selinux-refpolicy/policy/modules/system/logging.if

1456 lines
30 KiB
Plaintext
Raw Normal View History

2005-06-01 14:17:43 +00:00
## <summary>Policy for the kernel message logger and system logging daemon.</summary>
2005-04-20 19:07:16 +00:00
########################################
2005-09-16 19:36:10 +00:00
## <summary>
## Make the specified type usable for log files
## in a filesystem.
2005-09-16 19:36:10 +00:00
## </summary>
## <desc>
## <p>
## Make the specified type usable for log files in a filesystem.
2016-12-06 12:28:10 +00:00
## This will also make the type usable for files, making
## calls to files_type() redundant. Failure to use this interface
## for a log file type may result in problems with log
## rotation, log analysis, and log monitoring programs.
## </p>
## <p>
## Related interfaces:
## </p>
## <ul>
## <li>logging_log_filetrans()</li>
## </ul>
## <p>
## Example usage with a domain that can create
## and append to a private log file stored in the
## general directories (e.g., /var/log):
## </p>
## <p>
## type mylogfile_t;
## logging_log_file(mylogfile_t)
## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
## logging_log_filetrans(mydomain_t, mylogfile_t, file)
## </p>
## </desc>
## <param name="type">
## <summary>
## Type to be used for files.
## </summary>
2005-09-16 19:36:10 +00:00
## </param>
## <infoflow type="none"/>
2005-04-14 20:18:17 +00:00
#
interface(`logging_log_file',`
2005-06-17 17:59:26 +00:00
gen_require(`
attribute logfile;
')
files_type($1)
2005-09-19 21:17:45 +00:00
files_associate_tmp($1)
2005-09-16 19:36:10 +00:00
fs_associate_tmpfs($1)
typeattribute $1 logfile;
2005-04-14 20:18:17 +00:00
')
#######################################
## <summary>
## Send audit messages.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logging_send_audit_msgs',`
allow $1 self:capability audit_write;
2007-11-05 19:35:08 +00:00
allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
')
#######################################
## <summary>
## dontaudit attempts to send audit messages.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
2007-11-05 19:35:08 +00:00
## </summary>
## </param>
#
interface(`logging_dontaudit_send_audit_msgs',`
dontaudit $1 self:capability audit_write;
dontaudit $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
')
########################################
## <summary>
## Set login uid
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logging_set_loginuid',`
allow $1 self:capability audit_control;
allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
')
2010-03-17 18:40:06 +00:00
########################################
## <summary>
## Set tty auditing
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logging_set_tty_audit',`
allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_tty_audit };
')
2007-11-05 19:35:08 +00:00
########################################
## <summary>
## Set up audit
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logging_set_audit_parameters',`
allow $1 self:capability { audit_control audit_write };
allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
')
2006-01-06 22:51:40 +00:00
########################################
## <summary>
## Read the audit log.
## </summary>
## <param name="domain">
## <summary>
2006-01-06 22:51:40 +00:00
## Domain allowed access.
## </summary>
2006-01-06 22:51:40 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2006-01-06 22:51:40 +00:00
#
interface(`logging_read_audit_log',`
gen_require(`
type auditd_log_t;
')
files_search_var($1)
2009-06-26 14:40:13 +00:00
read_files_pattern($1, auditd_log_t, auditd_log_t)
2006-12-12 20:08:08 +00:00
allow $1 auditd_log_t:dir list_dir_perms;
dontaudit $1 auditd_log_t:file map;
2006-01-06 22:51:40 +00:00
')
2005-10-26 16:00:13 +00:00
########################################
## <summary>
## Execute auditctl in the auditctl domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
2005-10-26 16:00:13 +00:00
## </param>
#
interface(`logging_domtrans_auditctl',`
gen_require(`
type auditctl_t, auditctl_exec_t;
')
2009-06-26 14:40:13 +00:00
domtrans_pattern($1, auditctl_exec_t, auditctl_t)
2005-10-26 16:00:13 +00:00
')
2006-04-03 19:49:47 +00:00
########################################
## <summary>
## Execute auditctl in the auditctl domain, and
## allow the specified role the auditctl domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
2006-04-03 19:49:47 +00:00
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
2006-04-03 19:49:47 +00:00
## </summary>
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2006-04-03 19:49:47 +00:00
