policy/modules/system/logging.te

   1
   2 policy_module(logging, 1.15.3)
   3
   4 ########################################
   5 #
   6 # Declarations
   7 #
   8
   9 attribute logfile;
  10
  11 type auditctl_t;
  12 type auditctl_exec_t;
  13 init_system_domain(auditctl_t, auditctl_exec_t)
  14 role system_r types auditctl_t;
  15
  16 type auditd_etc_t;
  17 files_security_file(auditd_etc_t)
  18
  19 type auditd_log_t;
  20 files_security_file(auditd_log_t)
  21 files_security_mountpoint(auditd_log_t)
  22
  23 type auditd_t;
  24 type auditd_exec_t;
  25 init_daemon_domain(auditd_t, auditd_exec_t)
  26
  27 type auditd_initrc_exec_t;
  28 init_script_file(auditd_initrc_exec_t)
  29
  30 type auditd_var_run_t;
  31 files_pid_file(auditd_var_run_t)
  32
  33 type audisp_t;
  34 type audisp_exec_t;
  35 init_system_domain(audisp_t, audisp_exec_t)
  36
  37 type audisp_var_run_t;
  38 files_pid_file(audisp_var_run_t)
  39
  40 type audisp_remote_t;
  41 type audisp_remote_exec_t;
  42 logging_dispatcher_domain(audisp_remote_t, audisp_remote_exec_t)
  43
  44 type devlog_t;
  45 files_type(devlog_t)
  46 mls_trusted_object(devlog_t)
  47
  48 type klogd_t;
  49 type klogd_exec_t;
  50 init_daemon_domain(klogd_t, klogd_exec_t)
  51
  52 type klogd_tmp_t;
  53 files_tmp_file(klogd_tmp_t)
  54
  55 type klogd_var_run_t;
  56 files_pid_file(klogd_var_run_t)
  57
  58 type syslog_conf_t;
  59 files_type(syslog_conf_t)
  60
  61 type syslogd_t;
  62 type syslogd_exec_t;
  63 init_daemon_domain(syslogd_t, syslogd_exec_t)
  64
  65 type syslogd_initrc_exec_t;
  66 init_script_file(syslogd_initrc_exec_t)
  67
  68 type syslogd_tmp_t;
  69 files_tmp_file(syslogd_tmp_t)
  70
  71 type syslogd_var_lib_t;
  72 files_type(syslogd_var_lib_t)
  73
  74 type syslogd_var_run_t;
  75 files_pid_file(syslogd_var_run_t)
  76
  77 type var_log_t;
  78 logging_log_file(var_log_t)
  79 files_mountpoint(var_log_t)
  80
  81 ifdef(`enable_mls',`
  82         init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
  83         init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
  84 ')
  85
  86 ########################################
  87 #
  88 # Auditctl local policy
  89 #
  90
  91 allow auditctl_t self:capability { fsetid dac_read_search dac_override };
  92 allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
  93
  94 read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
  95 allow auditctl_t auditd_etc_t:dir list_dir_perms;
  96
  97 # Needed for adding watches
  98 files_getattr_all_dirs(auditctl_t)
  99 files_getattr_all_files(auditctl_t)
 100 files_read_etc_files(auditctl_t)
 101
 102 kernel_read_kernel_sysctls(auditctl_t)
 103 kernel_read_proc_symlinks(auditctl_t)
 104 kernel_setsched(auditctl_t)
 105
 106 domain_read_all_domains_state(auditctl_t)
 107 domain_use_interactive_fds(auditctl_t)
 108
 109 mls_file_read_all_levels(auditctl_t)
 110
 111 term_use_all_terms(auditctl_t)
 112
 113 init_dontaudit_use_fds(auditctl_t)
 114
 115 locallogin_dontaudit_use_fds(auditctl_t)
 116
 117 logging_set_audit_parameters(auditctl_t)
 118 logging_send_syslog_msg(auditctl_t)
 119
 120 ########################################
 121 #
 122 # Auditd local policy
 123 #
 124
 125 allow auditd_t self:capability { chown fsetid sys_nice sys_resource };
 126 dontaudit auditd_t self:capability sys_tty_config;
 127 allow auditd_t self:process { getcap signal_perms setcap setpgid setsched };
 128 allow auditd_t self:file rw_file_perms;
 129 allow auditd_t self:unix_dgram_socket create_socket_perms;
 130 allow auditd_t self:fifo_file rw_fifo_file_perms;
 131 allow auditd_t self:tcp_socket create_stream_socket_perms;
 132
