151 lines
4.7 KiB
Plaintext
151 lines
4.7 KiB
Plaintext
|
#DESC Logrotate - Rotate log files
|
||
|
#
|
||
|
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> Timothy Fraser
|
||
|
# Russell Coker <rcoker@redhat.com>
|
||
|
# X-Debian-Packages: logrotate
|
||
|
# Depends: crond.te
|
||
|
#
|
||
|
|
||
|
#################################
|
||
|
#
|
||
|
# Rules for the logrotate_t domain.
|
||
|
#
|
||
|
# logrotate_t is the domain for the logrotate program.
|
||
|
# logrotate_exec_t is the type of the corresponding program.
|
||
|
#
|
||
|
type logrotate_t, domain, privowner, privmail, priv_system_role, nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade;
|
||
|
role system_r types logrotate_t;
|
||
|
role sysadm_r types logrotate_t;
|
||
|
uses_shlib(logrotate_t)
|
||
|
general_domain_access(logrotate_t)
|
||
|
type logrotate_exec_t, file_type, sysadmfile, exec_type;
|
||
|
|
||
|
system_crond_entry(logrotate_exec_t, logrotate_t)
|
||
|
allow logrotate_t cron_spool_t:dir search;
|
||
|
allow crond_t logrotate_var_lib_t:dir search;
|
||
|
domain_auto_trans(sysadm_t, logrotate_exec_t, logrotate_t)
|
||
|
allow logrotate_t self:unix_stream_socket create_socket_perms;
|
||
|
allow logrotate_t devtty_t:chr_file rw_file_perms;
|
||
|
|
||
|
ifdef(`distro_debian', `
|
||
|
allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
|
||
|
# for savelog
|
||
|
can_exec(logrotate_t, logrotate_exec_t)
|
||
|
')
|
||
|
|
||
|
# for perl
|
||
|
allow logrotate_t usr_t:file { getattr read ioctl };
|
||
|
allow logrotate_t usr_t:lnk_file read;
|
||
|
|
||
|
# access files in /etc
|
||
|
allow logrotate_t etc_t:file { getattr read ioctl };
|
||
|
allow logrotate_t etc_t:lnk_file { getattr read };
|
||
|
allow logrotate_t etc_runtime_t:file r_file_perms;
|
||
|
|
||
|
# it should not require this
|
||
|
allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search };
|
||
|
|
||
|
# create lock files
|
||
|
lock_domain(logrotate)
|
||
|
|
||
|
# Create temporary files.
|
||
|
tmp_domain(logrotate)
|
||
|
can_exec(logrotate_t, logrotate_tmp_t)
|
||
|
|
||
|
# Run helper programs.
|
||
|
allow logrotate_t { bin_t sbin_t }:dir r_dir_perms;
|
||
|
allow logrotate_t { bin_t sbin_t }:lnk_file read;
|
||
|
can_exec(logrotate_t, { bin_t sbin_t shell_exec_t ls_exec_t })
|
||
|
|
||
|
# Read PID files.
|
||
|
allow logrotate_t pidfile:file r_file_perms;
|
||
|
|
||
|
# Read /proc/PID directories for all domains.
|
||
|
read_sysctl(logrotate_t)
|
||
|
allow logrotate_t proc_t:dir r_dir_perms;
|
||
|
allow logrotate_t proc_t:{ file lnk_file } r_file_perms;
|
||
|
allow logrotate_t domain:notdevfile_class_set r_file_perms;
|
||
|
allow logrotate_t domain:dir r_dir_perms;
|
||
|
allow logrotate_t exec_type:file getattr;
|
||
|
|
||
|
# Read /dev directories and any symbolic links.
|
||
|
allow logrotate_t device_t:dir r_dir_perms;
|
||
|
allow logrotate_t device_t:lnk_file r_file_perms;
|
||
|
|
||
|
# Signal processes.
|
||
|
allow logrotate_t domain:process signal;
|
||
|
|
||
|
# Modify /var/log and other log dirs.
|
||
|
allow logrotate_t var_t:dir r_dir_perms;
|
||
|
allow logrotate_t logfile:dir rw_dir_perms;
|
||
|
allow logrotate_t logfile:lnk_file read;
|
||
|
|
||
|
# Create, rename, and truncate log files.
|
||
|
allow logrotate_t logfile:file create_file_perms;
|
||
|
allow logrotate_t wtmp_t:file create_file_perms;
|
||
|
ifdef(`squid.te', `
|
||
|
allow squid_t { system_crond_t crond_t }:fd use;
|
||
|
allow squid_t crond_t:fifo_file { read write };
|
||
|
allow squid_t system_crond_t:fifo_file write;
|
||
|
allow squid_t self:capability kill;
|
||
|
')
|
||
|
|
||
|
# Set a context other than the default one for newly created files.
|
||
|
can_setfscreate(logrotate_t)
|
||
|
|
||
|
# Change ownership on log files.
|
||
|
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
|
||
|
# for mailx
|
||
|
dontaudit logrotate_t self:capability { setuid setgid };
|
||
|
|
||
|
ifdef(`mta.te', `
|
||
|
allow { system_mail_t mta_user_agent } logrotate_tmp_t:file r_file_perms;
|
||
|
')
|
||
|
|
||
|
# Access /var/run
|
||
|
allow logrotate_t var_run_t:dir r_dir_perms;
|
||
|
|
||
|
# for /var/lib/logrotate.status and /var/lib/logcheck
|
||
|
var_lib_domain(logrotate)
|
||
|
allow logrotate_t logrotate_var_lib_t:dir create;
|
||
|
|
||
|
# Write to /var/spool/slrnpull - should be moved into its own type.
|
||
|
create_dir_file(logrotate_t, var_spool_t)
|
||
|
|
||
|
allow logrotate_t urandom_device_t:chr_file { getattr read };
|
||
|
|
||
|
# Access terminals.
|
||
|
allow logrotate_t admin_tty_type:chr_file rw_file_perms;
|
||
|
ifdef(`gnome-pty-helper.te', `allow logrotate_t sysadm_gph_t:fd use;')
|
||
|
allow logrotate_t privfd:fd use;
|
||
|
|
||
|
# for /var/backups on Debian
|
||
|
ifdef(`backup.te', `
|
||
|
rw_dir_create_file(logrotate_t, backup_store_t)
|
||
|
')
|
||
|
|
||
|
read_locale(logrotate_t)
|
||
|
|
||
|
allow logrotate_t fs_t:filesystem getattr;
|
||
|
can_exec(logrotate_t, shell_exec_t)
|
||
|
ifdef(`hostname.te', `can_exec(logrotate_t, hostname_exec_t)')
|
||
|
can_exec(logrotate_t,logfile)
|
||
|
allow logrotate_t net_conf_t:file { getattr read };
|
||
|
|
||
|
ifdef(`consoletype.te', `
|
||
|
can_exec(logrotate_t, consoletype_exec_t)
|
||
|
dontaudit consoletype_t logrotate_t:fd use;
|
||
|
')
|
||
|
|
||
|
allow logrotate_t syslogd_t:unix_dgram_socket sendto;
|
||
|
|
||
|
domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t)
|
||
|
|
||
|
# Supress libselinux initialization denials
|
||
|
dontaudit logrotate_t selinux_config_t:dir search;
|
||
|
dontaudit logrotate_t selinux_config_t:file { read getattr };
|
||
|
|
||
|
# Allow selinux_getenforce
|
||
|
allow logrotate_t security_t:dir search;
|
||
|
allow logrotate_t security_t:file { getattr read };
|