#
interface(`logging_run_auditctl',`
gen_require(`
type auditctl_t;
')
logging_domtrans_auditctl($1)
role $2 types auditctl_t;
')
########################################
## <summary>
## Execute auditd in the auditd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`logging_domtrans_auditd',`
gen_require(`
type auditd_t, auditd_exec_t;
')
2009-06-26 14:40:13 +00:00
domtrans_pattern($1, auditd_exec_t, auditd_t)
')
########################################
## <summary>
## Execute auditd in the auditd domain, and
## allow the specified role the auditd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
#
interface(`logging_run_auditd',`
gen_require(`
type auditd_t;
')
logging_domtrans_auditd($1)
role $2 types auditd_t;
')
########################################
## <summary>
## Execute a domain transition to run the audit dispatcher.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`logging_domtrans_dispatcher',`
gen_require(`
type audisp_t, audisp_exec_t;
')
domtrans_pattern($1, audisp_exec_t, audisp_t)
')
########################################
## <summary>
## Signal the audit dispatcher.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logging_signal_dispatcher',`
gen_require(`
type audisp_t;
')
allow $1 audisp_t:process signal;
')
########################################
## <summary>
## Create a domain for processes
## which can be started by the system audit dispatcher
## </summary>
## <param name="domain">
## <summary>
## Type to be used as a domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
#
interface(`logging_dispatcher_domain',`
gen_require(`
type audisp_t;
role system_r;
')
domain_type($1)
domain_entry_file($1, $2)
role system_r types $1;
domtrans_pattern(audisp_t, $2, $1)
2008-09-18 13:20:57 +00:00
allow audisp_t $1:process { sigkill sigstop signull signal };
allow audisp_t $2:file getattr;
allow $1 audisp_t:unix_stream_socket rw_socket_perms;
')
########################################
## <summary>
## Connect to the audit dispatcher over an unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logging_stream_connect_dispatcher',`
gen_require(`
type audisp_t, audisp_runtime_t;
')
files_search_runtime($1)
stream_connect_pattern($1, audisp_runtime_t, audisp_runtime_t, audisp_t)
')
########################################
## <summary>
## Manage the auditd configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
#
interface(`logging_manage_audit_config',`
gen_require(`
type auditd_etc_t;
')
files_search_etc($1)
2009-06-26 14:40:13 +00:00
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
dontaudit $1 auditd_etc_t:file map;
')
########################################
## <summary>
## Manage the audit log.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
#
interface(`logging_manage_audit_log',`
gen_require(`
type auditd_log_t;
')
files_search_var($1)
2009-06-26 14:40:13 +00:00
manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
manage_files_pattern($1, auditd_log_t, auditd_log_t)
dontaudit $1 auditd_log_t:file map;
')
2007-09-12 14:53:39 +00:00
########################################
## <summary>
## Execute klogd in the klog domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
2007-09-12 14:53:39 +00:00
## </summary>
## </param>
#
interface(`logging_domtrans_klog',`
gen_require(`
type klogd_t, klogd_exec_t;
')
corecmd_search_bin($1)
2009-06-26 14:40:13 +00:00
domtrans_pattern($1, klogd_exec_t, klogd_t)
2007-09-12 14:53:39 +00:00
')
########################################
## <summary>
## Check if syslogd is executable.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logging_check_exec_syslog',`
gen_require(`
2008-09-03 15:37:24 +00:00
type syslogd_exec_t;
')
corecmd_list_bin($1)
allow $1 syslogd_exec_t:file execute;
')
########################################
## <summary>
## Execute syslogd in the syslog domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`logging_domtrans_syslog',`
gen_require(`
type syslogd_t, syslogd_exec_t;
')
2007-03-23 23:24:59 +00:00
corecmd_search_bin($1)
2009-06-26 14:40:13 +00:00
domtrans_pattern($1, syslogd_exec_t, syslogd_t)
ifdef(`enable_mls',`
range_transition $1 syslogd_exec_t:process mls_systemhigh;
')
')
########################################
## <summary>
## Allow specified domain to start/stop syslog units
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logging_startstop_syslog',`
gen_require(`
type syslogd_unit_t;
class service { start stop };
')
allow $1 syslogd_unit_t:service { start stop };
')
########################################
