2021-01-13 20:20:47 +00:00
|
|
|
policy_module(logging, 1.32.3)
|
2005-04-26 17:00:25 +00:00
|
|
|
|
2005-06-07 14:27:19 +00:00
|
|
|
########################################
|
|
|
|
|
#
|
|
|
|
|
# Declarations
|
|
|
|
|
#
|
|
|
|
|
|
2005-04-14 20:18:17 +00:00
|
|
|
attribute logfile;
|
|
|
|
|
|
2005-10-25 20:06:27 +00:00
|
|
|
type auditctl_t;
|
2005-09-15 15:34:31 +00:00
|
|
|
type auditctl_exec_t;
|
2009-06-26 14:40:13 +00:00
|
|
|
init_system_domain(auditctl_t, auditctl_exec_t)
|
2005-09-15 15:34:31 +00:00
|
|
|
role system_r types auditctl_t;
|
|
|
|
|
|
2005-09-28 19:07:22 +00:00
|
|
|
type auditd_etc_t;
|
|
|
|
|
files_security_file(auditd_etc_t)
|
2005-09-15 15:34:31 +00:00
|
|
|
|
2005-09-28 19:07:22 +00:00
|
|
|
type auditd_log_t;
|
|
|
|
|
files_security_file(auditd_log_t)
|
2008-07-31 14:05:46 +00:00
|
|
|
files_security_mountpoint(auditd_log_t)
|
2005-06-07 14:27:19 +00:00
|
|
|
|
2011-04-14 15:36:56 +00:00
|
|
|
type audit_spool_t;
|
|
|
|
|
files_security_file(audit_spool_t)
|
|
|
|
|
files_security_mountpoint(audit_spool_t)
|
|
|
|
|
|
2005-06-07 14:27:19 +00:00
|
|
|
type auditd_t;
|
2006-10-04 17:25:34 +00:00
|
|
|
type auditd_exec_t;
|
2009-06-26 14:40:13 +00:00
|
|
|
init_daemon_domain(auditd_t, auditd_exec_t)
|
2005-06-07 14:27:19 +00:00
|
|
|
|
2008-09-18 13:20:57 +00:00
|
|
|
type auditd_initrc_exec_t;
|
|
|
|
|
init_script_file(auditd_initrc_exec_t)
|
|
|
|
|
|
2019-09-08 20:55:02 +00:00
|
|
|
type auditd_runtime_t alias auditd_var_run_t;
|
2020-06-27 21:11:48 +00:00
|
|
|
files_runtime_file(auditd_runtime_t)
|
2005-06-07 14:27:19 +00:00
|
|
|
|
2019-09-11 00:05:46 +00:00
|
|
|
type auditd_unit_t;
|
|
|
|
|
init_unit_file(auditd_unit_t)
|
|
|
|
|
|
2008-08-22 15:17:01 +00:00
|
|
|
type audisp_t;
|
|
|
|
|
type audisp_exec_t;
|
|
|
|
|
init_system_domain(audisp_t, audisp_exec_t)
|
|
|
|
|
|
|
|
|
|
type audisp_remote_t;
|
|
|
|
|
type audisp_remote_exec_t;
|
|
|
|
|
logging_dispatcher_domain(audisp_remote_t, audisp_remote_exec_t)
|
|
|
|
|
|
2019-09-11 00:05:46 +00:00
|
|
|
type audisp_runtime_t alias audisp_var_run_t;
|
2020-06-27 21:11:48 +00:00
|
|
|
files_runtime_file(audisp_runtime_t)
|
2019-09-11 00:05:46 +00:00
|
|
|
|
2005-09-26 20:26:32 +00:00
|
|
|
type devlog_t;
|
2005-06-29 14:26:41 +00:00
|
|
|
files_type(devlog_t)
|
2005-09-26 20:26:32 +00:00
|
|
|
mls_trusted_object(devlog_t)
|
2005-04-19 20:44:52 +00:00
|
|
|
|
2005-09-26 20:26:32 +00:00
|
|
|
type klogd_t;
|
2005-04-19 20:44:52 +00:00
|
|
|
type klogd_exec_t;
|
2009-06-26 14:40:13 +00:00
|
|
|
init_daemon_domain(klogd_t, klogd_exec_t)
|
2005-04-19 20:44:52 +00:00
|
|
|
|
2019-09-08 20:55:02 +00:00
|
|
|
type klogd_runtime_t alias klogd_var_run_t;
|
2020-06-27 21:11:48 +00:00
|
|
|
files_runtime_file(klogd_runtime_t)
|
2005-04-19 20:44:52 +00:00
|
|
|
|
2019-09-11 00:05:46 +00:00
|
|
|
type klogd_tmp_t;
|
|
|
|
|
files_tmp_file(klogd_tmp_t)
|
|
|
|
|
|
2007-11-05 19:35:08 +00:00
|
|
|
type syslog_conf_t;
|
2011-04-14 15:36:56 +00:00
|
|
|
files_config_file(syslog_conf_t)
|
2007-11-05 19:35:08 +00:00
|
|
|
|
2005-04-19 20:44:52 +00:00
|
|
|
type syslogd_t;
|
|
|
|
|
type syslogd_exec_t;
|
2009-06-26 14:40:13 +00:00
|
|
|
init_daemon_domain(syslogd_t, syslogd_exec_t)
|
2019-09-08 20:55:02 +00:00
|
|
|
init_named_socket_activation(syslogd_t, syslogd_runtime_t)
|
2016-04-06 21:53:20 +00:00
|
|
|
mls_trusted_socket(syslogd_t)
|
2005-04-19 20:44:52 +00:00
|
|
|
|
2008-09-18 13:20:57 +00:00
|
|
|
type syslogd_initrc_exec_t;
|
|
|
|
|
init_script_file(syslogd_initrc_exec_t)
|
|
|
|
|
|
2019-09-11 00:05:46 +00:00
|
|
|
type syslogd_runtime_t alias syslogd_var_run_t;
|
2020-06-27 21:11:48 +00:00
|
|
|
files_runtime_file(syslogd_runtime_t)
|
2019-09-11 00:05:46 +00:00
|
|
|
|
2005-04-19 20:44:52 +00:00
|
|
|
type syslogd_tmp_t;
|
2005-06-13 17:35:46 +00:00
|
|
|
