1 ## <summary>Policy for the kernel message logger and system logging daemon.</summary>
3 ########################################
5 ## Make the specified type usable for log files
10 ## Make the specified type usable for log files in a filesystem.
11 ## This will also make the type usable for files, making
12 ## calls to files_type() redundant. Failure to use this interface
13 ## for a log file type may result in problems with log
14 ## rotation, log analysis, and log monitoring programs.
17 ## Related interfaces:
20 ## <li>logging_log_filetrans()</li>
23 ## Example usage with a domain that can create
24 ## and append to a private log file stored in the
25 ## general directories (e.g., /var/log):
29 ## logging_log_file(mylogfile_t)
30 ## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
31 ## logging_log_filetrans(mydomain_t, mylogfile_t, file)
34 ## <param name="type">
36 ## Type to be used for files.
39 ## <infoflow type="none"/>
interface(`logging_log_file',`
# Log files may be placed on tmp / tmpfs-backed filesystems.
files_associate_tmp($1)
fs_associate_tmpfs($1)
# The logfile attribute is what every logging_*_all_logs() interface in
# this file keys on; a log type without it is invisible to the rotation,
# analysis and monitoring domains that use those interfaces.
typeattribute $1 logfile;
52 #######################################
54 ## Send audit messages.
56 ## <param name="domain">
58 ## Domain allowed access.
interface(`logging_send_audit_msgs',`
# Emit user-space audit records: audit_write plus relaying messages over
# the domain's own netlink audit socket. audit_control (the capability
# logging_set_audit_parameters() grants for changing audit configuration)
# is deliberately not included here.
allow $1 self:capability audit_write;
allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
67 #######################################
69 ## dontaudit attempts to send audit messages.
71 ## <param name="domain">
73 ## Domain to not audit.
interface(`logging_dontaudit_send_audit_msgs',`
# Silence (without granting) exactly the accesses that
# logging_send_audit_msgs() allows.
dontaudit $1 self:capability audit_write;
dontaudit $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
82 ########################################
86 ## <param name="domain">
88 ## Domain allowed access.
interface(`logging_set_loginuid',`
# audit_control is broader than the interface name suggests: it is the
# same capability logging_set_audit_parameters() uses for changing audit
# configuration. Grant this only to login-style domains that must set
# the audit loginuid.
allow $1 self:capability audit_control;
allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
97 ########################################
101 ## <param name="domain">
103 ## Domain allowed access.
interface(`logging_set_tty_audit',`
# Only the tty-audit netlink message type is allowed; no audit
# capability is granted by this interface.
allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_tty_audit };
111 ########################################
115 ## <param name="domain">
117 ## Domain allowed access.
interface(`logging_set_audit_parameters',`
# Both audit capabilities, plus the ability to create (not merely use an
# inherited) netlink audit socket. This is the audit-configuration
# privilege; keep it to auditd/auditctl-type domains.
allow $1 self:capability { audit_write audit_control };
# NOTE(review): only nlmsg_relay is allowed on the socket; confirm the
# callers' configuration changes do not also require nlmsg_write.
allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
126 ########################################
128 ## Read the audit log.
130 ## <param name="domain">
132 ## Domain allowed access.
interface(`logging_read_audit_log',`
# Read-only: list the audit log directory and read its files. No
# write/append, so a caller cannot alter audit history through this.
read_files_pattern($1, auditd_log_t, auditd_log_t)
allow $1 auditd_log_t:dir list_dir_perms;
147 ########################################
149 ## Execute auditctl in the auditctl domain.
151 ## <param name="domain">
153 ## Domain allowed to transition.
interface(`logging_domtrans_auditctl',`
type auditctl_t, auditctl_exec_t;
# Transition only; the caller's role must separately be authorized for
# auditctl_t (see logging_run_auditctl()) for the transition to be usable.
domtrans_pattern($1, auditctl_exec_t, auditctl_t)
165 ########################################
167 ## Execute auditctl in the auditctl domain, and
168 ## allow the specified role the auditctl domain.