 133 allow auditd_t auditd_etc_t:dir list_dir_perms;
 134 allow auditd_t auditd_etc_t:file read_file_perms;
 135
 136 manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
 137 manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
 138 allow auditd_t var_log_t:dir search_dir_perms;
 139
 140 manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
 141 manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
 142 files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
 143
 144 kernel_read_kernel_sysctls(auditd_t)
 145 # Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
 146 # Probably want a transition, and a new auditd_helper app
 147 kernel_read_system_state(auditd_t)
 148
 149 dev_read_sysfs(auditd_t)
 150
 151 fs_getattr_all_fs(auditd_t)
 152 fs_search_auto_mountpoints(auditd_t)
 153 fs_rw_anon_inodefs_files(auditd_t)
 154
 155 selinux_search_fs(auditctl_t)
 156
 157 corenet_all_recvfrom_unlabeled(auditd_t)
 158 corenet_all_recvfrom_netlabel(auditd_t)
 159 corenet_tcp_sendrecv_generic_if(auditd_t)
 160 corenet_tcp_sendrecv_generic_node(auditd_t)
 161 corenet_tcp_sendrecv_all_ports(auditd_t)
 162 corenet_tcp_bind_generic_node(auditd_t)
 163 corenet_tcp_bind_audit_port(auditd_t)
 164 corenet_sendrecv_audit_server_packets(auditd_t)
 165
 166 # Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
 167 # Probably want a transition, and a new auditd_helper app
 168 corecmd_exec_bin(auditd_t)
 169 corecmd_exec_shell(auditd_t)
 170
 171 domain_use_interactive_fds(auditd_t)
 172
 173 files_read_etc_files(auditd_t)
 174 files_list_usr(auditd_t)
 175
 176 init_telinit(auditd_t)
 177
 178 logging_set_audit_parameters(auditd_t)
 179 logging_send_syslog_msg(auditd_t)
 180 logging_domtrans_dispatcher(auditd_t)
 181 logging_signal_dispatcher(auditd_t)
 182
 183 miscfiles_read_localization(auditd_t)
 184
 185 mls_file_read_all_levels(auditd_t)
 186 mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
 187
 188 seutil_dontaudit_read_config(auditd_t)
 189
 190 sysnet_dns_name_resolve(auditd_t)
 191
 192 userdom_use_user_terminals(auditd_t)
 193 userdom_dontaudit_use_unpriv_user_fds(auditd_t)
 194 userdom_dontaudit_search_user_home_dirs(auditd_t)
 195
 196 ifdef(`distro_ubuntu',`
 197         optional_policy(`
 198                 unconfined_domain(auditd_t)
 199         ')
 200 ')
 201
 202 optional_policy(`
 203         mta_send_mail(auditd_t)
 204 ')
 205
 206 optional_policy(`
 207         seutil_sigchld_newrole(auditd_t)
 208 ')
 209
 210 optional_policy(`
 211         udev_read_db(auditd_t)
 212 ')
 213
 214 ########################################
 215 #
 216 # audit dispatcher local policy
 217 #
 218
 219 allow audisp_t self:capability { dac_override setpcap sys_nice };
 220 allow audisp_t self:process { getcap signal_perms setcap setsched };
 221 allow audisp_t self:fifo_file rw_fifo_file_perms;
 222 allow audisp_t self:unix_stream_socket create_stream_socket_perms;
 223 allow audisp_t self:unix_dgram_socket create_socket_perms;
 224
 225 allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
 226
 227 manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
 228 files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
 229
 230 corecmd_exec_bin(audisp_t)
 231 corecmd_exec_shell(audisp_t)
 232
 233 domain_use_interactive_fds(audisp_t)
 234
 235 files_read_etc_files(audisp_t)
 236 files_read_etc_runtime_files(audisp_t)
 237
 238 mls_file_write_all_levels(audisp_t)
 239
 240 logging_send_syslog_msg(audisp_t)
 241
 242 miscfiles_read_localization(audisp_t)
 243
 244 sysnet_dns_name_resolve(audisp_t)
 245
 246 optional_policy(`
 247         dbus_system_bus_client(audisp_t)
 248 ')
 249
