127d617b | 1 | policy_module(logging, 1.17.2) |
960373dd | 2 | |
eb7f9a34 CP |
3 | ######################################## |
4 | # | |
5 | # Declarations | |
6 | # | |
7 | ||
b4cd1533 CP |
8 | attribute logfile; |
9 | ||
c3cf6693 | 10 | type auditctl_t; |
605ba285 | 11 | type auditctl_exec_t; |
3f67f722 | 12 | init_system_domain(auditctl_t, auditctl_exec_t) |
605ba285 CP |
13 | role system_r types auditctl_t; |
14 | ||
a2868f6e CP |
15 | type auditd_etc_t; |
16 | files_security_file(auditd_etc_t) | |
605ba285 | 17 | |
a2868f6e CP |
18 | type auditd_log_t; |
19 | files_security_file(auditd_log_t) | |
3338f231 | 20 | files_security_mountpoint(auditd_log_t) |
eb7f9a34 | 21 | |
49e618c9 | 22 | type audit_spool_t; |
0059652b | 23 | files_spool_file(audit_spool_t) |
41b04c2c MG |
24 | files_security_file(audit_spool_t) |
25 | files_security_mountpoint(audit_spool_t) | |
49e618c9 | 26 | |
eb7f9a34 | 27 | type auditd_t; |
e070dd2d | 28 | type auditd_exec_t; |
3f67f722 | 29 | init_daemon_domain(auditd_t, auditd_exec_t) |
eb7f9a34 | 30 | |
cfafe4a7 CP |
31 | type auditd_initrc_exec_t; |
32 | init_script_file(auditd_initrc_exec_t) | |
33 | ||
eb7f9a34 | 34 | type auditd_var_run_t; |
c9428d33 | 35 | files_pid_file(auditd_var_run_t) |
eb7f9a34 | 36 | |
c11057f7 CP |
37 | type audisp_t; |
38 | type audisp_exec_t; | |
39 | init_system_domain(audisp_t, audisp_exec_t) | |
40 | ||
41 | type audisp_var_run_t; | |
42 | files_pid_file(audisp_var_run_t) | |
43 | ||
44 | type audisp_remote_t; | |
45 | type audisp_remote_exec_t; | |
46 | logging_dispatcher_domain(audisp_remote_t, audisp_remote_exec_t) | |
47 | ||
f0574fa9 | 48 | type devlog_t; |
8fd36732 | 49 | files_type(devlog_t) |
f0574fa9 | 50 | mls_trusted_object(devlog_t) |
4ddc1abd | 51 | |
f0574fa9 | 52 | type klogd_t; |
4ddc1abd | 53 | type klogd_exec_t; |
3f67f722 | 54 | init_daemon_domain(klogd_t, klogd_exec_t) |
4ddc1abd CP |
55 | |
56 | type klogd_tmp_t; | |
c9428d33 | 57 | files_tmp_file(klogd_tmp_t) |
4ddc1abd CP |
58 | |
59 | type klogd_var_run_t; | |
c9428d33 | 60 | files_pid_file(klogd_var_run_t) |
4ddc1abd | 61 | |
eaed904c | 62 | type syslog_conf_t; |
5e4542af | 63 | files_config_file(syslog_conf_t) |
eaed904c | 64 | |
4ddc1abd | 65 | type syslogd_t; |
4ddc1abd | 66 | type syslogd_exec_t; |
3f67f722 | 67 | init_daemon_domain(syslogd_t, syslogd_exec_t) |
3eaa9939 | 68 | mls_trusted_object(syslogd_t) |
4ddc1abd | 69 | |
cfafe4a7 CP |
70 | type syslogd_initrc_exec_t; |
71 | init_script_file(syslogd_initrc_exec_t) | |
72 | ||
4ddc1abd | 73 | type syslogd_tmp_t; |
c9428d33 | 74 | files_tmp_file(syslogd_tmp_t) |
4ddc1abd | 75 | |
eaed904c CP |
76 | type syslogd_var_lib_t; |
77 | files_type(syslogd_var_lib_t) | |
78 | ||
4ddc1abd | 79 | type syslogd_var_run_t; |
c9428d33 | 80 | files_pid_file(syslogd_var_run_t) |
4ddc1abd | 81 | |
31a1c2df CP |
82 | type var_log_t; |
83 | logging_log_file(var_log_t) | |
d6d16b97 | 84 | files_mountpoint(var_log_t) |
4ddc1abd | 85 | |
