1900668638
The latest revision of the labeled policy patches which enable both labeled and unlabeled policy support for NetLabel. This revision takes into account Chris' feedback from the first version and reduces the number of interface calls in each domain down to two at present: one for unlabeled access, one for NetLabel access. The older, transport layer specific interfaces, are still present for use by third-party modules but are not used in the default policy modules. trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore. This patch changes the policy to use the netmsg initial SID as the "base" SID/context for NetLabel packets which only have MLS security attributes. Currently we use the unlabeled initial SID which makes it very difficult to distinquish between actual unlabeled packets and those packets which have MLS security attributes.
395 lines
10 KiB
Plaintext
395 lines
10 KiB
Plaintext
|
|
policy_module(logging,1.6.2)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
attribute logfile;
|
|
|
|
type auditctl_t;
|
|
type auditctl_exec_t;
|
|
init_system_domain(auditctl_t,auditctl_exec_t)
|
|
role system_r types auditctl_t;
|
|
|
|
type auditd_etc_t;
|
|
files_security_file(auditd_etc_t)
|
|
|
|
type auditd_log_t;
|
|
files_security_file(auditd_log_t)
|
|
files_mountpoint(auditd_log_t)
|
|
|
|
type auditd_t;
|
|
type auditd_exec_t;
|
|
init_daemon_domain(auditd_t,auditd_exec_t)
|
|
|
|
type auditd_var_run_t;
|
|
files_pid_file(auditd_var_run_t)
|
|
|
|
type devlog_t;
|
|
files_type(devlog_t)
|
|
mls_trusted_object(devlog_t)
|
|
|
|
type klogd_t;
|
|
type klogd_exec_t;
|
|
init_daemon_domain(klogd_t,klogd_exec_t)
|
|
|
|
type klogd_tmp_t;
|
|
files_tmp_file(klogd_tmp_t)
|
|
|
|
type klogd_var_run_t;
|
|
files_pid_file(klogd_var_run_t)
|
|
|
|
type syslogd_t;
|
|
type syslogd_exec_t;
|
|
init_daemon_domain(syslogd_t,syslogd_exec_t)
|
|
|
|
type syslogd_tmp_t;
|
|
files_tmp_file(syslogd_tmp_t)
|
|
|
|
type syslogd_var_run_t;
|
|
files_pid_file(syslogd_var_run_t)
|
|
|
|
type var_log_t;
|
|
logging_log_file(var_log_t)
|
|
files_mountpoint(var_log_t)
|
|
|
|
ifdef(`enable_mls',`
|
|
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Auditd local policy
|
|
#
|
|
|
|
allow auditctl_t self:capability { audit_write audit_control };
|
|
allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
|
|
|
|
read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t)
|
|
allow auditctl_t auditd_etc_t:dir list_dir_perms;
|
|
|
|
# Needed for adding watches
|
|
files_getattr_all_dirs(auditctl_t)
|
|
files_read_etc_files(auditctl_t)
|
|
|
|
kernel_read_kernel_sysctls(auditctl_t)
|
|
kernel_read_proc_symlinks(auditctl_t)
|
|
|
|
domain_read_all_domains_state(auditctl_t)
|
|
domain_use_interactive_fds(auditctl_t)
|
|
|
|
mls_file_read_up(auditctl_t)
|
|
|
|
term_use_all_terms(auditctl_t)
|
|
|
|
init_dontaudit_use_fds(auditctl_t)
|
|
|
|
libs_use_ld_so(auditctl_t)
|
|
libs_use_shared_libs(auditctl_t)
|
|
|
|
locallogin_dontaudit_use_fds(auditctl_t)
|
|
|
|
logging_send_syslog_msg(auditctl_t)
|
|
|
|
ifdef(`targeted_policy',`
|
|
term_use_generic_ptys(auditctl_t)
|
|
term_use_unallocated_ttys(auditctl_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Auditd local policy
|
|
#
|
|
|
|
allow auditd_t self:capability { audit_write audit_control fsetid sys_nice sys_resource };
|
|
dontaudit auditd_t self:capability sys_tty_config;
|
|
allow auditd_t self:process { signal_perms setpgid setsched };
|
|
allow auditd_t self:file { getattr read write };
|
|
allow auditd_t self:unix_dgram_socket create_socket_perms;
|
|
allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
|
|
allow auditd_t self:fifo_file rw_file_perms;
|
|
|
|
allow auditd_t auditd_etc_t:dir list_dir_perms;
|
|
allow auditd_t auditd_etc_t:file r_file_perms;
|
|
|
|
manage_files_pattern(auditd_t,auditd_log_t,auditd_log_t)
|
|
manage_lnk_files_pattern(auditd_t,auditd_log_t,auditd_log_t)
|
|
allow auditd_t var_log_t:dir search_dir_perms;
|
|
|
|
manage_files_pattern(auditd_t,auditd_var_run_t,auditd_var_run_t)
|
|
