# Type enforcement policy for the logrotate domain (logrotate_t).  The
# private types the domain owns are declared first; the local policy then
# grants what logrotate needs to rotate logs belonging to arbitrary
# services and to run the helper programs configured around rotation.
1 policy_module(logrotate, 1.13.0)
2
3 ########################################
4 #
5 # Declarations
6 #
7
# Process domain.  The two exemptions lift the constraints that normally
# block changes to user/role identity of objects and of the system --
# presumably so chown/relabel of other users' logs is permitted; confirm.
8 type logrotate_t;
9 domain_type(logrotate_t)
10 domain_obj_id_change_exemption(logrotate_t)
11 domain_system_change_exemption(logrotate_t)
12 role system_r types logrotate_t;
13
# Entry point: executing a file labelled logrotate_exec_t enters logrotate_t.
14 type logrotate_exec_t;
15 domain_entry_file(logrotate_t, logrotate_exec_t)
16
# Lock file; created under the generic lock directory by the filetrans rule below.
17 type logrotate_lock_t;
18 files_lock_file(logrotate_lock_t)
19
# Private temporary files/directories (see the tmp rules below).
20 type logrotate_tmp_t;
21 files_tmp_file(logrotate_tmp_t)
22
# State kept under /var/lib (see the var_lib rules below).
23 type logrotate_var_lib_t;
24 files_type(logrotate_var_lib_t)
25
26 ########################################
27 #
28 # Local policy
29 #
30
31 # Change ownership on log files.
# chown/fowner/fsetid: change owner, mode and set-id bits of rotated logs.
# dac_override/dac_read_search: read and replace logs owned by other users.
# kill: pairs with domain_signal_all_domains below (signal daemons after
# rotation).  sys_resource/sys_nice: resource-limit and scheduling tweaks;
# which helper needs them is not recorded here.
32 allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
33 # for mailx
# dontaudit: these capabilities are NOT granted, only silenced in the audit
# log when mailx probes for them.
34 dontaudit logrotate_t self:capability { setuid setgid sys_ptrace };
35
# Every process permission except the listed set.  setfscreate is excluded
# here only to be granted explicitly a few lines below, which keeps that
# grant visible to a reader.
36 allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
37
38 # Set a context other than the default one for newly created files.
39 allow logrotate_t self:process setfscreate;
40
# IPC confined to the domain itself (every rule is on self): inherited fds,
# pipes, unix sockets and SysV shm/sem/msgq.  Nothing here crosses a
# domain boundary.
41 allow logrotate_t self:fd use;
42 allow logrotate_t self:fifo_file rw_fifo_file_perms;
43 allow logrotate_t self:unix_dgram_socket create_socket_perms;
44 allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
45 allow logrotate_t self:unix_dgram_socket sendto;
46 allow logrotate_t self:unix_stream_socket connectto;
47 allow logrotate_t self:shm create_shm_perms;
48 allow logrotate_t self:sem create_sem_perms;
49 allow logrotate_t self:msgq create_msgq_perms;
50 allow logrotate_t self:msg { send receive };
51
# Lock file: full management, and new files created in the generic lock
# directory automatically get the private type.
52 allow logrotate_t logrotate_lock_t:file manage_file_perms;
53 files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
54
# NOTE(review): execute permission on a type this domain also creates and
# writes (logrotate_tmp_t, managed just below) -- confirm a helper still
# needs to run files out of tmp before keeping this.
55 can_exec(logrotate_t, logrotate_tmp_t)
56
# Private temp files and directories under the generic tmp directory.
57 manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
58 manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
59 files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
60
61 # for /var/lib/logrotate.status and /var/lib/logcheck
# Directories are only created, files are fully managed; new files under
# /var/lib get the private type automatically.
62 create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
63 manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
64 files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
65
# Read-only kernel state and sysctls.
66 kernel_read_system_state(logrotate_t)
67 kernel_read_kernel_sysctls(logrotate_t)
68
69 dev_read_urand(logrotate_t)
70
71 fs_search_auto_mountpoints(logrotate_t)
72 fs_getattr_xattr_fs(logrotate_t)
73 fs_list_inotifyfs(logrotate_t)
74
# MLS: logs at every sensitivity level may be read and written, and a
# file's level may be raised (upgrade).  This makes logrotate a trusted
# MLS writer; do not widen this set casually.
75 mls_file_read_all_levels(logrotate_t)
76 mls_file_write_all_levels(logrotate_t)
77 mls_file_upgrade(logrotate_t)
78
# Read-only SELinux state (mount point, enforcing mode).
79 selinux_get_fs_mount(logrotate_t)
80 selinux_get_enforce_mode(logrotate_t)
81
# Login records are rotated too; nsswitch for user/group name lookups.
82 auth_manage_login_records(logrotate_t)
83 auth_use_nsswitch(logrotate_t)
84
85 # Run helper programs.
# Generic binaries and shells -- presumably for prerotate/postrotate
# scripts.  This is the broadest execution grant in the module.
86 corecmd_exec_bin(logrotate_t)
87 corecmd_exec_shell(logrotate_t)
88
# System-wide grants: signal any domain (daemons are told to reopen their
# logs after rotation -- presumably) and read every domain's /proc state.
89 domain_signal_all_domains(logrotate_t)
90 domain_use_interactive_fds(logrotate_t)
91 domain_getattr_all_entry_files(logrotate_t)
92 # Read /proc/PID directories for all domains.
