selinux-policy/mls/domains/program/logrotate.te
2005-11-22 19:28:03 +00:00

151 lines
4.7 KiB
Plaintext

#DESC Logrotate - Rotate log files
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> Timothy Fraser
# Russell Coker <rcoker@redhat.com>
# X-Debian-Packages: logrotate
# Depends: crond.te
#
#################################
#
# Rules for the logrotate_t domain.
#
# logrotate_t is the domain for the logrotate program.
# logrotate_exec_t is the type of the corresponding program.
#
type logrotate_t, domain, privowner, privmail, priv_system_role, nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade;
role system_r types logrotate_t;
role sysadm_r types logrotate_t;
uses_shlib(logrotate_t)
general_domain_access(logrotate_t)
type logrotate_exec_t, file_type, sysadmfile, exec_type;
system_crond_entry(logrotate_exec_t, logrotate_t)
allow logrotate_t cron_spool_t:dir search;
allow crond_t logrotate_var_lib_t:dir search;
domain_auto_trans(sysadm_t, logrotate_exec_t, logrotate_t)
allow logrotate_t self:unix_stream_socket create_socket_perms;
allow logrotate_t devtty_t:chr_file rw_file_perms;
ifdef(`distro_debian', `
allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
# for savelog
can_exec(logrotate_t, logrotate_exec_t)
')
# for perl
allow logrotate_t usr_t:file { getattr read ioctl };
allow logrotate_t usr_t:lnk_file read;
# access files in /etc
allow logrotate_t etc_t:file { getattr read ioctl };
allow logrotate_t etc_t:lnk_file { getattr read };
allow logrotate_t etc_runtime_t:file r_file_perms;
# it should not require this
allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search };
# create lock files
lock_domain(logrotate)
# Create temporary files.
tmp_domain(logrotate)
can_exec(logrotate_t, logrotate_tmp_t)
# Run helper programs.
allow logrotate_t { bin_t sbin_t }:dir r_dir_perms;
allow logrotate_t { bin_t sbin_t }:lnk_file read;
can_exec(logrotate_t, { bin_t sbin_t shell_exec_t ls_exec_t })
# Read PID files.
allow logrotate_t pidfile:file r_file_perms;
# Read /proc/PID directories for all domains.
read_sysctl(logrotate_t)
allow logrotate_t proc_t:dir r_dir_perms;
allow logrotate_t proc_t:{ file lnk_file } r_file_perms;
allow logrotate_t domain:notdevfile_class_set r_file_perms;
allow logrotate_t domain:dir r_dir_perms;
allow logrotate_t exec_type:file getattr;
# Read /dev directories and any symbolic links.
allow logrotate_t device_t:dir r_dir_perms;
allow logrotate_t device_t:lnk_file r_file_perms;
# Signal processes.
allow logrotate_t domain:process signal;
# Modify /var/log and other log dirs.
allow logrotate_t var_t:dir r_dir_perms;
allow logrotate_t logfile:dir rw_dir_perms;
allow logrotate_t logfile:lnk_file read;
# Create, rename, and truncate log files.
allow logrotate_t logfile:file create_file_perms;
allow logrotate_t wtmp_t:file create_file_perms;
ifdef(`squid.te', `
allow squid_t { system_crond_t crond_t }:fd use;
allow squid_t crond_t:fifo_file { read write };
allow squid_t system_crond_t:fifo_file write;
allow squid_t self:capability kill;
')
# Set a context other than the default one for newly created files.
can_setfscreate(logrotate_t)
# Change ownership on log files.
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
# for mailx
dontaudit logrotate_t self:capability { setuid setgid };
ifdef(`mta.te', `
allow { system_mail_t mta_user_agent } logrotate_tmp_t:file r_file_perms;
')
# Access /var/run
allow logrotate_t var_run_t:dir r_dir_perms;
# for /var/lib/logrotate.status and /var/lib/logcheck
var_lib_domain(logrotate)
allow logrotate_t logrotate_var_lib_t:dir create;
# Write to /var/spool/slrnpull - should be moved into its own type.
create_dir_file(logrotate_t, var_spool_t)
allow logrotate_t urandom_device_t:chr_file { getattr read };
# Access terminals.
allow logrotate_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow logrotate_t sysadm_gph_t:fd use;')
allow logrotate_t privfd:fd use;
# for /var/backups on Debian
ifdef(`backup.te', `
rw_dir_create_file(logrotate_t, backup_store_t)
')
read_locale(logrotate_t)
allow logrotate_t fs_t:filesystem getattr;
can_exec(logrotate_t, shell_exec_t)
ifdef(`hostname.te', `can_exec(logrotate_t, hostname_exec_t)')
can_exec(logrotate_t,logfile)
allow logrotate_t net_conf_t:file { getattr read };
ifdef(`consoletype.te', `
can_exec(logrotate_t, consoletype_exec_t)
dontaudit consoletype_t logrotate_t:fd use;
')
allow logrotate_t syslogd_t:unix_dgram_socket sendto;
domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t)
# Supress libselinux initialization denials
dontaudit logrotate_t selinux_config_t:dir search;
dontaudit logrotate_t selinux_config_t:file { read getattr };
# Allow selinux_getenforce
allow logrotate_t security_t:dir search;
allow logrotate_t security_t:file { getattr read };