1 ## <summary>Iptables/netfilter userspace logging daemon.</summary>
2
########################################
## <summary>
##	Execute a domain transition to run ulogd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`ulogd_domtrans',`
	gen_require(`
		type ulogd_t, ulogd_exec_t;
	')

	# The entry point is the ulogd_exec_t executable type and the target
	# domain is ulogd_t. The concrete rules come from domtrans_pattern,
	# which is defined outside this file.
	domtrans_pattern($1, ulogd_exec_t, ulogd_t)
')
20
########################################
## <summary>
##	Allow the specified domain to read
##	ulogd configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`ulogd_read_config',`
	gen_require(`
		type ulogd_etc_t;
	')

	# The caller must first be able to traverse the etc directory before
	# it can reach files labeled ulogd_etc_t.
	files_search_etc($1)
	# Read-only access: nothing in this interface grants write, create or
	# delete on ulogd_etc_t. The exact permission set comes from
	# read_files_pattern, which is defined outside this file.
	read_files_pattern($1, ulogd_etc_t, ulogd_etc_t)
')
41
########################################
## <summary>
##	Allow the specified domain to list ulogd's log
##	directories and read ulogd's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`ulogd_read_log',`
	gen_require(`
		type ulogd_var_log_t;
	')

	# Traverse the parent log directory to reach the ulogd log directory.
	logging_search_logs($1)
	# Directory listing is granted explicitly, so the caller can enumerate
	# the log file names as well as read their contents.
	allow $1 ulogd_var_log_t:dir list_dir_perms;
	# Read-only access to the log files. The exact permission set comes
	# from read_files_pattern, which is defined outside this file.
	read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t)
')
62
#######################################
## <summary>
##	Allow the specified domain to search ulogd's log directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ulogd_search_log',`
	gen_require(`
		type ulogd_var_log_t;
	')

	# Traverse the parent log directory to reach the ulogd log directory.
	logging_search_logs($1)
	# Only directory search is granted here: no rule in this interface
	# allows listing the directory or opening any log file.
	allow $1 ulogd_var_log_t:dir search_dir_perms;
')
81
########################################
## <summary>
##	Allow the specified domain to append to ulogd's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`ulogd_append_log',`
	gen_require(`
		type ulogd_var_log_t;
	')

	# Traverse the parent log directory to reach the ulogd log directory.
	logging_search_logs($1)
	# NOTE(review): this grants directory listing, while the sibling
	# ulogd_search_log interface grants only search_dir_perms. Appending to
	# a known file presumably needs search only - confirm that callers rely
	# on listing before tightening this.
	allow $1 ulogd_var_log_t:dir list_dir_perms;
	# Append-only file access: no rule in this interface allows reading,
	# truncating or deleting existing log entries.
	allow $1 ulogd_var_log_t:file append_file_perms;
')
102
########################################
## <summary>
##	All of the rules required to administrate
##	a ulogd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the ulogd domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`ulogd_admin',`
	gen_require(`
		type ulogd_t, ulogd_etc_t;
		type ulogd_var_log_t, ulogd_initrc_exec_t;
		type ulogd_modules_t;
	')

	# Besides signal permissions this grants ptrace on the ulogd_t process.
	# ptrace lets the admin domain inspect and alter the running daemon, so
	# this interface should only be given to trusted administrative domains.
	# NOTE(review): confirm that ptrace is actually required here.
	allow $1 ulogd_t:process { ptrace signal_perms };
	ps_process_pattern($1, ulogd_t)

	# Let the admin run the ulogd init script: executing a file labeled
	# ulogd_initrc_exec_t moves the given role to system_r, and that role
	# is authorised for system_r.
	init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 ulogd_initrc_exec_t system_r;
	allow $2 system_r;

	# admin_pattern is defined outside this file - presumably it grants
	# full management of objects with the given type. Verify its expansion
	# when auditing what an admin domain can change.
	files_search_etc($1)
	admin_pattern($1, ulogd_etc_t)

	# The admin pattern also applies to the ulogd logs, so - if it grants
	# management as presumed above - a domain using this interface is not
	# limited to appending and could rewrite or remove log content. Keep
	# that in mind where these logs serve as audit evidence.
	logging_list_logs($1)
	admin_pattern($1, ulogd_var_log_t)

	# ulogd_modules_t presumably labels code loaded by the daemon - confirm
	# against the file contexts. If so, managing it is equivalent to
	# controlling what runs inside ulogd_t.
	files_search_usr($1)
	admin_pattern($1, ulogd_modules_t)
')