170 ## <param name="domain">
172 ## Domain allowed to transition.
175 ## <param name="role">
177 ## Role allowed access.
interface(`logging_run_auditctl',`
logging_domtrans_auditctl($1)
# Authorize the role for the target domain, without which the
# transition above is denied at exec time.
role $2 types auditctl_t;
191 ########################################
193 ## Execute auditd in the auditd domain.
195 ## <param name="domain">
197 ## Domain allowed to transition.
interface(`logging_domtrans_auditd',`
type auditd_t, auditd_exec_t;
# Transition only; pair with a role authorization (logging_run_auditd())
# when a user role needs to start the daemon directly.
domtrans_pattern($1, auditd_exec_t, auditd_t)
209 ########################################
211 ## Execute auditd in the auditd domain, and
212 ## allow the specified role the auditd domain.
214 ## <param name="domain">
216 ## Domain allowed to transition.
219 ## <param name="role">
221 ## Role allowed access.
interface(`logging_run_auditd',`
logging_domtrans_auditd($1)
# Role authorization for the daemon domain.
role $2 types auditd_t;
234 ########################################
## Connect to auditd over a unix stream socket (deprecated; use logging_stream_connect_dispatcher()).
238 ## <param name="domain">
240 ## Domain allowed access.
interface(`logging_stream_connect_auditd',`
# Kept for backward compatibility: emits a policy-build warning and
# grants exactly what logging_stream_connect_dispatcher() grants.
refpolicywarn(`$0($*) has been deprecated, logging_stream_connect_dispatcher() should be used instead.')
logging_stream_connect_dispatcher($1)
249 ########################################
251 ## Execute a domain transition to run the audit dispatcher.
253 ## <param name="domain">
255 ## Domain allowed to transition.
interface(`logging_domtrans_dispatcher',`
type audisp_t, audisp_exec_t;
# Transition into the audit dispatcher domain on exec of its binary.
domtrans_pattern($1, audisp_exec_t, audisp_t)
267 ########################################
269 ## Signal the audit dispatcher.
271 ## <param name="domain">
273 ## Domain allowed access.
interface(`logging_signal_dispatcher',`
# Generic signal only; sigkill/sigstop are not included.
allow $1 audisp_t:process signal;
285 ########################################
287 ## Create a domain for processes
288 ## which can be started by the system audit dispatcher
290 ## <param name="domain">
292 ## Type to be used as a domain.
295 ## <param name="entry_point">
297 ## Type of the program to be used as an entry point to this domain.
interface(`logging_dispatcher_domain',`
# $2 is the entry point executable of the new plugin domain $1.
domain_entry_file($1, $2)
# Plugin domains always run in the system role.
role system_r types $1;
# The dispatcher starts the plugin and may stop or kill it.
domtrans_pattern(audisp_t, $2, $1)
allow audisp_t $1:process { sigkill sigstop signull signal };
allow audisp_t $2:file getattr;
# The plugin reads/writes a dispatcher stream socket it already holds;
# no connectto is granted here, so presumably this is an inherited
# descriptor - confirm against the dispatcher's plugin setup.
allow $1 audisp_t:unix_stream_socket rw_socket_perms;
319 ########################################
321 ## Connect to the audit dispatcher over an unix stream socket.
323 ## <param name="domain">
325 ## Domain allowed access.
interface(`logging_stream_connect_dispatcher',`
type audisp_t, audisp_var_run_t;
# The socket file lives under the pid directory; connect to audisp_t
# through the audisp_var_run_t sock_file.
files_search_pids($1)
stream_connect_pattern($1, audisp_var_run_t, audisp_var_run_t, audisp_t)
338 ########################################
340 ## Manage the auditd configuration files.