files_tmp_file(syslogd_tmp_t)
|
2005-04-19 20:44:52 +00:00
|
|
|
|
2015-10-20 18:33:56 +00:00
|
|
|
type syslogd_unit_t;
|
|
|
|
|
init_unit_file(syslogd_unit_t)
|
|
|
|
|
|
2007-11-05 19:35:08 +00:00
|
|
|
type syslogd_var_lib_t;
|
|
|
|
|
files_type(syslogd_var_lib_t)
|
|
|
|
|
|
2005-11-01 15:45:00 +00:00
|
|
|
type var_log_t;
|
|
|
|
|
logging_log_file(var_log_t)
|
2006-12-04 20:10:56 +00:00
|
|
|
files_mountpoint(var_log_t)
|
2005-04-19 20:44:52 +00:00
|
|
|
|
2006-10-04 17:25:34 +00:00
|
|
|
ifdef(`enable_mls',`
|
2008-08-22 15:17:01 +00:00
|
|
|
init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
|
|
|
|
|
init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
|
2006-10-04 17:25:34 +00:00
|
|
|
')
|
|
|
|
|
|
2005-06-07 14:27:19 +00:00
|
|
|
########################################
|
|
|
|
|
#
|
2007-09-12 14:53:39 +00:00
|
|
|
# Auditctl local policy
|
2005-06-07 14:27:19 +00:00
|
|
|
#
|
|
|
|
|
|
2017-02-15 23:47:33 +00:00
|
|
|
allow auditctl_t self:capability { dac_override dac_read_search fsetid };
|
2017-01-05 10:53:06 +00:00
|
|
|
allow auditctl_t self:process getcap;
|
2007-11-05 19:35:08 +00:00
|
|
|
allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
|
2005-09-15 15:34:31 +00:00
|
|
|
|
2009-06-26 14:40:13 +00:00
|
|
|
read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
|
2006-12-12 20:08:08 +00:00
|
|
|
allow auditctl_t auditd_etc_t:dir list_dir_perms;
|
2017-09-12 02:40:46 +00:00
|
|
|
dontaudit auditctl_t auditd_etc_t:file map;
|
2005-09-15 15:34:31 +00:00
|
|
|
|
2018-12-07 00:20:11 +00:00
|
|
|
corecmd_search_bin(auditctl_t)
|
|
|
|
|
|
2006-05-17 14:50:31 +00:00
|
|
|
# Needed for adding watches
|
|
|
|
|
files_getattr_all_dirs(auditctl_t)
|
2007-09-12 14:53:39 +00:00
|
|
|
files_getattr_all_files(auditctl_t)
|
2006-05-17 14:50:31 +00:00
|
|
|
files_read_etc_files(auditctl_t)
|
|
|
|
|
|
2006-01-31 16:49:43 +00:00
|
|
|
kernel_read_kernel_sysctls(auditctl_t)
|
2005-12-06 15:23:59 +00:00
|
|
|
kernel_read_proc_symlinks(auditctl_t)
|
2010-03-17 18:40:06 +00:00
|
|
|
kernel_setsched(auditctl_t)
|
2005-09-15 15:34:31 +00:00
|
|
|
|
2005-12-06 15:23:59 +00:00
|
|
|
domain_read_all_domains_state(auditctl_t)
|
2006-02-20 21:33:25 +00:00
|
|
|
domain_use_interactive_fds(auditctl_t)
|
2005-09-15 15:34:31 +00:00
|
|
|
|
2007-08-20 18:26:08 +00:00
|
|
|
mls_file_read_all_levels(auditctl_t)
|
2006-01-06 22:51:40 +00:00
|
|
|
|
2006-02-13 22:05:08 +00:00
|
|
|
term_use_all_terms(auditctl_t)
|
|
|
|
|
|
2006-03-02 23:41:11 +00:00
|
|
|
init_dontaudit_use_fds(auditctl_t)
|
2005-09-15 15:34:31 +00:00
|
|
|
|
2007-11-05 19:35:08 +00:00
|
|
|
logging_set_audit_parameters(auditctl_t)
|
2005-10-24 00:54:39 +00:00
|
|
|
logging_send_syslog_msg(auditctl_t)
|
|
|
|
|
|
2017-08-13 23:52:16 +00:00
|
|
|
miscfiles_read_localization(auditctl_t)
|
|
|
|
|
|
2015-10-20 18:48:38 +00:00
|
|
|
ifdef(`init_systemd',`
|
|
|
|
|
init_rw_stream_sockets(auditctl_t)
|
|
|
|
|
')
|
|
|
|
|
|
2017-02-18 14:39:01 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
locallogin_dontaudit_use_fds(auditctl_t)
|
|
|
|
|
')
|
|
|
|
|
|
2005-09-15 15:34:31 +00:00
|
|
|
########################################
|
|
|
|
|
#
|
|
|
|
|
# Auditd local policy
|
|
|
|
|
#
|
|
|
|
|
|
2007-11-05 19:35:08 +00:00
|
|
|
allow auditd_t self:capability { chown fsetid sys_nice sys_resource };
|
2005-06-07 14:27:19 +00:00
|
|
|
dontaudit auditd_t self:capability sys_tty_config;
|
2010-03-17 18:40:06 +00:00
|
|
|
allow auditd_t self:process { getcap signal_perms setcap setpgid setsched };
|
2008-10-16 16:09:20 +00:00
|
|
|
allow auditd_t self:file rw_file_perms;
|
2005-09-15 15:34:31 +00:00
|
|
|
allow auditd_t self:unix_dgram_socket create_socket_perms;
|
2010-03-17 18:40:06 +00:00
|
|
|
allow auditd_t self:fifo_file rw_fifo_file_perms;
|
2008-10-09 18:06:24 +00:00
|
|
