#DESC Klogd - Kernel log daemon
#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
# X-Debian-Packages: klogd
#

#################################
#
# Rules for the klogd_t domain.
#
daemon_domain(klogd, `, privmem, privkmsg, mlsfileread')

tmp_domain(klogd)
allow klogd_t proc_t:dir r_dir_perms;
allow klogd_t proc_t:lnk_file r_file_perms;
allow klogd_t proc_t:file { getattr read };
allow klogd_t self:dir r_dir_perms;
allow klogd_t self:lnk_file r_file_perms;

# read /etc/nsswitch.conf
allow klogd_t etc_t:lnk_file read;
allow klogd_t etc_t:file r_file_perms;

read_locale(klogd_t)

allow klogd_t etc_runtime_t:file { getattr read };

# Create unix sockets
allow klogd_t self:unix_dgram_socket create_socket_perms;

# Use the sys_admin and sys_rawio capabilities.
allow klogd_t self:capability { sys_admin sys_rawio };
dontaudit klogd_t self:capability sys_resource;


# Read /proc/kmsg and /dev/mem.
allow klogd_t proc_kmsg_t:file r_file_perms;
allow klogd_t memory_device_t:chr_file r_file_perms;

# Control syslog and console logging
allow klogd_t kernel_t:system { syslog_mod syslog_console };

# Read /boot/System.map*
allow klogd_t system_map_t:file r_file_perms;
allow klogd_t boot_t:dir r_dir_perms;
ifdef(`targeted_policy', `
allow klogd_t unconfined_t:system syslog_mod;
')