 250 ########################################
 251 #
 252 # Audit remote logger local policy
 253 #
 254
 255 allow audisp_remote_t self:tcp_socket create_socket_perms;
 256
 257 corenet_all_recvfrom_unlabeled(audisp_remote_t)
 258 corenet_all_recvfrom_netlabel(audisp_remote_t)
 259 corenet_tcp_sendrecv_generic_if(audisp_remote_t)
 260 corenet_tcp_sendrecv_generic_node(audisp_remote_t)
 261 corenet_tcp_sendrecv_all_ports(audisp_remote_t)
 262 corenet_tcp_bind_audit_port(audisp_remote_t)
 263 corenet_tcp_bind_generic_node(audisp_remote_t)
 264 corenet_tcp_connect_audit_port(audisp_remote_t)
 265 corenet_sendrecv_audit_client_packets(audisp_remote_t)
 266
 267 files_read_etc_files(audisp_remote_t)
 268
 269 logging_send_syslog_msg(audisp_remote_t)
 270
 271 miscfiles_read_localization(audisp_remote_t)
 272
 273 sysnet_dns_name_resolve(audisp_remote_t)
 274
 275 ########################################
 276 #
 277 # klogd local policy
 278 #
 279
 280 allow klogd_t self:capability sys_admin;
 281 dontaudit klogd_t self:capability { sys_resource sys_tty_config };
 282 allow klogd_t self:process signal_perms;
 283
 284 manage_dirs_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t)
 285 manage_files_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t)
 286 files_tmp_filetrans(klogd_t, klogd_tmp_t,{ file dir })
 287
 288 manage_files_pattern(klogd_t, klogd_var_run_t, klogd_var_run_t)
 289 files_pid_filetrans(klogd_t, klogd_var_run_t, file)
 290
 291 kernel_read_system_state(klogd_t)
 292 kernel_read_messages(klogd_t)
 293 kernel_read_kernel_sysctls(klogd_t)
 294 # Control syslog and console logging
 295 kernel_clear_ring_buffer(klogd_t)
 296 kernel_change_ring_buffer_level(klogd_t)
 297
 298 files_read_kernel_symbol_table(klogd_t)
 299
 300 dev_read_raw_memory(klogd_t)
 301 dev_read_sysfs(klogd_t)
 302
 303 fs_getattr_all_fs(klogd_t)
 304 fs_search_auto_mountpoints(klogd_t)
 305
 306 domain_use_interactive_fds(klogd_t)
 307
 308 files_read_etc_runtime_files(klogd_t)
 309 # read /etc/nsswitch.conf
 310 files_read_etc_files(klogd_t)
 311
 312 logging_send_syslog_msg(klogd_t)
 313
 314 miscfiles_read_localization(klogd_t)
 315
 316 mls_file_read_all_levels(klogd_t)
 317
 318 userdom_dontaudit_search_user_home_dirs(klogd_t)
 319
 320 ifdef(`distro_ubuntu',`
 321         optional_policy(`
 322                 unconfined_domain(klogd_t)
 323         ')
 324 ')
 325
 326 optional_policy(`
 327         udev_read_db(klogd_t)
 328 ')
 329
 330 optional_policy(`
 331         seutil_sigchld_newrole(klogd_t)
 332 ')
 333
 334 ########################################
 335 #
 336 # syslogd local policy
 337 #
 338
 339 # chown fsetid for syslog-ng
 340 # sys_admin for the integrated klog of syslog-ng and metalog
 341 # cjp: why net_admin!
 342 allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
 343 dontaudit syslogd_t self:capability sys_tty_config;
 344 # setpgid for metalog
 345 # setrlimit for syslog-ng
 346 allow syslogd_t self:process { signal_perms setpgid setrlimit };
 347 # receive messages to be logged
 348 allow syslogd_t self:unix_dgram_socket create_socket_perms;
 349 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
 350 allow syslogd_t self:unix_dgram_socket sendto;
 351 allow syslogd_t self:fifo_file rw_fifo_file_perms;
 352 allow syslogd_t self:udp_socket create_socket_perms;
 353 allow syslogd_t self:tcp_socket create_stream_socket_perms;
 354
 355 allow syslogd_t syslog_conf_t:file read_file_perms;
 356
 357 # Create and bind to /dev/log or /var/run/log.
 358 allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
 359 files_pid_filetrans(syslogd_t, devlog_t, sock_file)
 360
 361 # create/append log files.