|
allow auditd_t self:tcp_socket create_stream_socket_perms;
|
2005-09-15 15:34:31 +00:00
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow auditd_t auditd_etc_t:dir list_dir_perms;
|
2007-10-09 17:29:48 +00:00
|
|
|
allow auditd_t auditd_etc_t:file read_file_perms;
|
2017-09-12 02:40:46 +00:00
|
|
|
dontaudit auditd_t auditd_etc_t:file map;
|
2005-06-07 14:27:19 +00:00
|
|
|
|
2009-06-26 14:40:13 +00:00
|
|
|
manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
|
2017-01-05 10:53:06 +00:00
|
|
|
allow auditd_t auditd_log_t:dir setattr;
|
2009-06-26 14:40:13 +00:00
|
|
|
manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
|
2006-12-12 20:08:08 +00:00
|
|
|
allow auditd_t var_log_t:dir search_dir_perms;
|
2005-06-07 14:27:19 +00:00
|
|
|
|
2019-09-08 20:55:02 +00:00
|
|
|
manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
|
|
|
|
|
manage_sock_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
files_runtime_filetrans(auditd_t, auditd_runtime_t, { file sock_file })
|
2005-06-07 14:27:19 +00:00
|
|
|
|
2006-01-31 16:49:43 +00:00
|
|
|
kernel_read_kernel_sysctls(auditd_t)
|
2006-06-07 17:43:10 +00:00
|
|
|
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
|
|
|
|
|
# Probably want a transition, and a new auditd_helper app
|
|
|
|
|
kernel_read_system_state(auditd_t)
|
2005-06-16 20:33:51 +00:00
|
|
|
|
2005-06-14 19:56:46 +00:00
|
|
|
dev_read_sysfs(auditd_t)
|
2005-06-07 14:27:19 +00:00
|
|
|
|
2005-06-10 01:01:13 +00:00
|
|
|
fs_getattr_all_fs(auditd_t)
|
2005-06-27 16:30:55 +00:00
|
|
|
fs_search_auto_mountpoints(auditd_t)
|
2008-10-09 18:06:24 +00:00
|
|
|
fs_rw_anon_inodefs_files(auditd_t)
|
2005-06-07 14:27:19 +00:00
|
|
|
|
2006-10-31 21:01:48 +00:00
|
|
|
selinux_search_fs(auditctl_t)
|
|
|
|
|
|
2008-10-09 18:06:24 +00:00
|
|
|
corenet_all_recvfrom_netlabel(auditd_t)
|
|
|
|
|
corenet_tcp_sendrecv_generic_if(auditd_t)
|
2009-01-09 19:48:02 +00:00
|
|
|
corenet_tcp_sendrecv_generic_node(auditd_t)
|
|
|
|
|
corenet_tcp_bind_generic_node(auditd_t)
|
2008-10-09 18:06:24 +00:00
|
|
|
corenet_tcp_bind_audit_port(auditd_t)
|
|
|
|
|
corenet_sendrecv_audit_server_packets(auditd_t)
|
|
|
|
|
|
2006-06-07 17:43:10 +00:00
|
|
|
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
|
|
|
|
|
# Probably want a transition, and a new auditd_helper app
|
|
|
|
|
corecmd_exec_bin(auditd_t)
|
2006-07-28 15:13:58 +00:00
|
|
|
corecmd_exec_shell(auditd_t)
|
2005-06-07 14:27:19 +00:00
|
|
|
|
2006-02-20 21:33:25 +00:00
|
|
|
domain_use_interactive_fds(auditd_t)
|
2005-06-07 14:27:19 +00:00
|
|
|
|
2005-06-29 14:26:41 +00:00
|
|
|
files_read_etc_files(auditd_t)
|
2005-09-05 18:17:17 +00:00
|
|
|
files_list_usr(auditd_t)
|
2005-06-07 14:27:19 +00:00
|
|
|
|
2007-03-20 18:47:18 +00:00
|
|
|
init_telinit(auditd_t)
|
2005-10-13 20:59:36 +00:00
|
|
|
|
2007-11-05 19:35:08 +00:00
|
|
|
logging_set_audit_parameters(auditd_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
logging_send_syslog_msg(auditd_t)
|
2008-08-22 15:17:01 +00:00
|
|
|
logging_domtrans_dispatcher(auditd_t)
|
|
|
|
|
logging_signal_dispatcher(auditd_t)
|
2005-06-07 14:27:19 +00:00
|
|
|
|
|
|
|
|
miscfiles_read_localization(auditd_t)
|
|
|
|
|
|
2007-08-20 18:26:08 +00:00
|
|
|
mls_file_read_all_levels(auditd_t)
|
|
|
|
|
mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
|
2005-10-24 00:54:39 +00:00
|
|
|
|
|
|
|
|
seutil_dontaudit_read_config(auditd_t)
|
2005-09-26 20:26:32 +00:00
|
|
|
|
2008-08-22 15:17:01 +00:00
|
|
|
sysnet_dns_name_resolve(auditd_t)
|
|
|
|
|
|
2008-11-05 16:10:46 +00:00
|
|
|
userdom_use_user_terminals(auditd_t)
|
2006-02-20 21:33:25 +00:00
|
|
|
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
|
2008-11-05 16:10:46 +00:00
|
|
|
userdom_dontaudit_search_user_home_dirs(auditd_t)
|
2005-10-26 16:00:13 +00:00
|
|
|
|
2008-02-05 18:24:43 +00:00
