## <summary>Policy for the kernel message logger and system logging daemon.</summary>
########################################
## <summary>
##	Make the specified type usable for log files
##	in a filesystem.
## </summary>
## <desc>
##	<p>
##	Make the specified type usable for log files in a filesystem.
##	This will also make the type usable for files, making
##	calls to files_type() redundant. Failure to use this interface
##	for a log file type may result in problems with log
##	rotation, log analysis, and log monitoring programs.
##	</p>
##	<p>
##	Note that adding the logfile attribute also brings the type
##	into scope of every "all logs" interface in this module
##	(logging_read_all_logs(), logging_rw_all_logs(),
##	logging_manage_all_logs(), logging_exec_all_logs(), ...),
##	so it must only be applied to genuine log file types.
##	</p>
##	<p>
##	Related interfaces:
##	</p>
##	<ul>
##		<li>logging_log_filetrans()</li>
##	</ul>
##	<p>
##	Example usage with a domain that can create
##	and append to a private log file stored in the
##	general directories (e.g., /var/log):
##	</p>
##	<p>
##	type mylogfile_t;
##	logging_log_file(mylogfile_t)
##	allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
##	logging_log_filetrans(mydomain_t, mylogfile_t, file)
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be used for files.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`logging_log_file',`
	gen_require(`
		attribute logfile;
	')

	files_type($1)
	# log file types may be associated with tmp and tmpfs filesystems
	files_associate_tmp($1)
	fs_associate_tmpfs($1)
	typeattribute $1 logfile;
')

#######################################
## <summary>
##	Send audit messages.
## </summary>
## <desc>
##	<p>
##	Grants CAP_AUDIT_WRITE and relay (nlmsg_relay) over the
##	domain's own netlink audit socket, i.e. the ability to
##	inject records into the kernel audit trail. It does not
##	grant audit_control, so the domain cannot change audit
##	rules or status; see logging_set_audit_parameters() for that.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_send_audit_msgs',`
	allow $1 self:capability audit_write;
	allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
')

#######################################
## <summary>
##	dontaudit attempts to send audit messages.
## </summary>
## <desc>
##	<p>
##	Silences denials for exactly the accesses granted by
##	logging_send_audit_msgs(). Use this for programs that
##	probe the audit subsystem but work correctly without it;
##	the access is still denied, only the AVC message is dropped.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`logging_dontaudit_send_audit_msgs',`
	dontaudit $1 self:capability audit_write;
	dontaudit $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
')

########################################
## <summary>
##	Set login uid
## </summary>
## <desc>
##	<p>
##	Grants CAP_AUDIT_CONTROL and relay over the domain's netlink
##	audit socket. audit_control is a powerful capability (it is
##	the same one that lets a process alter audit rules), so this
##	should be limited to login-style programs that must set the
##	audit login uid. Access to the loginuid proc file itself is
##	not granted here.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_set_loginuid',`
	allow $1 self:capability audit_control;
	allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
')

########################################
## <summary>
##	Set tty auditing
## </summary>
## <desc>
##	<p>
##	Allows only the nlmsg_tty_audit message on the domain's
##	own netlink audit socket; no capability is granted by this
##	interface, so the caller must obtain audit_control elsewhere
##	if the kernel requires it for the operation.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_set_tty_audit',`
	allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_tty_audit };
')

########################################
## <summary>
##	Set up audit
## </summary>
## <desc>
##	<p>
##	Grants both audit_write and audit_control capabilities and
##	full create/relay access on the domain's netlink audit socket.
##	audit_control allows the audit rules and enabled state to be
##	changed, i.e. auditing can be turned off; this is effectively
##	control over the audit trail and must be confined to audit
##	control programs and daemons.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_set_audit_parameters',`
	allow $1 self:capability { audit_write audit_control };
	allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
')

########################################
## <summary>
##	Read the audit log.
## </summary>
## <desc>
##	<p>
##	Read-only access to auditd_log_t files and listing of the
##	audit log directory. The audit trail records security
##	relevant events for the whole system, so this is exposed as
##	a role capability and should stay limited to audit/admin roles.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`logging_read_audit_log',`
	gen_require(`
		type auditd_log_t;
	')

	files_search_var($1)
	read_files_pattern($1, auditd_log_t, auditd_log_t)
	allow $1 auditd_log_t:dir list_dir_perms;
')

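########################################
## <summary>
##	Execute auditctl in the auditctl domain.
## </summary>
## <desc>
##	<p>
##	Domain transition to auditctl_t on execution of
##	auditctl_exec_t. The bin directory search is granted so the
##	caller can reach the executable, consistent with
##	logging_domtrans_klog() and logging_domtrans_syslog().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`logging_domtrans_auditctl',`
	gen_require(`
		type auditctl_t, auditctl_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, auditctl_exec_t, auditctl_t)
')
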
########################################
## <summary>
##	Execute auditctl in the auditctl domain, and
##	allow the specified role the auditctl domain.
## </summary>
## <desc>
##	<p>
##	Wraps logging_domtrans_auditctl() and additionally authorizes
##	the role for auditctl_t. Because auditctl can change or
##	disable audit rules, this role capability should be given
##	only to audit administration roles.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`logging_run_auditctl',`
	gen_require(`
		type auditctl_t;
	')

	logging_domtrans_auditctl($1)
	role $2 types auditctl_t;
')

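########################################
## <summary>
##	Execute auditd in the auditd domain.
## </summary>
## <desc>
##	<p>
##	Domain transition to auditd_t on execution of auditd_exec_t.
##	The bin directory search is granted so the caller can reach
##	the executable, consistent with logging_domtrans_klog() and
##	logging_domtrans_syslog().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`logging_domtrans_auditd',`
	gen_require(`
		type auditd_t, auditd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, auditd_exec_t, auditd_t)
')
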
########################################
## <summary>
##	Execute auditd in the auditd domain, and
##	allow the specified role the auditd domain.
## </summary>
## <desc>
##	<p>
##	Wraps logging_domtrans_auditd() and authorizes the role for
##	auditd_t. Normally auditd is started through its init script
##	(see logging_admin_audit()); direct execution is only needed
##	for roles that run the daemon by hand.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
interface(`logging_run_auditd',`
	gen_require(`
		type auditd_t;
	')

	logging_domtrans_auditd($1)
	role $2 types auditd_t;
')

########################################
## <summary>
##	Connect to auditd over a unix stream socket (deprecated).
## </summary>
## <desc>
##	<p>
##	Deprecated: the audit dispatcher socket is what callers
##	actually connect to, so this simply forwards to
##	logging_stream_connect_dispatcher() and emits a build-time
##	warning. New policy should call that interface directly.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_stream_connect_auditd',`
	refpolicywarn(`$0($*) has been deprecated, logging_stream_connect_dispatcher() should be used instead.')
	logging_stream_connect_dispatcher($1)
')

########################################
## <summary>
##	Execute a domain transition to run the audit dispatcher.
## </summary>
## <desc>
##	<p>
##	Transition to audisp_t on execution of audisp_exec_t. No
##	directory search is granted here; the caller (normally
##	auditd_t) is expected to already be able to reach the binary.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`logging_domtrans_dispatcher',`
	gen_require(`
		type audisp_t, audisp_exec_t;
	')

	domtrans_pattern($1, audisp_exec_t, audisp_t)
')

########################################
## <summary>
##	Signal the audit dispatcher.
## </summary>
## <desc>
##	<p>
##	Grants only the generic signal permission on audisp_t
##	(SIGHUP/SIGTERM style delivery); sigkill, sigstop and
##	signull are deliberately not included.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_signal_dispatcher',`
	gen_require(`
		type audisp_t;
	')

	allow $1 audisp_t:process signal;
')

########################################
## <summary>
##	Create a domain for processes
##	which can be started by the system audit dispatcher
## </summary>
## <desc>
##	<p>
##	Declares $1 as a domain entered from audisp_t via $2, places it
##	in system_r, lets the dispatcher signal/kill it, and lets the
##	plugin read and write the dispatcher's unix stream socket
##	(the channel over which audit events are delivered). Plugins
##	therefore see the full audit event stream and should be
##	treated as trusted audit components.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Type to be used as a domain.
##	</summary>
## </param>
## <param name="entry_point">
##	<summary>
##	Type of the program to be used as an entry point to this domain.
##	</summary>
## </param>
#
interface(`logging_dispatcher_domain',`
	gen_require(`
		type audisp_t;
		role system_r;
	')

	domain_type($1)
	domain_entry_file($1, $2)

	# plugins run as system processes, not under any user role
	role system_r types $1;

	domtrans_pattern(audisp_t, $2, $1)
	# the dispatcher manages plugin lifetime
	allow audisp_t $1:process { sigkill sigstop signull signal };

	allow audisp_t $2:file getattr;
	# event delivery channel from the dispatcher to the plugin
	allow $1 audisp_t:unix_stream_socket rw_socket_perms;
')

########################################
## <summary>
##	Connect to the audit dispatcher over an unix stream socket.
## </summary>
## <desc>
##	<p>
##	Allows connecting to the audisp_t socket file in the pid
##	directory. The dispatcher socket carries audit events, so
##	this should only be granted to audit consumers.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_stream_connect_dispatcher',`
	gen_require(`
		type audisp_t, audisp_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, audisp_var_run_t, audisp_var_run_t, audisp_t)
')

########################################
## <summary>
##	Manage the auditd configuration files.
## </summary>
## <desc>
##	<p>
##	Full create/read/write/delete access to auditd_etc_t files.
##	Whoever can rewrite the audit configuration and rules can
##	also silence auditing, so this is a role capability meant for
##	audit administrators only. Directory management is not
##	included; see logging_admin_audit() for that.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`logging_manage_audit_config',`
	gen_require(`
		type auditd_etc_t;
	')

	files_search_etc($1)
	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
')

########################################
## <summary>
##	Manage the audit log.
## </summary>
## <desc>
##	<p>
##	Full management of auditd_log_t directories and files. This
##	permits truncating, rewriting or deleting the audit trail,
##	i.e. destroying forensic evidence; grant it only to audit
##	administration roles. Read-only consumers should use
##	logging_read_audit_log() instead.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`logging_manage_audit_log',`
	gen_require(`
		type auditd_log_t;
	')

	files_search_var($1)
	manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
	manage_files_pattern($1, auditd_log_t, auditd_log_t)
')

########################################
## <summary>
##	Execute klogd in the klog domain.
## </summary>
## <desc>
##	<p>
##	Domain transition to klogd_t on execution of klogd_exec_t,
##	including the bin directory search needed to reach the binary.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`logging_domtrans_klog',`
	gen_require(`
		type klogd_t, klogd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, klogd_exec_t, klogd_t)
')

########################################
## <summary>
##	Check if syslogd is executable.
## </summary>
## <desc>
##	<p>
##	Grants only the execute permission on syslogd_exec_t (plus
##	listing bin directories and reading their symlinks), which
##	is enough for an executability check such as access(X_OK).
##	Neither execute_no_trans nor a domain transition is granted,
##	so the caller cannot actually run syslogd through this
##	interface; use logging_domtrans_syslog() for that.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_check_exec_syslog',`
	gen_require(`
		type syslogd_exec_t;
	')

	corecmd_list_bin($1)
	corecmd_read_bin_symlinks($1)
	allow $1 syslogd_exec_t:file execute;
')

########################################
## <summary>
##	Execute syslogd in the syslog domain.
## </summary>
## <desc>
##	<p>
##	Domain transition to syslogd_t on execution of syslogd_exec_t,
##	including the bin directory search needed to reach the binary.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`logging_domtrans_syslog',`
	gen_require(`
		type syslogd_t, syslogd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, syslogd_exec_t, syslogd_t)
')

########################################
## <summary>
##	Create an object in the log directory, with a private type.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to create an object
##	in the general system log directories (e.g., /var/log)
##	with a private type. Typically this is used for creating
##	private log files in /var/log with the private type instead
##	of the general system log type. To accomplish this goal,
##	either the program must be SELinux-aware, or use this interface.
##	</p>
##	<p>
##	Keeping each daemon's logs in a private type (rather than
##	the shared var_log_t) is what lets the rest of the policy
##	restrict which domains may read or modify those logs; the
##	private type must have been declared with logging_log_file().
##	</p>
##	<p>
##	Related interfaces:
##	</p>
##	<ul>
##		<li>logging_log_file()</li>
##	</ul>
##	<p>
##	Example usage with a domain that can create
##	and append to a private log file stored in the
##	general directories (e.g., /var/log):
##	</p>
##	<p>
##	type mylogfile_t;
##	logging_log_file(mylogfile_t)
##	allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
##	logging_log_filetrans(mydomain_t, mylogfile_t, file)
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private type">
##	<summary>
##	The type of the object to be created.
##	</summary>
## </param>
## <param name="object">
##	<summary>
##	The object class of the object being created.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`logging_log_filetrans',`
	gen_require(`
		type var_log_t;
	')

	files_search_var($1)
	# type transition on create in var_log_t directories for class $3
	filetrans_pattern($1, var_log_t, $2, $3)
')

########################################
## <summary>
##	Send system log messages.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to connect to the
##	system log service (syslog), to send messages be added to
##	the system logs. Typically this is used by services
##	that do not have their own log file in /var/log.
##	</p>
##	<p>
##	This does not allow messages to be sent to
##	the auditing system.
##	</p>
##	<p>
##	Programs which use the libc function syslog() will
##	require this access.
##	</p>
##	<p>
##	Note that the console write granted as a fallback means a
##	domain with this interface can write to the system console
##	whenever syslogd is unreachable.
##	</p>
##	<p>
##	Related interfaces:
##	</p>
##	<ul>
##		<li>logging_send_audit_msgs()</li>
##	</ul>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_send_syslog_msg',`
	gen_require(`
		type syslogd_t, devlog_t;
	')

	# /dev/log may be a symlink to the real socket
	allow $1 devlog_t:lnk_file read_lnk_file_perms;
	allow $1 devlog_t:sock_file write_sock_file_perms;

	# the type of socket depends on the syslog daemon
	allow $1 syslogd_t:unix_dgram_socket sendto;
	allow $1 syslogd_t:unix_stream_socket connectto;
	allow $1 self:unix_dgram_socket create_socket_perms;
	allow $1 self:unix_stream_socket create_socket_perms;

	# If syslog is down, the glibc syslog() function
	# will write to the console.
	term_write_console($1)
	term_dontaudit_read_console($1)
')

########################################
## <summary>
##	Connect to the syslog control unix stream socket.
## </summary>
## <desc>
##	<p>
##	Allows connecting to the syslogd_t stream socket file in
##	the pid directory. This is the daemon's control socket,
##	distinct from the /dev/log message socket covered by
##	logging_send_syslog_msg().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_stream_connect_syslog',`
	gen_require(`
		type syslogd_t, syslogd_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
')

########################################
## <summary>
##	Read the auditd configuration files.
## </summary>
## <desc>
##	<p>
##	Read-only access to auditd_etc_t files and listing of the
##	configuration directory. The audit rule set reveals exactly
##	what is and is not being audited, which is useful to an
##	attacker; keep this to roles that need it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`logging_read_audit_config',`
	gen_require(`
		type auditd_etc_t;
	')

	files_search_etc($1)
	read_files_pattern($1, auditd_etc_t, auditd_etc_t)
	allow $1 auditd_etc_t:dir list_dir_perms;
')

########################################
## <summary>
##	dontaudit search of auditd configuration files.
## </summary>
## <desc>
##	<p>
##	Silences denials for searching the auditd_etc_t directory
##	only; no access is granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <rolecap/>
#
interface(`logging_dontaudit_search_audit_config',`
	gen_require(`
		type auditd_etc_t;
	')

	dontaudit $1 auditd_etc_t:dir search_dir_perms;
')

########################################
## <summary>
##	Read syslog configuration files.
## </summary>
## <desc>
##	<p>
##	Read access to syslog_conf_t files only. Unlike
##	logging_read_audit_config(), this does not grant search on
##	the etc directories, so the caller must already be able to
##	reach the configuration files' directory.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`logging_read_syslog_config',`
	gen_require(`
		type syslog_conf_t;
	')

	allow $1 syslog_conf_t:file read_file_perms;
')

########################################
## <summary>
##	Allows the domain to open a file in the
##	log directory, but does not allow the listing
##	of the contents of the log directory.
## </summary>
## <desc>
##	<p>
##	Grants search on var_log_t directories (and on /var to reach
##	them). This is the minimal access a domain needs to open a
##	log file it already knows the name of; it does not permit
##	enumerating the log directory and grants nothing on the
##	files themselves.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_search_logs',`
	gen_require(`
		type var_log_t;
	')

	files_search_var($1)
	allow $1 var_log_t:dir search_dir_perms;
')

#######################################
## <summary>
##	Do not audit attempts to search the var log directory.
## </summary>
## <desc>
##	<p>
##	Silences denials for searching var_log_t directories only;
##	no access is granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain not to audit.
##	</summary>
## </param>
#
interface(`logging_dontaudit_search_logs',`
	gen_require(`
		type var_log_t;
	')

	dontaudit $1 var_log_t:dir search_dir_perms;
')

#######################################
## <summary>
##	List the contents of the generic log directory (/var/log).
## </summary>
## <desc>
##	<p>
##	Grants directory listing on var_log_t; file contents are
##	not readable through this interface, but the names of all
##	logs present are disclosed.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_list_logs',`
	gen_require(`
		type var_log_t;
	')

	files_search_var($1)
	allow $1 var_log_t:dir list_dir_perms;
')

#######################################
## <summary>
##	Read and write the generic log directory (/var/log).
## </summary>
## <desc>
##	<p>
##	Grants rw_dir_perms on var_log_t directories, which includes
##	adding and removing directory entries. Pair it with a
##	logging_log_filetrans() so that files created by the domain
##	receive a private type rather than var_log_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_rw_generic_log_dirs',`
	gen_require(`
		type var_log_t;
	')

	files_search_var($1)
	allow $1 var_log_t:dir rw_dir_perms;
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of any log files.
## </summary>
## <desc>
##	<p>
##	Silences getattr denials on files carrying the logfile
##	attribute (every type declared with logging_log_file()).
##	Only the file class is covered; directory getattr is still
##	audited.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`logging_dontaudit_getattr_all_logs',`
	gen_require(`
		attribute logfile;
	')

	dontaudit $1 logfile:file getattr;
')

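########################################
## <summary>
##	Append to all log files.
## </summary>
## <desc>
##	<p>
##	Append-only access to every file carrying the logfile
##	attribute, with the directory searches needed to reach them.
##	Append (rather than write) is deliberate: the domain can add
##	records but cannot rewrite or truncate existing log content.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_append_all_logs',`
	gen_require(`
		attribute logfile;
	')

	files_search_var($1)
	append_files_pattern($1, logfile, logfile)
')
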
########################################
## <summary>
##	Append to inherited (already open) log files.
## </summary>
## <desc>
##	<p>
##	Grants only getattr and append on logfile-typed files, with
##	no directory search. This is intended for domains that
##	inherit an open log file descriptor from their parent and
##	must keep writing to it, without being able to open log
##	files themselves. Use logging_append_all_logs() when the
##	domain opens the files on its own.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_inherit_append_all_logs',`
	gen_require(`
		attribute logfile;
	')

	allow $1 logfile:file { getattr append };
')

########################################
## <summary>
##	Read all log files.
## </summary>
## <desc>
##	<p>
##	Read access to, and listing of, every type carrying the
##	logfile attribute. Logs routinely contain sensitive data
##	(usernames, addresses, failed authentication details), so
##	this role capability belongs to log-analysis and admin roles
##	rather than ordinary users.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`logging_read_all_logs',`
	gen_require(`
		attribute logfile;
	')

	files_search_var($1)
	allow $1 logfile:dir list_dir_perms;
	read_files_pattern($1, logfile, logfile)
')

########################################
## <summary>
##	Execute all log files in the caller domain.
## </summary>
## <desc>
##	<p>
##	Grants execute (without transition) on every logfile-typed
##	file. Log files are written by many loosely trusted daemons,
##	so allowing a domain to execute their contents in its own
##	context is a risky grant: a compromised logger could plant
##	content that the caller then runs. Prefer not to use this
##	interface unless the caller genuinely needs it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: not sure why this is needed. This was added
# because of logrotate.
interface(`logging_exec_all_logs',`
	gen_require(`
		attribute logfile;
	')

	files_search_var($1)
	allow $1 logfile:dir list_dir_perms;
	can_exec($1, logfile)
')

########################################
## <summary>
##	read/write to all log files.
## </summary>
## <desc>
##	<p>
##	Read and write (but not create or delete) every file carrying
##	the logfile attribute. Write access allows existing log
##	content to be altered, which weakens the integrity of the
##	logs; most writers should need only logging_append_all_logs().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_rw_all_logs',`
	gen_require(`
		attribute logfile;
	')

	files_search_var($1)
	rw_files_pattern($1, logfile, logfile)
')

########################################
## <summary>
##	Create, read, write, and delete all log files.
## </summary>
## <desc>
##	<p>
##	Full management of files and symlinks of every type carrying
##	the logfile attribute. This is enough to delete or rewrite
##	any log on the system, so it is a role capability for log
##	maintenance and administration roles only.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`logging_manage_all_logs',`
	gen_require(`
		attribute logfile;
	')

	files_search_var($1)
	manage_files_pattern($1, logfile, logfile)
	manage_lnk_files_pattern($1, logfile, logfile)
')

########################################
## <summary>
##	Read generic log files.
## </summary>
## <desc>
##	<p>
##	Read access to files labeled with the shared var_log_t type
##	and listing of var_log_t directories. Logs that were given a
##	private type via logging_log_file() are not covered.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`logging_read_generic_logs',`
	gen_require(`
		type var_log_t;
	')

	files_search_var($1)
	allow $1 var_log_t:dir list_dir_perms;
	read_files_pattern($1, var_log_t, var_log_t)
')

########################################
## <summary>
##	Write generic log files.
## </summary>
## <desc>
##	<p>
##	Write access to existing var_log_t files (no create/delete),
##	plus listing of the log directory. Write rather than append
##	means existing content can be modified; prefer a private
##	log type with append permissions where possible.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_write_generic_logs',`
	gen_require(`
		type var_log_t;
	')

	files_search_var($1)
	allow $1 var_log_t:dir list_dir_perms;
	write_files_pattern($1, var_log_t, var_log_t)
')

########################################
## <summary>
##	Dontaudit Write generic log files.
## </summary>
## <desc>
##	<p>
##	Silences write denials on var_log_t files only; no access
##	is granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`logging_dontaudit_write_generic_logs',`
	gen_require(`
		type var_log_t;
	')

	dontaudit $1 var_log_t:file write;
')

########################################
## <summary>
##	Read and write generic log files.
## </summary>
## <desc>
##	<p>
##	Read and write existing var_log_t files (no create/delete)
##	and list var_log_t directories. Private log types declared
##	with logging_log_file() are not covered.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_rw_generic_logs',`
	gen_require(`
		type var_log_t;
	')

	files_search_var($1)
	allow $1 var_log_t:dir list_dir_perms;
	rw_files_pattern($1, var_log_t, var_log_t)
')

########################################
## <summary>
##	Create, read, write, and delete
##	generic log files.
## </summary>
## <desc>
##	<p>
##	Full management of var_log_t files. Directory management is
##	not included (see logging_rw_generic_log_dirs()), and private
##	log types are not covered.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`logging_manage_generic_logs',`
	gen_require(`
		type var_log_t;
	')

	files_search_var($1)
	manage_files_pattern($1, var_log_t, var_log_t)
')

########################################
## <summary>
##	All of the rules required to administrate
##	the audit environment
## </summary>
## <desc>
##	<p>
##	Grants the domain ptrace and signals over auditd_t, full
##	management of the audit configuration, log and pid files,
##	the ability to run auditctl, and permission to start/stop
##	the daemon through its init script. Together this is
##	complete control over the audit trail (including the ability
##	to disable it or remove records), so the role receiving it
##	should be a dedicated audit administrator role.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	User role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`logging_admin_audit',`
	gen_require(`
		type auditd_t, auditd_etc_t, auditd_log_t;
		type auditd_var_run_t;
		type auditd_initrc_exec_t;
	')

	# ptrace permits reading the daemon's memory, not just signalling it
	allow $1 auditd_t:process { ptrace signal_perms };
	ps_process_pattern($1, auditd_t)

	manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)

	manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
	manage_files_pattern($1, auditd_log_t, auditd_log_t)

	manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
	manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)

	logging_run_auditctl($1, $2)

	# start/stop via the init script, running the script in system_r
	init_labeled_script_domtrans($1, auditd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 auditd_initrc_exec_t system_r;
	allow $2 system_r;
')

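########################################
## <summary>
##	All of the rules required to administrate
##	the syslog environment
## </summary>
## <desc>
##	<p>
##	Grants the domain ptrace and signals over syslogd_t and
##	klogd_t, management of their configuration, tmp, lib and pid
##	files, management and relabeling of every log file carrying
##	the logfile attribute, and permission to start/stop syslogd
##	through its init script. The logfile attribute is required
##	explicitly here because this interface uses it directly, not
##	only through logging_manage_all_logs().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	User role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`logging_admin_syslog',`
	gen_require(`
		attribute logfile;
		type syslogd_t, klogd_t, syslog_conf_t;
		type syslogd_tmp_t, syslogd_var_lib_t;
		type syslogd_var_run_t, klogd_var_run_t;
		type klogd_tmp_t, var_log_t;
		type syslogd_initrc_exec_t;
	')

	# ptrace permits reading the daemons' memory, not just signalling them
	allow $1 syslogd_t:process { ptrace signal_perms };
	allow $1 klogd_t:process { ptrace signal_perms };
	ps_process_pattern($1, syslogd_t)
	ps_process_pattern($1, klogd_t)

	manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
	manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)

	manage_dirs_pattern($1, klogd_tmp_t, klogd_tmp_t)
	manage_files_pattern($1, klogd_tmp_t, klogd_tmp_t)

	manage_dirs_pattern($1, syslogd_tmp_t, syslogd_tmp_t)
	manage_files_pattern($1, syslogd_tmp_t, syslogd_tmp_t)

	manage_dirs_pattern($1, syslog_conf_t, syslog_conf_t)
	manage_files_pattern($1, syslog_conf_t, syslog_conf_t)
	files_etc_filetrans($1, syslog_conf_t, file)

	manage_dirs_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
	manage_files_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)

	manage_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)

	logging_manage_all_logs($1)
	# relabelfrom/relabelto on logfile types lets the admin repair
	# mislabeled logs; it is admin-only because it also permits
	# changing which log type protects a given file
	allow $1 logfile:dir relabel_dir_perms;
	allow $1 logfile:file relabel_file_perms;

	# start/stop via the init script, running the script in system_r
	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 syslogd_initrc_exec_t system_r;
	allow $2 system_r;
')
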
########################################
## <summary>
##	All of the rules required to administrate
##	the logging environment
## </summary>
## <desc>
##	<p>
##	Convenience wrapper combining logging_admin_audit() and
##	logging_admin_syslog(). Since it confers full control over
##	both the audit trail and all system logs, consider granting
##	only one of the two component interfaces where the role does
##	not need both.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	User role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`logging_admin',`
	logging_admin_audit($1, $2)
	logging_admin_syslog($1, $2)
')