## <summary>
## Allow specified domain to check status of syslog unit
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logging_status_syslog',`
gen_require(`
type syslogd_unit_t;
class service status;
')
allow $1 syslogd_unit_t:service status;
')
########################################
## <summary>
## Set the attributes of syslog temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`logging_setattr_syslogd_tmp_files',`
gen_require(`
type syslogd_tmp_t;
')
allow $1 syslogd_tmp_t:file setattr;
')
########################################
## <summary>
## Allow the domain to create the audit socket
## for syslogd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logging_audit_socket_activation', `
gen_require(`
type syslogd_t;
')
allow $1 syslogd_t:netlink_audit_socket create_socket_perms;
')
########################################
## <summary>
## Relabel to and from syslog temporary file type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`logging_relabel_syslogd_tmp_files',`
gen_require(`
type syslogd_tmp_t;
')
allow $1 syslogd_tmp_t:file { relabelfrom relabelto };
')
########################################
## <summary>
## Set the attributes of syslog temporary directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`logging_setattr_syslogd_tmp_dirs',`
gen_require(`
type syslogd_tmp_t;
')
allow $1 syslogd_tmp_t:dir setattr;
')
########################################
## <summary>
## Relabel to and from syslog temporary directory type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`logging_relabel_syslogd_tmp_dirs',`
gen_require(`
type syslogd_tmp_t;
')
allow $1 syslogd_tmp_t:dir { relabelfrom relabelto };
')
2005-05-11 20:54:14 +00:00
########################################
## <summary>
## Create an object in the log directory, with a private type.
## </summary>
## <desc>
## <p>
## Allow the specified domain to create an object
## in the general system log directories (e.g., /var/log)
## with a private type. Typically this is used for creating
## private log files in /var/log with the private type instead
## of the general system log type. To accomplish this goal,
## either the program must be SELinux-aware, or use this interface.
## </p>
## <p>
## Related interfaces:
## </p>
## <ul>
## <li>logging_log_file()</li>
## </ul>
## <p>
## Example usage with a domain that can create
## and append to a private log file stored in the
## general directories (e.g., /var/log):
## </p>
## <p>
## type mylogfile_t;
## logging_log_file(mylogfile_t)
## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
## logging_log_filetrans(mydomain_t, mylogfile_t, file)
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="private type">
## <summary>
## The type of the object to be created.
## </summary>
## </param>
## <param name="object">
## <summary>
## The object class of the object being created.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
## <infoflow type="write" weight="10"/>
2005-05-11 20:54:14 +00:00
#
2006-02-21 18:40:44 +00:00
interface(`logging_log_filetrans',`
2005-06-17 17:59:26 +00:00
gen_require(`
type var_log_t;
')
files_search_var($1)
filetrans_pattern($1, var_log_t, $2, $3, $4)
allow $1 var_log_t:lnk_file read_lnk_file_perms;
2005-05-11 20:54:14 +00:00
')
########################################
## <summary>
## Send system log messages.
## </summary>
## <desc>
## <p>
## Allow the specified domain to connect to the
## system log service (syslog), to send messages be added to
## the system logs. Typically this is used by services
## that do not have their own log file in /var/log.
## </p>
## <p>
## This does not allow messages to be sent to
## the auditing system.
## </p>
## <p>
## Programs which use the libc function syslog() will
## require this access.
## </p>
## <p>
## Related interfaces:
## </p>
## <ul>
## <li>logging_send_audit_msgs()</li>
## </ul>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
2005-04-19 20:44:07 +00:00
#
interface(`logging_send_syslog_msg',`
2005-06-17 17:59:26 +00:00
gen_require(`
type syslogd_t, syslogd_runtime_t, devlog_t;
2005-06-17 17:59:26 +00:00
')
allow $1 devlog_t:sock_file write_sock_file_perms;
# systemd journal socket is in /run/systemd/journal/dev-log
init_search_run($1)
allow $1 syslogd_runtime_t:dir search_dir_perms;
# the type of socket depends on the syslog daemon
allow $1 syslogd_t:unix_dgram_socket sendto;
allow $1 syslogd_t:unix_stream_socket connectto;
2005-06-09 18:08:26 +00:00
allow $1 self:unix_dgram_socket create_socket_perms;
allow $1 self:unix_stream_socket create_socket_perms;
