[people/stevee/selinux-policy.git] / policy / modules / system / logging.te

policy_module(logging, 1.17.2)

########################################
#
# Declarations
#

attribute logfile;

type auditctl_t;
type auditctl_exec_t;
init_system_domain(auditctl_t, auditctl_exec_t)
role system_r types auditctl_t;

type auditd_etc_t;
files_security_file(auditd_etc_t)

type auditd_log_t;
files_security_file(auditd_log_t)
files_security_mountpoint(auditd_log_t)

type audit_spool_t;
files_spool_file(audit_spool_t)
files_security_file(audit_spool_t)
files_security_mountpoint(audit_spool_t)

type auditd_t;
type auditd_exec_t;
init_daemon_domain(auditd_t, auditd_exec_t)

type auditd_initrc_exec_t;
init_script_file(auditd_initrc_exec_t)

type auditd_var_run_t;
files_pid_file(auditd_var_run_t)

type audisp_t;
type audisp_exec_t;
init_system_domain(audisp_t, audisp_exec_t)

type audisp_var_run_t;
files_pid_file(audisp_var_run_t)

type audisp_remote_t;
type audisp_remote_exec_t;
logging_dispatcher_domain(audisp_remote_t, audisp_remote_exec_t)

type devlog_t;
files_type(devlog_t)
mls_trusted_object(devlog_t)

type klogd_t;
type klogd_exec_t;
init_daemon_domain(klogd_t, klogd_exec_t)

type klogd_tmp_t;
files_tmp_file(klogd_tmp_t)

type klogd_var_run_t;
files_pid_file(klogd_var_run_t)

type syslog_conf_t;
files_config_file(syslog_conf_t)

type syslogd_t;
type syslogd_exec_t;
init_daemon_domain(syslogd_t, syslogd_exec_t)
mls_trusted_object(syslogd_t)

type syslogd_initrc_exec_t;
init_script_file(syslogd_initrc_exec_t)

type syslogd_tmp_t;
files_tmp_file(syslogd_tmp_t)

type syslogd_var_lib_t;
files_type(syslogd_var_lib_t)

type syslogd_var_run_t;
files_pid_file(syslogd_var_run_t)

type var_log_t;
logging_log_file(var_log_t)
files_mountpoint(var_log_t)

ifdef(`enable_mls',`
	init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
	init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
')

########################################
#
# Auditctl local policy
#

allow auditctl_t self:capability { fsetid dac_read_search dac_override };
allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;

read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
allow auditctl_t auditd_etc_t:dir list_dir_perms;

# Needed for adding watches
files_getattr_all_dirs(auditctl_t)
files_getattr_all_files(auditctl_t)
files_read_etc_files(auditctl_t)

kernel_read_kernel_sysctls(auditctl_t)
kernel_read_proc_symlinks(auditctl_t)
kernel_setsched(auditctl_t)

domain_read_all_domains_state(auditctl_t)
domain_use_interactive_fds(auditctl_t)

mls_file_read_all_levels(auditctl_t)

term_use_all_inherited_terms(auditctl_t)

init_dontaudit_use_fds(auditctl_t)

locallogin_dontaudit_use_fds(auditctl_t)

logging_set_audit_parameters(auditctl_t)
logging_send_syslog_msg(auditctl_t)

########################################
#
# Auditd local policy
#

allow auditd_t self:capability { chown fsetid sys_nice sys_resource };
dontaudit auditd_t self:capability sys_tty_config;
allow auditd_t self:process { getcap signal_perms setcap setpgid setsched };
allow auditd_t self:file rw_file_perms;
allow auditd_t self:unix_dgram_socket create_socket_perms;
allow auditd_t self:fifo_file rw_fifo_file_perms;
allow auditd_t self:tcp_socket create_stream_socket_perms;

allow auditd_t auditd_etc_t:dir list_dir_perms;
allow auditd_t auditd_etc_t:file read_file_perms;

manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
allow auditd_t var_log_t:dir search_dir_perms;

manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })

kernel_read_kernel_sysctls(auditd_t)
# Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
# Probably want a transition, and a new auditd_helper app
kernel_read_system_state(auditd_t)

dev_read_sysfs(auditd_t)

fs_getattr_all_fs(auditd_t)
fs_search_auto_mountpoints(auditd_t)
fs_rw_anon_inodefs_files(auditd_t)

selinux_search_fs(auditctl_t)

corenet_all_recvfrom_unlabeled(auditd_t)
corenet_all_recvfrom_netlabel(auditd_t)
corenet_tcp_sendrecv_generic_if(auditd_t)
corenet_tcp_sendrecv_generic_node(auditd_t)
corenet_tcp_sendrecv_all_ports(auditd_t)
corenet_tcp_bind_generic_node(auditd_t)
corenet_tcp_bind_audit_port(auditd_t)
corenet_sendrecv_audit_server_packets(auditd_t)

# Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
# Probably want a transition, and a new auditd_helper app
corecmd_exec_bin(auditd_t)
corecmd_exec_shell(auditd_t)

domain_use_interactive_fds(auditd_t)

files_read_etc_files(auditd_t)
files_list_usr(auditd_t)

init_telinit(auditd_t)

logging_set_audit_parameters(auditd_t)
logging_send_syslog_msg(auditd_t)
logging_domtrans_dispatcher(auditd_t)
logging_signal_dispatcher(auditd_t)

auth_use_nsswitch(auditd_t)

miscfiles_read_localization(auditd_t)

mls_file_read_all_levels(auditd_t)
mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
mls_socket_write_all_levels(auditd_t)

seutil_dontaudit_read_config(auditd_t)

sysnet_dns_name_resolve(auditd_t)

userdom_use_inherited_user_terminals(auditd_t)
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_user_home_dirs(auditd_t)

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(auditd_t)
	')
')

optional_policy(`
	mta_send_mail(auditd_t)
')

optional_policy(`
	seutil_sigchld_newrole(auditd_t)
')

optional_policy(`
	udev_read_db(auditd_t)
')

########################################
#
# audit dispatcher local policy
#

allow audisp_t self:capability { dac_override setpcap sys_nice };
allow audisp_t self:process { getcap signal_perms setcap setsched };
allow audisp_t self:fifo_file rw_fifo_file_perms;
allow audisp_t self:unix_stream_socket create_stream_socket_perms;
allow audisp_t self:unix_dgram_socket create_socket_perms;

allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;

manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)

kernel_read_system_state(audisp_t)

corecmd_exec_bin(audisp_t)
corecmd_exec_shell(audisp_t)

domain_use_interactive_fds(audisp_t)

fs_getattr_all_fs(audisp_t)

files_read_etc_files(audisp_t)
files_read_etc_runtime_files(audisp_t)

mls_file_read_all_levels(audisp_t)
mls_file_write_all_levels(audisp_t)
mls_socket_write_all_levels(audisp_t)
mls_dbus_send_all_levels(audisp_t)

auth_use_nsswitch(audisp_t)

logging_send_syslog_msg(audisp_t)

miscfiles_read_localization(audisp_t)

sysnet_dns_name_resolve(audisp_t)

optional_policy(`
	dbus_system_bus_client(audisp_t)

	optional_policy(`
		setroubleshoot_dbus_chat(audisp_t)
	')
')

########################################
#
# Audit remote logger local policy
#

allow audisp_remote_t self:capability { setuid setpcap };
allow audisp_remote_t self:process { getcap setcap };
allow audisp_remote_t self:tcp_socket create_socket_perms;
allow audisp_remote_t var_log_t:dir search_dir_perms;

manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })

corecmd_exec_bin(audisp_remote_t)

corenet_all_recvfrom_unlabeled(audisp_remote_t)
corenet_all_recvfrom_netlabel(audisp_remote_t)
corenet_tcp_sendrecv_generic_if(audisp_remote_t)
corenet_tcp_sendrecv_generic_node(audisp_remote_t)
corenet_tcp_sendrecv_all_ports(audisp_remote_t)
corenet_tcp_bind_audit_port(audisp_remote_t)
corenet_tcp_bind_generic_node(audisp_remote_t)
corenet_tcp_connect_audit_port(audisp_remote_t)
corenet_sendrecv_audit_client_packets(audisp_remote_t)

files_read_etc_files(audisp_remote_t)

mls_socket_write_all_levels(audisp_remote_t)

logging_send_syslog_msg(audisp_remote_t)
logging_send_audit_msgs(audisp_remote_t)

auth_use_nsswitch(audisp_remote_t)
auth_append_login_records(audisp_remote_t)

miscfiles_read_localization(audisp_remote_t)

init_telinit(audisp_remote_t)
init_read_utmp(audisp_remote_t)
init_dontaudit_write_utmp(audisp_remote_t)

sysnet_dns_name_resolve(audisp_remote_t)

########################################
#
# klogd local policy
#

allow klogd_t self:capability sys_admin;
dontaudit klogd_t self:capability { sys_resource sys_tty_config };
allow klogd_t self:process signal_perms;

manage_dirs_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t)
manage_files_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t)
files_tmp_filetrans(klogd_t, klogd_tmp_t,{ file dir })

manage_files_pattern(klogd_t, klogd_var_run_t, klogd_var_run_t)
files_pid_filetrans(klogd_t, klogd_var_run_t, file)

kernel_read_system_state(klogd_t)
kernel_read_messages(klogd_t)
kernel_read_kernel_sysctls(klogd_t)
# Control syslog and console logging
kernel_clear_ring_buffer(klogd_t)
kernel_change_ring_buffer_level(klogd_t)

files_read_kernel_symbol_table(klogd_t)

dev_read_raw_memory(klogd_t)
dev_read_sysfs(klogd_t)

fs_getattr_all_fs(klogd_t)
fs_search_auto_mountpoints(klogd_t)

domain_use_interactive_fds(klogd_t)

files_read_etc_runtime_files(klogd_t)
# read /etc/nsswitch.conf
files_read_etc_files(klogd_t)

logging_send_syslog_msg(klogd_t)

miscfiles_read_localization(klogd_t)

mls_file_read_all_levels(klogd_t)

userdom_dontaudit_search_user_home_dirs(klogd_t)

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(klogd_t)
	')
')

optional_policy(`
	udev_read_db(klogd_t)
')

optional_policy(`
	seutil_sigchld_newrole(klogd_t)
')