e070dd2d | 86 | ifdef(`enable_mls',` |
c11057f7 CP |
87 | init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh) |
88 | init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh) | |
e070dd2d CP |
89 | ') |
90 | ||
eb7f9a34 CP |
91 | ######################################## |
92 | # | |
14add30d | 93 | # Auditctl local policy |
eb7f9a34 CP |
94 | # |
95 | ||
eaed904c CP |
96 | allow auditctl_t self:capability { fsetid dac_read_search dac_override }; |
97 | allow auditctl_t self:netlink_audit_socket nlmsg_readpriv; | |
605ba285 | 98 | |
3f67f722 | 99 | read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t) |
c0868a7a | 100 | allow auditctl_t auditd_etc_t:dir list_dir_perms; |
605ba285 | 101 | |
165b42d2 CP |
102 | # Needed for adding watches |
103 | files_getattr_all_dirs(auditctl_t) | |
14add30d | 104 | files_getattr_all_files(auditctl_t) |
165b42d2 CP |
105 | files_read_etc_files(auditctl_t) |
106 | ||
445522dc | 107 | kernel_read_kernel_sysctls(auditctl_t) |
3c8f6b1a | 108 | kernel_read_proc_symlinks(auditctl_t) |
7a8807b6 | 109 | kernel_setsched(auditctl_t) |
605ba285 | 110 | |
3c8f6b1a | 111 | domain_read_all_domains_state(auditctl_t) |
15722ec9 | 112 | domain_use_interactive_fds(auditctl_t) |
605ba285 | 113 | |
f8233ab7 | 114 | mls_file_read_all_levels(auditctl_t) |
bf080a46 | 115 | |
af2d8802 | 116 | term_use_all_inherited_terms(auditctl_t) |
b0d2243c | 117 | |
1c1ac67f | 118 | init_dontaudit_use_fds(auditctl_t) |
605ba285 | 119 | |
1c1ac67f | 120 | locallogin_dontaudit_use_fds(auditctl_t) |
605ba285 | 121 | |
eaed904c | 122 | logging_set_audit_parameters(auditctl_t) |
2db2c7d0 CP |
123 | logging_send_syslog_msg(auditctl_t) |
124 | ||
605ba285 CP |
125 | ######################################## |
126 | # | |
127 | # Auditd local policy | |
128 | # | |
129 | ||
eaed904c | 130 | allow auditd_t self:capability { chown fsetid sys_nice sys_resource }; |
eb7f9a34 | 131 | dontaudit auditd_t self:capability sys_tty_config; |
7a8807b6 | 132 | allow auditd_t self:process { getcap signal_perms setcap setpgid setsched }; |
0b36a214 | 133 | allow auditd_t self:file rw_file_perms; |
605ba285 | 134 | allow auditd_t self:unix_dgram_socket create_socket_perms; |
7a8807b6 | 135 | allow auditd_t self:fifo_file rw_fifo_file_perms; |
06099da6 | 136 | allow auditd_t self:tcp_socket create_stream_socket_perms; |
605ba285 | 137 | |
c0868a7a | 138 | allow auditd_t auditd_etc_t:dir list_dir_perms; |
ef659a47 | 139 | allow auditd_t auditd_etc_t:file read_file_perms; |
eb7f9a34 | 140 | |
3f67f722 CP |
141 | manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) |
142 | manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) | |
c0868a7a | 143 | allow auditd_t var_log_t:dir search_dir_perms; |
eb7f9a34 | 144 | |
3f67f722 CP |
145 | manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) |
146 | manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) | |
147 | files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file }) | |