342 ## <param name="domain">
344 ## Domain allowed access.
interface(`logging_manage_audit_config',`
# Create/write/delete audit configuration files (directory management
# is not included). A domain with this can change what gets audited,
# so restrict it to the audit tooling and administrators.
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
358 ########################################
360 ## Manage the audit log.
362 ## <param name="domain">
364 ## Domain allowed access.
interface(`logging_manage_audit_log',`
# Full control of audit log directories and files, including deletion;
# this is the ability to erase audit history, not just read it.
manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
manage_files_pattern($1, auditd_log_t, auditd_log_t)
379 ########################################
381 ## Execute klogd in the klog domain.
383 ## <param name="domain">
385 ## Domain allowed to transition.
interface(`logging_domtrans_klog',`
type klogd_t, klogd_exec_t;
# Search the bin directories to reach the executable, then transition.
corecmd_search_bin($1)
domtrans_pattern($1, klogd_exec_t, klogd_t)
398 ########################################
400 ## Check if syslogd is executable.
402 ## <param name="domain">
404 ## Domain allowed access.
interface(`logging_check_exec_syslog',`
corecmd_read_bin_symlinks($1)
# file:execute only - neither execute_no_trans nor a domain transition
# is granted, so this serves an executability check on the syslogd binary
# and is not by itself enough to run syslogd in the caller's domain
# (see logging_domtrans_syslog()).
allow $1 syslogd_exec_t:file execute;
418 ########################################
420 ## Execute syslogd in the syslog domain.
422 ## <param name="domain">
424 ## Domain allowed to transition.
interface(`logging_domtrans_syslog',`
type syslogd_t, syslogd_exec_t;
# Search the bin directories to reach the executable, then transition.
corecmd_search_bin($1)
domtrans_pattern($1, syslogd_exec_t, syslogd_t)
437 ########################################
439 ## Create an object in the log directory, with a private type.
443 ## Allow the specified domain to create an object
444 ## in the general system log directories (e.g., /var/log)
445 ## with a private type. Typically this is used for creating
446 ## private log files in /var/log with the private type instead
447 ## of the general system log type. To accomplish this goal,
448 ## either the program must be SELinux-aware, or use this interface.
451 ## Related interfaces:
454 ## <li>logging_log_file()</li>
457 ## Example usage with a domain that can create
458 ## and append to a private log file stored in the
459 ## general directories (e.g., /var/log):
463 ## logging_log_file(mylogfile_t)
464 ## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
465 ## logging_log_filetrans(mydomain_t, mylogfile_t, file)
468 ## <param name="domain">
470 ## Domain allowed access.
473 ## <param name="private type">
475 ## The type of the object to be created.
478 ## <param name="object">
480 ## The object class of the object being created.
483 ## <infoflow type="write" weight="10"/>
interface(`logging_log_filetrans',`
# Objects of class $3 created by $1 inside var_log_t directories are
# labeled $2 instead of var_log_t. $2 should itself be declared with
# logging_log_file() so log rotation/analysis domains can still reach it.
filetrans_pattern($1, var_log_t, $2, $3)
494 ########################################
496 ## Send system log messages.
500 ## Allow the specified domain to connect to the
## system log service (syslog) so that messages can be added to
502 ## the system logs. Typically this is used by services
503 ## that do not have their own log file in /var/log.
506 ## This does not allow messages to be sent to
507 ## the auditing system.
510 ## Programs which use the libc function syslog() will
511 ## require this access.
514 ## Related interfaces:
517 ## <li>logging_send_audit_msgs()</li>
520 ## <param name="domain">
522 ## Domain allowed access.