########################################
#
# syslogd local policy
#

# chown fsetid for syslog-ng
# sys_admin for the integrated klog of syslog-ng and metalog
# cjp: why net_admin!
allow syslogd_t self:capability { dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid };
dontaudit syslogd_t self:capability sys_tty_config;
allow syslogd_t self:capability2 syslog;
# setpgid for metalog
# setrlimit for syslog-ng
allow syslogd_t self:process { signal_perms getcap setcap setpgid setsched setrlimit };
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:fifo_file rw_fifo_file_perms;
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;

allow syslogd_t syslog_conf_t:file read_file_perms;

# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
files_pid_filetrans(syslogd_t, devlog_t, sock_file)

# create/append log files.
manage_files_pattern(syslogd_t, var_log_t, var_log_t)
rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
files_search_spool(syslogd_t)

# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };

# manage temporary files
manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })

manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
files_search_var_lib(syslogd_t)

manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir })

# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)

kernel_read_system_state(syslogd_t)
kernel_read_kernel_sysctls(syslogd_t)
kernel_read_proc_symlinks(syslogd_t)
# Allow access to /proc/kmsg for syslog-ng
kernel_read_messages(syslogd_t)
kernel_clear_ring_buffer(syslogd_t)
kernel_change_ring_buffer_level(syslogd_t)

corenet_all_recvfrom_unlabeled(syslogd_t)
corenet_all_recvfrom_netlabel(syslogd_t)
corenet_udp_sendrecv_generic_if(syslogd_t)
corenet_udp_sendrecv_generic_node(syslogd_t)
corenet_udp_sendrecv_all_ports(syslogd_t)
corenet_udp_bind_generic_node(syslogd_t)
corenet_udp_bind_syslogd_port(syslogd_t)
# syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_generic_if(syslogd_t)
corenet_tcp_sendrecv_generic_node(syslogd_t)
corenet_tcp_sendrecv_all_ports(syslogd_t)
corenet_tcp_bind_generic_node(syslogd_t)
corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
corenet_tcp_connect_syslogd_port(syslogd_t)
corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t)

# syslog-ng can send or receive logs
corenet_sendrecv_syslogd_client_packets(syslogd_t)
corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)

dev_filetrans(syslogd_t, devlog_t, sock_file)
dev_read_sysfs(syslogd_t)
dev_read_rand(syslogd_t)
# relating to systemd-kmsg-syslogd
dev_write_kmsg(syslogd_t)

domain_read_all_domains_state(syslogd_t)
domain_use_interactive_fds(syslogd_t)
domain_read_all_domains_state(syslogd_t)

files_read_etc_files(syslogd_t)
files_read_usr_files(syslogd_t)
files_read_var_files(syslogd_t)
files_read_etc_runtime_files(syslogd_t)
# /initrd is not umounted before minilog starts
files_dontaudit_search_isid_type_dirs(syslogd_t)
files_read_kernel_symbol_table(syslogd_t)

fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)

mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories

term_write_console(syslogd_t)
# Allow syslog to a terminal
term_write_unallocated_ttys(syslogd_t)

init_stream_connect(syslogd_t)
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
term_write_all_ttys(syslogd_t)

auth_use_nsswitch(syslogd_t)

init_use_fds(syslogd_t)

# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)

miscfiles_read_localization(syslogd_t)

userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
userdom_dontaudit_search_user_home_dirs(syslogd_t)

ifdef(`distro_gentoo',`
	# default gentoo syslog-ng config appends kernel
	# and high priority messages to /dev/tty12
	term_append_unallocated_ttys(syslogd_t)
	term_dontaudit_setattr_unallocated_ttys(syslogd_t)
')

ifdef(`distro_suse',`
	# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
	files_var_lib_filetrans(syslogd_t, devlog_t, sock_file)
')

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(syslogd_t)
	')
')

optional_policy(`
	bind_search_cache(syslogd_t)
')

optional_policy(`
	inn_manage_log(syslogd_t)
')

optional_policy(`
	mysql_stream_connect(syslogd_t)
')

optional_policy(`
	plymouthd_manage_log(syslogd_t)
')

optional_policy(`
	postgresql_stream_connect(syslogd_t)
')

optional_policy(`
	seutil_sigchld_newrole(syslogd_t)
')

optional_policy(`
    daemontools_search_svc_dir(syslogd_t)
')

optional_policy(`
	udev_read_db(syslogd_t)
')

