# Reference-policy module for logrotate: declares the logrotate_t domain and
# the file types it owns, then grants the access needed to rotate, compress
# and hand off log files for the services listed at the bottom.
# NOTE(review): this listing is incomplete -- the `type logrotate_t;` and
# `type logrotate_tmp_t;` declarations and the optional_policy() wrappers
# around the per-service rules are not visible here; the original line
# numbers in the left column show the gaps.
1 policy_module(logrotate, 1.13.0)
3 ########################################
#
# Declarations
#
# logrotate_t is a normal system domain.  The two *_exemption interfaces
# relax the policy constraints on changing object identity (owner/label)
# and system state, which the chown/setfscreate rules below rely on.
# NOTE(review): confirm both exemptions are still required; each one
# widens what this domain may do to files it does not own.
9 domain_type(logrotate_t)
10 domain_obj_id_change_exemption(logrotate_t)
11 domain_system_change_exemption(logrotate_t)
12 role system_r types logrotate_t;
# Entry point: executing a logrotate_exec_t file enters logrotate_t.
14 type logrotate_exec_t;
15 domain_entry_file(logrotate_t, logrotate_exec_t)
# Lock file type (files_lock_filetrans below places it under the lock dir).
17 type logrotate_lock_t;
18 files_lock_file(logrotate_lock_t)
# Scratch files; `type logrotate_tmp_t;` is declared on a line not shown here.
21 files_tmp_file(logrotate_tmp_t)
# State kept under /var/lib (see the comment on the var_lib rules below).
23 type logrotate_var_lib_t;
24 files_type(logrotate_var_lib_t)
26 ########################################
#
# Local policy
#
31 # Change ownership on log files.
# dac_override and dac_read_search bypass file permission checks outright,
# and fowner/fsetid/kill extend that to other users' files and processes.
# This is the widest single grant in the module; any capability that a
# current logrotate build no longer needs should be dropped from this set.
32 allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
# These three are denied but the denial is not logged (no AVC record).
34 dontaudit logrotate_t self:capability { setuid setgid sys_ptrace };
# Every process permission except the listed set.  setfscreate is excluded
# here and then granted explicitly on the next rule, so the net effect
# is that only the other seven stay denied.
36 allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
38 # Set a context other than the default one for newly created files.
39 allow logrotate_t self:process setfscreate;
# Intra-process plumbing only: its own fds, fifos, unix sockets and
# SysV IPC objects.
41 allow logrotate_t self:fd use;
42 allow logrotate_t self:fifo_file rw_fifo_file_perms;
43 allow logrotate_t self:unix_dgram_socket create_socket_perms;
44 allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
45 allow logrotate_t self:unix_dgram_socket sendto;
46 allow logrotate_t self:unix_stream_socket connectto;
47 allow logrotate_t self:shm create_shm_perms;
48 allow logrotate_t self:sem create_sem_perms;
49 allow logrotate_t self:msgq create_msgq_perms;
50 allow logrotate_t self:msg { send receive };
# Lock file: full file access plus the transition that labels a file
# created in the lock directory as logrotate_lock_t.
52 allow logrotate_t logrotate_lock_t:file manage_file_perms;
53 files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
# NOTE(review): logrotate_t may execute files of its own tmp type, which
# it can also create and write (manage_files_pattern below).  A type that
# is both writable and executable by the same domain is normally avoided;
# confirm that running something out of tmp is really needed here.
55 can_exec(logrotate_t, logrotate_tmp_t)
# Scratch dirs/files under /tmp, labelled logrotate_tmp_t on creation.
57 manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
58 manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
59 files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
61 # for /var/lib/logrotate.status and /var/lib/logcheck
# Directories may be created but not removed; files get full management.
62 create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
63 manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
64 files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
# Read-only kernel information (/proc system state, sysctls).
66 kernel_read_system_state(logrotate_t)
67 kernel_read_kernel_sysctls(logrotate_t)
# /dev/urandom (presumably for temporary file names -- unconfirmed).
69 dev_read_urand(logrotate_t)
# Filesystem traversal and attribute reads; no write access to fs objects.
71 fs_search_auto_mountpoints(logrotate_t)
72 fs_getattr_xattr_fs(logrotate_t)
73 fs_list_inotifyfs(logrotate_t)
# MLS: logs exist at every sensitivity level, so the domain may read and
# write across all levels and raise a file's level (mls_file_upgrade).
# NOTE(review): on an MLS system this is a deliberate bypass of the
# no-write-down/no-read-up rules; keep it in mind when auditing the domain.
75 mls_file_read_all_levels(logrotate_t)
76 mls_file_write_all_levels(logrotate_t)
77 mls_file_upgrade(logrotate_t)
# Read-only queries of the SELinux filesystem and enforcing mode.
79 selinux_get_fs_mount(logrotate_t)
80 selinux_get_enforce_mode(logrotate_t)
# Login-record files (wtmp and friends) are rotated like any other log;
# NSS is needed for the user/group lookups behind `create <mode> <owner>`.
82 auth_manage_login_records(logrotate_t)
83 auth_use_nsswitch(logrotate_t)
85 # Run helper programs.