|
|
|
ifdef(`distro_ubuntu',`
|
|
|
|
|
optional_policy(`
|
|
|
|
|
unconfined_domain(auditd_t)
|
|
|
|
|
')
|
|
|
|
|
')
|
|
|
|
|
|
2008-08-22 15:17:01 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
mta_send_mail(auditd_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-06-29 14:26:41 +00:00
|
|
|
seutil_sigchld_newrole(auditd_t)
|
2005-06-07 14:27:19 +00:00
|
|
|
')
|
|
|
|
|
|
2020-01-22 12:35:42 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
init_list_unit_dirs(auditd_t)
|
|
|
|
|
systemd_start_power_units(auditd_t)
|
|
|
|
|
systemd_status_power_units(auditd_t)
|
|
|
|
|
')
|
|
|
|
|
|
2008-08-22 15:17:01 +00:00
|
|
|
########################################
|
|
|
|
|
#
|
|
|
|
|
# audit dispatcher local policy
|
|
|
|
|
#
|
|
|
|
|
|
2010-03-17 18:40:06 +00:00
|
|
|
allow audisp_t self:capability { dac_override setpcap sys_nice };
|
|
|
|
|
allow audisp_t self:process { getcap signal_perms setcap setsched };
|
|
|
|
|
allow audisp_t self:fifo_file rw_fifo_file_perms;
|
2008-08-22 15:17:01 +00:00
|
|
|
allow audisp_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
|
allow audisp_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
|
|
2008-10-16 16:09:20 +00:00
|
|
|
allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
|
2008-08-22 15:17:01 +00:00
|
|
|
|
2019-09-08 20:55:02 +00:00
|
|
|
manage_sock_files_pattern(audisp_t, audisp_runtime_t, audisp_runtime_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
files_runtime_filetrans(audisp_t, audisp_runtime_t, sock_file)
|
2008-08-22 15:17:01 +00:00
|
|
|
|
2011-02-16 06:29:17 +00:00
|
|
|
kernel_read_system_state(audisp_t)
|
|
|
|
|
|
2010-03-17 18:40:06 +00:00
|
|
|
corecmd_exec_bin(audisp_t)
|
|
|
|
|
corecmd_exec_shell(audisp_t)
|
2008-08-22 15:17:01 +00:00
|
|
|
|
|
|
|
|
domain_use_interactive_fds(audisp_t)
|
|
|
|
|
|
2018-02-15 22:10:34 +00:00
|
|
|
files_map_etc_files(audisp_t)
|
2008-08-22 15:17:01 +00:00
|
|
|
files_read_etc_files(audisp_t)
|
2010-03-17 18:40:06 +00:00
|
|
|
files_read_etc_runtime_files(audisp_t)
|
2008-08-22 15:17:01 +00:00
|
|
|
|
|
|
|
|
mls_file_write_all_levels(audisp_t)
|
|
|
|
|
|
|
|
|
|
logging_send_syslog_msg(audisp_t)
|
|
|
|
|
|
|
|
|
|
miscfiles_read_localization(audisp_t)
|
|
|
|
|
|
2008-10-09 18:06:24 +00:00
|
|
|
sysnet_dns_name_resolve(audisp_t)
|
|
|
|
|
|
2010-03-17 18:40:06 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
dbus_system_bus_client(audisp_t)
|
|
|
|
|
')
|
|
|
|
|
|
2008-08-22 15:17:01 +00:00
|
|
|
########################################
|
|
|
|
|
#
|
|
|
|
|
# Audit remote logger local policy
|
|
|
|
|
#
|
|
|
|
|
|
2017-02-15 23:47:33 +00:00
|
|
|
allow audisp_remote_t self:capability { setpcap setuid };
|
2011-04-14 15:36:56 +00:00
|
|
|
allow audisp_remote_t self:process { getcap setcap };
|
2008-08-22 15:17:01 +00:00
|
|
|
allow audisp_remote_t self:tcp_socket create_socket_perms;
|
2011-04-14 15:36:56 +00:00
|
|
|
allow audisp_remote_t var_log_t:dir search_dir_perms;
|
|
|
|
|
|
|
|
|
|
manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
|
|
|
|
|
manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
|
|
|
|
|
files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
|
|
|
|
|
|
|
|
|
|
corecmd_exec_bin(audisp_remote_t)
|
2008-08-22 15:17:01 +00:00
|
|
|
|
|
|
|
|
corenet_all_recvfrom_netlabel(audisp_remote_t)
|
2009-01-06 20:24:10 +00:00
|
|
|
corenet_tcp_sendrecv_generic_if(audisp_remote_t)
|
2009-01-09 19:48:02 +00:00
|
|
|
corenet_tcp_sendrecv_generic_node(audisp_remote_t)
|
2010-03-17 18:40:06 +00:00
|
|
|
corenet_tcp_bind_audit_port(audisp_remote_t)
|
|
|
|
|
corenet_tcp_bind_generic_node(audisp_remote_t)
|
2008-10-09 18:06:24 +00:00
|
|
|
corenet_tcp_connect_audit_port(audisp_remote_t)
|
|
|
|
|
corenet_sendrecv_audit_client_packets(audisp_remote_t)
|
2008-08-22 15:17:01 +00:00