optional_policy(`
	# log to the xconsole
	xserver_rw_console(syslogd_t)
')
Commit	Line	Data
127d617b	1	policy_module(logging, 1.17.2)
960373dd	2
eb7f9a34 CP	3	########################################
	4	#
	5	# Declarations
	6	#
	7
b4cd1533 CP	8	attribute logfile;
b4cd1533 CP	9
c3cf6693	10	type auditctl_t;
605ba285	11	type auditctl_exec_t;
3f67f722	12	init_system_domain(auditctl_t, auditctl_exec_t)
605ba285 CP	13	role system_r types auditctl_t;
605ba285 CP	14
a2868f6e CP	15	type auditd_etc_t;
a2868f6e CP	16	files_security_file(auditd_etc_t)
605ba285	17
a2868f6e CP	18	type auditd_log_t;
a2868f6e CP	19	files_security_file(auditd_log_t)
3338f231	20	files_security_mountpoint(auditd_log_t)
eb7f9a34	21
49e618c9	22	type audit_spool_t;
0059652b	23	files_spool_file(audit_spool_t)
41b04c2c MG	24	files_security_file(audit_spool_t)
41b04c2c MG	25	files_security_mountpoint(audit_spool_t)
49e618c9	26
eb7f9a34	27	type auditd_t;
e070dd2d	28	type auditd_exec_t;
3f67f722	29	init_daemon_domain(auditd_t, auditd_exec_t)
eb7f9a34	30
cfafe4a7 CP	31	type auditd_initrc_exec_t;
	32	init_script_file(auditd_initrc_exec_t)
	33
eb7f9a34	34	type auditd_var_run_t;
c9428d33	35	files_pid_file(auditd_var_run_t)
eb7f9a34	36
c11057f7 CP	37	type audisp_t;
	38	type audisp_exec_t;
	39	init_system_domain(audisp_t, audisp_exec_t)
	40
	41	type audisp_var_run_t;
	42	files_pid_file(audisp_var_run_t)
	43
	44	type audisp_remote_t;
	45	type audisp_remote_exec_t;
	46	logging_dispatcher_domain(audisp_remote_t, audisp_remote_exec_t)
	47
f0574fa9	48	type devlog_t;
8fd36732	49	files_type(devlog_t)
f0574fa9	50	mls_trusted_object(devlog_t)
4ddc1abd	51
f0574fa9	52	type klogd_t;
4ddc1abd	53	type klogd_exec_t;
3f67f722	54	init_daemon_domain(klogd_t, klogd_exec_t)
4ddc1abd CP	55
4ddc1abd CP	56	type klogd_tmp_t;
c9428d33	57	files_tmp_file(klogd_tmp_t)
4ddc1abd CP	58
4ddc1abd CP	59	type klogd_var_run_t;
c9428d33	60	files_pid_file(klogd_var_run_t)
4ddc1abd	61
eaed904c	62	type syslog_conf_t;
5e4542af	63	files_config_file(syslog_conf_t)
eaed904c	64
4ddc1abd	65	type syslogd_t;
4ddc1abd	66	type syslogd_exec_t;
3f67f722	67	init_daemon_domain(syslogd_t, syslogd_exec_t)
3eaa9939	68	mls_trusted_object(syslogd_t)
4ddc1abd	69
cfafe4a7 CP	70	type syslogd_initrc_exec_t;
	71	init_script_file(syslogd_initrc_exec_t)
	72
4ddc1abd	73	type syslogd_tmp_t;
c9428d33	74	files_tmp_file(syslogd_tmp_t)
4ddc1abd	75
eaed904c CP	76	type syslogd_var_lib_t;
	77	files_type(syslogd_var_lib_t)
	78
4ddc1abd	79	type syslogd_var_run_t;
c9428d33	80	files_pid_file(syslogd_var_run_t)
4ddc1abd	81
31a1c2df CP	82	type var_log_t;
31a1c2df CP	83	logging_log_file(var_log_t)
d6d16b97	84	files_mountpoint(var_log_t)
4ddc1abd	85
e070dd2d	86	ifdef(`enable_mls',`
c11057f7 CP	87	init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
c11057f7 CP	88	init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
e070dd2d CP	89	')
e070dd2d CP	90
eb7f9a34 CP	91	########################################
eb7f9a34 CP	92	#
14add30d	93	# Auditctl local policy
eb7f9a34 CP	94	#
eb7f9a34 CP	95
eaed904c CP	96	allow auditctl_t self:capability { fsetid dac_read_search dac_override };
eaed904c CP	97	allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
605ba285	98
3f67f722	99	read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
c0868a7a	100	allow auditctl_t auditd_etc_t:dir list_dir_perms;
605ba285	101
165b42d2 CP	102	# Needed for adding watches
165b42d2 CP	103	files_getattr_all_dirs(auditctl_t)
14add30d	104	files_getattr_all_files(auditctl_t)
165b42d2 CP	105	files_read_etc_files(auditctl_t)
165b42d2 CP	106
445522dc	107	kernel_read_kernel_sysctls(auditctl_t)
3c8f6b1a	108	kernel_read_proc_symlinks(auditctl_t)
7a8807b6	109	kernel_setsched(auditctl_t)
605ba285	110
3c8f6b1a	111	domain_read_all_domains_state(auditctl_t)
15722ec9	112	domain_use_interactive_fds(auditctl_t)
605ba285	113
f8233ab7	114	mls_file_read_all_levels(auditctl_t)
bf080a46	115
af2d8802	116	term_use_all_inherited_terms(auditctl_t)
b0d2243c	117
1c1ac67f	118	init_dontaudit_use_fds(auditctl_t)
605ba285	119
1c1ac67f	120	locallogin_dontaudit_use_fds(auditctl_t)
605ba285	121
eaed904c	122	logging_set_audit_parameters(auditctl_t)
2db2c7d0 CP	123	logging_send_syslog_msg(auditctl_t)
2db2c7d0 CP	124
