## Policy for the kernel message logger and system logging daemon. ####################################### ## ## Make the specified type a file ## used for logs. ## ## ## ## Type of the file to be used as a log. ## ## # interface(`logging_log_file',` gen_require(` attribute logfile; ') files_type($1) files_associate_tmp($1) fs_associate_tmpfs($1) typeattribute $1 logfile; ') ####################################### ## ## Send audit messages. ## ## ## ## Domain allowed access. ## ## # interface(`logging_send_audit_msgs',` allow $1 self:capability audit_write; allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; ') ######################################## ## ## Read the audit log. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_read_audit_log',` gen_require(` type auditd_log_t; ') files_search_var($1) read_files_pattern($1,auditd_log_t,auditd_log_t) allow $1 auditd_log_t:dir list_dir_perms; ') ######################################## ## ## Execute auditctl in the auditctl domain. ## ## ## ## Domain allowed access. ## ## # interface(`logging_domtrans_auditctl',` gen_require(` type auditctl_t, auditctl_exec_t; ') domtrans_pattern($1,auditctl_exec_t,auditctl_t) ') ######################################## ## ## Execute auditctl in the auditctl domain, and ## allow the specified role the auditctl domain. ## ## ## ## Domain allowed access. ## ## ## ## ## The role to be allowed the auditctl domain. ## ## ## ## ## The type of the terminal allow the auditctl domain to use. ## ## ## # interface(`logging_run_auditctl',` gen_require(` type auditctl_t; ') logging_domtrans_auditctl($1) role $2 types auditctl_t; allow auditctl_t $3:chr_file rw_term_perms; ') ######################################## ## ## Execute auditd in the auditd domain. ## ## ## ## Domain allowed access. ## ## # interface(`logging_domtrans_auditd',` gen_require(` type auditd_t, auditd_exec_t; ') domtrans_pattern($1,auditd_exec_t,auditd_t) ') ######################################## ## ## Execute auditd in the auditd domain, and ## allow the specified role the auditd domain. ## ## ## ## Domain allowed access. ## ## ## ## ## The role to be allowed the auditd domain. ## ## ## ## ## The type of the terminal allow the auditd domain to use. ## ## # interface(`logging_run_auditd',` gen_require(` type auditd_t; ') logging_domtrans_auditd($1) role $2 types auditd_t; allow auditd_t $3:chr_file rw_term_perms; ') ######################################## ## ## Connect to auditdstored over an unix stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`logging_stream_connect_auditd',` gen_require(` type auditd_t, auditd_var_run_t; ') files_search_pids($1) stream_connect_pattern($1,auditd_var_run_t,auditd_var_run_t,auditd_t) ') ######################################## ## ## Manage the auditd configuration files. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_manage_audit_config',` gen_require(` type auditd_etc_t; ') files_search_etc($1) manage_files_pattern($1,auditd_etc_t,auditd_etc_t) ') ######################################## ## ## Manage the audit log. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_manage_audit_log',` gen_require(` type auditd_log_t; ') files_search_var($1) manage_dirs_pattern($1,auditd_log_t,auditd_log_t) manage_files_pattern($1,auditd_log_t,auditd_log_t) ') ######################################## ## ## Execute syslogd in the syslog domain. ## ## ## ## Domain allowed access. ## ## # interface(`logging_domtrans_syslog',` gen_require(` type syslogd_t, syslogd_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1,syslogd_exec_t,syslogd_t) ') ######################################## ## ## Create an object in the log directory, with a private ## type using a type transition. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the object to be created. ## ## ## ## ## The object class of the object being created. ## ## # interface(`logging_log_filetrans',` gen_require(` type var_log_t; ') files_search_var($1) filetrans_pattern($1,var_log_t,$2,$3) ') ######################################## ## ## Send system log messages. ## ## ## ## Domain allowed access. ## ## # interface(`logging_send_syslog_msg',` gen_require(` type syslogd_t, devlog_t; ') allow $1 devlog_t:lnk_file read; allow $1 devlog_t:sock_file rw_file_perms; # the type of socket depends on the syslog daemon allow $1 syslogd_t:unix_dgram_socket sendto; allow $1 syslogd_t:unix_stream_socket connectto; allow $1 self:unix_dgram_socket create_socket_perms; allow $1 self:unix_stream_socket create_socket_perms; # cjp: this should most likely be removed: term_use_console($1) ') ######################################## ## ## Read the auditd configuration files. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_read_audit_config',` gen_require(` type auditd_etc_t; ') files_search_etc($1) read_files_pattern($1,auditd_etc_t,auditd_etc_t) allow $1 auditd_etc_t:dir list_dir_perms; ') ######################################## ## ## dontaudit search of auditd configuration files. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_dontaudit_search_audit_config',` gen_require(` type auditd_etc_t; ') dontaudit $1 auditd_etc_t:dir search_dir_perms; ') ######################################## ## ## Allows the domain to open a file in the ## log directory, but does not allow the listing ## of the contents of the log directory. ## ## ## ## Domain allowed access. ## ## # interface(`logging_search_logs',` gen_require(` type var_log_t; ') files_search_var($1) allow $1 var_log_t:dir search_dir_perms; ') ####################################### ## ## Do not audit attempts to search the var log directory. ## ## ## ## Domain not to audit. ## ## # interface(`logging_dontaudit_search_logs',` gen_require(` type var_log_t; ') dontaudit $1 var_log_t:dir search_dir_perms; ') ####################################### ## ## List the contents of the generic log directory (/var/log). ## ## ## ## Domain allowed access. ## ## # interface(`logging_list_logs',` gen_require(` type var_log_t; ') files_search_var($1) allow $1 var_log_t:dir list_dir_perms; ') ####################################### ## ## Read and write the generic log directory (/var/log). ## ## ## ## Domain allowed access. ## ## # interface(`logging_rw_generic_log_dirs',` gen_require(` type var_log_t; ') files_search_var($1) allow $1 var_log_t:dir rw_dir_perms; ') ######################################## ## ## Do not audit attempts to get the atttributes ## of any log files. ## ## ## ## Domain allowed access. ## ## # interface(`logging_dontaudit_getattr_all_logs',` gen_require(` attribute logfile; ') dontaudit $1 logfile:file getattr; ') ######################################## ## ## Append to all log files. ## ## ## ## Domain allowed access. ## ## # interface(`logging_append_all_logs',` gen_require(` attribute logfile; type var_log_t; ') files_search_var($1) allow $1 var_log_t:dir list_dir_perms; allow $1 logfile:file { getattr append }; ') ######################################## ## ## Read all log files. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_read_all_logs',` gen_require(` attribute logfile; type var_log_t; ') files_search_var($1) allow $1 var_log_t:dir list_dir_perms; read_files_pattern($1,var_log_t,logfile) ') ######################################## ## ## Execute all log files in the caller domain. ## ## ## ## Domain allowed access. ## ## # # cjp: not sure why this is needed. This was added # because of logrotate. interface(`logging_exec_all_logs',` gen_require(` attribute logfile; ') files_search_var($1) allow $1 logfile:dir list_dir_perms; can_exec($1,logfile) ') ######################################## ## ## Create, read, write, and delete all log files. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_manage_all_logs',` gen_require(` attribute logfile; ') files_search_var($1) manage_files_pattern($1,logfile,logfile) read_lnk_files_pattern($1,logfile,logfile) ') ######################################## ## ## Read generic log files. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_read_generic_logs',` gen_require(` type var_log_t; ') files_search_var($1) allow $1 var_log_t:dir list_dir_perms; read_files_pattern($1,var_log_t,var_log_t) ') ######################################## ## ## Write generic log files. ## ## ## ## Domain allowed access. ## ## # interface(`logging_write_generic_logs',` gen_require(` type var_log_t; ') files_search_var($1) allow $1 var_log_t:dir list_dir_perms; write_files_pattern($1,var_log_t,var_log_t) ') ######################################## ## ## Read and write generic log files. ## ## ## ## Domain allowed access. ## ## # interface(`logging_rw_generic_logs',` gen_require(` type var_log_t; ') files_search_var($1) allow $1 var_log_t:dir list_dir_perms; rw_files_pattern($1,var_log_t,var_log_t) ') ######################################## ## ## Create, read, write, and delete ## generic log files. ## ## ## ## Domain allowed access. ## ## ## # interface(`logging_manage_generic_logs',` gen_require(` type var_log_t; ') files_search_var($1) manage_files_pattern($1,var_log_t,var_log_t) ')