interface(`logging_send_syslog_msg',`
type syslogd_t, devlog_t;
# Reach the log socket file, which may be a symlink.
allow $1 devlog_t:lnk_file read_lnk_file_perms;
allow $1 devlog_t:sock_file write_sock_file_perms;
# the type of socket depends on the syslog daemon
allow $1 syslogd_t:unix_dgram_socket sendto;
allow $1 syslogd_t:unix_stream_socket connectto;
allow $1 self:unix_dgram_socket create_socket_perms;
allow $1 self:unix_stream_socket create_socket_perms;
# If syslog is down, the glibc syslog() function
# will write to the console.
# Note this grants console write to every caller of this interface;
# the read side is only dontaudited (presumably the console open
# requests read as well), not allowed.
term_write_console($1)
term_dontaudit_read_console($1)
546 ########################################
## Create the syslog socket file (devlog_t) in the device directory.
550 ## <param name="domain">
552 ## Domain allowed access.
interface(`logging_create_devlog_dev',`
# Create/remove the devlog_t socket file and have sock_files created in
# the device directory labeled devlog_t. This is a socket-creation
# privilege for the log daemon, not a client connect permission.
allow $1 devlog_t:sock_file manage_sock_file_perms;
dev_filetrans($1, devlog_t, sock_file)
565 ########################################
567 ## Connect to the syslog control unix stream socket.
569 ## <param name="domain">
571 ## Domain allowed access.
interface(`logging_stream_connect_syslog',`
type syslogd_t, syslogd_var_run_t;
# Connect to syslogd_t through its sock_file under the pid directory.
files_search_pids($1)
stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
584 ########################################
586 ## Read the auditd configuration files.
588 ## <param name="domain">
590 ## Domain allowed access.
interface(`logging_read_audit_config',`
# Read-only access to the audit configuration directory and files.
read_files_pattern($1, auditd_etc_t, auditd_etc_t)
allow $1 auditd_etc_t:dir list_dir_perms;
605 ########################################
607 ## dontaudit search of auditd configuration files.
609 ## <param name="domain">
611 ## Domain to not audit.
interface(`logging_dontaudit_search_audit_config',`
# Suppress denials only; nothing is granted.
dontaudit $1 auditd_etc_t:dir search_dir_perms;
624 ########################################
626 ## Read syslog configuration files.
628 ## <param name="domain">
630 ## Domain allowed access.
interface(`logging_read_syslog_config',`
# File read only; search of the enclosing configuration directory is
# not granted here and must come from the caller.
allow $1 syslog_conf_t:file read_file_perms;
643 ########################################
645 ## Allows the domain to open a file in the
646 ## log directory, but does not allow the listing
647 ## of the contents of the log directory.
649 ## <param name="domain">
651 ## Domain allowed access.
interface(`logging_search_logs',`
# search only: path lookup through /var/log without listing it.
allow $1 var_log_t:dir search_dir_perms;
664 #######################################
666 ## Do not audit attempts to search the var log directory.
668 ## <param name="domain">
670 ## Domain not to audit.
interface(`logging_dontaudit_search_logs',`
# Suppress denials only; nothing is granted.
dontaudit $1 var_log_t:dir search_dir_perms;
682 #######################################
684 ## List the contents of the generic log directory (/var/log).
686 ## <param name="domain">
688 ## Domain allowed access.
interface(`logging_list_logs',`
# Directory listing of var_log_t; no access to the files themselves.
allow $1 var_log_t:dir list_dir_perms;
701 #######################################
703 ## Read and write the generic log directory (/var/log).
705 ## <param name="domain">
707 ## Domain allowed access.
interface(`logging_rw_generic_log_dirs',`
# Add/remove entries in var_log_t directories; file contents are not
# covered by this interface.
allow $1 var_log_t:dir rw_dir_perms;
720 #######################################
722 ## Set attributes on all log dirs.
724 ## <param name="domain">
726 ## Domain allowed access.
interface(`logging_setattr_all_log_dirs',`
# setattr on every directory carrying the logfile attribute.
allow $1 logfile:dir setattr;
739 ########################################
## Do not audit attempts to get the attributes
744 ## <param name="domain">
746 ## Domain to not audit.
interface(`logging_dontaudit_getattr_all_logs',`
# Suppress getattr denials on all logfile-typed files; nothing granted.
dontaudit $1 logfile:file getattr;
758 ########################################
760 ## Append to all log files.
