302 lines
7.8 KiB
Plaintext
302 lines
7.8 KiB
Plaintext
|
|
policy_module(logging,1.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
attribute logfile;
|
|
|
|
type auditd_log_t;
|
|
logging_make_log_file(auditd_t,auditd_log_t)
|
|
|
|
type auditd_t;
|
|
type auditd_exec_t;
|
|
init_make_daemon_domain(auditd_t,auditd_exec_t)
|
|
|
|
type auditd_var_run_t;
|
|
files_make_daemon_runtime_file(auditd_var_run_t)
|
|
|
|
type devlog_t;
|
|
files_make_file(devlog_t)
|
|
|
|
type klogd_t;
|
|
type klogd_exec_t;
|
|
init_make_daemon_domain(klogd_t,klogd_exec_t)
|
|
|
|
type klogd_tmp_t;
|
|
files_make_temporary_file(klogd_tmp_t)
|
|
|
|
type klogd_var_run_t;
|
|
files_make_daemon_runtime_file(klogd_var_run_t)
|
|
|
|
type syslogd_t;
|
|
type syslogd_exec_t;
|
|
init_make_daemon_domain(syslogd_t,syslogd_exec_t)
|
|
|
|
type syslogd_tmp_t;
|
|
files_make_temporary_file(syslogd_tmp_t)
|
|
|
|
type syslogd_var_run_t;
|
|
files_make_daemon_runtime_file(syslogd_var_run_t)
|
|
|
|
type var_log_t, logfile;
|
|
files_make_file(var_log_t)
|
|
|
|
########################################
|
|
#
|
|
# Auditd local policy
|
|
#
|
|
|
|
allow auditd_t self:capability { audit_write audit_control };
|
|
dontaudit auditd_t self:capability sys_tty_config;
|
|
allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
|
|
|
|
allow auditd_t auditd_log_t:file create_file_perms;
|
|
|
|
allow auditd_t auditd_var_run_t:file create_file_perms;
|
|
files_create_daemon_runtime_data(auditd_t,auditd_var_run_t)
|
|
|
|
kernel_read_kernel_sysctl(auditd_t)
|
|
kernel_read_hardware_state(auditd_t)
|
|
|
|
fs_getattr_all_fs(auditd_t)
|
|
|
|
term_dontaudit_use_console(auditd_t)
|
|
|
|
init_use_file_descriptors(auditd_t)
|
|
init_script_use_pseudoterminal(auditd_t)
|
|
|
|
domain_use_widely_inheritable_file_descriptors(auditd_t)
|
|
|
|
files_read_general_system_config(auditd_t)
|
|
|
|
logging_send_system_log_message(auditd_t)
|
|
|
|
libraries_use_dynamic_loader(auditd_t)
|
|
libraries_use_shared_libraries(auditd_t)
|
|
|
|
miscfiles_read_localization(auditd_t)
|
|
|
|
ifdef(`targeted_policy', `
|
|
term_dontaudit_use_unallocated_tty(auditd_t)
|
|
terminal_ignore_use_general_pseudoterminal(auditd_t)
|
|
files_ignore_read_rootfs_file(auditd_t)
|
|
')
|
|
|
|
optional_policy(`selinux.te',`
|
|
selinux_newrole_sigchld(auditd_t)
|
|
')
|
|
|
|
optional_policy(`udev.te', `
|
|
udev_read_database(auditd_t)
|
|
')
|
|
|
|
ifdef(`TODO',`
|
|
allow auditd_t proc_t:dir r_dir_perms;
|
|
allow auditd_t proc_t:lnk_file read;
|
|
dontaudit auditd_t unpriv_userdomain:fd use;