605ba285 CP	125	########################################
	126	#
	127	# Auditd local policy
	128	#
	129
eaed904c	130	allow auditd_t self:capability { chown fsetid sys_nice sys_resource };
eb7f9a34	131	dontaudit auditd_t self:capability sys_tty_config;
7a8807b6	132	allow auditd_t self:process { getcap signal_perms setcap setpgid setsched };
0b36a214	133	allow auditd_t self:file rw_file_perms;
605ba285	134	allow auditd_t self:unix_dgram_socket create_socket_perms;
7a8807b6	135	allow auditd_t self:fifo_file rw_fifo_file_perms;
06099da6	136	allow auditd_t self:tcp_socket create_stream_socket_perms;
605ba285	137
c0868a7a	138	allow auditd_t auditd_etc_t:dir list_dir_perms;
ef659a47	139	allow auditd_t auditd_etc_t:file read_file_perms;
eb7f9a34	140
3f67f722 CP	141	manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
3f67f722 CP	142	manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
c0868a7a	143	allow auditd_t var_log_t:dir search_dir_perms;
eb7f9a34	144
3f67f722 CP	145	manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
	146	manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
	147	files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
eb7f9a34	148
445522dc	149	kernel_read_kernel_sysctls(auditd_t)
522b59bb CP	150	# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
	151	# Probably want a transition, and a new auditd_helper app
	152	kernel_read_system_state(auditd_t)
d35c621e	153
8bd67899	154	dev_read_sysfs(auditd_t)
eb7f9a34	155
0fd9dc55	156	fs_getattr_all_fs(auditd_t)
ab940a4c	157	fs_search_auto_mountpoints(auditd_t)
06099da6	158	fs_rw_anon_inodefs_files(auditd_t)
eb7f9a34	159
d9845ae9 CP	160	selinux_search_fs(auditctl_t)
d9845ae9 CP	161
06099da6 CP	162	corenet_all_recvfrom_unlabeled(auditd_t)
	163	corenet_all_recvfrom_netlabel(auditd_t)
	164	corenet_tcp_sendrecv_generic_if(auditd_t)
c1262146	165	corenet_tcp_sendrecv_generic_node(auditd_t)
06099da6	166	corenet_tcp_sendrecv_all_ports(auditd_t)
c1262146	167	corenet_tcp_bind_generic_node(auditd_t)
06099da6 CP	168	corenet_tcp_bind_audit_port(auditd_t)
	169	corenet_sendrecv_audit_server_packets(auditd_t)
	170
522b59bb CP	171	# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
522b59bb CP	172	# Probably want a transition, and a new auditd_helper app
522b59bb	173	corecmd_exec_bin(auditd_t)
46551033	174	corecmd_exec_shell(auditd_t)
eb7f9a34	175
15722ec9	176	domain_use_interactive_fds(auditd_t)
eb7f9a34	177
8fd36732	178	files_read_etc_files(auditd_t)
603f90ab	179	files_list_usr(auditd_t)
eb7f9a34	180
a5f5eba4	181	init_telinit(auditd_t)
77f6e2cd	182
eaed904c	183	logging_set_audit_parameters(auditd_t)
c9428d33	184	logging_send_syslog_msg(auditd_t)
c11057f7 CP	185	logging_domtrans_dispatcher(auditd_t)
c11057f7 CP	186	logging_signal_dispatcher(auditd_t)
eb7f9a34	187
3eaa9939 DW	188	auth_use_nsswitch(auditd_t)
3eaa9939 DW	189
eb7f9a34 CP	190	miscfiles_read_localization(auditd_t)
eb7f9a34 CP	191
f8233ab7 CP	192	mls_file_read_all_levels(auditd_t)
f8233ab7 CP	193	mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
195551b3	194	mls_socket_write_all_levels(auditd_t)
2db2c7d0 CP	195
2db2c7d0 CP	196	seutil_dontaudit_read_config(auditd_t)
f0574fa9	197
c11057f7 CP	198	sysnet_dns_name_resolve(auditd_t)
c11057f7 CP	199
af2d8802	200	userdom_use_inherited_user_terminals(auditd_t)
15722ec9	201	userdom_dontaudit_use_unpriv_user_fds(auditd_t)
296273a7	202	userdom_dontaudit_search_user_home_dirs(auditd_t)
33acca55	203
12cf805e CP	204	ifdef(`distro_ubuntu',`
	205	optional_policy(`
	206	unconfined_domain(auditd_t)
	207	')
	208	')
	209
c11057f7 CP	210	optional_policy(`
	211	mta_send_mail(auditd_t)
	212	')
	213
bb7170f6	214	optional_policy(`
8fd36732	215	seutil_sigchld_newrole(auditd_t)
eb7f9a34 CP	216	')
eb7f9a34 CP	217
bb7170f6	218	optional_policy(`
c9428d33	219	udev_read_db(auditd_t)
eb7f9a34 CP	220	')
eb7f9a34 CP	221
c11057f7 CP	222	########################################
	223	#
	224	# audit dispatcher local policy
	225	#
	226
7a8807b6 CP	227	allow audisp_t self:capability { dac_override setpcap sys_nice };
	228	allow audisp_t self:process { getcap signal_perms setcap setsched };
	229	allow audisp_t self:fifo_file rw_fifo_file_perms;
c11057f7 CP	230	allow audisp_t self:unix_stream_socket create_stream_socket_perms;