# If syslog is down, the glibc syslog() function
# will write to the console.
term_write_console($1)
2010-02-18 01:33:53 +00:00
term_dontaudit_read_console($1)
2019-02-23 19:55:17 +00:00
ifdef(`init_systemd',`
# Allow systemd-journald to check whether the process died
allow syslogd_t $1:process signull;
ifdef(`distro_redhat',`
kernel_dgram_send($1)
')
2019-02-23 19:55:17 +00:00
')
2005-04-19 20:44:07 +00:00
')
########################################
## <summary>
## Allow domain to use a file descriptor
## from syslogd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logging_use_syslogd_fd', `
gen_require(`
type syslogd_t;
')
allow $1 syslogd_t:fd use;
')
########################################
## <summary>
## Allow domain to relabelto devlog sock_files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`logging_relabelto_devlog_sock_files',`
gen_require(`
type devlog_t;
')
allow $1 devlog_t:sock_file relabelto_sock_file_perms;
')
########################################
## <summary>
## Connect to the syslog control unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logging_create_devlog',`
gen_require(`
type devlog_t;
')
allow $1 devlog_t:sock_file manage_sock_file_perms;
dev_filetrans($1, devlog_t, sock_file)
init_runtime_filetrans($1, devlog_t, sock_file, "syslog")
')
2005-09-15 15:34:31 +00:00
########################################
## <summary>
## Read the auditd configuration files.
## </summary>
## <param name="domain">
## <summary>
2005-09-15 15:34:31 +00:00
## Domain allowed access.
## </summary>
2005-09-15 15:34:31 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-09-15 15:34:31 +00:00
#
2006-02-02 21:08:12 +00:00
interface(`logging_read_audit_config',`
2005-09-15 15:34:31 +00:00
gen_require(`
type auditd_etc_t;
')
files_search_etc($1)
2009-06-26 14:40:13 +00:00
read_files_pattern($1, auditd_etc_t, auditd_etc_t)
2006-12-12 20:08:08 +00:00
allow $1 auditd_etc_t:dir list_dir_perms;
dontaudit $1 auditd_etc_t:file map;
2005-09-15 15:34:31 +00:00
')
2007-09-04 18:57:58 +00:00
########################################
## <summary>
## dontaudit search of auditd configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
2007-09-04 18:57:58 +00:00
## </summary>
## </param>
## <rolecap/>
#
interface(`logging_dontaudit_search_audit_config',`
gen_require(`
type auditd_etc_t;
')
dontaudit $1 auditd_etc_t:dir search_dir_perms;
')
########################################
## <summary>
## Read syslog configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`logging_read_syslog_config',`
gen_require(`
type syslog_conf_t;
')
allow $1 syslog_conf_t:file read_file_perms;
')
########################################
## <summary>
## Watch syslog runtime dirs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logging_watch_runtime_dirs',`
gen_require(`
type syslogd_runtime_t;
')
allow $1 syslogd_runtime_t:dir watch;
')
########################################
## <summary>
## Create, read, write, and delete syslog PID sockets. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logging_manage_pid_sockets',`
refpolicywarn(`$0($*) has been deprecated, please use logging_manage_runtime_sockets() instead.')
logging_manage_runtime_sockets($1)
')
########################################
## <summary>
## Create, read, write, and delete syslog PID sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logging_manage_runtime_sockets',`
gen_require(`
type syslogd_runtime_t;
')
manage_sock_files_pattern($1, syslogd_runtime_t, syslogd_runtime_t)
files_search_runtime($1)
')
########################################
2005-08-11 17:46:39 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allows the domain to open a file in the
## log directory, but does not allow the listing
## of the contents of the log directory.
2005-08-11 17:46:39 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
interface(`logging_search_logs',`
2005-06-17 17:59:26 +00:00
gen_require(`
type var_log_t;
')
2005-06-13 17:35:46 +00:00
files_search_var($1)
allow $1 var_log_t:dir search_dir_perms;
allow $1 var_log_t:lnk_file read_lnk_file_perms;
')