eb7f9a34 | 148 | |
445522dc | 149 | kernel_read_kernel_sysctls(auditd_t) |
522b59bb CP |
150 | # Needs to be able to run dispatcher. see /etc/audit/auditd.conf |
151 | # Probably want a transition, and a new auditd_helper app | |
152 | kernel_read_system_state(auditd_t) | |
d35c621e | 153 | |
8bd67899 | 154 | dev_read_sysfs(auditd_t) |
eb7f9a34 | 155 | |
0fd9dc55 | 156 | fs_getattr_all_fs(auditd_t) |
ab940a4c | 157 | fs_search_auto_mountpoints(auditd_t) |
06099da6 | 158 | fs_rw_anon_inodefs_files(auditd_t) |
eb7f9a34 | 159 | |
d9845ae9 CP |
160 | selinux_search_fs(auditctl_t) |
161 | ||
06099da6 CP |
162 | corenet_all_recvfrom_unlabeled(auditd_t) |
163 | corenet_all_recvfrom_netlabel(auditd_t) | |
164 | corenet_tcp_sendrecv_generic_if(auditd_t) | |
c1262146 | 165 | corenet_tcp_sendrecv_generic_node(auditd_t) |
06099da6 | 166 | corenet_tcp_sendrecv_all_ports(auditd_t) |
c1262146 | 167 | corenet_tcp_bind_generic_node(auditd_t) |
06099da6 CP |
168 | corenet_tcp_bind_audit_port(auditd_t) |
169 | corenet_sendrecv_audit_server_packets(auditd_t) | |
170 | ||
522b59bb CP |
171 | # Needs to be able to run dispatcher. see /etc/audit/auditd.conf |
172 | # Probably want a transition, and a new auditd_helper app | |
522b59bb | 173 | corecmd_exec_bin(auditd_t) |
46551033 | 174 | corecmd_exec_shell(auditd_t) |
eb7f9a34 | 175 | |
15722ec9 | 176 | domain_use_interactive_fds(auditd_t) |
eb7f9a34 | 177 | |
8fd36732 | 178 | files_read_etc_files(auditd_t) |
603f90ab | 179 | files_list_usr(auditd_t) |
eb7f9a34 | 180 | |
a5f5eba4 | 181 | init_telinit(auditd_t) |
77f6e2cd | 182 | |
eaed904c | 183 | logging_set_audit_parameters(auditd_t) |
c9428d33 | 184 | logging_send_syslog_msg(auditd_t) |
c11057f7 CP |
185 | logging_domtrans_dispatcher(auditd_t) |
186 | logging_signal_dispatcher(auditd_t) | |
eb7f9a34 | 187 | |
3eaa9939 DW |
188 | auth_use_nsswitch(auditd_t) |
189 | ||
eb7f9a34 CP |
190 | miscfiles_read_localization(auditd_t) |
191 | ||
f8233ab7 CP |
192 | mls_file_read_all_levels(auditd_t) |
193 | mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory | |
195551b3 | 194 | mls_socket_write_all_levels(auditd_t) |
2db2c7d0 CP |
195 | |
196 | seutil_dontaudit_read_config(auditd_t) | |
f0574fa9 | 197 | |
c11057f7 CP |
198 | sysnet_dns_name_resolve(auditd_t) |
199 | ||
af2d8802 | 200 | userdom_use_inherited_user_terminals(auditd_t) |
15722ec9 | 201 | userdom_dontaudit_use_unpriv_user_fds(auditd_t) |
296273a7 | 202 | userdom_dontaudit_search_user_home_dirs(auditd_t) |
33acca55 | 203 | |
12cf805e CP |
204 | ifdef(`distro_ubuntu',` |
205 | optional_policy(` | |
206 | unconfined_domain(auditd_t) | |
207 | ') | |
208 | ') | |
209 | ||
c11057f7 CP |
210 | optional_policy(` |
211 | mta_send_mail(auditd_t) | |
212 | ') | |
213 | ||
bb7170f6 | 214 | optional_policy(` |
8fd36732 | 215 | seutil_sigchld_newrole(auditd_t) |
eb7f9a34 CP |
216 | ') |
217 | ||
bb7170f6 | 218 | optional_policy(` |