|
|
|
|
|
|
|
|
files_read_etc_files(audisp_remote_t)
|
|
|
|
|
|
|
|
|
|
logging_send_syslog_msg(audisp_remote_t)
|
2011-04-14 15:36:56 +00:00
|
|
|
logging_send_audit_msgs(audisp_remote_t)
|
2008-08-22 15:17:01 +00:00
|
|
|
|
|
|
|
|
miscfiles_read_localization(audisp_remote_t)
|
|
|
|
|
|
|
|
|
|
sysnet_dns_name_resolve(audisp_remote_t)
|
|
|
|
|
|
2005-04-19 20:44:52 +00:00
|
|
|
########################################
|
|
|
|
|
#
|
|
|
|
|
# klogd local policy
|
|
|
|
|
#
|
|
|
|
|
|
2005-11-10 21:37:54 +00:00
|
|
|
allow klogd_t self:capability sys_admin;
|
|
|
|
|
dontaudit klogd_t self:capability { sys_resource sys_tty_config };
|
|
|
|
|
allow klogd_t self:process signal_perms;
|
|
|
|
|
|
2009-06-26 14:40:13 +00:00
|
|
|
manage_dirs_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t)
|
|
|
|
|
manage_files_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t)
|
|
|
|
|
files_tmp_filetrans(klogd_t, klogd_tmp_t,{ file dir })
|
2005-05-19 21:06:06 +00:00
|
|
|
|
2019-09-08 20:55:02 +00:00
|
|
|
manage_files_pattern(klogd_t, klogd_runtime_t, klogd_runtime_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
files_runtime_filetrans(klogd_t, klogd_runtime_t, file)
|
2005-04-19 20:44:52 +00:00
|
|
|
|
|
|
|
|
kernel_read_system_state(klogd_t)
|
2005-04-25 19:54:27 +00:00
|
|
|
kernel_read_messages(klogd_t)
|
2006-01-31 16:49:43 +00:00
|
|
|
kernel_read_kernel_sysctls(klogd_t)
|
2005-04-25 19:54:27 +00:00
|
|
|
# Control syslog and console logging
|
|
|
|
|
kernel_clear_ring_buffer(klogd_t)
|
|
|
|
|
kernel_change_ring_buffer_level(klogd_t)
|
|
|
|
|
|
2006-03-02 23:41:11 +00:00
|
|
|
files_read_kernel_symbol_table(klogd_t)
|
2005-04-19 20:44:52 +00:00
|
|
|
|
Make raw memory access tunable
Modern systems shouldn't need direct access to raw memory
devices (/dev/mem, /dev/kmem, /dev/mergemem, dev/oldmem, /dev/port)
anymore, so let's remove the access in most cases and make it tunable
in the rest.
Add dev_read_raw_memory_cond(), dev_write_raw_memory_cond() and
dev_wx_raw_memory_cond(), which are conditional to new boolean
allow_raw_memory_access.
Remove raw memory access for a few domains that should never have
needed it (colord_t, iscsid_t, mdamd_t, txtstat_t), should not need it
anymore (dmidecode_t, Debian devicekit_diskt_t, hald_t, hald_mac_t,
xserver_t) or the domains that should transition to different domain
for this (rpm_t, kudzu_t, dpkg_t).
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-02-22 15:49:24 +00:00
|
|
|
dev_read_raw_memory_cond(klogd_t, allow_raw_memory_access)
|
2005-10-26 18:07:20 +00:00
|
|
|
dev_read_sysfs(klogd_t)
|
2005-04-19 20:44:52 +00:00
|
|
|
|
2005-06-10 01:01:13 +00:00
|
|
|
fs_getattr_all_fs(klogd_t)
|
2005-10-26 18:07:20 +00:00
|
|
|
fs_search_auto_mountpoints(klogd_t)
|
2005-04-19 20:44:52 +00:00
|
|
|
|
2006-02-20 21:33:25 +00:00
|
|
|
domain_use_interactive_fds(klogd_t)
|
2005-10-25 19:20:56 +00:00
|
|
|
|
2005-06-13 17:35:46 +00:00
|
|
|
files_read_etc_runtime_files(klogd_t)
|
2005-04-19 20:44:52 +00:00
|
|
|
# read /etc/nsswitch.conf
|
2005-06-29 14:26:41 +00:00
|
|
|
files_read_etc_files(klogd_t)
|
2005-04-19 20:44:52 +00:00
|
|
|
|
2005-06-13 17:35:46 +00:00
|
|
|
logging_send_syslog_msg(klogd_t)
|
2005-04-19 20:44:52 +00:00
|
|
|
|
2005-05-19 21:06:06 +00:00
|
|
|
miscfiles_read_localization(klogd_t)
|
|
|
|
|
|
2007-08-20 18:26:08 +00:00
|
|
|
mls_file_read_all_levels(klogd_t)
|
2006-01-06 22:51:40 +00:00
|
|
|
|
2008-11-05 16:10:46 +00:00
|
|
|
userdom_dontaudit_search_user_home_dirs(klogd_t)
|
2005-11-08 22:00:30 +00:00
|
|
|
|
2008-02-05 18:24:43 +00:00
|
|
|
ifdef(`distro_ubuntu',`
|
|
|
|
|
optional_policy(`
|
|
|
|
|
unconfined_domain(klogd_t)
|
|
|
|
|
')
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-11-08 22:00:30 +00:00
|
|
|
seutil_sigchld_newrole(klogd_t)
|
|
|
|
|
')