93 domain_read_all_domains_state(logrotate_t)
94
# Read-only access to /usr, /etc, pid files and /var/lib; search everywhere
# so per-service log directories can be reached.
95 files_read_usr_files(logrotate_t)
96 files_read_etc_files(logrotate_t)
97 files_read_etc_runtime_files(logrotate_t)
98 files_read_all_pids(logrotate_t)
99 files_search_all(logrotate_t)
100 files_read_var_lib_files(logrotate_t)
101 # Write to /var/spool/slrnpull - should be moved into its own type.
# NOTE(review): generic spool is writable by the whole domain until the
# slrnpull type exists (an optional slrnpull_manage_spool rule is below).
102 files_manage_generic_spool(logrotate_t)
103 files_manage_generic_spool_dirs(logrotate_t)
104 files_getattr_generic_locks(logrotate_t)
105
106 # cjp: why is this needed?
# NOTE(review): likely postrotate scripts that restart services through
# /etc/init.d scripts -- confirm before removing.
107 init_domtrans_script(logrotate_t)
108
# Core function: full management of every log type, plus the ability to
# send syslog and audit messages.
109 logging_manage_all_logs(logrotate_t)
110 logging_send_syslog_msg(logrotate_t)
111 logging_send_audit_msgs(logrotate_t)
112 # cjp: why is this needed?
# NOTE(review): executing log files is unusual for a rotator; if no
# postrotate script depends on it, a dontaudit would be the tighter choice
# -- confirm.
113 logging_exec_all_logs(logrotate_t)
114
115 miscfiles_read_localization(logrotate_t)
116
117 seutil_dontaudit_read_config(logrotate_t)
118
# Terminal and fd use when run by hand from a user session; home
# directories are only listed, not read.
119 userdom_use_user_terminals(logrotate_t)
120 userdom_list_user_home_dirs(logrotate_t)
121 userdom_use_unpriv_users_fds(logrotate_t)
122 userdom_dontaudit_list_admin_dir(logrotate_t)
123
# Entered from the system cron job via logrotate_exec_t.
124 cron_system_entry(logrotate_t, logrotate_exec_t)
125 cron_search_spool(logrotate_t)
126
# Presumably the mail directive of logrotate.conf -- confirm.
127 mta_send_mail(logrotate_t)
128
# Debian-only additions; each is annotated with the helper that needs it.
129 ifdef(`distro_debian', `
# Relabel (not just manage) private tmp files -- presumably for savelog.
130 allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
131 # for savelog
132 can_exec(logrotate_t, logrotate_exec_t)
133
134 # for syslogd-listfiles
135 logging_read_syslog_config(logrotate_t)
136
137 # for "test -x /sbin/syslogd"
138 logging_check_exec_syslog(logrotate_t)
139 ')
140
# Per-service rules, compiled only when the named module is present:
# reading that service's config, reaching its data/log locations, or
# running its control program in its own domain (domtrans) -- presumably
# so postrotate hooks can reload it.
141 optional_policy(`
142 abrt_cache_manage(logrotate_t)
143 ')
144
145 optional_policy(`
146 acct_domtrans(logrotate_t)
147 acct_manage_data(logrotate_t)
148 acct_exec_data(logrotate_t)
149 ')
150
151 optional_policy(`
152 apache_read_config(logrotate_t)
153 apache_domtrans(logrotate_t)
154 apache_signull(logrotate_t)
155 ')
156
157 optional_policy(`
158 asterisk_domtrans(logrotate_t)
159 ')
160
161 optional_policy(`
162 bind_manage_cache(logrotate_t)
163 ')
164
165 optional_policy(`
166 consoletype_exec(logrotate_t)
167 ')
168
169 optional_policy(`
170 cups_domtrans(logrotate_t)
171 ')
172
173 optional_policy(`
174 fail2ban_stream_connect(logrotate_t)
175 ')
176
177 optional_policy(`
178 hostname_exec(logrotate_t)
179 ')
180
181 optional_policy(`
182 icecast_signal(logrotate_t)
183 ')
184
185 optional_policy(`
186 mailman_domtrans(logrotate_t)
187 mailman_search_data(logrotate_t)
188 mailman_manage_log(logrotate_t)
189 ')
190
191 optional_policy(`
192 munin_read_config(logrotate_t)
193 munin_stream_connect(logrotate_t)
194 munin_search_lib(logrotate_t)
195 ')
196
197 optional_policy(`
198 mysql_read_config(logrotate_t)
199 mysql_search_db(logrotate_t)
200 mysql_stream_connect(logrotate_t)
201 ')
202
203 optional_policy(`
204 psad_domtrans(logrotate_t)
205 ')
206
207
208 optional_policy(`
209 samba_exec_log(logrotate_t)
210 ')
211
212 optional_policy(`
213 sssd_domtrans(logrotate_t)
214 ')
215
# Proper spool type for slrnpull; the generic-spool rules above remain
# until every distribution ships this module.
216 optional_policy(`
217 slrnpull_manage_spool(logrotate_t)
218 ')
219
220 optional_policy(`
221 squid_domtrans(logrotate_t)
222 ')
223
# su runs inside logrotate_t itself (su_exec: no domain transition).
# NOTE(review): confirm which postrotate script still needs su.
224 optional_policy(`
225 #Red Hat bug 564565
226 su_exec(logrotate_t)
227 ')
228
229 optional_policy(`
230 varnishd_manage_log(logrotate_t)
231 ')
229 optional_policy(`
230 varnishd_manage_log(logrotate_t)
231 ')