c9428d33 | 219 | udev_read_db(auditd_t) |
eb7f9a34 CP |
220 | ') |
221 | ||
c11057f7 CP |
222 | ######################################## |
223 | # | |
224 | # audit dispatcher local policy | |
225 | # | |
226 | ||
7a8807b6 CP |
227 | allow audisp_t self:capability { dac_override setpcap sys_nice }; |
228 | allow audisp_t self:process { getcap signal_perms setcap setsched }; | |
229 | allow audisp_t self:fifo_file rw_fifo_file_perms; | |
c11057f7 CP |
230 | allow audisp_t self:unix_stream_socket create_stream_socket_perms; |
231 | allow audisp_t self:unix_dgram_socket create_socket_perms; | |
232 | ||
0b36a214 | 233 | allow audisp_t auditd_t:unix_stream_socket rw_socket_perms; |
c11057f7 CP |
234 | |
235 | manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) | |
236 | files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) | |
237 | ||
9c6adc46 MG |
238 | kernel_read_system_state(audisp_t) |
239 | ||
7a8807b6 CP |
240 | corecmd_exec_bin(audisp_t) |
241 | corecmd_exec_shell(audisp_t) | |
c11057f7 CP |
242 | |
243 | domain_use_interactive_fds(audisp_t) | |
244 | ||
9c6adc46 MG |
245 | fs_getattr_all_fs(audisp_t) |
246 | ||
c11057f7 | 247 | files_read_etc_files(audisp_t) |
7a8807b6 | 248 | files_read_etc_runtime_files(audisp_t) |
c11057f7 | 249 | |
3eaa9939 | 250 | mls_file_read_all_levels(audisp_t) |
c11057f7 | 251 | mls_file_write_all_levels(audisp_t) |
3eaa9939 DW |
252 | mls_socket_write_all_levels(audisp_t) |
253 | mls_dbus_send_all_levels(audisp_t) | |
254 | ||
255 | auth_use_nsswitch(audisp_t) | |
c11057f7 | 256 | |
c11057f7 CP |
257 | logging_send_syslog_msg(audisp_t) |
258 | ||
259 | miscfiles_read_localization(audisp_t) | |
260 | ||
06099da6 CP |
261 | sysnet_dns_name_resolve(audisp_t) |
262 | ||
7a8807b6 CP |
263 | optional_policy(` |
264 | dbus_system_bus_client(audisp_t) | |
3eaa9939 DW |
265 | |
266 | optional_policy(` | |
267 | setroubleshoot_dbus_chat(audisp_t) | |
268 | ') | |
7a8807b6 CP |
269 | ') |
270 | ||
c11057f7 CP |
271 | ######################################## |
272 | # | |
273 | # Audit remote logger local policy | |
274 | # | |
275 | ||
127d617b | 276 | allow audisp_remote_t self:capability { setuid setpcap }; |
3eaa9939 | 277 | allow audisp_remote_t self:process { getcap setcap }; |
c11057f7 | 278 | allow audisp_remote_t self:tcp_socket create_socket_perms; |
3eaa9939 DW |
279 | allow audisp_remote_t var_log_t:dir search_dir_perms; |
280 | ||
49e618c9 DW |
281 | manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) |
282 | manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) | |
283 | files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) | |
284 | ||
3eaa9939 | 285 | corecmd_exec_bin(audisp_remote_t) |
c11057f7 CP |
286 | |
287 | corenet_all_recvfrom_unlabeled(audisp_remote_t) | |
288 | corenet_all_recvfrom_netlabel(audisp_remote_t) | |
668b3093 | 289 | corenet_tcp_sendrecv_generic_if(audisp_remote_t) |
c1262146 | 290 | corenet_tcp_sendrecv_generic_node(audisp_remote_t) |