|
|
|
|
|
|
2005-04-19 20:44:52 +00:00
|
|
|
########################################
|
|
|
|
|
#
|
|
|
|
|
# syslogd local policy
|
|
|
|
|
#
|
2005-04-25 19:54:27 +00:00
|
|
|
|
2006-08-18 18:20:22 +00:00
|
|
|
# chown fsetid for syslog-ng
|
|
|
|
|
# sys_admin for the integrated klog of syslog-ng and metalog
|
2013-01-12 21:32:24 +00:00
|
|
|
# sys_nice for rsyslog
|
2005-09-13 13:06:07 +00:00
|
|
|
# cjp: why net_admin!
|
2017-02-18 14:39:01 +00:00
|
|
|
allow syslogd_t self:capability { chown dac_override fsetid net_admin setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
|
|
|
|
|
dontaudit syslogd_t self:capability { sys_ptrace };
|
2006-08-18 18:20:22 +00:00
|
|
|
# setpgid for metalog
|
2010-04-16 06:29:10 +00:00
|
|
|
# setrlimit for syslog-ng
|
2012-05-01 08:13:14 +00:00
|
|
|
# getsched for syslog-ng
|
2013-01-12 21:32:24 +00:00
|
|
|
# setsched for rsyslog
|
2013-11-13 14:26:38 +00:00
|
|
|
# getcap/setcap for syslog-ng
|
2013-10-21 18:52:05 +00:00
|
|
|
allow syslogd_t self:process { getcap setcap signal_perms setpgid setrlimit getsched setsched };
|
2005-05-31 23:02:11 +00:00
|
|
|
# receive messages to be logged
|
2005-06-09 18:08:26 +00:00
|
|
|
allow syslogd_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
|
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
|
2005-05-31 23:02:11 +00:00
|
|
|
allow syslogd_t self:unix_dgram_socket sendto;
|
2010-03-17 18:40:06 +00:00
|
|
|
allow syslogd_t self:fifo_file rw_fifo_file_perms;
|
2006-05-29 15:04:49 +00:00
|
|
|
allow syslogd_t self:udp_socket create_socket_perms;
|
2007-02-23 20:19:29 +00:00
|
|
|
allow syslogd_t self:tcp_socket create_stream_socket_perms;
|
2005-04-25 19:54:27 +00:00
|
|
|
|
2007-11-05 19:35:08 +00:00
|
|
|
allow syslogd_t syslog_conf_t:file read_file_perms;
|
2017-09-09 02:30:37 +00:00
|
|
|
allow syslogd_t syslog_conf_t:dir list_dir_perms;
|
2007-11-05 19:35:08 +00:00
|
|
|
|
2005-09-15 15:34:31 +00:00
|
|
|
# Create and bind to /dev/log or /var/run/log.
|
2006-12-12 20:08:08 +00:00
|
|
|
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
|
2020-06-27 21:11:48 +00:00
|
|
|
files_runtime_filetrans(syslogd_t, devlog_t, sock_file)
|
|
|
|
|
init_runtime_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
|
2005-09-15 15:34:31 +00:00
|
|
|
|
2005-04-27 21:56:41 +00:00
|
|
|
# create/append log files.
|
2009-06-26 14:40:13 +00:00
|
|
|
manage_files_pattern(syslogd_t, var_log_t, var_log_t)
|
2017-05-24 19:40:18 +00:00
|
|
|
allow syslogd_t var_log_t:file map;
|
2009-06-26 14:40:13 +00:00
|
|
|
rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
|
2013-01-12 21:32:24 +00:00
|
|
|
files_search_spool(syslogd_t)
|
2007-09-12 14:53:39 +00:00
|
|
|
|
2005-09-15 15:34:31 +00:00
|
|
|
# Allow access for syslog-ng
|
|
|
|
|
allow syslogd_t var_log_t:dir { create setattr };
|
2005-04-19 20:44:52 +00:00
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
# for systemd but can not be conditional
|
2020-06-27 21:11:48 +00:00
|
|
|
files_runtime_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
|
2017-02-24 01:03:23 +00:00
|
|
|
|
2005-04-27 21:56:41 +00:00
|
|
|
# manage temporary files
|
2009-06-26 14:40:13 +00:00
|
|
|
manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
|
|
|
|
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
2018-02-15 22:10:34 +00:00
|
|
|
allow syslogd_t syslogd_tmp_t:file map;
|
|
|
|
|
|
2009-06-26 14:40:13 +00:00
|
|
|
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
|
2005-05-31 21:25:45 +00:00
|
|
|
|
2007-11-05 19:35:08 +00:00
|
|
|
manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
|
2017-09-15 17:16:13 +00:00
|
|
|
allow syslogd_t syslogd_var_lib_t:file map;
|
2007-11-05 19:35:08 +00:00
|
|
|
files_search_var_lib(syslogd_t)
|
|
|
|
|
|
2019-11-23 15:26:50 +00:00
|
|
|
# manage runtime files
|
2019-09-08 20:55:02 +00:00
|
|
|
allow syslogd_t syslogd_runtime_t:dir create_dir_perms;
|
2020-03-15 13:59:58 +00:00
|
|
|
allow syslogd_t syslogd_runtime_t:sock_file { create setattr unlink };
|
2019-11-23 15:26:50 +00:00
|
|
|
allow syslogd_t syslogd_runtime_t:file map;
|
|
|
|
|
manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file)
|
2019-11-17 04:48:46 +00:00
|
|
|
|
2018-04-16 20:08:55 +00:00
|
|
|
kernel_read_crypto_sysctls(syslogd_t)
|
2008-08-22 15:17:01 +00:00
|
|
|
kernel_read_system_state(syslogd_t)
|
2013-01-12 21:32:24 +00:00
|
|
|
kernel_read_network_state(syslogd_t)
|
2006-01-31 16:49:43 +00:00