# Presumably for prerotate/postrotate/compress commands from the
# configuration -- confirm.  These run inside logrotate_t, so they
# inherit every grant in this file.
86 corecmd_exec_bin(logrotate_t)
87 corecmd_exec_shell(logrotate_t)
# NOTE(review): together with the kill capability above this lets
# postrotate hooks signal any daemon on the system.  Where a per-service
# signal interface exists (see icecast_signal / apache_signull below) it
# is the narrower choice.
89 domain_signal_all_domains(logrotate_t)
90 domain_use_interactive_fds(logrotate_t)
91 domain_getattr_all_entry_files(logrotate_t)
92 # Read /proc/PID directories for all domains.
93 domain_read_all_domains_state(logrotate_t)
# Broad read-only access to the filesystem; files_search_all covers every
# file type, which is what lets it reach logs in arbitrary locations.
95 files_read_usr_files(logrotate_t)
96 files_read_etc_files(logrotate_t)
97 files_read_etc_runtime_files(logrotate_t)
98 files_read_all_pids(logrotate_t)
99 files_search_all(logrotate_t)
100 files_read_var_lib_files(logrotate_t)
101 # Write to /var/spool/slrnpull - should be moved into its own type.
# NOTE(review): slrnpull_manage_spool() is already called further down in
# this file, so these two generic-spool grants may be redundant now;
# confirm and drop them if the slrnpull type covers that path.
102 files_manage_generic_spool(logrotate_t)
103 files_manage_generic_spool_dirs(logrotate_t)
104 files_getattr_generic_locks(logrotate_t)
106 # cjp: why is this needed?
# NOTE(review): probably postrotate hooks that call an init script to
# reload a daemon -- unconfirmed.  It is a domain transition rather than
# an in-domain exec, so the script does not run with logrotate_t's grants.
107 init_domtrans_script(logrotate_t)
# The core purpose of the module: full management of every log type,
# plus syslog/audit messages for its own reporting.
109 logging_manage_all_logs(logrotate_t)
110 logging_send_syslog_msg(logrotate_t)
111 logging_send_audit_msgs(logrotate_t)
112 # cjp: why is this needed?
# NOTE(review): this grants execute on files carrying a log type.  Log
# files are written by many unrelated domains, so an execute permission
# on them is an unusual grant for a rotator; if no configuration depends
# on it, removing this line reduces the domain's exposure.
113 logging_exec_all_logs(logrotate_t)
115 miscfiles_read_localization(logrotate_t)
# Attempts to read the SELinux configuration are denied without logging.
117 seutil_dontaudit_read_config(logrotate_t)
# Terminal and home-directory access for interactive/manual runs.
119 userdom_use_user_terminals(logrotate_t)
120 userdom_list_user_home_dirs(logrotate_t)
121 userdom_use_unpriv_users_fds(logrotate_t)
122 userdom_dontaudit_list_admin_dir(logrotate_t)
# Normal invocation path: started from the system cron job, entering
# logrotate_t via logrotate_exec_t.
124 cron_system_entry(logrotate_t, logrotate_exec_t)
125 cron_search_spool(logrotate_t)
# For the `mail` directive.
127 mta_send_mail(logrotate_t)
# Debian-specific extras; the closing `')` of this ifdef is not visible
# in this listing.
129 ifdef(`distro_debian', `
130 allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
# Re-executing its own binary.
132 can_exec(logrotate_t, logrotate_exec_t)
134 # for syslogd-listfiles
135 logging_read_syslog_config(logrotate_t)
137 # for "test -x /sbin/syslogd"
138 logging_check_exec_syslog(logrotate_t)
# Per-service integration.  In the reference policy each call below sits
# inside its own optional_policy(`...') wrapper so the rule is only
# compiled when that service's module is present; those wrapper lines
# are not shown in this listing.  The *_domtrans calls transition into
# the service's domain (typically to reload it after rotation) instead
# of running the service binary inside logrotate_t.
142 abrt_cache_manage(logrotate_t)
146 acct_domtrans(logrotate_t)
147 acct_manage_data(logrotate_t)
148 acct_exec_data(logrotate_t)
152 apache_read_config(logrotate_t)
153 apache_domtrans(logrotate_t)
154 apache_signull(logrotate_t)
158 asterisk_domtrans(logrotate_t)
162 bind_manage_cache(logrotate_t)
166 consoletype_exec(logrotate_t)
170 cups_domtrans(logrotate_t)
174 fail2ban_stream_connect(logrotate_t)
178 hostname_exec(logrotate_t)
182 icecast_signal(logrotate_t)
186 mailman_domtrans(logrotate_t)
187 mailman_search_data(logrotate_t)
188 mailman_manage_log(logrotate_t)
192 munin_read_config(logrotate_t)
193 munin_stream_connect(logrotate_t)
194 munin_search_lib(logrotate_t)
198 mysql_read_config(logrotate_t)
199 mysql_search_db(logrotate_t)
200 mysql_stream_connect(logrotate_t)
204 psad_domtrans(logrotate_t)
# NOTE(review): like logging_exec_all_logs above, this grants execute on
# a log type; confirm it is exercised before keeping it.
209 samba_exec_log(logrotate_t)
213 sssd_domtrans(logrotate_t)
# Covers the slrnpull spool that the generic-spool rules above also reach.
217 slrnpull_manage_spool(logrotate_t)
221 squid_domtrans(logrotate_t)
230 varnishd_manage_log(logrotate_t)