7a8807b6 CP |
291 | corenet_tcp_sendrecv_all_ports(audisp_remote_t) |
292 | corenet_tcp_bind_audit_port(audisp_remote_t) | |
293 | corenet_tcp_bind_generic_node(audisp_remote_t) | |
06099da6 CP |
294 | corenet_tcp_connect_audit_port(audisp_remote_t) |
295 | corenet_sendrecv_audit_client_packets(audisp_remote_t) | |
c11057f7 CP |
296 | |
297 | files_read_etc_files(audisp_remote_t) | |
298 | ||
195551b3 DW |
299 | mls_socket_write_all_levels(audisp_remote_t) |
300 | ||
c11057f7 | 301 | logging_send_syslog_msg(audisp_remote_t) |
3eaa9939 DW |
302 | logging_send_audit_msgs(audisp_remote_t) |
303 | ||
304 | auth_use_nsswitch(audisp_remote_t) | |
ad0767a2 | 305 | auth_append_login_records(audisp_remote_t) |
c11057f7 CP |
306 | |
307 | miscfiles_read_localization(audisp_remote_t) | |
308 | ||
3eaa9939 DW |
309 | init_telinit(audisp_remote_t) |
310 | init_read_utmp(audisp_remote_t) | |
311 | init_dontaudit_write_utmp(audisp_remote_t) | |
312 | ||
c11057f7 CP |
313 | sysnet_dns_name_resolve(audisp_remote_t) |
314 | ||
4ddc1abd CP |
315 | ######################################## |
316 | # | |
317 | # klogd local policy | |
318 | # | |
319 | ||
2e0a8801 CP |
320 | allow klogd_t self:capability sys_admin; |
321 | dontaudit klogd_t self:capability { sys_resource sys_tty_config }; | |
322 | allow klogd_t self:process signal_perms; | |
323 | ||
3f67f722 CP |
324 | manage_dirs_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t) |
325 | manage_files_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t) | |
326 | files_tmp_filetrans(klogd_t, klogd_tmp_t,{ file dir }) | |
daa0e0b0 | 327 | |
3f67f722 CP |
328 | manage_files_pattern(klogd_t, klogd_var_run_t, klogd_var_run_t) |
329 | files_pid_filetrans(klogd_t, klogd_var_run_t, file) | |
4ddc1abd | 330 | |
4ddc1abd | 331 | kernel_read_system_state(klogd_t) |
219bcf7a | 332 | kernel_read_messages(klogd_t) |
445522dc | 333 | kernel_read_kernel_sysctls(klogd_t) |
219bcf7a CP |
334 | # Control syslog and console logging |
335 | kernel_clear_ring_buffer(klogd_t) | |
336 | kernel_change_ring_buffer_level(klogd_t) | |
219bcf7a | 337 | |
1c1ac67f | 338 | files_read_kernel_symbol_table(klogd_t) |
4ddc1abd | 339 | |
f0c985ca | 340 | dev_read_raw_memory(klogd_t) |
d1b9d922 | 341 | dev_read_sysfs(klogd_t) |
4ddc1abd | 342 | |
0fd9dc55 | 343 | fs_getattr_all_fs(klogd_t) |
d1b9d922 | 344 | fs_search_auto_mountpoints(klogd_t) |
4ddc1abd | 345 | |
15722ec9 | 346 | domain_use_interactive_fds(klogd_t) |
b7e1825b | 347 | |
c9428d33 | 348 | files_read_etc_runtime_files(klogd_t) |
4ddc1abd | 349 | # read /etc/nsswitch.conf |
8fd36732 | 350 | files_read_etc_files(klogd_t) |
4ddc1abd | 351 | |
c9428d33 | 352 | logging_send_syslog_msg(klogd_t) |
4ddc1abd | 353 | |
daa0e0b0 CP |
354 | miscfiles_read_localization(klogd_t) |
355 | ||
f8233ab7 | 356 | mls_file_read_all_levels(klogd_t) |
bf080a46 | 357 | |
296273a7 | 358 | userdom_dontaudit_search_user_home_dirs(klogd_t) |
725926c5 | 359 | |