|
|
allow auditd_t autofs_t:dir { search getattr };
|
|
dontaudit auditd_t sysadm_home_dir_t:dir search;
|
|
optional_policy(`rhgb.te', `
|
|
allow auditd_t rhgb_t:process sigchld;
|
|
allow auditd_t rhgb_t:fd use;
|
|
allow auditd_t rhgb_t:fifo_file { read write };
|
|
')
|
|
|
|
# cjp: this is questionable:
|
|
allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;
|
|
') dnl endif TODO
|
|
|
|
########################################
|
|
#
|
|
# klogd local policy
|
|
#
|
|
|
|
allow klogd_t klogd_tmp_t:file create_file_perms;
|
|
files_create_private_tmp_data(klogd_t,klogd_tmp_t)
|
|
|
|
allow klogd_t klogd_var_run_t:file create_file_perms;
|
|
|
|
allow klogd_t self:capability sys_admin;
|
|
dontaudit klogd_t self:capability sys_resource;
|
|
|
|
kernel_read_system_state(klogd_t)
|
|
kernel_read_messages(klogd_t)
|
|
# Control syslog and console logging
|
|
kernel_clear_ring_buffer(klogd_t)
|
|
kernel_change_ring_buffer_level(klogd_t)
|
|
|
|
bootloader_read_kernel_symbol_table(klogd_t)
|
|
|
|
dev_read_raw_memory(klogd_t)
|
|
|
|
fs_getattr_all_fs(klogd_t)
|
|
|
|
files_create_daemon_runtime_data(klogd_t,klogd_var_run_t)
|
|
files_read_runtime_system_config(klogd_t)
|
|
# read /etc/nsswitch.conf
|
|
files_read_general_system_config(klogd_t)
|
|
|
|
init_use_file_descriptors(klogd_t)
|
|
|
|
libraries_use_dynamic_loader(klogd_t)
|
|
libraries_use_shared_libraries(klogd_t)
|
|
|
|
logging_send_system_log_message(klogd_t)
|
|
|
|
miscfiles_read_localization(klogd_t)
|
|
|
|
########################################
|
|
#
|
|
# syslogd local policy
|
|
#
|
|
|
|
allow syslogd_t self:capability { dac_override net_bind_service sys_resource sys_tty_config };
|
|
dontaudit syslogd_t self:capability sys_tty_config;
|
|
allow syslogd_t self:process signal_perms;
|
|
|
|
# receive messages to be logged
|
|
allow syslogd_t self:unix_dgram_socket create_socket_perms;
|
|
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow syslogd_t self:unix_dgram_socket sendto;
|
|
allow syslogd_t self:fifo_file rw_file_perms;
|
|
allow syslogd_t self:udp_socket { connected_socket_perms connect };
|
|
|
|
# create/append log files.
|
|
allow syslogd_t var_log_t:dir rw_dir_perms;
|
|
allow syslogd_t var_log_t:file create_file_perms;
|
|
|
|
# manage temporary files
|
|
allow syslogd_t syslogd_tmp_t:file create_file_perms;
|
|
files_create_private_tmp_data(syslogd_t,syslogd_tmp_t)
|
|
|
|
allow syslogd_t syslogd_var_run_t:file create_file_perms;
|
|
files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file)