|
|
|
kernel_read_kernel_sysctls(syslogd_t)
|
2005-07-08 20:44:57 +00:00
|
|
|
kernel_read_proc_symlinks(syslogd_t)
|
2005-09-15 15:34:31 +00:00
|
|
|
# Allow access to /proc/kmsg for syslog-ng
|
2005-11-09 15:51:22 +00:00
|
|
|
kernel_read_messages(syslogd_t)
|
2015-12-16 18:19:30 +00:00
|
|
|
# rsyslog
|
|
|
|
|
kernel_read_vm_overcommit_sysctl(syslogd_t)
|
2005-11-09 15:51:22 +00:00
|
|
|
kernel_clear_ring_buffer(syslogd_t)
|
|
|
|
|
kernel_change_ring_buffer_level(syslogd_t)
|
2014-09-12 13:54:11 +00:00
|
|
|
# Read ring buffer for journald
|
2014-09-07 21:28:14 +00:00
|
|
|
kernel_read_ring_buffer(syslogd_t)
|
2014-01-16 16:24:25 +00:00
|
|
|
# /initrd is not umounted before minilog starts
|
|
|
|
|
kernel_dontaudit_search_unlabeled(syslogd_t)
|
2005-04-25 19:54:27 +00:00
|
|
|
|
2007-06-27 15:23:21 +00:00
|
|
|
corenet_all_recvfrom_netlabel(syslogd_t)
|
2009-01-06 20:24:10 +00:00
|
|
|
corenet_udp_sendrecv_generic_if(syslogd_t)
|
2009-01-09 19:48:02 +00:00
|
|
|
corenet_udp_sendrecv_generic_node(syslogd_t)
|
|
|
|
|
corenet_udp_bind_generic_node(syslogd_t)
|
2006-01-25 15:53:35 +00:00
|
|
|
corenet_udp_bind_syslogd_port(syslogd_t)
|
2007-02-16 23:01:42 +00:00
|
|
|
# syslog-ng can listen and connect on tcp port 514 (rsh)
|
2009-01-06 20:24:10 +00:00
|
|
|
corenet_tcp_sendrecv_generic_if(syslogd_t)
|
2009-01-09 19:48:02 +00:00
|
|
|
corenet_tcp_sendrecv_generic_node(syslogd_t)
|
|
|
|
|
corenet_tcp_bind_generic_node(syslogd_t)
|
2007-02-16 23:01:42 +00:00
|
|
|
corenet_tcp_bind_rsh_port(syslogd_t)
|
|
|
|
|
corenet_tcp_connect_rsh_port(syslogd_t)
|
2007-03-22 14:33:00 +00:00
|
|
|
# Allow users to define additional syslog ports to connect to
|
|
|
|
|
corenet_tcp_bind_syslogd_port(syslogd_t)
|
|
|
|
|
corenet_tcp_connect_syslogd_port(syslogd_t)
|
2008-08-22 15:17:01 +00:00
|
|
|
corenet_tcp_connect_postgresql_port(syslogd_t)
|
|
|
|
|
corenet_tcp_connect_mysqld_port(syslogd_t)
|
2007-02-16 23:01:42 +00:00
|
|
|
|
2006-05-29 15:04:49 +00:00
|
|
|
# syslog-ng can send or receive logs
|
|
|
|
|
corenet_sendrecv_syslogd_client_packets(syslogd_t)
|
|
|
|
|
corenet_sendrecv_syslogd_server_packets(syslogd_t)
|
2008-08-22 15:17:01 +00:00
|
|
|
corenet_sendrecv_postgresql_client_packets(syslogd_t)
|
|
|
|
|
corenet_sendrecv_mysqld_client_packets(syslogd_t)
|
2005-04-25 19:54:27 +00:00
|
|
|
|
2009-06-26 14:40:13 +00:00
|
|
|
dev_filetrans(syslogd_t, devlog_t, sock_file)
|
2008-08-22 15:17:01 +00:00
|
|
|
dev_read_sysfs(syslogd_t)
|
2016-12-04 16:42:52 +00:00
|
|
|
dev_read_urand(syslogd_t)
|
2014-09-07 21:28:14 +00:00
|
|
|
# Allow access to /dev/kmsg for journald
|
|
|
|
|
dev_rw_kmsg(syslogd_t)
|
2005-04-27 21:56:41 +00:00
|
|
|
|
2006-02-20 21:33:25 +00:00
|
|
|
domain_use_interactive_fds(syslogd_t)
|
2014-09-07 21:28:15 +00:00
|
|
|
# Allow access to /proc/ information for journald
|
|
|
|
|
domain_read_all_domains_state(syslogd_t)
|
2005-05-02 19:22:58 +00:00
|
|
|
|
2005-06-29 14:26:41 +00:00
|
|
|
files_read_etc_files(syslogd_t)
|
2008-08-22 15:17:01 +00:00
|
|
|
files_read_usr_files(syslogd_t)
|
2007-09-12 14:53:39 +00:00
|
|
|
files_read_var_files(syslogd_t)
|
2005-10-13 20:59:36 +00:00
|
|
|
files_read_etc_runtime_files(syslogd_t)
|
2005-09-15 15:34:31 +00:00
|
|
|
# /initrd is not umounted before minilog starts
|
2008-08-22 15:17:01 +00:00
|
|
|
files_read_kernel_symbol_table(syslogd_t)
|
2012-09-08 15:45:51 +00:00
|
|
|
files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
|
2008-08-22 15:17:01 +00:00
|
|
|
|
|
|
|
|
fs_getattr_all_fs(syslogd_t)
|
|
|
|
|
fs_search_auto_mountpoints(syslogd_t)
|
|
|
|
|
|
|
|
|
|
mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
|
|
|
|
|
|
|
|
|
|
term_write_console(syslogd_t)
|
|
|
|
|
# Allow syslog to a terminal
|
|
|
|
|
term_write_unallocated_ttys(syslogd_t)
|
|
|
|
|
|
|
|
|
|
# for sending messages to logged in users
|
|
|
|
|
init_read_utmp(syslogd_t)
|
|
|
|
|
init_dontaudit_write_utmp(syslogd_t)
|
2010-02-11 19:20:10 +00:00
|
|
|
term_write_all_ttys(syslogd_t)
|
2008-08-22 15:17:01 +00:00
|
|
|
|
|
|
|
|
auth_use_nsswitch(syslogd_t)
|
|
|
|
|
|
|
|
|
|
init_use_fds(syslogd_t)
|
2005-04-25 19:54:27 +00:00
|
|
|
|
2005-10-25 15:52:08 +00:00
|
|
|
# cjp: this doesnt make sense
|
|
|
|
|
logging_send_syslog_msg(syslogd_t)
|
|
|
|
|
|
2005-04-25 19:54:27 +00:00
|
|
|
miscfiles_read_localization(syslogd_t)
|
|
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