2006-03-21 18:07:53 +00:00
#######################################
## <summary>
2008-12-03 19:16:20 +00:00
## Do not audit attempts to search the var log directory.
2006-03-21 18:07:53 +00:00
## </summary>
## <param name="domain">
2008-12-03 19:16:20 +00:00
## <summary>
## Domain not to audit.
## </summary>
2006-03-21 18:07:53 +00:00
## </param>
#
interface(`logging_dontaudit_search_logs',`
gen_require(`
type var_log_t;
')
dontaudit $1 var_log_t:dir search_dir_perms;
2006-03-21 18:07:53 +00:00
')
2005-10-10 18:50:08 +00:00
#######################################
## <summary>
## List the contents of the generic log directory (/var/log).
## </summary>
## <param name="domain">
## <summary>
2005-10-10 18:50:08 +00:00
## Domain allowed access.
## </summary>
2005-10-10 18:50:08 +00:00
## </param>
#
interface(`logging_list_logs',`
gen_require(`
type var_log_t;
')
files_search_var($1)
2006-12-12 20:08:08 +00:00
allow $1 var_log_t:dir list_dir_perms;
allow $1 var_log_t:lnk_file read_lnk_file_perms;
2005-10-10 18:50:08 +00:00
')
2005-06-28 20:54:49 +00:00
#######################################
## <summary>
## Read and write the generic log directory (/var/log).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-06-28 20:54:49 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`logging_rw_generic_log_dirs',`
2005-06-28 20:54:49 +00:00
gen_require(`
type var_log_t;
')
files_search_var($1)
allow $1 var_log_t:dir rw_dir_perms;
allow $1 var_log_t:lnk_file read_lnk_file_perms;
2005-06-28 20:54:49 +00:00
')
#######################################
## <summary>
## Search through all log dirs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`logging_search_all_logs',`
gen_require(`
attribute logfile;
')
allow $1 logfile:dir search_dir_perms;
')
#######################################
## <summary>
## Set attributes on all log dirs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`logging_setattr_all_log_dirs',`
gen_require(`
attribute logfile;
')
allow $1 logfile:dir setattr;
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of any log files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`logging_dontaudit_getattr_all_logs',`
2005-06-17 17:59:26 +00:00
gen_require(`
attribute logfile;
')
dontaudit $1 logfile:file getattr;
')
########################################
## <summary>
## Read the atttributes of any log file
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`logging_getattr_all_logs',`
gen_require(`
attribute logfile;
')
allow $1 logfile:file getattr;
')
########################################
## <summary>
## Append to all log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
2005-04-14 20:18:17 +00:00
#
interface(`logging_append_all_logs',`
2005-06-17 17:59:26 +00:00
gen_require(`
attribute logfile;
type var_log_t;
')
2005-06-13 17:35:46 +00:00
files_search_var($1)
append_files_pattern($1, var_log_t, logfile)
allow $1 var_log_t:lnk_file read_lnk_file_perms;
2005-04-14 20:18:17 +00:00
')
2017-02-24 01:03:23 +00:00
########################################
## <summary>
## Append to all log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logging_append_all_inherited_logs',`
gen_require(`
attribute logfile;
')
allow $1 logfile:file { getattr append ioctl lock };
')
########################################
## <summary>
## Read all log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`logging_read_all_logs',`
2005-06-17 17:59:26 +00:00
gen_require(`
attribute logfile;
')
2005-06-13 17:35:46 +00:00
files_search_var($1)
2007-11-05 19:35:08 +00:00
allow $1 logfile:dir list_dir_perms;
read_files_pattern($1, logfile, logfile)
2005-04-14 20:18:17 +00:00
')
