## Policy for the kernel message logger and system logging daemon. ####################################### # # logging_log_file(domain) # interface(`logging_log_file',` gen_require(` attribute logfile; ') files_type($1) typeattribute $1 logfile; ') ######################################## ## ## Execute syslogd in the syslog domain. ## ## ## The type of the process performing this action. ## # interface(`logging_domtrans_syslog',` gen_require(` type syslogd_t, syslogd_exec_t; class process sigchld; class fd use; class fifo_file rw_file_perms; ') corecmd_search_sbin($1) domain_auto_trans($1,syslogd_exec_t,syslogd_t) allow $1 syslogd_t:fd use; allow syslogd_t $1:fd use; allow syslogd_t $1:fifo_file rw_file_perms; allow syslogd_t $1:process sigchld; ') ######################################## # # logging_create_log(domain,privatetype,[class(es)]) # interface(`logging_create_log',` gen_require(` type var_log_t; class dir rw_dir_perms; ') allow $1 var_log_t:dir rw_dir_perms; ifelse(`$3',`',` type_transition $1 var_log_t:file $2; ',` type_transition $1 var_log_t:$3 $2; ') ') ####################################### # # logging_send_syslog_msg(domain) # interface(`logging_send_syslog_msg',` gen_require(` type syslogd_t, devlog_t; class lnk_file read; class sock_file rw_file_perms; class unix_dgram_socket { create_socket_perms sendto }; class unix_stream_socket { create_socket_perms connectto }; ') allow $1 devlog_t:lnk_file read; allow $1 devlog_t:sock_file rw_file_perms; # the type of socket depends on the syslog daemon allow $1 syslogd_t:unix_dgram_socket sendto; allow $1 syslogd_t:unix_stream_socket connectto; allow $1 self:unix_dgram_socket create_socket_perms; allow $1 self:unix_stream_socket create_socket_perms; # cjp: this should most likely be removed: term_use_console($1) ') ######################################## ## ## Allows the domain to open a file in the ## log directory, but does not allow the listing ## of the contents of the log directory. ## ## ## The type of the process performing this action. ## # interface(`logging_search_logs',` gen_require(` type var_log_t; class dir search; ') files_search_var($1) allow $1 var_log_t:dir search; ') ####################################### ## ## Read and write the generic log directory (/var/log). ## ## ## The type of the process performing this action. ## # interface(`logging_rw_log_dir',` gen_require(` type var_log_t; class dir rw_dir_perms; ') files_search_var($1) allow $1 var_log_t:dir rw_dir_perms; ') ####################################### # # logging_dontaudit_getattr_all_logs(domain) # interface(`logging_dontaudit_getattr_all_logs',` gen_require(` attribute logfile; class file getattr; ') dontaudit $1 logfile:file getattr; ') ####################################### # # logging_append_all_logs(domain) # interface(`logging_append_all_logs',` gen_require(` attribute logfile; type var_log_t; class dir r_dir_perms; class file { getattr append }; ') files_search_var($1) allow $1 var_log_t:dir r_dir_perms; allow $1 logfile:file { getattr append }; ') ####################################### # # logging_read_all_logs(domain) # interface(`logging_read_all_logs',` gen_require(` attribute logfile; type var_log_t; class dir r_dir_perms; class file r_file_perms; ') files_search_var($1) allow $1 var_log_t:dir r_dir_perms; allow $1 logfile:file r_file_perms; ') ######################################## ## ## Execute all log files in the caller domain. ## ## ## The type of the process performing this action. ## # # cjp: not sure why this is needed. This was added # because of logrotate. interface(`logging_exec_all_logs',` gen_require(` attribute logfile; class dir r_dir_perms; ') files_search_var($1) allow $1 logfile:dir r_dir_perms; can_exec($1,logfile) ') ####################################### # # logging_manage_all_logs(domain) # interface(`logging_manage_all_logs',` gen_require(` attribute logfile; class dir rw_dir_perms; class file create_file_perms; ') files_search_var($1) allow $1 logfile:dir rw_dir_perms; allow $1 logfile:lnk_file read; allow $1 logfile:file create_file_perms; ') ####################################### # # logging_read_generic_logs(domain) # interface(`logging_read_generic_logs',` gen_require(` type var_log_t; class dir r_dir_perms; class file r_file_perms; ') files_search_var($1) allow $1 var_log_t:dir r_dir_perms; allow $1 var_log_t:file r_file_perms; ') ####################################### # # logging_write_generic_logs(domain) # interface(`logging_write_generic_logs',` gen_require(` type var_log_t; class dir r_dir_perms; class file { getattr write }; ') files_search_var($1) allow $1 var_log_t:dir r_dir_perms; allow $1 var_log_t:file { getattr write }; ') ######################################## ## ## Read and write generic log files. ## ## ## Domain allowed access. ## # interface(`logging_rw_generic_logs',` gen_require(` type var_log_t; class dir r_dir_perms; class file rw_file_perms; ') files_search_var($1) allow $1 var_log_t:dir r_dir_perms; allow $1 var_log_t:file rw_file_perms; ') ######################################## ## ## Create, read, write, and delete ## generic log files. ## ## ## Domain allowed access. ## # interface(`logging_manage_generic_logs',` gen_require(` type var_log_t; class dir rw_dir_perms; class file create_file_perms; ') files_search_var($1) allow $1 var_log_t:dir rw_dir_perms; allow $1 var_log_t:file create_file_perms; ')