|
|
|
|
# Create and bind to /dev/log or /var/run/log.
|
|
allow syslogd_t devlog_t:sock_file create_file_perms;
|
|
files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file)
|
|
# I belive these are not needed:
|
|
allow syslogd_t devlog_t:unix_stream_socket name_bind;
|
|
allow syslogd_t devlog_t:unix_dgram_socket name_bind;
|
|
|
|
# manage pid file
|
|
allow syslogd_t syslogd_var_run_t:file create_file_perms;
|
|
files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t)
|
|
|
|
kernel_read_hardware_state(syslogd_t)
|
|
kernel_read_kernel_sysctl(syslogd_t)
|
|
|
|
dev_create_dev_node(syslogd_t,devlog_t,sock_file)
|
|
|
|
term_dontaudit_use_console(syslogd_t)
|
|
# Allow syslog to a terminal
|
|
term_write_unallocated_ttys(syslogd_t)
|
|
|
|
# for sending messages to logged in users
|
|
init_script_read_runtime_data(syslogd_t)
|
|
init_script_ignore_write_runtime_data(syslogd_t)
|
|
term_write_all_user_ttys(syslogd_t)
|
|
|
|
corenet_raw_sendrecv_all_if(syslogd_t)
|
|
corenet_udp_sendrecv_all_if(syslogd_t)
|
|
corenet_raw_sendrecv_all_nodes(syslogd_t)
|
|
corenet_udp_sendrecv_all_nodes(syslogd_t)
|
|
corenet_udp_sendrecv_all_ports(syslogd_t)
|
|
corenet_udp_bind_all_nodes(syslogd_t)
|
|
corenet_udp_bind_syslogd_port(syslogd_t)
|
|
|
|
fs_getattr_all_fs(syslogd_t)
|
|
|
|
init_use_file_descriptors(syslogd_t)
|
|
init_script_use_pseudoterminal(syslogd_t)
|
|
|
|
domain_use_widely_inheritable_file_descriptors(syslogd_t)
|
|
|
|
files_read_general_system_config(syslogd_t)
|
|
|
|
libraries_use_dynamic_loader(syslogd_t)
|
|
libraries_use_shared_libraries(syslogd_t)
|
|
|
|
sysnetwork_read_network_config(syslogd_t)
|
|
|
|
miscfiles_read_localization(syslogd_t)
|
|
|
|
userdomain_ignore_use_all_unprivileged_users_file_descriptors(syslogd_t)
|
|
|
|
#
|
|
# /initrd is not umounted before minilog starts
|
|
#
|
|
files_ignore_search_isid_type_dir(syslogd_t)
|
|
#allow syslogd_t tmpfs_t:dir search;
|
|
#dontaudit syslogd_t unlabeled_t:file read;
|
|
#dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
|
|
allow syslogd_t self:capability net_admin;
|
|
allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
|
|
|
|
ifdef(`klogd.te', `', `
|
|
# Allow access to /proc/kmsg for syslog-ng
|
|
kernel_read_messages(syslogd_t)
|
|
kernel_clear_ring_buffer(syslogd_t)
|
|
kernel_change_ring_buffer_level(syslogd_t)
|
|
')
|
|
|
|
ifdef(`targeted_policy', `
|
|
term_dontaudit_use_unallocated_tty(syslogd_t)
|
|
terminal_ignore_use_general_pseudoterminal(syslogd_t)
|
|
files_ignore_read_rootfs_file(syslogd_t)
|
|
')
|
|
|
|
optional_policy(`selinux.te',`
|
|
selinux_newrole_sigchld(syslogd_t)
|
|
')
|
|
|
|
optional_policy(`udev.te', `
|
|
udev_read_database(syslogd_t)
|
|
')
|
|
|
|
optional_policy(`cron.te',`
|
|
cron_modify_log(syslogd_t)
|
|
')
|
|
|
|
ifdef(`TODO',`
|
|
allow syslogd_t proc_t:lnk_file read;
|
|
allow syslogd_t autofs_t:dir { search getattr };
|
|
dontaudit syslogd_t sysadm_home_dir_t:dir search;
|
|
optional_policy(`rhgb.te', `
|
|
allow syslogd_t rhgb_t:process sigchld;
|
|
allow syslogd_t rhgb_t:fd use;
|
|
allow syslogd_t rhgb_t:fifo_file { read write };
|
|
')
|
|
tunable_policy(`direct_sysadm_daemon',`
|
|
dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms;
|
|
')
|
|
|
|
ifdef(`distro_suse', `
|
|
# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
|
|
file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
|
|
')
|
|
|
|
# can_network is for the UDP socket
|
|
can_ypbind(syslogd_t)
|
|
|
|
# log to the xconsole
|
|
allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
|
|
|
|
ifdef(`crond.te', `
|
|
# for daemon re-start
|
|
allow system_crond_t syslogd_t:lnk_file read;
|
|
')
|
|
|
|
ifdef(`logrotate.te', `
|
|
allow logrotate_t syslogd_exec_t:file r_file_perms;
|
|
')
|
|
|
|
#
|
|
# Special case to handle crashes
|
|
#
|
|
allow syslogd_t { device_t file_t }:sock_file unlink;
|
|
') dnl end TODO
|