########################################
## <summary>
## Execute all log files in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
2005-06-28 20:54:49 +00:00
#
# cjp: not sure why this is needed. This was added
# because of logrotate.
2005-06-28 20:54:49 +00:00
interface(`logging_exec_all_logs',`
gen_require(`
attribute logfile;
')
files_search_var($1)
2006-12-12 20:08:08 +00:00
allow $1 logfile:dir list_dir_perms;
2009-06-26 14:40:13 +00:00
can_exec($1, logfile)
2005-06-28 20:54:49 +00:00
')
########################################
## <summary>
## read/write to all log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logging_rw_all_logs',`
gen_require(`
attribute logfile;
')
files_search_var($1)
rw_files_pattern($1, logfile, logfile)
')
########################################
## <summary>
## Create, read, write, and delete all log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-06-28 20:54:49 +00:00
#
interface(`logging_manage_all_logs',`
gen_require(`
attribute logfile;
')
files_search_var($1)
2009-06-26 14:40:13 +00:00
manage_files_pattern($1, logfile, logfile)
read_lnk_files_pattern($1, logfile, logfile)
2005-06-28 20:54:49 +00:00
')
########################################
## <summary>
## Create, read, write, and delete generic log directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`logging_manage_generic_log_dirs',`
gen_require(`
type var_log_t;
')
files_search_var($1)
allow $1 var_log_t:dir manage_dir_perms;
')
########################################
## <summary>
## Relabel from and to generic log directory type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`logging_relabel_generic_log_dirs',`
gen_require(`
type var_log_t;
')
files_search_var($1)
allow $1 var_log_t:dir { relabelfrom relabelto };
')
########################################
## <summary>
## Read generic log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-05-11 19:05:15 +00:00
#
interface(`logging_read_generic_logs',`
2005-06-17 17:59:26 +00:00
gen_require(`
type var_log_t;
')
2005-06-13 17:35:46 +00:00
files_search_var($1)
2006-12-12 20:08:08 +00:00
allow $1 var_log_t:dir list_dir_perms;
2009-06-26 14:40:13 +00:00
read_files_pattern($1, var_log_t, var_log_t)
2005-05-11 19:05:15 +00:00
')
refpolicy: Define and allow map permission Kernel commit 6941857e82ae ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). The kernel commit is anticipated to be included in Linux 4.13. This refpolicy change defines map permission for refpolicy. It mirrors the definition in the kernel classmap by adding it to the common definitions for files and sockets. This will break compatibility for kernels that predate the dynamic class/perm mapping support (< 2.6.33, < RHEL 6); on such kernels, one would instead need to add map permission to the end of each file and socket access vector. This change only allows map permission as needed, e.g. only in the mmap_file_perms and exec_file_perms object permission sets (since map is always required there) and only in specific interfaces or modules where denials were observed in limited testing. It is important to note that effective use of this permission requires complete removal of unconfined, as otherwise unconfined domains will be able to map all file types and therefore bypass the intended protection. If we wanted to exclude map permission to all file types by default from unconfined, we would need to add it to the list of permissions excluded from files_unconfined_type in kernel/files.te. Policies that depend on this permission not being allowed to specific file types should also make use of neverallow rules to ensure that this is not undermined by any allow rule, and ensure that they are performing neverallow checking at policy build time (e.g. make validate) or runtime (e.g. semanage.conf expand-check=1). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-24 19:40:18 +00:00
########################################
## <summary>
## Map generic log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`logging_mmap_generic_logs',`
gen_require(`
type var_log_t;
')
allow $1 var_log_t:file map;
')
########################################
## <summary>
## Write generic log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
2005-05-26 20:38:45 +00:00
#
interface(`logging_write_generic_logs',`
2005-06-17 17:59:26 +00:00
gen_require(`
type var_log_t;
')
2005-06-13 17:35:46 +00:00
files_search_var($1)
2006-12-12 20:08:08 +00:00
allow $1 var_log_t:dir list_dir_perms;
2009-06-26 14:40:13 +00:00
write_files_pattern($1, var_log_t, var_log_t)
allow $1 var_log_t:lnk_file read_lnk_file_perms;
2005-05-26 20:38:45 +00:00
')
########################################
## <summary>
## Dontaudit Write generic log files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`logging_dontaudit_write_generic_logs',`
gen_require(`
type var_log_t;
')
dontaudit $1 var_log_t:file write;
')
2005-09-13 13:06:07 +00:00
########################################
## <summary>
## Read and write generic log files.
## </summary>
## <param name="domain">
## <summary>
2005-09-13 13:06:07 +00:00
## Domain allowed access.
## </summary>
2005-09-13 13:06:07 +00:00
## </param>
2005-04-14 20:18:17 +00:00
#
interface(`logging_rw_generic_logs',`
2005-06-17 17:59:26 +00:00
gen_require(`
type var_log_t;
')
2005-06-13 17:35:46 +00:00
files_search_var($1)
2006-12-12 20:08:08 +00:00
allow $1 var_log_t:dir list_dir_perms;
2009-06-26 14:40:13 +00:00
rw_files_pattern($1, var_log_t, var_log_t)
allow $1 var_log_t:lnk_file read_lnk_file_perms;
2005-04-14 20:18:17 +00:00
')