 362 manage_files_pattern(syslogd_t, var_log_t, var_log_t)
 363 rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
 364
 365 # Allow access for syslog-ng
 366 allow syslogd_t var_log_t:dir { create setattr };
 367
 368 # manage temporary files
 369 manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 370 manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 371 files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
 372
 373 manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
 374 files_search_var_lib(syslogd_t)
 375
 376 allow syslogd_t syslogd_var_run_t:file manage_file_perms;
 377 files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
 378
 379 # manage pid file
 380 manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
 381 files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
 382
 383 kernel_read_system_state(syslogd_t)
 384 kernel_read_kernel_sysctls(syslogd_t)
 385 kernel_read_proc_symlinks(syslogd_t)
 386 # Allow access to /proc/kmsg for syslog-ng
 387 kernel_read_messages(syslogd_t)
 388 kernel_clear_ring_buffer(syslogd_t)
 389 kernel_change_ring_buffer_level(syslogd_t)
 390
 391 corenet_all_recvfrom_unlabeled(syslogd_t)
 392 corenet_all_recvfrom_netlabel(syslogd_t)
 393 corenet_udp_sendrecv_generic_if(syslogd_t)
 394 corenet_udp_sendrecv_generic_node(syslogd_t)
 395 corenet_udp_sendrecv_all_ports(syslogd_t)
 396 corenet_udp_bind_generic_node(syslogd_t)
 397 corenet_udp_bind_syslogd_port(syslogd_t)
 398 # syslog-ng can listen and connect on tcp port 514 (rsh)
 399 corenet_tcp_sendrecv_generic_if(syslogd_t)
 400 corenet_tcp_sendrecv_generic_node(syslogd_t)
 401 corenet_tcp_sendrecv_all_ports(syslogd_t)
 402 corenet_tcp_bind_generic_node(syslogd_t)
 403 corenet_tcp_bind_rsh_port(syslogd_t)
 404 corenet_tcp_connect_rsh_port(syslogd_t)
 405 # Allow users to define additional syslog ports to connect to
 406 corenet_tcp_bind_syslogd_port(syslogd_t)
 407 corenet_tcp_connect_syslogd_port(syslogd_t)
 408 corenet_tcp_connect_postgresql_port(syslogd_t)
 409 corenet_tcp_connect_mysqld_port(syslogd_t)
 410
 411 # syslog-ng can send or receive logs
 412 corenet_sendrecv_syslogd_client_packets(syslogd_t)
 413 corenet_sendrecv_syslogd_server_packets(syslogd_t)
 414 corenet_sendrecv_postgresql_client_packets(syslogd_t)
 415 corenet_sendrecv_mysqld_client_packets(syslogd_t)
 416
 417 dev_filetrans(syslogd_t, devlog_t, sock_file)
 418 dev_read_sysfs(syslogd_t)
 419
 420 domain_use_interactive_fds(syslogd_t)
 421
 422 files_read_etc_files(syslogd_t)
 423 files_read_usr_files(syslogd_t)
 424 files_read_var_files(syslogd_t)
 425 files_read_etc_runtime_files(syslogd_t)
 426 # /initrd is not umounted before minilog starts
 427 files_dontaudit_search_isid_type_dirs(syslogd_t)
 428 files_read_kernel_symbol_table(syslogd_t)
 429
 430 fs_getattr_all_fs(syslogd_t)
 431 fs_search_auto_mountpoints(syslogd_t)
 432
 433 mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
 434
 435 term_write_console(syslogd_t)
 436 # Allow syslog to a terminal
 437 term_write_unallocated_ttys(syslogd_t)
 438
 439 # for sending messages to logged in users
 440 init_read_utmp(syslogd_t)
 441 init_dontaudit_write_utmp(syslogd_t)
 442 term_write_all_ttys(syslogd_t)
 443
 444 auth_use_nsswitch(syslogd_t)
 445
 446 init_use_fds(syslogd_t)
 447
 448 # cjp: this doesnt make sense
 449 logging_send_syslog_msg(syslogd_t)
 450
 451 miscfiles_read_localization(syslogd_t)
 452
 453 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 454 userdom_dontaudit_search_user_home_dirs(syslogd_t)
 455
 456 ifdef(`distro_gentoo',`
 457         # default gentoo syslog-ng config appends kernel
 458         # and high priority messages to /dev/tty12
 459         term_append_unallocated_ttys(syslogd_t)
 460         term_dontaudit_setattr_unallocated_ttys(syslogd_t)
 461 ')
 462
 463 ifdef(`distro_suse',`
 464         # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
 465         files_var_lib_filetrans(syslogd_t, devlog_t, sock_file)
 466 ')
 467
 468 ifdef(`distro_ubuntu',`
 469         optional_policy(`
 470                 unconfined_domain(syslogd_t)
 471         ')
 472 ')
 473
 474 optional_policy(`
 475         bind_search_cache(syslogd_t)
 476 ')
 477
 478 optional_policy(`
 479         inn_manage_log(syslogd_t)
 480 ')
 481
 482 optional_policy(`
 483         mysql_stream_connect(syslogd_t)
 484 ')
 485
 486 optional_policy(`
 487         postgresql_stream_connect(syslogd_t)
 488 ')
 489
 490 optional_policy(`
 491         seutil_sigchld_newrole(syslogd_t)
 492 ')
 493
 494 optional_policy(`
 495         udev_read_db(syslogd_t)
 496 ')
 497
 498 optional_policy(`
 499         # log to the xconsole
 500         xserver_rw_console(syslogd_t)
 501 ')