762 ## <param name="domain">
764 ## Domain allowed access.
interface(`logging_append_all_logs',`
# Open-for-append on every logfile-typed file. Intended as append, not
# write: existing log content should not be rewritable through this.
append_files_pattern($1, logfile, logfile)
778 ########################################
## Append to all log files through an inherited file descriptor (no open permission).
782 ## <param name="domain">
784 ## Domain allowed access.
interface(`logging_inherit_append_all_logs',`
# No open permission: this only covers log file descriptors the domain
# inherited (e.g. from a parent that opened the log), not opening logs.
allow $1 logfile:file { getattr append ioctl lock };
796 ########################################
798 ## Read all log files.
800 ## <param name="domain">
802 ## Domain allowed access.
interface(`logging_read_all_logs',`
# Read every type marked with logging_log_file(); logs frequently carry
# sensitive data, so this is a broad disclosure grant.
allow $1 logfile:dir list_dir_perms;
read_files_pattern($1, logfile, logfile)
817 ########################################
819 ## Execute all log files in the caller domain.
821 ## <param name="domain">
823 ## Domain allowed access.
# cjp: not sure why this is needed. This was added
# because of logrotate.
# Review note: executing log content is unusual - log files carry
# attacker-influenced data - so this should stay confined to the
# logrotate-style domain that motivated it.
interface(`logging_exec_all_logs',`
allow $1 logfile:dir list_dir_perms;
# Execute in the caller's own domain; no domain transition occurs.
can_exec($1, logfile)
839 ########################################
## Read and write all log files.
843 ## <param name="domain">
845 ## Domain allowed access.
interface(`logging_rw_all_logs',`
# Read and write (including overwrite) every logfile-typed file.
rw_files_pattern($1, logfile, logfile)
858 ########################################
860 ## Create, read, write, and delete all log files.
862 ## <param name="domain">
864 ## Domain allowed access.
interface(`logging_manage_all_logs',`
# Create/write/delete every logfile-typed file and symlink: a domain
# with this can remove or alter any log on the system.
manage_files_pattern($1, logfile, logfile)
manage_lnk_files_pattern($1, logfile, logfile)
879 ########################################
881 ## Read generic log files.
883 ## <param name="domain">
885 ## Domain allowed access.
interface(`logging_read_generic_logs',`
# Read-only access limited to var_log_t (not private log types).
allow $1 var_log_t:dir list_dir_perms;
read_files_pattern($1, var_log_t, var_log_t)
900 ########################################
902 ## Link generic log files.
904 ## <param name="domain">
906 ## Domain allowed access.
interface(`logging_link_generic_logs',`
# Hard-link permission on var_log_t files only.
allow $1 var_log_t:file link;
919 ########################################
921 ## Delete generic log files.
923 ## <param name="domain">
925 ## Domain allowed access.
interface(`logging_delete_generic_logs',`
# unlink only; the caller still needs write access to the directory.
allow $1 var_log_t:file unlink;
938 ########################################
940 ## Write generic log files.
942 ## <param name="domain">
944 ## Domain allowed access.
interface(`logging_write_generic_logs',`
# Write (not read) var_log_t files, plus listing the directory.
allow $1 var_log_t:dir list_dir_perms;
write_files_pattern($1, var_log_t, var_log_t)
958 ########################################
## Do not audit attempts to write generic log files.
962 ## <param name="domain">
964 ## Domain to not audit.
interface(`logging_dontaudit_write_generic_logs',`
# Suppress write denials only; nothing granted.
dontaudit $1 var_log_t:file write;
976 ########################################
978 ## Read and write generic log files.
980 ## <param name="domain">
982 ## Domain allowed access.
interface(`logging_rw_generic_logs',`
# Read and write var_log_t files; no create/delete.
allow $1 var_log_t:dir list_dir_perms;
rw_files_pattern($1, var_log_t, var_log_t)
996 ########################################
998 ## Create, read, write, and delete
999 ## generic log files.