seutil_read_config(syslogd_t)
|
|
|
|
|
|
2006-02-20 21:33:25 +00:00
|
|
|
userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
|
2008-11-05 16:10:46 +00:00
|
|
|
userdom_dontaudit_search_user_home_dirs(syslogd_t)
|
2005-05-19 21:06:06 +00:00
|
|
|
|
2015-10-20 18:48:38 +00:00
|
|
|
ifdef(`init_systemd',`
|
2017-02-24 01:03:23 +00:00
|
|
|
# for systemd-journal
|
|
|
|
|
allow syslogd_t self:netlink_audit_socket connected_socket_perms;
|
|
|
|
|
allow syslogd_t self:capability2 audit_read;
|
|
|
|
|
allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
|
2020-08-13 09:08:43 +00:00
|
|
|
allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
|
2015-10-20 18:48:38 +00:00
|
|
|
|
2020-02-18 15:13:29 +00:00
|
|
|
# remove /run/log/journal when switching to permanent storage
|
|
|
|
|
allow syslogd_t var_log_t:dir rmdir;
|
|
|
|
|
|
2015-10-20 18:48:38 +00:00
|
|
|
kernel_getattr_dgram_sockets(syslogd_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
kernel_read_ring_buffer(syslogd_t)
|
2015-10-20 18:48:38 +00:00
|
|
|
kernel_rw_stream_sockets(syslogd_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
kernel_rw_unix_dgram_sockets(syslogd_t)
|
|
|
|
|
kernel_use_fds(syslogd_t)
|
|
|
|
|
|
|
|
|
|
dev_read_kmsg(syslogd_t)
|
|
|
|
|
dev_read_urand(syslogd_t)
|
|
|
|
|
dev_write_kmsg(syslogd_t)
|
2015-10-20 18:48:38 +00:00
|
|
|
|
2019-01-04 07:51:18 +00:00
|
|
|
domain_getattr_all_domains(syslogd_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
domain_read_all_domains_state(syslogd_t)
|
|
|
|
|
|
2019-01-11 20:07:57 +00:00
|
|
|
init_create_runtime_dirs(syslogd_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
init_daemon_runtime_file(syslogd_runtime_t, dir, "syslogd")
|
2019-01-04 07:51:18 +00:00
|
|
|
init_getattr(syslogd_t)
|
2019-01-11 20:07:57 +00:00
|
|
|
init_rename_runtime_files(syslogd_t)
|
|
|
|
|
init_delete_runtime_files(syslogd_t)
|
2015-10-20 18:48:38 +00:00
|
|
|
init_dgram_send(syslogd_t)
|
2019-01-11 20:07:57 +00:00
|
|
|
init_read_runtime_pipes(syslogd_t)
|
2019-01-05 21:45:46 +00:00
|
|
|
init_read_runtime_symlinks(syslogd_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
init_read_state(syslogd_t)
|
|
|
|
|
|
|
|
|
|
systemd_manage_journal_files(syslogd_t)
|
2015-10-20 18:48:38 +00:00
|
|
|
|
2020-06-27 21:11:48 +00:00
|
|
|
udev_read_runtime_files(syslogd_t)
|
2015-10-20 18:48:38 +00:00
|
|
|
')
|
|
|
|
|
|
2006-08-28 02:46:20 +00:00
|
|
|
ifdef(`distro_gentoo',`
|
|
|
|
|
# default gentoo syslog-ng config appends kernel
|
|
|
|
|
# and high priority messages to /dev/tty12
|
2014-09-07 21:28:16 +00:00
|
|
|
# and chown/chgrp/chmod /dev/tty12, which is denied
|
2006-08-28 02:46:20 +00:00
|
|
|
term_dontaudit_setattr_unallocated_ttys(syslogd_t)
|
|
|
|
|
')
|
|
|
|
|
|
2005-09-15 15:34:31 +00:00
|
|
|
ifdef(`distro_suse',`
|
2005-07-18 18:31:49 +00:00
|
|
|
# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
|
2009-06-26 14:40:13 +00:00
|
|
|
files_var_lib_filetrans(syslogd_t, devlog_t, sock_file)
|
2005-07-18 18:31:49 +00:00
|
|
|
')
|
|
|
|
|
|
2008-02-05 18:24:43 +00:00
|
|
|
ifdef(`distro_ubuntu',`
|
|
|
|
|
optional_policy(`
|
|
|
|
|
unconfined_domain(syslogd_t)
|
|
|
|
|
')
|
|
|
|
|
')
|
|
|
|
|
|
2010-03-17 18:40:06 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
bind_search_cache(syslogd_t)
|
|
|
|
|
')
|
|
|
|
|
|
2012-12-17 09:42:45 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
cron_manage_log_files(syslogd_t)
|
|
|
|
|
cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-09-08 13:23:11 +00:00
|
|
|
inn_manage_log(syslogd_t)
|
2012-10-31 16:05:09 +00:00
|
|
|
inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.crit")
|
|
|
|
|
inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.err")
|
|
|
|
|
inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.notice")
|
2005-09-08 13:23:11 +00:00
|
|
|
')
|
|
|
|
|
|
2010-03-17 18:40:06 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
mysql_stream_connect(syslogd_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2008-08-22 15:17:01 +00:00
|
|
|
postgresql_stream_connect(syslogd_t)
|
2005-10-13 20:59:36 +00:00
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-06-29 14:26:41 +00:00
|
|
|
seutil_sigchld_newrole(syslogd_t)
|
2005-05-02 19:22:58 +00:00
|
|
|
')
|
|
|
|
|
|
2006-04-06 19:27:41 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
# log to the xconsole
|
|
|
|
|
xserver_rw_console(syslogd_t)
|
|
|
|
|
')
|