12cf805e CP |
360 | ifdef(`distro_ubuntu',` |
361 | optional_policy(` | |
362 | unconfined_domain(klogd_t) | |
363 | ') | |
364 | ') | |
365 | ||
bb7170f6 | 366 | optional_policy(` |
d1b9d922 | 367 | udev_read_db(klogd_t) |
98a8ead4 | 368 | ') |
d1b9d922 | 369 | |
bb7170f6 | 370 | optional_policy(` |
725926c5 CP |
371 | seutil_sigchld_newrole(klogd_t) |
372 | ') | |
373 | ||
4ddc1abd CP |
374 | ######################################## |
375 | # | |
376 | # syslogd local policy | |
377 | # | |
219bcf7a | 378 | |
e9b9e452 CP |
379 | # chown fsetid for syslog-ng |
380 | # sys_admin for the integrated klog of syslog-ng and metalog | |
0907bda1 | 381 | # cjp: why net_admin? |
7a8f1d73 | 382 | allow syslogd_t self:capability { dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid }; |
55f4564e | 383 | dontaudit syslogd_t self:capability sys_tty_config; |
bb1d4bb0 | 384 | allow syslogd_t self:capability2 syslog; |
e9b9e452 | 385 | # setpgid for metalog |
8c38fba0 | 386 | # setrlimit for syslog-ng |
97e70d54 | 387 | allow syslogd_t self:process { signal_perms getcap setcap setpgid setsched setrlimit }; |
d115b247 | 388 | # receive messages to be logged |
cc41a97c CP |
389 | allow syslogd_t self:unix_dgram_socket create_socket_perms; |
390 | allow syslogd_t self:unix_stream_socket create_stream_socket_perms; | |
d115b247 | 391 | allow syslogd_t self:unix_dgram_socket sendto; |
7a8807b6 | 392 | allow syslogd_t self:fifo_file rw_fifo_file_perms; |
35a4b349 | 393 | allow syslogd_t self:udp_socket create_socket_perms; |
5c45eaed | 394 | allow syslogd_t self:tcp_socket create_stream_socket_perms; |
219bcf7a | 395 | |
eaed904c CP |
396 | allow syslogd_t syslog_conf_t:file read_file_perms; |
397 | ||
605ba285 | 398 | # Create and bind to /dev/log or /var/run/log. |
c0868a7a | 399 | allow syslogd_t devlog_t:sock_file manage_sock_file_perms; |
3f67f722 | 400 | files_pid_filetrans(syslogd_t, devlog_t, sock_file) |
605ba285 | 401 | |
55f4564e | 402 | # create/append log files. |
3f67f722 CP |
403 | manage_files_pattern(syslogd_t, var_log_t, var_log_t) |
404 | rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) | |
3f335a42 | 405 | files_search_spool(syslogd_t) |
14add30d | 406 | |
605ba285 CP |
407 | # Allow syslog-ng to create log directories and set their attributes |
408 | allow syslogd_t var_log_t:dir { create setattr }; | |
4ddc1abd | 409 | |
55f4564e | 410 | # manage temporary files |
3f67f722 CP |
411 | manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) |
412 | manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) | |
413 | files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) | |
3b857eae | 414 | |
3eaa9939 | 415 | manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) |
eaed904c CP |
416 | manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) |
417 | files_search_var_lib(syslogd_t) | |
418 | ||
3eaa9939 DW |
419 | manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) |