	231	allow audisp_t self:unix_dgram_socket create_socket_perms;
	232
0b36a214	233	allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
c11057f7 CP	234
	235	manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
	236	files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
	237
9c6adc46 MG	238	kernel_read_system_state(audisp_t)
9c6adc46 MG	239
7a8807b6 CP	240	corecmd_exec_bin(audisp_t)
7a8807b6 CP	241	corecmd_exec_shell(audisp_t)
c11057f7 CP	242
	243	domain_use_interactive_fds(audisp_t)
	244
9c6adc46 MG	245	fs_getattr_all_fs(audisp_t)
9c6adc46 MG	246
c11057f7	247	files_read_etc_files(audisp_t)
7a8807b6	248	files_read_etc_runtime_files(audisp_t)
c11057f7	249
3eaa9939	250	mls_file_read_all_levels(audisp_t)
c11057f7	251	mls_file_write_all_levels(audisp_t)
3eaa9939 DW	252	mls_socket_write_all_levels(audisp_t)
	253	mls_dbus_send_all_levels(audisp_t)
	254
	255	auth_use_nsswitch(audisp_t)
c11057f7	256
c11057f7 CP	257	logging_send_syslog_msg(audisp_t)
	258
	259	miscfiles_read_localization(audisp_t)
	260
06099da6 CP	261	sysnet_dns_name_resolve(audisp_t)
06099da6 CP	262
7a8807b6 CP	263	optional_policy(`
7a8807b6 CP	264	dbus_system_bus_client(audisp_t)
3eaa9939 DW	265
	266	optional_policy(`
	267	setroubleshoot_dbus_chat(audisp_t)
	268	')
7a8807b6 CP	269	')
7a8807b6 CP	270
c11057f7 CP	271	########################################
	272	#
	273	# Audit remote logger local policy
	274	#
	275
127d617b	276	allow audisp_remote_t self:capability { setuid setpcap };
3eaa9939	277	allow audisp_remote_t self:process { getcap setcap };
c11057f7	278	allow audisp_remote_t self:tcp_socket create_socket_perms;
3eaa9939 DW	279	allow audisp_remote_t var_log_t:dir search_dir_perms;
3eaa9939 DW	280
49e618c9 DW	281	manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
	282	manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
	283	files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
	284
3eaa9939	285	corecmd_exec_bin(audisp_remote_t)
c11057f7 CP	286
	287	corenet_all_recvfrom_unlabeled(audisp_remote_t)
	288	corenet_all_recvfrom_netlabel(audisp_remote_t)
668b3093	289	corenet_tcp_sendrecv_generic_if(audisp_remote_t)
c1262146	290	corenet_tcp_sendrecv_generic_node(audisp_remote_t)
7a8807b6 CP	291	corenet_tcp_sendrecv_all_ports(audisp_remote_t)
	292	corenet_tcp_bind_audit_port(audisp_remote_t)
	293	corenet_tcp_bind_generic_node(audisp_remote_t)
06099da6 CP	294	corenet_tcp_connect_audit_port(audisp_remote_t)
06099da6 CP	295	corenet_sendrecv_audit_client_packets(audisp_remote_t)
c11057f7 CP	296
	297	files_read_etc_files(audisp_remote_t)
	298
195551b3 DW	299	mls_socket_write_all_levels(audisp_remote_t)
195551b3 DW	300
c11057f7	301	logging_send_syslog_msg(audisp_remote_t)
3eaa9939 DW	302	logging_send_audit_msgs(audisp_remote_t)
	303
	304	auth_use_nsswitch(audisp_remote_t)
ad0767a2	305	auth_append_login_records(audisp_remote_t)
c11057f7 CP	306
	307	miscfiles_read_localization(audisp_remote_t)
	308
3eaa9939 DW	309	init_telinit(audisp_remote_t)
	310	init_read_utmp(audisp_remote_t)
	311	init_dontaudit_write_utmp(audisp_remote_t)
	312
c11057f7 CP	313	sysnet_dns_name_resolve(audisp_remote_t)
c11057f7 CP	314
4ddc1abd CP	315	########################################
	316	#
	317	# klogd local policy
	318	#
	319
2e0a8801 CP	320	allow klogd_t self:capability sys_admin;
	321	dontaudit klogd_t self:capability { sys_resource sys_tty_config };
	322	allow klogd_t self:process signal_perms;
	323
3f67f722 CP	324	manage_dirs_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t)
	325	manage_files_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t)
	326	files_tmp_filetrans(klogd_t, klogd_tmp_t,{ file dir })
daa0e0b0	327
3f67f722 CP	328	manage_files_pattern(klogd_t, klogd_var_run_t, klogd_var_run_t)
3f67f722 CP	329	files_pid_filetrans(klogd_t, klogd_var_run_t, file)
4ddc1abd	330
4ddc1abd	331	kernel_read_system_state(klogd_t)
219bcf7a	332	kernel_read_messages(klogd_t)
445522dc	333	kernel_read_kernel_sysctls(klogd_t)
219bcf7a CP	334	# Control syslog and console logging
	335	kernel_clear_ring_buffer(klogd_t)
	336	kernel_change_ring_buffer_level(klogd_t)
219bcf7a	337
1c1ac67f	338	files_read_kernel_symbol_table(klogd_t)
4ddc1abd	339
f0c985ca	340	dev_read_raw_memory(klogd_t)
d1b9d922	341	dev_read_sysfs(klogd_t)
4ddc1abd	342