2005-09-13 13:06:07 +00:00
########################################
## <summary>
## Create, read, write, and delete
## generic log files.
## </summary>
## <param name="domain">
## <summary>
2005-09-13 13:06:07 +00:00
## Domain allowed access.
## </summary>
2005-09-13 13:06:07 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-09-13 13:06:07 +00:00
#
interface(`logging_manage_generic_logs',`
gen_require(`
type var_log_t;
')
files_search_var($1)
2009-06-26 14:40:13 +00:00
manage_files_pattern($1, var_log_t, var_log_t)
2005-09-13 13:06:07 +00:00
')
2007-11-05 19:35:08 +00:00
########################################
## <summary>
## Watch generic log dirs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logging_watch_generic_logs_dir',`
gen_require(`
type var_log_t;
')
allow $1 var_log_t:dir watch;
')
2007-11-05 19:35:08 +00:00
########################################
## <summary>
## All of the rules required to administrate
## the audit environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## User role allowed access.
## </summary>
## </param>
2007-11-05 19:35:08 +00:00
## <rolecap/>
#
interface(`logging_admin_audit',`
gen_require(`
type auditd_t, auditd_etc_t, auditd_log_t;
type auditd_runtime_t;
type auditd_initrc_exec_t, auditd_unit_t;
2007-11-05 19:35:08 +00:00
')
allow $1 auditd_t:process { ptrace signal_perms };
ps_process_pattern($1, auditd_t)
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
manage_files_pattern($1, auditd_log_t, auditd_log_t)
manage_dirs_pattern($1, auditd_runtime_t, auditd_runtime_t)
manage_files_pattern($1, auditd_runtime_t, auditd_runtime_t)
2008-11-14 13:53:21 +00:00
logging_run_auditctl($1, $2)
2008-10-09 18:06:24 +00:00
init_startstop_service($1, $2, auditd_t, auditd_initrc_exec_t, auditd_unit_t)
dontaudit $1 auditd_etc_t:file map;
dontaudit $1 auditd_log_t:file map;
2007-11-05 19:35:08 +00:00
')
########################################
## <summary>
## All of the rules required to administrate
## the syslog environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
2008-10-09 18:06:24 +00:00
## <param name="role">
## <summary>
## User role allowed access.
## </summary>
## </param>
2007-11-05 19:35:08 +00:00
## <rolecap/>
#
interface(`logging_admin_syslog',`
gen_require(`
type syslogd_t, klogd_t, syslog_conf_t;
type syslogd_tmp_t, syslogd_var_lib_t;
type syslogd_runtime_t, klogd_runtime_t;
type klogd_tmp_t;
type syslogd_initrc_exec_t, syslogd_unit_t;
2007-11-05 19:35:08 +00:00
')
allow $1 syslogd_t:process { ptrace signal_perms };
allow $1 klogd_t:process { ptrace signal_perms };
ps_process_pattern($1, syslogd_t)
ps_process_pattern($1, klogd_t)
manage_dirs_pattern($1, klogd_runtime_t, klogd_runtime_t)
manage_files_pattern($1, klogd_runtime_t, klogd_runtime_t)
2007-11-05 19:35:08 +00:00
manage_dirs_pattern($1, klogd_tmp_t, klogd_tmp_t)
manage_files_pattern($1, klogd_tmp_t, klogd_tmp_t)
manage_dirs_pattern($1, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern($1, syslogd_tmp_t, syslogd_tmp_t)
manage_dirs_pattern($1, syslog_conf_t, syslog_conf_t)
manage_files_pattern($1, syslog_conf_t, syslog_conf_t)
files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf")
files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf")
2007-11-05 19:35:08 +00:00
manage_dirs_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
manage_files_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
manage_dirs_pattern($1, syslogd_runtime_t, syslogd_runtime_t)
manage_files_pattern($1, syslogd_runtime_t, syslogd_runtime_t)
2007-11-05 19:35:08 +00:00
logging_manage_all_logs($1)
2008-10-09 18:06:24 +00:00
init_startstop_service($1, $2, syslogd_t, syslogd_initrc_exec_t, syslogd_unit_t)
2007-11-05 19:35:08 +00:00
')