420 | manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) | |
421 | manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) | |
422 | files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir }) | |
423 | ||
55f4564e | 424 | # manage pid file |
3f67f722 CP |
425 | manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) |
426 | files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) | |
55f4564e | 427 | |
c11057f7 | 428 | kernel_read_system_state(syslogd_t) |
445522dc | 429 | kernel_read_kernel_sysctls(syslogd_t) |
a42ca7eb | 430 | kernel_read_proc_symlinks(syslogd_t) |
605ba285 | 431 | # Allow access to /proc/kmsg for syslog-ng |
d3f715d2 CP |
432 | kernel_read_messages(syslogd_t) |
433 | kernel_clear_ring_buffer(syslogd_t) | |
434 | kernel_change_ring_buffer_level(syslogd_t) | |
219bcf7a | 435 | |
19006686 CP |
436 | corenet_all_recvfrom_unlabeled(syslogd_t) |
437 | corenet_all_recvfrom_netlabel(syslogd_t) | |
668b3093 | 438 | corenet_udp_sendrecv_generic_if(syslogd_t) |
c1262146 | 439 | corenet_udp_sendrecv_generic_node(syslogd_t) |
0fd9dc55 | 440 | corenet_udp_sendrecv_all_ports(syslogd_t) |
c1262146 | 441 | corenet_udp_bind_generic_node(syslogd_t) |
a524921a | 442 | corenet_udp_bind_syslogd_port(syslogd_t) |
6b19be33 | 443 | # syslog-ng can listen and connect on tcp port 514 (rsh) |
668b3093 | 444 | corenet_tcp_sendrecv_generic_if(syslogd_t) |
c1262146 | 445 | corenet_tcp_sendrecv_generic_node(syslogd_t) |
6b19be33 | 446 | corenet_tcp_sendrecv_all_ports(syslogd_t) |
c1262146 | 447 | corenet_tcp_bind_generic_node(syslogd_t) |
6b19be33 CP |
448 | corenet_tcp_bind_rsh_port(syslogd_t) |
449 | corenet_tcp_connect_rsh_port(syslogd_t) | |
5f5b7a1e CP |
450 | # Allow users to define additional syslog ports to connect to |
451 | corenet_tcp_bind_syslogd_port(syslogd_t) | |
452 | corenet_tcp_connect_syslogd_port(syslogd_t) | |
c11057f7 CP |
453 | corenet_tcp_connect_postgresql_port(syslogd_t) |
454 | corenet_tcp_connect_mysqld_port(syslogd_t) | |
6b19be33 | 455 | |
35a4b349 CP |
456 | # syslog-ng can send or receive logs |
457 | corenet_sendrecv_syslogd_client_packets(syslogd_t) | |
458 | corenet_sendrecv_syslogd_server_packets(syslogd_t) | |
c11057f7 CP |
459 | corenet_sendrecv_postgresql_client_packets(syslogd_t) |
460 | corenet_sendrecv_mysqld_client_packets(syslogd_t) | |
219bcf7a | 461 | |
3f67f722 | 462 | dev_filetrans(syslogd_t, devlog_t, sock_file) |
c11057f7 | 463 | dev_read_sysfs(syslogd_t) |
3eaa9939 | 464 | dev_read_rand(syslogd_t) |
6712da05 MG |
465 | # relating to systemd-kmsg-syslogd |
466 | dev_write_kmsg(syslogd_t) | |
55f4564e | 467 | |
24eccc63 | 468 | domain_read_all_domains_state(syslogd_t) |
15722ec9 | 469 | domain_use_interactive_fds(syslogd_t) |
15b2e336 | 470 | domain_read_all_domains_state(syslogd_t) |
25baab18 | 471 | |
8fd36732 | 472 | files_read_etc_files(syslogd_t) |
c11057f7 | 473 | files_read_usr_files(syslogd_t) |
14add30d | 474 | files_read_var_files(syslogd_t) |