1001 ## <param name="domain">
1003 ## Domain allowed access.
interface(`logging_manage_generic_logs',`
# Search /var to reach the log directory, then full file management
# (create/write/delete) of var_log_t files.
files_search_var($1)
manage_files_pattern($1, var_log_t, var_log_t)
1017 ########################################
1019 ## All of the rules required to administrate
1020 ## the audit environment
1022 ## <param name="domain">
1024 ## Domain allowed access.
1027 ## <param name="role">
1029 ## User role allowed access.
interface(`logging_admin_audit',`
type auditd_t, auditd_etc_t, auditd_log_t;
type auditd_var_run_t;
type auditd_initrc_exec_t;
# ptrace on auditd_t lets the admin attach to the audit daemon and
# inspect/alter its memory - much more than stop/restart. Review whether
# signal_perms alone suffices for the intended administrators.
allow $1 auditd_t:process { ptrace signal_perms };
ps_process_pattern($1, auditd_t)
# Full control of audit configuration, logs and runtime files: this
# admin can rewrite audit rules and remove audit history.
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
manage_files_pattern($1, auditd_log_t, auditd_log_t)
manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
# Run auditctl in its own domain from role $2.
logging_run_auditctl($1, $2)
# Start/stop the daemon via its init script, which runs in system_r.
init_labeled_script_domtrans($1, auditd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 auditd_initrc_exec_t system_r;
1061 ########################################
1063 ## All of the rules required to administrate
1064 ## the syslog environment
1066 ## <param name="domain">
1068 ## Domain allowed access.
1071 ## <param name="role">
1073 ## User role allowed access.
interface(`logging_admin_syslog',`
type syslogd_t, klogd_t, syslog_conf_t;
type syslogd_tmp_t, syslogd_var_lib_t;
type syslogd_var_run_t, klogd_var_run_t;
type klogd_tmp_t, var_log_t;
type syslogd_initrc_exec_t;
# CAP_SYSLOG: syslog(2)/dmesg-style access to the kernel log buffer.
allow $1 self:capability2 syslog;
# ptrace on both daemons allows attaching a debugger, not merely
# signalling them; review whether signal_perms alone would do.
allow $1 syslogd_t:process { ptrace signal_perms };
allow $1 klogd_t:process { ptrace signal_perms };
ps_process_pattern($1, syslogd_t)
ps_process_pattern($1, klogd_t)
# Runtime and temporary files of both daemons.
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
manage_dirs_pattern($1, klogd_tmp_t, klogd_tmp_t)
manage_files_pattern($1, klogd_tmp_t, klogd_tmp_t)
manage_dirs_pattern($1, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern($1, syslogd_tmp_t, syslogd_tmp_t)
# Syslog configuration, including creating new files in the etc
# directory with the syslog_conf_t type.
manage_dirs_pattern($1, syslog_conf_t, syslog_conf_t)
manage_files_pattern($1, syslog_conf_t, syslog_conf_t)
files_etc_filetrans($1, syslog_conf_t, file)
manage_dirs_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
manage_files_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
manage_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
# Every logfile-typed file plus relabeling between logfile types:
# this admin can alter, remove or re-type any log on the system.
logging_manage_all_logs($1)
allow $1 logfile:dir relabel_dir_perms;
allow $1 logfile:file relabel_file_perms;
# Start/stop via the init script, which runs in system_r.
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 syslogd_initrc_exec_t system_r;
1122 ########################################
1124 ## All of the rules required to administrate
1125 ## the logging environment
1127 ## <param name="domain">
1129 ## Domain allowed access.
1132 ## <param name="role">
1134 ## User role allowed access.
interface(`logging_admin',`
# Union of the audit and syslog admin interfaces; see each for the
# ptrace and log-management privileges it carries.
logging_admin_audit($1, $2)
logging_admin_syslog($1, $2)