#DESC Syslogd - System log daemon # # Authors: Stephen Smalley and Timothy Fraser # X-Debian-Packages: sysklogd syslog-ng # ################################# # # Rules for the syslogd_t domain. # # syslogd_t is the domain of syslogd. # syslogd_exec_t is the type of the syslogd executable. # devlog_t is the type of the Unix domain socket created # by syslogd. # ifdef(`klogd.te', ` daemon_domain(syslogd, `, privkmsg, nscd_client_domain') ', ` daemon_domain(syslogd, `, privmem, privkmsg, nscd_client_domain') ') # can_network is for the UDP socket can_network_udp(syslogd_t) can_ypbind(syslogd_t) r_dir_file(syslogd_t, sysfs_t) type devlog_t, file_type, sysadmfile, dev_fs, mlstrustedobject; # if something can log to syslog they should be able to log to the console allow privlog console_device_t:chr_file { ioctl read write getattr }; tmp_domain(syslogd) # read files in /etc allow syslogd_t { etc_runtime_t etc_t }:file r_file_perms; # Use capabilities. allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config }; # Modify/create log files. create_append_log_file(syslogd_t, var_log_t) # Create and bind to /dev/log or /var/run/log. file_type_auto_trans(syslogd_t, { device_t var_run_t }, devlog_t, sock_file) ifdef(`distro_suse', ` # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file) ') allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_dgram_socket sendto; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; allow syslogd_t self:fifo_file rw_file_perms; allow syslogd_t devlog_t:unix_stream_socket name_bind; allow syslogd_t devlog_t:unix_dgram_socket name_bind; # log to the xconsole allow syslogd_t xconsole_device_t:fifo_file { ioctl read write }; # Domains with the privlog attribute may log to syslogd. allow privlog devlog_t:sock_file rw_file_perms; can_unix_send(privlog,syslogd_t) can_unix_connect(privlog,syslogd_t) # allow /dev/log to be a link elsewhere for chroot setup allow privlog devlog_t:lnk_file read; ifdef(`crond.te', ` # for daemon re-start allow system_crond_t syslogd_t:lnk_file read; ') ifdef(`logrotate.te', ` allow logrotate_t syslogd_exec_t:file r_file_perms; ') # for sending messages to logged in users allow syslogd_t initrc_var_run_t:file { read lock }; dontaudit syslogd_t initrc_var_run_t:file write; allow syslogd_t ttyfile:chr_file { getattr write }; # # Special case to handle crashes # allow syslogd_t { device_t file_t }:sock_file { getattr unlink }; # Allow syslog to a terminal allow syslogd_t tty_device_t:chr_file { getattr write ioctl append }; # Allow name_bind for remote logging allow syslogd_t syslogd_port_t:udp_socket name_bind; # # /initrd is not umounted before minilog starts # dontaudit syslogd_t file_t:dir search; allow syslogd_t { tmpfs_t devpts_t }:dir search; dontaudit syslogd_t unlabeled_t:file { getattr read }; dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr; allow syslogd_t self:netlink_route_socket r_netlink_socket_perms; ifdef(`targeted_policy', ` allow syslogd_t var_run_t:fifo_file { ioctl read write }; allow syslogd_t ttyfile:chr_file { getattr write ioctl append }; ') # Allow access to /proc/kmsg for syslog-ng allow syslogd_t proc_t:dir search; allow syslogd_t proc_kmsg_t:file { getattr read }; allow syslogd_t kernel_t:system { syslog_mod syslog_console }; allow syslogd_t self:capability { sys_admin chown fsetid }; allow syslogd_t var_log_t:dir { create setattr }; allow syslogd_t syslogd_port_t:tcp_socket name_bind; allow syslogd_t rsh_port_t:tcp_socket name_connect;