77f6e2cd | 475 | files_read_etc_runtime_files(syslogd_t) |
605ba285 | 476 | # /initrd is not unmounted before minilog starts |
9e04f5c5 | 477 | files_dontaudit_search_isid_type_dirs(syslogd_t) |
c11057f7 CP |
478 | files_read_kernel_symbol_table(syslogd_t) |
479 | ||
480 | fs_getattr_all_fs(syslogd_t) | |
481 | fs_search_auto_mountpoints(syslogd_t) | |
482 | ||
483 | mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories | |
484 | ||
485 | term_write_console(syslogd_t) | |
486 | # Allow syslog to a terminal | |
487 | term_write_unallocated_ttys(syslogd_t) | |
488 | ||
1ac1e26d | 489 | init_stream_connect(syslogd_t) |
c11057f7 CP |
490 | # for sending messages to logged-in users |
491 | init_read_utmp(syslogd_t) | |
492 | init_dontaudit_write_utmp(syslogd_t) | |
c3c753f7 | 493 | term_write_all_ttys(syslogd_t) |
c11057f7 CP |
494 | |
495 | auth_use_nsswitch(syslogd_t) | |
496 | ||
497 | init_use_fds(syslogd_t) | |
219bcf7a | 498 | |
b0bdeb03 CP |
499 | # cjp: this doesnt make sense |
500 | logging_send_syslog_msg(syslogd_t) | |
501 | ||
219bcf7a CP |
502 | miscfiles_read_localization(syslogd_t) |
503 | ||
15722ec9 | 504 | userdom_dontaudit_use_unpriv_user_fds(syslogd_t) |
296273a7 | 505 | userdom_dontaudit_search_user_home_dirs(syslogd_t) |
daa0e0b0 | 506 | |
ce6bf7cc CP |
507 | ifdef(`distro_gentoo',` |
508 | # default gentoo syslog-ng config appends kernel | |
509 | # and high priority messages to /dev/tty12 | |
510 | term_append_unallocated_ttys(syslogd_t) | |
511 | term_dontaudit_setattr_unallocated_ttys(syslogd_t) | |
512 | ') | |
513 | ||
605ba285 | 514 | ifdef(`distro_suse',` |
a5f339f1 | 515 | # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel |
3f67f722 | 516 | files_var_lib_filetrans(syslogd_t, devlog_t, sock_file) |
a5f339f1 CP |
517 | ') |
518 | ||
12cf805e CP |
519 | ifdef(`distro_ubuntu',` |
520 | optional_policy(` | |
521 | unconfined_domain(syslogd_t) | |
522 | ') | |
523 | ') | |
524 | ||
7a8807b6 CP |
525 | optional_policy(` |
526 | bind_search_cache(syslogd_t) | |
527 | ') | |
528 | ||
bb7170f6 | 529 | optional_policy(` |
9b06402e CP |
530 | inn_manage_log(syslogd_t) |
531 | ') | |
532 | ||
7a8807b6 CP |
533 | optional_policy(` |
534 | mysql_stream_connect(syslogd_t) | |
535 | ') | |
536 | ||
5505450b DW |
537 | optional_policy(` |
538 | plymouthd_manage_log(syslogd_t) | |
539 | ') | |
540 | ||
bb7170f6 | 541 | optional_policy(` |
c11057f7 | 542 | postgresql_stream_connect(syslogd_t) |
77f6e2cd CP |
543 | ') |
544 | ||
bb7170f6 | 545 | optional_policy(` |
8fd36732 | 546 | seutil_sigchld_newrole(syslogd_t) |
25baab18 CP |
547 | ') |
548 | ||
3eaa9939 DW |
549 | optional_policy(` |
550 | daemontools_search_svc_dir(syslogd_t) | |
551 | ') | |
552 | ||
bb7170f6 | 553 | optional_policy(` |
c9428d33 | 554 | udev_read_db(syslogd_t) |
25baab18 CP |
555 | ') |
556 | ||
413982c6 CP |
557 | optional_policy(` |
558 | # log to the xconsole | |
559 | xserver_rw_console(syslogd_t) | |
560 | ') |