging_domtrans_klog',` | |
390 | gen_require(` | |
391 | type klogd_t, klogd_exec_t; | |
392 | ') | |
393 | ||
394 | corecmd_search_bin($1) | |
3f67f722 | 395 | domtrans_pattern($1, klogd_exec_t, klogd_t) |
14add30d CP |
396 | ') |
397 | ||
e40fa634 CP |
398 | ######################################## |
399 | ## <summary> | |
400 | ## Check if syslogd is executable. | |
401 | ## </summary> | |
402 | ## <param name="domain"> | |
403 | ## <summary> | |
404 | ## Domain allowed access. | |
405 | ## </summary> | |
406 | ## </param> | |
407 | # | |
408 | interface(`logging_check_exec_syslog',` | |
409 | gen_require(` | |
96851b1d | 410 | type syslogd_exec_t; |
e40fa634 CP |
411 | ') |
412 | ||
413 | corecmd_list_bin($1) | |
414 | corecmd_read_bin_symlinks($1) | |
415 | allow $1 syslogd_exec_t:file execute; | |
416 | ') | |
417 | ||
165b42d2 | 418 | ######################################## |
df00b2e2 CP |
419 | ## <summary> |
420 | ## Execute syslogd in the syslog domain. | |
421 | ## </summary> | |
422 | ## <param name="domain"> | |
885b83ec | 423 | ## <summary> |
a0546c9d | 424 | ## Domain allowed to transition. |
885b83ec | 425 | ## </summary> |
df00b2e2 CP |
426 | ## </param> |
427 | # | |
428 | interface(`logging_domtrans_syslog',` | |
429 | gen_require(` | |
430 | type syslogd_t, syslogd_exec_t; | |
df00b2e2 CP |
431 | ') |
432 | ||
8021cb4f | 433 | corecmd_search_bin($1) |
3f67f722 | 434 | domtrans_pattern($1, syslogd_exec_t, syslogd_t) |
df00b2e2 CP |
435 | ') |
436 | ||
fb1aee72 | 437 | ######################################## |
ac9db9b5 | 438 | ## <summary> |
45185c07 | 439 | ## Create an object in the log directory, with a private type. |
ac9db9b5 | 440 | ## </summary> |
45185c07 CP |
441 | ## <desc> |
442 | ## <p> | |
443 | ## Allow the specified domain to create an object | |
444 | ## in the general system log directories (e.g., /var/log) | |
445 | ## with a private type. Typically this is used for creating | |
446 | ## private log files in /var/log with the private type instead | |
447 | ## of the general system log type. To accomplish this goal, | |
448 | ## either the program must be SELinux-aware, or use this interface. | |
449 | ## </p> | |
5fb5bf26 CP |
450 | ## <p> |
451 | ## Related interfaces: | |
452 | ## </p> | |
453 | ## <ul> | |
454 | ## <li>logging_log_file()</li> | |
455 | ## </ul> | |
456 | ## <p> | |
457 | ## Example usage with a domain that can create | |
458 | ## and append to a private log file stored in the | |
459 | ## general directories (e.g., /var/log): | |
460 | ## </p> | |
461 | ## <p> | |
462 | ## type mylogfile_t; | |
463 | ## logging_log_file(mylogfile_t) | |
464 | ## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; | |
465 | ## logging_log_filetrans(mydomain_t, mylogfile_t, file) | |
466 | ## </p> | |
45185c07 | 467 | ## </desc> |
ac9db9b5 CP |
468 | ## <param name="domain"> |
469 | ## <summary> | |
470 | ## Domain allowed access. | |
471 | ## </summary> | |
472 | ## </param> | |
473 | ## <param name="private type"> | |
474 | ## <summary> | |
475 | ## The type of the object to be created. | |
476 | ## </summary> | |
477 | ## </param> | |
478 | ## <param name="object"> | |
479 | ## <summary> | |
480 | ## The object class of the object being created. | |
481 | ## </summary> | |
482 | ## </param> | |
45185c07 | 483 | ## <infoflow type="write" weight="10"/> |
fb1aee72 | 484 | # |
103fe280 | 485 | interface(`logging_log_filetrans',` |
139520a2 CP |
486 | gen_require(` |
487 | type var_log_t; | |
139520a2 | 488 | ') |
0c73cd25 | 489 | |
1c1ac67f | 490 | files_search_var($1) |
3f67f722 | 491 | filetrans_pattern($1, var_log_t, $2, $3) |
fb1aee72 CP |
492 | ') |
493 | ||
ac9db9b5 CP |
494 | ######################################## |
495 | ## <summary> | |
496 | ## Send system log messages. | |
497 | ## </summary> | |
6e48775f CP |
498 | ## <desc> |
499 | ## <p> | |
500 | ## Allow the specified domain to connect to the | |
501 | ## system log service (syslog), to send messages to be added to | |
502 | ## the system logs. Typically this is used by services | |
503 | ## that do not have their own log file in /var/log. | |
504 | ## </p> | |
505 | ## <p> | |
506 | ## This does not allow messages to be sent to | |
507 | ## the auditing system. | |
508 | ## </p> | |
509 | ## <p> | |
510 | ## Programs which use the libc function syslog() will | |
511 | ## require this access. | |
512 | ## </p> | |
513 | ## <p> | |
514 | ## Related interfaces: | |
515 | ## </p> | |
516 | ## <ul> | |
517 | ## <li>logging_send_audit_msgs()</li> | |
518 | ## </ul> | |
519 | ## </desc> | |
ac9db9b5 CP |
520 | ## <param name="domain"> |
521 | ## <summary> | |
522 | ## Domain allowed access. | |
523 | ## </summary> | |
524 | ## </param> | |
8c77177b | 525 | # |
199895e2 | 526 | interface(`logging_send_syslog_msg',` |
139520a2 CP |
527 | gen_require(` |
528 | type syslogd_t, devlog_t; | |
139520a2 | 529 | ') |
0c73cd25 | 530 | |
fef5dcf3 CP |
531 | allow $1 devlog_t:lnk_file read_lnk_file_perms; |
532 | allow $1 devlog_t:sock_file write_sock_file_perms; | |
0c73cd25 CP |
533 | |
534 | # the type of socket depends on the syslog daemon | |
535 | allow $1 syslogd_t:unix_dgram_socket sendto; | |
536 | allow $1 syslogd_t:unix_stream_socket connectto; | |
cc41a97c CP |
537 | allow $1 self:unix_dgram_socket create_socket_perms; |
538 | allow $1 self:unix_stream_socket create_socket_perms; | |
0c73cd25 | 539 | |
fef5dcf3 CP |
540 | # If syslog is down, the glibc syslog() function |
541 | # will write to the console. | |
542 | term_write_console($1) | |
2f84a77d | 543 | term_dontaudit_read_console($1) |
8c77177b CP |
544 | ') |
545 | ||
ab29591c DW |
546 | ######################################## |
547 | ## <summary> | |
547 | ## Create and manage the syslog socket file (devlog_t) in the device directory. | |
549 | ## </summary> | |
550 | ## <param name="domain"> | |
551 | ## <summary> | |
552 | ## Domain allowed access. | |
553 | ## </summary> | |
554 | ## </param> | |
555 | # | |
556 | interface(`logging_create_devlog_dev',` | |
557 | gen_require(` | |
558 | type devlog_t; | |
559 | ') | |
560 | ||
561 | allow $1 devlog_t:sock_file manage_sock_file_perms; | |
562 | dev_filetrans($1, devlog_t, sock_file) | |
563 | ') | |
564 | ||
3eaa9939 DW |
565 | ######################################## |
566 | ## <summary> | |
567 | ## Connect to the syslog control unix stream socket. | |
568 | ## </summary> | |
569 | ## <param name="domain"> | |
570 | ## <summary> | |
571 | ## Domain allowed access. | |
572 | ## </summary> | |
573 | ## </param> | |
574 | # | |
575 | interface(`logging_stream_connect_syslog',` | |
576 | gen_require(` | |
577 | type syslogd_t, syslogd_var_run_t; | |
578 | ') | |
579 | ||
580 | files_search_pids($1) | |
581 | stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t) | |
582 | ') | |
583 | ||
605ba285 CP |
584 | ######################################## |
585 | ## <summary> | |
586 | ## Read the auditd configuration files. | |
587 | ## </summary> | |
588 | ## <param name="domain"> | |
885b83ec | 589 | ## <summary> |
605ba285 | 590 | ## Domain allowed access. |
885b83ec | 591 | ## </summary> |
605ba285 | 592 | ## </param> |
bbcd3c97 | 593 | ## <rolecap/> |
605ba285 | 594 | # |
1815bad1 | 595 | interface(`logging_read_audit_config',` |
605ba285 CP |
596 | gen_require(` |
597 | type auditd_etc_t; | |
605ba285 CP |
598 | ') |
599 | ||
600 | files_search_etc($1) | |
3f67f722 | 601 | read_files_pattern($1, auditd_etc_t, auditd_etc_t) |
c0868a7a | 602 | allow $1 auditd_etc_t:dir list_dir_perms; |
605ba285 CP |
603 | ') |
604 | ||
0a0b8078 CP |
605 | ######################################## |
606 | ## <summary> | |
607 | ## Do not audit attempts to search the auditd configuration directory. | |
608 | ## </summary> | |
609 | ## <param name="domain"> | |
610 | ## <summary> | |
a0546c9d | 611 | ## Domain to not audit. |
0a0b8078 CP |
612 | ## </summary> |
613 | ## </param> | |
614 | ## <rolecap/> | |
615 | # | |
616 | interface(`logging_dontaudit_search_audit_config',` | |
617 | gen_require(` | |
618 | type auditd_etc_t; | |
619 | ') | |
620 | ||
621 | dontaudit $1 auditd_etc_t:dir search_dir_perms; | |
622 | ') | |
623 | ||
1abafe37 CP |
624 | ######################################## |
625 | ## <summary> | |
626 | ## Read syslog configuration files. | |
627 | ## </summary> | |
628 | ## <param name="domain"> | |
629 | ## <summary> | |
630 | ## Domain allowed access. | |
631 | ## </summary> | |
632 | ## </param> | |
633 | ## <rolecap/> | |
634 | # | |
635 | interface(`logging_read_syslog_config',` | |
636 | gen_require(` | |
637 | type syslog_conf_t; | |
638 | ') | |
639 | ||
640 | allow $1 syslog_conf_t:file read_file_perms; | |
641 | ') | |
642 | ||
daa0e0b0 | 643 | ######################################## |
f7ebea06 | 644 | ## <summary> |
414e4151 CP |
645 | ## Allows the domain to open a file in the |
646 | ## log directory, but does not allow the listing | |
647 | ## of the contents of the log directory. | |
f7ebea06 | 648 | ## </summary> |
414e4151 | 649 | ## <param name="domain"> |
885b83ec | 650 | ## <summary> |
ac9db9b5 | 651 | ## Domain allowed access. |
885b83ec | 652 | ## </summary> |
414e4151 | 653 | ## </param> |
3ce6cb4a | 654 | # |
199895e2 | 655 | interface(`logging_search_logs',` |
139520a2 CP |
656 | gen_require(` |
657 | type var_log_t; | |
139520a2 | 658 | ') |
0c73cd25 | 659 | |
c9428d33 | 660 | files_search_var($1) |
46551033 | 661 | allow $1 var_log_t:dir search_dir_perms; |
3ce6cb4a CP |
662 | ') |
663 | ||
fbc0a272 CP |
664 | ####################################### |
665 | ## <summary> | |
ff8f0a63 | 666 | ## Do not audit attempts to search the var log directory. |
fbc0a272 CP |
667 | ## </summary> |
668 | ## <param name="domain"> | |
ff8f0a63 CP |
669 | ## <summary> |
670 | ## Domain not to audit. | |
671 | ## </summary> | |
fbc0a272 CP |
672 | ## </param> |
673 | # | |
674 | interface(`logging_dontaudit_search_logs',` | |
675 | gen_require(` | |
676 | type var_log_t; | |
677 | ') | |
678 | ||
46551033 | 679 | dontaudit $1 var_log_t:dir search_dir_perms; |
fbc0a272 CP |
680 | ') |
681 | ||
f33561f5 CP |
682 | ####################################### |
683 | ## <summary> | |
684 | ## List the contents of the generic log directory (/var/log). | |
685 | ## </summary> | |
686 | ## <param name="domain"> | |
885b83ec | 687 | ## <summary> |
f33561f5 | 688 | ## Domain allowed access. |
885b83ec | 689 | ## </summary> |
f33561f5 CP |
690 | ## </param> |
691 | # | |
692 | interface(`logging_list_logs',` | |
693 | gen_require(` | |
694 | type var_log_t; | |
695 | ') | |
696 | ||
697 | files_search_var($1) | |
c0868a7a | 698 | allow $1 var_log_t:dir list_dir_perms; |
f33561f5 CP |
699 | ') |
700 | ||
96ce00af CP |
701 | ####################################### |
702 | ## <summary> | |
703 | ## Read and write the generic log directory (/var/log). | |
704 | ## </summary> | |
705 | ## <param name="domain"> | |
885b83ec | 706 | ## <summary> |
ac9db9b5 | 707 | ## Domain allowed access. |
885b83ec | 708 | ## </summary> |
96ce00af CP |
709 | ## </param> |
710 | # | |
1815bad1 | 711 | interface(`logging_rw_generic_log_dirs',` |
96ce00af CP |
712 | gen_require(` |
713 | type var_log_t; | |
96ce00af CP |
714 | ') |
715 | ||
716 | files_search_var($1) | |
717 | allow $1 var_log_t:dir rw_dir_perms; | |
718 | ') | |
719 | ||
127d617b CP |
720 | ####################################### |
721 | ## <summary> | |
722 | ## Set attributes on all log dirs. | |
723 | ## </summary> | |
724 | ## <param name="domain"> | |
725 | ## <summary> | |
726 | ## Domain allowed access. | |
727 | ## </summary> | |
728 | ## </param> | |
729 | ## <rolecap/> | |
730 | # | |
731 | interface(`logging_setattr_all_log_dirs',` | |
732 | gen_require(` | |
733 | attribute logfile; | |
734 | ') | |
735 | ||
736 | allow $1 logfile:dir setattr; | |
737 | ') | |
738 | ||
ac9db9b5 CP |
739 | ######################################## |
740 | ## <summary> | |
741 | ## Do not audit attempts to get the attributes | |
742 | ## of any log files. | |
743 | ## </summary> | |
744 | ## <param name="domain"> | |
745 | ## <summary> | |
a0546c9d | 746 | ## Domain to not audit. |
ac9db9b5 CP |
747 | ## </summary> |
748 | ## </param> | |
b16c6b8c | 749 | # |
199895e2 | 750 | interface(`logging_dontaudit_getattr_all_logs',` |
139520a2 CP |
751 | gen_require(` |
752 | attribute logfile; | |
139520a2 | 753 | ') |
0c73cd25 CP |
754 | |
755 | dontaudit $1 logfile:file getattr; | |
b16c6b8c CP |
756 | ') |
757 | ||
ac9db9b5 CP |
758 | ######################################## |
759 | ## <summary> | |
760 | ## Append to all log files. | |
761 | ## </summary> | |
762 | ## <param name="domain"> | |
763 | ## <summary> | |
764 | ## Domain allowed access. | |
765 | ## </summary> | |
766 | ## </param> | |
b4cd1533 | 767 | # |
199895e2 | 768 | interface(`logging_append_all_logs',` |
139520a2 CP |
769 | gen_require(` |
770 | attribute logfile; | |
771 | type var_log_t; | |
139520a2 | 772 | ') |
0c73cd25 | 773 | |
c9428d33 | 774 | files_search_var($1) |
3eaa9939 DW |
775 | append_files_pattern($1, logfile, logfile) |
776 | ') | |
777 | ||
778 | ######################################## | |
779 | ## <summary> | |
780 | ## Append to all log files through inherited file descriptors (no open permission is granted). | |
781 | ## </summary> | |
782 | ## <param name="domain"> | |
783 | ## <summary> | |
784 | ## Domain allowed access. | |
785 | ## </summary> | |
786 | ## </param> | |
787 | # | |
788 | interface(`logging_inherit_append_all_logs',` | |
789 | gen_require(` | |
790 | attribute logfile; | |
791 | ') | |
792 | ||
4c17bb6e | 793 | allow $1 logfile:file { getattr append ioctl lock }; |
b4cd1533 CP |
794 | ') |
795 | ||
ac9db9b5 CP |
796 | ######################################## |
797 | ## <summary> | |
798 | ## Read all log files. | |
799 | ## </summary> | |
800 | ## <param name="domain"> | |
801 | ## <summary> | |
802 | ## Domain allowed access. | |
803 | ## </summary> | |
804 | ## </param> | |
bbcd3c97 | 805 | ## <rolecap/> |
b4cd1533 | 806 | # |
199895e2 | 807 | interface(`logging_read_all_logs',` |
139520a2 CP |
808 | gen_require(` |
809 | attribute logfile; | |
139520a2 | 810 | ') |
0c73cd25 | 811 | |
c9428d33 | 812 | files_search_var($1) |
eaed904c CP |
813 | allow $1 logfile:dir list_dir_perms; |
814 | read_files_pattern($1, logfile, logfile) | |
b4cd1533 CP |
815 | ') |
816 | ||
8fd36732 CP |
817 | ######################################## |
818 | ## <summary> | |
819 | ## Execute all log files in the caller domain. | |
820 | ## </summary> | |
821 | ## <param name="domain"> | |
885b83ec | 822 | ## <summary> |
ac9db9b5 | 823 | ## Domain allowed access. |
885b83ec | 824 | ## </summary> |
8fd36732 | 825 | ## </param> |
96ce00af | 826 | # |
8fd36732 CP |
827 | # cjp: not sure why this is needed. This was added |
828 | # because of logrotate. | |
96ce00af CP |
829 | interface(`logging_exec_all_logs',` |
830 | gen_require(` | |
831 | attribute logfile; | |
96ce00af CP |
832 | ') |
833 | ||
834 | files_search_var($1) | |
c0868a7a | 835 | allow $1 logfile:dir list_dir_perms; |
3f67f722 | 836 | can_exec($1, logfile) |
96ce00af CP |
837 | ') |
838 | ||
c11057f7 CP |
839 | ######################################## |
840 | ## <summary> | |
841 | ## Read and write all log files. | |
842 | ## </summary> | |
843 | ## <param name="domain"> | |
844 | ## <summary> | |
845 | ## Domain allowed access. | |
846 | ## </summary> | |
847 | ## </param> | |
848 | # | |
849 | interface(`logging_rw_all_logs',` | |
850 | gen_require(` | |
851 | attribute logfile; | |
852 | ') | |
853 | ||
854 | files_search_var($1) | |
855 | rw_files_pattern($1, logfile, logfile) | |
856 | ') | |
857 | ||
ac9db9b5 CP |
858 | ######################################## |
859 | ## <summary> | |
860 | ## Create, read, write, and delete all log files. | |
861 | ## </summary> | |
862 | ## <param name="domain"> | |
863 | ## <summary> | |
864 | ## Domain allowed access. | |
865 | ## </summary> | |
866 | ## </param> | |
bbcd3c97 | 867 | ## <rolecap/> |
96ce00af CP |
868 | # |
869 | interface(`logging_manage_all_logs',` | |
870 | gen_require(` | |
871 | attribute logfile; | |
96ce00af CP |
872 | ') |
873 | ||
874 | files_search_var($1) | |
3f67f722 | 875 | manage_files_pattern($1, logfile, logfile) |
3eaa9939 | 876 | manage_lnk_files_pattern($1, logfile, logfile) |
96ce00af CP |
877 | ') |
878 | ||
ac9db9b5 CP |
879 | ######################################## |
880 | ## <summary> | |
881 | ## Read generic log files. | |
882 | ## </summary> | |
883 | ## <param name="domain"> | |
884 | ## <summary> | |
885 | ## Domain allowed access. | |
886 | ## </summary> | |
887 | ## </param> | |
bbcd3c97 | 888 | ## <rolecap/> |
24280a52 | 889 | # |
199895e2 | 890 | interface(`logging_read_generic_logs',` |
139520a2 CP |
891 | gen_require(` |
892 | type var_log_t; | |
139520a2 | 893 | ') |
0c73cd25 | 894 | |
c9428d33 | 895 | files_search_var($1) |
c0868a7a | 896 | allow $1 var_log_t:dir list_dir_perms; |
3f67f722 | 897 | read_files_pattern($1, var_log_t, var_log_t) |
24280a52 CP |
898 | ') |
899 | ||
dfa6eba1 | 900 | ######################################## |
fb5c4713 DW |
901 | ## <summary> |
902 | ## Link generic log files. | |
903 | ## </summary> | |
904 | ## <param name="domain"> | |
905 | ## <summary> | |
906 | ## Domain allowed access. | |
907 | ## </summary> | |
908 | ## </param> | |
909 | ## <rolecap/> | |
910 | # | |
911 | interface(`logging_link_generic_logs',` | |
912 | gen_require(` | |
913 | type var_log_t; | |
914 | ') | |
915 | ||
916 | allow $1 var_log_t:file link; | |
917 | ') | |
918 | ||
919 | ######################################## | |
dfa6eba1 DW |
920 | ## <summary> |
921 | ## Delete generic log files. | |
922 | ## </summary> | |
923 | ## <param name="domain"> | |
924 | ## <summary> | |
925 | ## Domain allowed access. | |
926 | ## </summary> | |
927 | ## </param> | |
928 | ## <rolecap/> | |
929 | # | |
930 | interface(`logging_delete_generic_logs',` | |
931 | gen_require(` | |
932 | type var_log_t; | |
933 | ') | |
934 | ||
935 | allow $1 var_log_t:file unlink; | |
936 | ') | |
937 | ||
ac9db9b5 CP |
938 | ######################################## |
939 | ## <summary> | |
940 | ## Write generic log files. | |
941 | ## </summary> | |
942 | ## <param name="domain"> | |
943 | ## <summary> | |
944 | ## Domain allowed access. | |
945 | ## </summary> | |
946 | ## </param> | |
d490eb6b | 947 | # |
199895e2 | 948 | interface(`logging_write_generic_logs',` |
139520a2 CP |
949 | gen_require(` |
950 | type var_log_t; | |
139520a2 | 951 | ') |
0c73cd25 | 952 | |
c9428d33 | 953 | files_search_var($1) |
c0868a7a | 954 | allow $1 var_log_t:dir list_dir_perms; |
3f67f722 | 955 | write_files_pattern($1, var_log_t, var_log_t) |
d490eb6b CP |
956 | ') |
957 | ||
c11057f7 CP |
958 | ######################################## |
959 | ## <summary> | |
960 | ## Do not audit attempts to write generic log files. | |
961 | ## </summary> | |
962 | ## <param name="domain"> | |
963 | ## <summary> | |
a0546c9d | 964 | ## Domain to not audit. |
c11057f7 CP |
965 | ## </summary> |
966 | ## </param> | |
967 | # | |
968 | interface(`logging_dontaudit_write_generic_logs',` | |
969 | gen_require(` | |
970 | type var_log_t; | |
971 | ') | |
972 | ||
973 | dontaudit $1 var_log_t:file write; | |
974 | ') | |
975 | ||
0907bda1 CP |
976 | ######################################## |
## <summary>
##	Read and write generic log files.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to list the generic log
##	directory and to read and write files labeled
##	var_log_t.
##	</p>
##	<p>
##	The access applies to every file with the generic
##	log type, so the domain can read and alter log
##	entries written by other services that share this
##	type.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_rw_generic_logs',`
	gen_require(`
		type var_log_t;
	')

	# files_search_var() is defined outside this file; presumably
	# it grants search on the parent /var directory type.
	files_search_var($1)
	allow $1 var_log_t:dir list_dir_perms;
	# Pattern macro defined outside this file; arguments are
	# domain, directory type, file type.
	rw_files_pattern($1, var_log_t, var_log_t)
')
0907bda1 CP |
995 | |
996 | ######################################## | |
## <summary>
##	Create, read, write, and delete
##	generic log files.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to manage files labeled
##	with the generic log type (var_log_t) in directories
##	of the same type.
##	</p>
##	<p>
##	This is the broadest of the generic log file
##	interfaces in this module: the domain can replace or
##	remove any log that uses the generic type. Prefer a
##	private log type declared with logging_log_file()
##	where the domain only needs its own log.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`logging_manage_generic_logs',`
	gen_require(`
		type var_log_t;
	')

	# files_search_var() is defined outside this file; presumably
	# it grants search on the parent /var directory type.
	files_search_var($1)
	# Unlike the write and rw interfaces there is no explicit
	# list_dir_perms rule here; directory access comes from the
	# pattern macro, which is defined outside this file.
	manage_files_pattern($1, var_log_t, var_log_t)
')
eaed904c CP |
1016 | |
1017 | ######################################## | |
## <summary>
##	All of the rules required to administrate
##	the audit environment.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to signal and ptrace
##	auditd, manage its configuration, log and run-time
##	files, run auditctl, and start the auditd init script
##	with a transition to system_r.
##	</p>
##	<p>
##	A domain with this access can change audit
##	configuration and modify or delete audit logs, so it
##	controls the integrity of the audit trail. Grant it
##	only to trusted administrative domains.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	User role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`logging_admin_audit',`
	gen_require(`
		type auditd_t, auditd_etc_t, auditd_log_t;
		type auditd_var_run_t;
		type auditd_initrc_exec_t;
	')

	# NOTE(review): ptrace lets the admin domain inspect and alter
	# the running audit daemon; confirm this is intended for every
	# caller of this interface.
	allow $1 auditd_t:process { ptrace signal_perms };
	ps_process_pattern($1, auditd_t)

	# Audit daemon configuration.
	manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)

	# Audit log files, including deletion.
	manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
	manage_files_pattern($1, auditd_log_t, auditd_log_t)

	# Run-time files of the audit daemon.
	manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
	manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)

	logging_run_auditctl($1, $2)

	# Start and stop the daemon through its labeled init script.
	# domain_system_change_exemption() is defined outside this file;
	# presumably it exempts the domain from the constraint on
	# changing to the system role.
	init_labeled_script_domtrans($1, auditd_initrc_exec_t)
	domain_system_change_exemption($1)
	# Executing the init script moves the role to system_r, and
	# the role allow rule below permits that change.
	role_transition $2 auditd_initrc_exec_t system_r;
	allow $2 system_r;
')
1060 | ||
1061 | ######################################## | |
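## <summary>
##	All of the rules required to administrate
##	the syslog environment.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to signal and ptrace
##	syslogd and klogd, manage their configuration,
##	temporary, state and run-time files, manage and
##	relabel all log files, and start the syslog init
##	script with a transition to system_r.
##	</p>
##	<p>
##	The log access is not limited to syslog output: it
##	covers every type carrying the logfile attribute, and
##	the relabel permission lets the domain move log files
##	to another type. Grant it only to trusted
##	administrative domains.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	User role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`logging_admin_syslog',`
	# The logfile attribute is used by the relabel rules below, so
	# it is required here instead of relying on the require block
	# of logging_manage_all_logs() to bring it into scope.
	gen_require(`
		attribute logfile;
		type syslogd_t, klogd_t, syslog_conf_t;
		type syslogd_tmp_t, syslogd_var_lib_t;
		type syslogd_var_run_t, klogd_var_run_t;
		type klogd_tmp_t, var_log_t;
		type syslogd_initrc_exec_t;
	')

	# Privileged syslog operations for the admin domain itself.
	allow $1 self:capability2 syslog;
	# NOTE(review): ptrace lets the admin domain inspect and alter
	# the running logging daemons; confirm this is intended for
	# every caller of this interface.
	allow $1 syslogd_t:process { ptrace signal_perms };
	allow $1 klogd_t:process { ptrace signal_perms };
	ps_process_pattern($1, syslogd_t)
	ps_process_pattern($1, klogd_t)

	# Run-time and temporary files of klogd.
	manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
	manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)

	manage_dirs_pattern($1, klogd_tmp_t, klogd_tmp_t)
	manage_files_pattern($1, klogd_tmp_t, klogd_tmp_t)

	# Temporary files of syslogd.
	manage_dirs_pattern($1, syslogd_tmp_t, syslogd_tmp_t)
	manage_files_pattern($1, syslogd_tmp_t, syslogd_tmp_t)

	# Syslog configuration; files the admin creates in the etc
	# directory get the syslog_conf_t type.
	manage_dirs_pattern($1, syslog_conf_t, syslog_conf_t)
	manage_files_pattern($1, syslog_conf_t, syslog_conf_t)
	files_etc_filetrans($1, syslog_conf_t, file)

	# State and run-time files of syslogd.
	manage_dirs_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
	manage_files_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)

	manage_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)

	# Every log type on the system, plus the right to relabel them.
	logging_manage_all_logs($1)
	allow $1 logfile:dir relabel_dir_perms;
	allow $1 logfile:file relabel_file_perms;

	# Start and stop the daemon through its labeled init script.
	# domain_system_change_exemption() is defined outside this file;
	# presumably it exempts the domain from the constraint on
	# changing to the system role.
	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
	domain_system_change_exemption($1)
	# Executing the init script moves the role to system_r, and
	# the role allow rule below permits that change.
	role_transition $2 syslogd_initrc_exec_t system_r;
	allow $2 system_r;
')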
1121 | ||
1122 | ######################################## | |
## <summary>
##	All of the rules required to administrate
##	the logging environment.
## </summary>
## <desc>
##	<p>
##	Combines logging_admin_audit() and
##	logging_admin_syslog() for the same domain and role.
##	The caller gains control over both the audit trail
##	and the system logs, so grant it only to trusted
##	administrative domains.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	User role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`logging_admin',`
	# Audit daemon administration, then syslog administration;
	# both receive the same domain and role arguments.
	logging_admin_audit($1, $2)
	logging_admin_syslog($1, $2)
')