190 lines
4.7 KiB
Plaintext
190 lines
4.7 KiB
Plaintext
|
|
policy_module(logrotate, 1.9.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type logrotate_t;
|
|
domain_type(logrotate_t)
|
|
domain_obj_id_change_exemption(logrotate_t)
|
|
domain_system_change_exemption(logrotate_t)
|
|
role system_r types logrotate_t;
|
|
|
|
type logrotate_exec_t;
|
|
domain_entry_file(logrotate_t, logrotate_exec_t)
|
|
|
|
type logrotate_lock_t;
|
|
files_lock_file(logrotate_lock_t)
|
|
|
|
type logrotate_tmp_t;
|
|
files_tmp_file(logrotate_tmp_t)
|
|
|
|
type logrotate_var_lib_t;
|
|
files_type(logrotate_var_lib_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
# Change ownership on log files.
|
|
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
|
|
# for mailx
|
|
dontaudit logrotate_t self:capability { setuid setgid };
|
|
|
|
allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
|
|
# Set a context other than the default one for newly created files.
|
|
allow logrotate_t self:process setfscreate;
|
|
|
|
allow logrotate_t self:fd use;
|
|
allow logrotate_t self:fifo_file rw_fifo_file_perms;
|
|
allow logrotate_t self:unix_dgram_socket create_socket_perms;
|
|
allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow logrotate_t self:unix_dgram_socket sendto;
|
|
allow logrotate_t self:unix_stream_socket connectto;
|
|
allow logrotate_t self:shm create_shm_perms;
|
|
allow logrotate_t self:sem create_sem_perms;
|
|
allow logrotate_t self:msgq create_msgq_perms;
|
|
allow logrotate_t self:msg { send receive };
|
|
|
|
allow logrotate_t logrotate_lock_t:file manage_file_perms;
|
|
files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
|
|
|
|
can_exec(logrotate_t, logrotate_tmp_t)
|
|
|
|
manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
|
|
manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
|
|
files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
|
|
|
|
# for /var/lib/logrotate.status and /var/lib/logcheck
|
|
create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
|
|
manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
|
|
files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
|
|
|
|
kernel_read_system_state(logrotate_t)
|
|
kernel_read_kernel_sysctls(logrotate_t)
|
|
|
|
dev_read_urand(logrotate_t)
|
|
|
|
fs_search_auto_mountpoints(logrotate_t)
|
|
fs_getattr_xattr_fs(logrotate_t)
|
|
|
|
mls_file_read_all_levels(logrotate_t)
|
|
mls_file_write_all_levels(logrotate_t)
|
|
mls_file_upgrade(logrotate_t)
|
|
|
|
selinux_get_fs_mount(logrotate_t)
|
|
selinux_get_enforce_mode(logrotate_t)
|
|
|
|
auth_manage_login_records(logrotate_t)
|
|
auth_use_nsswitch(logrotate_t)
|
|
|
|
# Run helper programs.
|
|
corecmd_exec_bin(logrotate_t)
|
|
corecmd_exec_shell(logrotate_t)
|
|
|
|
domain_signal_all_domains(logrotate_t)
|
|
domain_use_interactive_fds(logrotate_t)
|
|
domain_getattr_all_entry_files(logrotate_t)
|
|
# Read /proc/PID directories for all domains.
|
|
domain_read_all_domains_state(logrotate_t)
|
|
|
|
files_read_usr_files(logrotate_t)
|
|
files_read_etc_files(logrotate_t)
|
|
files_read_etc_runtime_files(logrotate_t)
|
|
files_read_all_pids(logrotate_t)
|
|
# Write to /var/spool/slrnpull - should be moved into its own type.
|
|
files_manage_generic_spool(logrotate_t)
|
|
files_manage_generic_spool_dirs(logrotate_t)
|
|
|
|
# cjp: why is this needed?
|
|
init_domtrans_script(logrotate_t)
|
|
|
|
logging_manage_all_logs(logrotate_t)
|
|
logging_send_syslog_msg(logrotate_t)
|
|
# cjp: why is this needed?
|
|
logging_exec_all_logs(logrotate_t)
|
|
|
|
libs_use_ld_so(logrotate_t)
|
|
libs_use_shared_libs(logrotate_t)
|
|
|
|
miscfiles_read_localization(logrotate_t)
|
|
|
|
seutil_dontaudit_read_config(logrotate_t)
|
|
|
|
userdom_use_unpriv_users_fds(logrotate_t)
|
|
|
|
cron_system_entry(logrotate_t, logrotate_exec_t)
|
|
cron_search_spool(logrotate_t)
|
|
|
|
mta_send_mail(logrotate_t)
|
|
|
|
sysadm_dontaudit_search_home_dirs(logrotate_t)
|
|
|
|
ifdef(`distro_debian', `
|
|
allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
|
|
# for savelog
|
|
can_exec(logrotate_t, logrotate_exec_t)
|
|
|
|
# for syslogd-listfiles
|
|
logging_read_syslog_config(logrotate_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
acct_domtrans(logrotate_t)
|
|
acct_manage_data(logrotate_t)
|
|
acct_exec_data(logrotate_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
apache_read_config(logrotate_t)
|
|
apache_domtrans(logrotate_t)
|
|
apache_signull(logrotate_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
consoletype_exec(logrotate_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
cups_domtrans(logrotate_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
hostname_exec(logrotate_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
samba_exec_log(logrotate_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mailman_exec(logrotate_t)
|
|
mailman_search_data(logrotate_t)
|
|
mailman_manage_log(logrotate_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
munin_read_config(logrotate_t)
|
|
munin_stream_connect(logrotate_t)
|
|
munin_search_lib(logrotate_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mysql_read_config(logrotate_t)
|
|
mysql_search_db(logrotate_t)
|
|
mysql_stream_connect(logrotate_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
slrnpull_manage_spool(logrotate_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# cjp: why?
|
|
squid_domtrans(logrotate_t)
|
|
')
|