manage_sock_files_pattern(auditd_t,auditd_var_run_t,auditd_var_run_t)
|
|
files_pid_filetrans(auditd_t,auditd_var_run_t,{ file sock_file })
|
|
|
|
kernel_read_kernel_sysctls(auditd_t)
|
|
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
|
|
# Probably want a transition, and a new auditd_helper app
|
|
kernel_read_system_state(auditd_t)
|
|
|
|
dev_read_sysfs(auditd_t)
|
|
|
|
fs_getattr_all_fs(auditd_t)
|
|
fs_search_auto_mountpoints(auditd_t)
|
|
|
|
selinux_search_fs(auditctl_t)
|
|
|
|
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
|
|
# Probably want a transition, and a new auditd_helper app
|
|
corecmd_exec_bin(auditd_t)
|
|
corecmd_exec_shell(auditd_t)
|
|
|
|
domain_use_interactive_fds(auditd_t)
|
|
|
|
files_read_etc_files(auditd_t)
|
|
files_list_usr(auditd_t)
|
|
|
|
init_telinit(auditd_t)
|
|
|
|
logging_send_syslog_msg(auditd_t)
|
|
|
|
libs_use_ld_so(auditd_t)
|
|
libs_use_shared_libs(auditd_t)
|
|
|
|
miscfiles_read_localization(auditd_t)
|
|
|
|
mls_file_read_up(auditd_t)
|
|
mls_file_write_down(auditd_t) # Need to be able to write to /var/run/ directory
|
|
mls_rangetrans_target(auditd_t)
|
|
mls_fd_use_all_levels(auditd_t)
|
|
|
|
seutil_dontaudit_read_config(auditd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
|
|
userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
|
|
# cjp: this is questionable
|
|
userdom_use_sysadm_ttys(auditd_t)
|
|
|
|
ifdef(`targeted_policy',`
|
|
term_dontaudit_use_generic_ptys(auditd_t)
|
|
term_dontaudit_use_unallocated_ttys(auditd_t)
|
|
unconfined_dontaudit_read_pipes(auditd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(auditd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(auditd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# klogd local policy
|
|
#
|
|
|
|
allow klogd_t self:capability sys_admin;
|
|
dontaudit klogd_t self:capability { sys_resource sys_tty_config };
|
|
allow klogd_t self:process signal_perms;
|
|
|
|
manage_dirs_pattern(klogd_t,klogd_tmp_t,klogd_tmp_t)
|
|
manage_files_pattern(klogd_t,klogd_tmp_t,klogd_tmp_t)
|
|
files_tmp_filetrans(klogd_t,klogd_tmp_t,{ file dir })
|
|
|
|
manage_files_pattern(klogd_t,klogd_var_run_t,klogd_var_run_t)
|
|
files_pid_filetrans(klogd_t,klogd_var_run_t,file)
|
|
|
|
kernel_read_system_state(klogd_t)
|
|
kernel_read_messages(klogd_t)
|
|
kernel_read_kernel_sysctls(klogd_t)
|
|
# Control syslog and console logging
|
|
kernel_clear_ring_buffer(klogd_t)
|
|
kernel_change_ring_buffer_level(klogd_t)
|
|
|
|
files_read_kernel_symbol_table(klogd_t)
|
|
|
|
dev_read_raw_memory(klogd_t)
|
|
dev_read_sysfs(klogd_t)
|
|
|
|
fs_getattr_all_fs(klogd_t)
|
|
fs_search_auto_mountpoints(klogd_t)
|
|
|
|
domain_use_interactive_fds(klogd_t)
|
|
|
|
files_read_etc_runtime_files(klogd_t)
|
|
# read /etc/nsswitch.conf
|
|
files_read_etc_files(klogd_t)
|
|
|
|
libs_use_ld_so(klogd_t)
|
|
libs_use_shared_libs(klogd_t)
|
|
|
|
logging_send_syslog_msg(klogd_t)
|
|
|
|
miscfiles_read_localization(klogd_t)
|
|
|
|
mls_file_read_up(klogd_t)
|
|
|
|
userdom_dontaudit_search_sysadm_home_dirs(klogd_t)
|
|
|
|
optional_policy(`
|
|
udev_read_db(klogd_t)
|
|
')
|
|
|
|
ifdef(`targeted_policy',`
|
|
term_dontaudit_use_generic_ptys(klogd_t)
|
|
term_dontaudit_use_unallocated_ttys(klogd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(klogd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# syslogd local policy
|
|
#
|
|
|
|
# chown fsetid for syslog-ng
|
|
# sys_admin for the integrated klog of syslog-ng and metalog
|
|
# cjp: why net_admin!
|
|
allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
|
|
dontaudit syslogd_t self:capability sys_tty_config;
|
|
# setpgid for metalog
|
|
allow syslogd_t self:process { signal_perms setpgid };
|
|
allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
|
|
# receive messages to be logged
|
|
allow syslogd_t self:unix_dgram_socket create_socket_perms;
|
|
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow syslogd_t self:unix_dgram_socket sendto;
|
|
allow syslogd_t self:fifo_file rw_file_perms;
|
|
allow syslogd_t self:udp_socket create_socket_perms;
