selinux-policy/policy/modules/admin/logrotate.if

## <summary>Rotate and archive system logs</summary>

########################################
## <summary>
##	Execute logrotate in the logrotate domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`logrotate_domtrans',`
	gen_require(`
		type logrotate_t, logrotate_exec_t;
	')

	domtrans_pattern($1, logrotate_exec_t, logrotate_t)
')

########################################
## <summary>
##	Execute logrotate in the logrotate domain, and
##	allow the specified role the logrotate domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`logrotate_run',`
	gen_require(`
		type logrotate_t;
	')

	logrotate_domtrans($1)
	role $2 types logrotate_t;
')

########################################
## <summary>
##	Execute logrotate in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logrotate_exec',`
	gen_require(`
		type logrotate_exec_t;
	')

	can_exec($1, logrotate_exec_t)
')

########################################
## <summary>
##	Inherit and use logrotate file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logrotate_use_fds',`
	gen_require(`
		type logrotate_t;
	')

	allow $1 logrotate_t:fd use;
')

########################################
## <summary>
##	Do not audit attempts to inherit logrotate file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`logrotate_dontaudit_use_fds',`
	gen_require(`
		type logrotate_t;
	')

	dontaudit $1 logrotate_t:fd use;
')

########################################
## <summary>
##	Read a logrotate temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logrotate_read_tmp_files',`
	gen_require(`
		type logrotate_tmp_t;
	')

	files_search_tmp($1)
	allow $1 logrotate_tmp_t:file read_file_perms;
')
add logrotate, more low-hanging fruit 2005-06-28 20:54:49 +00:00			`## <summary>Rotate and archive system logs</summary>`

			`########################################`
			`## <summary>`
			`## Execute logrotate in the logrotate domain.`
			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
Admin layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com> 2010-08-05 12:45:31 +00:00			`## Domain allowed to transition.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
add logrotate, more low-hanging fruit 2005-06-28 20:54:49 +00:00			`## </param>`
			`#`
			interface(`logrotate_domtrans',`
			gen_require(`
			`type logrotate_t, logrotate_exec_t;`
			`')`

trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00			`domtrans_pattern($1, logrotate_exec_t, logrotate_t)`
add logrotate, more low-hanging fruit 2005-06-28 20:54:49 +00:00			`')`

			`########################################`
			`## <summary>`
			`## Execute logrotate in the logrotate domain, and`
			`## allow the specified role the logrotate domain.`
			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
Admin layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com> 2010-08-05 12:45:31 +00:00			`## Domain allowed to transition.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
add logrotate, more low-hanging fruit 2005-06-28 20:54:49 +00:00			`## </param>`
			`## <param name="role">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
Docs standardizing on the role portion of run interfaces. Additional docs cleanup. 2010-08-03 13:20:22 +00:00			`## Role allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
add logrotate, more low-hanging fruit 2005-06-28 20:54:49 +00:00			`## </param>`
add main part of role-o-matic 2006-09-06 22:07:25 +00:00			`## <rolecap/>`
add logrotate, more low-hanging fruit 2005-06-28 20:54:49 +00:00			`#`
			interface(`logrotate_run',`
			gen_require(`
			`type logrotate_t;`
			`')`

			`logrotate_domtrans($1)`
			`role $2 types logrotate_t;`
			`')`

			`########################################`
			`## <summary>`
			`## Execute logrotate in the caller domain.`
			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
Interface documentation standardization patch from Dan Walsh. 2010-08-02 13:22:09 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
add logrotate, more low-hanging fruit 2005-06-28 20:54:49 +00:00			`## </param>`
			`#`
			interface(`logrotate_exec',`
			gen_require(`
			`type logrotate_exec_t;`
			`')`

trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00			`can_exec($1, logrotate_exec_t)`
add logrotate, more low-hanging fruit 2005-06-28 20:54:49 +00:00			`')`

partial (most of it) merge of selinux-policy-strict-sources-1.27.1-15 2005-10-13 20:59:36 +00:00			`########################################`
			`## <summary>`
			`## Inherit and use logrotate file descriptors.`
			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
partial (most of it) merge of selinux-policy-strict-sources-1.27.1-15 2005-10-13 20:59:36 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
partial (most of it) merge of selinux-policy-strict-sources-1.27.1-15 2005-10-13 20:59:36 +00:00			`## </param>`
			`#`
make (almost) all interface parameters required. move boot_t, system_map_t, and modules_object_t to files module. fd use interface renames, udp sendto interface renames. 2006-03-02 23:41:11 +00:00			interface(`logrotate_use_fds',`
partial (most of it) merge of selinux-policy-strict-sources-1.27.1-15 2005-10-13 20:59:36 +00:00			gen_require(`
			`type logrotate_t;`
			`')`

			`allow $1 logrotate_t:fd use;`
			`')`

add logrotate, more low-hanging fruit 2005-06-28 20:54:49 +00:00			`########################################`
			`## <summary>`
			`## Do not audit attempts to inherit logrotate file descriptors.`
			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
Docs standardizing on the role portion of run interfaces. Additional docs cleanup. 2010-08-03 13:20:22 +00:00			`## Domain to not audit.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
add logrotate, more low-hanging fruit 2005-06-28 20:54:49 +00:00			`## </param>`
			`#`
make (almost) all interface parameters required. move boot_t, system_map_t, and modules_object_t to files module. fd use interface renames, udp sendto interface renames. 2006-03-02 23:41:11 +00:00			interface(`logrotate_dontaudit_use_fds',`
add logrotate, more low-hanging fruit 2005-06-28 20:54:49 +00:00			gen_require(`
			`type logrotate_t;`
			`')`

			`dontaudit $1 logrotate_t:fd use;`
			`')`
fix up most of mta attribute insanity 2005-08-30 20:47:41 +00:00
			`########################################`
			`## <summary>`
			`## Read a logrotate temporary files.`
			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
Docs standardizing on the role portion of run interfaces. Additional docs cleanup. 2010-08-03 13:20:22 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
fix up most of mta attribute insanity 2005-08-30 20:47:41 +00:00			`## </param>`
			`#`
			interface(`logrotate_read_tmp_files',`
			gen_require(`
			`type logrotate_tmp_t;`
			`')`

			`files_search_tmp($1)`
merge policy patterns to trunk 2006-12-12 20:08:08 +00:00			`allow $1 logrotate_tmp_t:file read_file_perms;`
fix up most of mta attribute insanity 2005-08-30 20:47:41 +00:00			`')`