0fd9dc55	343	fs_getattr_all_fs(klogd_t)
d1b9d922	344	fs_search_auto_mountpoints(klogd_t)
4ddc1abd	345
15722ec9	346	domain_use_interactive_fds(klogd_t)
b7e1825b	347
c9428d33	348	files_read_etc_runtime_files(klogd_t)
4ddc1abd	349	# read /etc/nsswitch.conf
8fd36732	350	files_read_etc_files(klogd_t)
4ddc1abd	351
c9428d33	352	logging_send_syslog_msg(klogd_t)
4ddc1abd	353
daa0e0b0 CP	354	miscfiles_read_localization(klogd_t)
daa0e0b0 CP	355
f8233ab7	356	mls_file_read_all_levels(klogd_t)
bf080a46	357
296273a7	358	userdom_dontaudit_search_user_home_dirs(klogd_t)
725926c5	359
12cf805e CP	360	ifdef(`distro_ubuntu',`
	361	optional_policy(`
	362	unconfined_domain(klogd_t)
	363	')
	364	')
	365
bb7170f6	366	optional_policy(`
d1b9d922	367	udev_read_db(klogd_t)
98a8ead4	368	')
d1b9d922	369
bb7170f6	370	optional_policy(`
725926c5 CP	371	seutil_sigchld_newrole(klogd_t)
	372	')
	373
4ddc1abd CP	374	########################################
	375	#
	376	# syslogd local policy
	377	#
219bcf7a	378
e9b9e452 CP	379	# chown fsetid for syslog-ng
e9b9e452 CP	380	# sys_admin for the integrated klog of syslog-ng and metalog
0907bda1	381	# cjp: why net_admin!
7a8f1d73	382	allow syslogd_t self:capability { dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid };
55f4564e	383	dontaudit syslogd_t self:capability sys_tty_config;
bb1d4bb0	384	allow syslogd_t self:capability2 syslog;
e9b9e452	385	# setpgid for metalog
8c38fba0	386	# setrlimit for syslog-ng
97e70d54	387	allow syslogd_t self:process { signal_perms getcap setcap setpgid setsched setrlimit };
d115b247	388	# receive messages to be logged
cc41a97c CP	389	allow syslogd_t self:unix_dgram_socket create_socket_perms;
cc41a97c CP	390	allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
d115b247	391	allow syslogd_t self:unix_dgram_socket sendto;
7a8807b6	392	allow syslogd_t self:fifo_file rw_fifo_file_perms;
35a4b349	393	allow syslogd_t self:udp_socket create_socket_perms;
5c45eaed	394	allow syslogd_t self:tcp_socket create_stream_socket_perms;
219bcf7a	395
eaed904c CP	396	allow syslogd_t syslog_conf_t:file read_file_perms;
eaed904c CP	397
605ba285	398	# Create and bind to /dev/log or /var/run/log.
c0868a7a	399	allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
3f67f722	400	files_pid_filetrans(syslogd_t, devlog_t, sock_file)
605ba285	401
55f4564e	402	# create/append log files.
3f67f722 CP	403	manage_files_pattern(syslogd_t, var_log_t, var_log_t)
3f67f722 CP	404	rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
3f335a42	405	files_search_spool(syslogd_t)
14add30d	406
605ba285 CP	407	# Allow access for syslog-ng
605ba285 CP	408	allow syslogd_t var_log_t:dir { create setattr };
4ddc1abd	409
55f4564e	410	# manage temporary files
3f67f722 CP	411	manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
	412	manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
	413	files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
3b857eae	414
3eaa9939	415	manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
eaed904c CP	416	manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
	417	files_search_var_lib(syslogd_t)
	418
3eaa9939 DW	419	manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
	420	manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
	421	manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
	422	files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir })
	423
55f4564e	424	# manage pid file
3f67f722 CP	425	manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
3f67f722 CP	426	files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
55f4564e	427
c11057f7	428	kernel_read_system_state(syslogd_t)
445522dc	429	kernel_read_kernel_sysctls(syslogd_t)
a42ca7eb	430	kernel_read_proc_symlinks(syslogd_t)
605ba285	431	# Allow access to /proc/kmsg for syslog-ng
d3f715d2 CP	432	kernel_read_messages(syslogd_t)
	433	kernel_clear_ring_buffer(syslogd_t)
	434	kernel_change_ring_buffer_level(syslogd_t)
219bcf7a	435
19006686 CP	436	corenet_all_recvfrom_unlabeled(syslogd_t)
19006686 CP	437	corenet_all_recvfrom_netlabel(syslogd_t)
668b3093	438	corenet_udp_sendrecv_generic_if(syslogd_t)
c1262146	439	corenet_udp_sendrecv_generic_node(syslogd_t)
0fd9dc55	440	corenet_udp_sendrecv_all_ports(syslogd_t)