########################################
## <summary>
## All of the rules required to administrate
## the logging environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## User role allowed access.
## </summary>
## </param>
2007-11-05 19:35:08 +00:00
## <rolecap/>
#
interface(`logging_admin',`
2008-11-14 13:53:21 +00:00
logging_admin_audit($1, $2)
2008-10-09 18:06:24 +00:00
logging_admin_syslog($1, $2)
2007-11-05 19:35:08 +00:00
')
refpolicy: Define and allow map permission Kernel commit 6941857e82ae ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). The kernel commit is anticipated to be included in Linux 4.13. This refpolicy change defines map permission for refpolicy. It mirrors the definition in the kernel classmap by adding it to the common definitions for files and sockets. This will break compatibility for kernels that predate the dynamic class/perm mapping support (< 2.6.33, < RHEL 6); on such kernels, one would instead need to add map permission to the end of each file and socket access vector. This change only allows map permission as needed, e.g. only in the mmap_file_perms and exec_file_perms object permission sets (since map is always required there) and only in specific interfaces or modules where denials were observed in limited testing. It is important to note that effective use of this permission requires complete removal of unconfined, as otherwise unconfined domains will be able to map all file types and therefore bypass the intended protection. If we wanted to exclude map permission to all file types by default from unconfined, we would need to add it to the list of permissions excluded from files_unconfined_type in kernel/files.te. Policies that depend on this permission not being allowed to specific file types should also make use of neverallow rules to ensure that this is not undermined by any allow rule, and ensure that they are performing neverallow checking at policy build time (e.g. make validate) or runtime (e.g. semanage.conf expand-check=1). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-24 19:40:18 +00:00
#######################################
## <summary>
## Map files in /run/log/journal/ directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logging_mmap_journal',`
gen_require(`
type syslogd_runtime_t;
refpolicy: Define and allow map permission Kernel commit 6941857e82ae ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). The kernel commit is anticipated to be included in Linux 4.13. This refpolicy change defines map permission for refpolicy. It mirrors the definition in the kernel classmap by adding it to the common definitions for files and sockets. This will break compatibility for kernels that predate the dynamic class/perm mapping support (< 2.6.33, < RHEL 6); on such kernels, one would instead need to add map permission to the end of each file and socket access vector. This change only allows map permission as needed, e.g. only in the mmap_file_perms and exec_file_perms object permission sets (since map is always required there) and only in specific interfaces or modules where denials were observed in limited testing. It is important to note that effective use of this permission requires complete removal of unconfined, as otherwise unconfined domains will be able to map all file types and therefore bypass the intended protection. If we wanted to exclude map permission to all file types by default from unconfined, we would need to add it to the list of permissions excluded from files_unconfined_type in kernel/files.te. Policies that depend on this permission not being allowed to specific file types should also make use of neverallow rules to ensure that this is not undermined by any allow rule, and ensure that they are performing neverallow checking at policy build time (e.g. make validate) or runtime (e.g. semanage.conf expand-check=1). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-24 19:40:18 +00:00
')
allow $1 syslogd_runtime_t:file map;
refpolicy: Define and allow map permission Kernel commit 6941857e82ae ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). The kernel commit is anticipated to be included in Linux 4.13. This refpolicy change defines map permission for refpolicy. It mirrors the definition in the kernel classmap by adding it to the common definitions for files and sockets. This will break compatibility for kernels that predate the dynamic class/perm mapping support (< 2.6.33, < RHEL 6); on such kernels, one would instead need to add map permission to the end of each file and socket access vector. This change only allows map permission as needed, e.g. only in the mmap_file_perms and exec_file_perms object permission sets (since map is always required there) and only in specific interfaces or modules where denials were observed in limited testing. It is important to note that effective use of this permission requires complete removal of unconfined, as otherwise unconfined domains will be able to map all file types and therefore bypass the intended protection. If we wanted to exclude map permission to all file types by default from unconfined, we would need to add it to the list of permissions excluded from files_unconfined_type in kernel/files.te. Policies that depend on this permission not being allowed to specific file types should also make use of neverallow rules to ensure that this is not undermined by any allow rule, and ensure that they are performing neverallow checking at policy build time (e.g. make validate) or runtime (e.g. semanage.conf expand-check=1). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-24 19:40:18 +00:00
')