|
|
allow syslogd_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
# Create and bind to /dev/log or /var/run/log.
|
|
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
|
|
files_pid_filetrans(syslogd_t,devlog_t,sock_file)
|
|
|
|
# create/append log files.
|
|
manage_files_pattern(syslogd_t,var_log_t,var_log_t)
|
|
# Allow access for syslog-ng
|
|
allow syslogd_t var_log_t:dir { create setattr };
|
|
|
|
# manage temporary files
|
|
manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
|
|
manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
|
|
files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file })
|
|
|
|
allow syslogd_t syslogd_var_run_t:file manage_file_perms;
|
|
files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
|
|
|
|
# manage pid file
|
|
manage_files_pattern(syslogd_t,syslogd_var_run_t,syslogd_var_run_t)
|
|
files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
|
|
|
|
kernel_read_kernel_sysctls(syslogd_t)
|
|
kernel_read_proc_symlinks(syslogd_t)
|
|
# Allow access to /proc/kmsg for syslog-ng
|
|
kernel_read_messages(syslogd_t)
|
|
kernel_clear_ring_buffer(syslogd_t)
|
|
kernel_change_ring_buffer_level(syslogd_t)
|
|
|
|
dev_filetrans(syslogd_t,devlog_t,sock_file)
|
|
dev_read_sysfs(syslogd_t)
|
|
|
|
fs_search_auto_mountpoints(syslogd_t)
|
|
|
|
term_write_console(syslogd_t)
|
|
# Allow syslog to a terminal
|
|
term_write_unallocated_ttys(syslogd_t)
|
|
|
|
# for sending messages to logged in users
|
|
init_read_utmp(syslogd_t)
|
|
init_dontaudit_write_utmp(syslogd_t)
|
|
term_write_all_user_ttys(syslogd_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(syslogd_t)
|
|
corenet_all_recvfrom_netlabel(syslogd_t)
|
|
corenet_udp_sendrecv_all_if(syslogd_t)
|
|
corenet_udp_sendrecv_all_nodes(syslogd_t)
|
|
corenet_udp_sendrecv_all_ports(syslogd_t)
|
|
corenet_udp_bind_all_nodes(syslogd_t)
|
|
corenet_udp_bind_syslogd_port(syslogd_t)
|
|
# syslog-ng can listen and connect on tcp port 514 (rsh)
|
|
corenet_tcp_sendrecv_all_if(syslogd_t)
|
|
corenet_tcp_sendrecv_all_nodes(syslogd_t)
|
|
corenet_tcp_sendrecv_all_ports(syslogd_t)
|
|
corenet_tcp_bind_all_nodes(syslogd_t)
|
|
corenet_tcp_bind_rsh_port(syslogd_t)
|
|
corenet_tcp_connect_rsh_port(syslogd_t)
|
|
# Allow users to define additional syslog ports to connect to
|
|
corenet_tcp_bind_syslogd_port(syslogd_t)
|
|
corenet_tcp_connect_syslogd_port(syslogd_t)
|
|
|
|
# syslog-ng can send or receive logs
|
|
corenet_sendrecv_syslogd_client_packets(syslogd_t)
|
|
corenet_sendrecv_syslogd_server_packets(syslogd_t)
|
|
|
|
fs_getattr_all_fs(syslogd_t)
|
|
|
|
init_use_fds(syslogd_t)
|
|
|
|
domain_use_interactive_fds(syslogd_t)
|
|
|
|
files_read_etc_files(syslogd_t)
|
|
files_read_etc_runtime_files(syslogd_t)
|
|
# /initrd is not umounted before minilog starts
|
|
files_dontaudit_search_isid_type_dirs(syslogd_t)
|
|
|
|
libs_use_ld_so(syslogd_t)
|
|
libs_use_shared_libs(syslogd_t)
|
|
|
|
# cjp: this doesnt make sense
|
|
logging_send_syslog_msg(syslogd_t)
|
|
|
|
sysnet_read_config(syslogd_t)
|
|
|
|
miscfiles_read_localization(syslogd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
|
|
userdom_dontaudit_search_sysadm_home_dirs(syslogd_t)
|
|
|
|
ifdef(`distro_gentoo',`
|
|
# default gentoo syslog-ng config appends kernel
|
|
# and high priority messages to /dev/tty12
|
|
term_append_unallocated_ttys(syslogd_t)
|
|
term_dontaudit_setattr_unallocated_ttys(syslogd_t)
|
|
')
|
|
|
|
ifdef(`distro_suse',`
|
|
# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
|
|
files_var_lib_filetrans(syslogd_t,devlog_t,sock_file)
|
|
')
|
|
|
|
ifdef(`targeted_policy',`
|
|
allow syslogd_t var_run_t:fifo_file { ioctl read write };
|
|
term_dontaudit_use_unallocated_ttys(syslogd_t)
|
|
term_dontaudit_use_generic_ptys(syslogd_t)
|
|
files_dontaudit_read_root_files(syslogd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
inn_manage_log(syslogd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nis_use_ypbind(syslogd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(syslogd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(syslogd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(syslogd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# log to the xconsole
|
|
xserver_rw_console(syslogd_t)
|
|
')
|