c1262146	441	corenet_udp_bind_generic_node(syslogd_t)
a524921a	442	corenet_udp_bind_syslogd_port(syslogd_t)
6b19be33	443	# syslog-ng can listen and connect on tcp port 514 (rsh)
668b3093	444	corenet_tcp_sendrecv_generic_if(syslogd_t)
c1262146	445	corenet_tcp_sendrecv_generic_node(syslogd_t)
6b19be33	446	corenet_tcp_sendrecv_all_ports(syslogd_t)
c1262146	447	corenet_tcp_bind_generic_node(syslogd_t)
6b19be33 CP	448	corenet_tcp_bind_rsh_port(syslogd_t)
6b19be33 CP	449	corenet_tcp_connect_rsh_port(syslogd_t)
5f5b7a1e CP	450	# Allow users to define additional syslog ports to connect to
	451	corenet_tcp_bind_syslogd_port(syslogd_t)
	452	corenet_tcp_connect_syslogd_port(syslogd_t)
c11057f7 CP	453	corenet_tcp_connect_postgresql_port(syslogd_t)
c11057f7 CP	454	corenet_tcp_connect_mysqld_port(syslogd_t)
6b19be33	455
35a4b349 CP	456	# syslog-ng can send or receive logs
	457	corenet_sendrecv_syslogd_client_packets(syslogd_t)
	458	corenet_sendrecv_syslogd_server_packets(syslogd_t)
c11057f7 CP	459	corenet_sendrecv_postgresql_client_packets(syslogd_t)
c11057f7 CP	460	corenet_sendrecv_mysqld_client_packets(syslogd_t)
219bcf7a	461
3f67f722	462	dev_filetrans(syslogd_t, devlog_t, sock_file)
c11057f7	463	dev_read_sysfs(syslogd_t)
3eaa9939	464	dev_read_rand(syslogd_t)
6712da05 MG	465	# relating to systemd-kmsg-syslogd
6712da05 MG	466	dev_write_kmsg(syslogd_t)
55f4564e	467
24eccc63	468	domain_read_all_domains_state(syslogd_t)
15722ec9	469	domain_use_interactive_fds(syslogd_t)
15b2e336	470	domain_read_all_domains_state(syslogd_t)
25baab18	471
8fd36732	472	files_read_etc_files(syslogd_t)
c11057f7	473	files_read_usr_files(syslogd_t)
14add30d	474	files_read_var_files(syslogd_t)
77f6e2cd	475	files_read_etc_runtime_files(syslogd_t)
605ba285	476	# /initrd is not umounted before minilog starts
9e04f5c5	477	files_dontaudit_search_isid_type_dirs(syslogd_t)
c11057f7 CP	478	files_read_kernel_symbol_table(syslogd_t)
	479
	480	fs_getattr_all_fs(syslogd_t)
	481	fs_search_auto_mountpoints(syslogd_t)
	482
	483	mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
	484
	485	term_write_console(syslogd_t)
	486	# Allow syslog to a terminal
	487	term_write_unallocated_ttys(syslogd_t)
	488
1ac1e26d	489	init_stream_connect(syslogd_t)
c11057f7 CP	490	# for sending messages to logged in users
	491	init_read_utmp(syslogd_t)
	492	init_dontaudit_write_utmp(syslogd_t)
c3c753f7	493	term_write_all_ttys(syslogd_t)
c11057f7 CP	494
	495	auth_use_nsswitch(syslogd_t)
	496
	497	init_use_fds(syslogd_t)
219bcf7a	498
b0bdeb03 CP	499	# cjp: this doesnt make sense
	500	logging_send_syslog_msg(syslogd_t)
	501
219bcf7a CP	502	miscfiles_read_localization(syslogd_t)
219bcf7a CP	503
15722ec9	504	userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
296273a7	505	userdom_dontaudit_search_user_home_dirs(syslogd_t)
daa0e0b0	506
ce6bf7cc CP	507	ifdef(`distro_gentoo',`
	508	# default gentoo syslog-ng config appends kernel
	509	# and high priority messages to /dev/tty12
	510	term_append_unallocated_ttys(syslogd_t)
	511	term_dontaudit_setattr_unallocated_ttys(syslogd_t)
	512	')
	513
605ba285	514	ifdef(`distro_suse',`
a5f339f1	515	# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
3f67f722	516	files_var_lib_filetrans(syslogd_t, devlog_t, sock_file)
a5f339f1 CP	517	')
a5f339f1 CP	518
12cf805e CP	519	ifdef(`distro_ubuntu',`
	520	optional_policy(`
	521	unconfined_domain(syslogd_t)
	522	')
	523	')
	524
7a8807b6 CP	525	optional_policy(`
	526	bind_search_cache(syslogd_t)
	527	')
	528
bb7170f6	529	optional_policy(`
9b06402e CP	530	inn_manage_log(syslogd_t)
	531	')
	532
7a8807b6 CP	533	optional_policy(`
	534	mysql_stream_connect(syslogd_t)
	535	')
	536
5505450b DW	537	optional_policy(`
	538	plymouthd_manage_log(syslogd_t)
	539	')
	540
bb7170f6	541	optional_policy(`
c11057f7	542	postgresql_stream_connect(syslogd_t)
77f6e2cd CP	543	')
77f6e2cd CP	544
bb7170f6	545	optional_policy(`
8fd36732	546	seutil_sigchld_newrole(syslogd_t)
25baab18 CP	547	')
25baab18 CP	548
3eaa9939 DW	549	optional_policy(`
	550	daemontools_search_svc_dir(syslogd_t)
	551	')
	552
bb7170f6	553	optional_policy(`
c9428d33	554	udev_read_db(syslogd_t)
25baab18 CP	555	')
25baab18 CP	556
413982c6 CP	557	optional_policy(`
	558	# log to the xconsole
	559	xserver_rw_console(syslogd_t)
	560	')