policy_module(logging, 1.29.2) ######################################## # # Declarations # attribute logfile; type auditctl_t; type auditctl_exec_t; init_system_domain(auditctl_t, auditctl_exec_t) role system_r types auditctl_t; type auditd_etc_t; files_security_file(auditd_etc_t) type auditd_log_t; files_security_file(auditd_log_t) files_security_mountpoint(auditd_log_t) type audit_spool_t; files_security_file(audit_spool_t) files_security_mountpoint(audit_spool_t) type auditd_t; type auditd_exec_t; init_daemon_domain(auditd_t, auditd_exec_t) type auditd_initrc_exec_t; init_script_file(auditd_initrc_exec_t) type auditd_unit_t; init_unit_file(auditd_unit_t) type auditd_var_run_t; files_pid_file(auditd_var_run_t) type audisp_t; type audisp_exec_t; init_system_domain(audisp_t, audisp_exec_t) type audisp_var_run_t; files_pid_file(audisp_var_run_t) type audisp_remote_t; type audisp_remote_exec_t; logging_dispatcher_domain(audisp_remote_t, audisp_remote_exec_t) type devlog_t; files_type(devlog_t) mls_trusted_object(devlog_t) type klogd_t; type klogd_exec_t; init_daemon_domain(klogd_t, klogd_exec_t) type klogd_tmp_t; files_tmp_file(klogd_tmp_t) type klogd_var_run_t; files_pid_file(klogd_var_run_t) type syslog_conf_t; files_config_file(syslog_conf_t) type syslogd_t; type syslogd_exec_t; init_daemon_domain(syslogd_t, syslogd_exec_t) init_named_socket_activation(syslogd_t, syslogd_var_run_t) mls_trusted_socket(syslogd_t) type syslogd_initrc_exec_t; init_script_file(syslogd_initrc_exec_t) type syslogd_tmp_t; files_tmp_file(syslogd_tmp_t) type syslogd_unit_t; init_unit_file(syslogd_unit_t) type syslogd_var_lib_t; files_type(syslogd_var_lib_t) type syslogd_var_run_t; files_pid_file(syslogd_var_run_t) type var_log_t; logging_log_file(var_log_t) files_mountpoint(var_log_t) ifdef(`enable_mls',` init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh) init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh) ') ######################################## # # Auditctl local policy # allow auditctl_t self:capability { dac_override dac_read_search fsetid }; allow auditctl_t self:process getcap; allow auditctl_t self:netlink_audit_socket nlmsg_readpriv; read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t) allow auditctl_t auditd_etc_t:dir list_dir_perms; dontaudit auditctl_t auditd_etc_t:file map; corecmd_search_bin(auditctl_t) # Needed for adding watches files_getattr_all_dirs(auditctl_t) files_getattr_all_files(auditctl_t) files_read_etc_files(auditctl_t) kernel_read_kernel_sysctls(auditctl_t) kernel_read_proc_symlinks(auditctl_t) kernel_setsched(auditctl_t) domain_read_all_domains_state(auditctl_t) domain_use_interactive_fds(auditctl_t) mls_file_read_all_levels(auditctl_t) term_use_all_terms(auditctl_t) init_dontaudit_use_fds(auditctl_t) logging_set_audit_parameters(auditctl_t) logging_send_syslog_msg(auditctl_t) miscfiles_read_localization(auditctl_t) ifdef(`init_systemd',` init_rw_stream_sockets(auditctl_t) ') optional_policy(` locallogin_dontaudit_use_fds(auditctl_t) ') ######################################## # # Auditd local policy # allow auditd_t self:capability { chown fsetid sys_nice sys_resource }; dontaudit auditd_t self:capability sys_tty_config; allow auditd_t self:process { getcap signal_perms setcap setpgid setsched }; allow auditd_t self:file rw_file_perms; allow auditd_t self:unix_dgram_socket create_socket_perms; allow auditd_t self:fifo_file rw_fifo_file_perms; allow auditd_t self:tcp_socket create_stream_socket_perms; allow auditd_t auditd_etc_t:dir list_dir_perms; allow auditd_t auditd_etc_t:file read_file_perms; dontaudit auditd_t auditd_etc_t:file map; manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) allow auditd_t auditd_log_t:dir setattr; manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) allow auditd_t var_log_t:dir search_dir_perms; manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file }) kernel_read_kernel_sysctls(auditd_t) # Needs to be able to run dispatcher. see /etc/audit/auditd.conf # Probably want a transition, and a new auditd_helper app kernel_read_system_state(auditd_t) dev_read_sysfs(auditd_t) fs_getattr_all_fs(auditd_t) fs_search_auto_mountpoints(auditd_t) fs_rw_anon_inodefs_files(auditd_t) selinux_search_fs(auditctl_t) corenet_all_recvfrom_unlabeled(auditd_t) corenet_all_recvfrom_netlabel(auditd_t) corenet_tcp_sendrecv_generic_if(auditd_t) corenet_tcp_sendrecv_generic_node(auditd_t) corenet_tcp_sendrecv_all_ports(auditd_t) corenet_tcp_bind_generic_node(auditd_t) corenet_tcp_bind_audit_port(auditd_t) corenet_sendrecv_audit_server_packets(auditd_t) # Needs to be able to run dispatcher. see /etc/audit/auditd.conf # Probably want a transition, and a new auditd_helper app corecmd_exec_bin(auditd_t) corecmd_exec_shell(auditd_t) domain_use_interactive_fds(auditd_t) files_read_etc_files(auditd_t) files_list_usr(auditd_t) init_telinit(auditd_t) logging_set_audit_parameters(auditd_t) logging_send_syslog_msg(auditd_t) logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) miscfiles_read_localization(auditd_t) mls_file_read_all_levels(auditd_t) mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory seutil_dontaudit_read_config(auditd_t) sysnet_dns_name_resolve(auditd_t) userdom_use_user_terminals(auditd_t) userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_user_home_dirs(auditd_t) ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(auditd_t) ') ') optional_policy(` mta_send_mail(auditd_t) ') optional_policy(` seutil_sigchld_newrole(auditd_t) ') optional_policy(` udev_read_db(auditd_t) ') ######################################## # # audit dispatcher local policy # allow audisp_t self:capability { dac_override setpcap sys_nice }; allow audisp_t self:process { getcap signal_perms setcap setsched }; allow audisp_t self:fifo_file rw_fifo_file_perms; allow audisp_t self:unix_stream_socket create_stream_socket_perms; allow audisp_t self:unix_dgram_socket create_socket_perms; allow audisp_t auditd_t:unix_stream_socket rw_socket_perms; manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) kernel_read_system_state(audisp_t) corecmd_exec_bin(audisp_t) corecmd_exec_shell(audisp_t) domain_use_interactive_fds(audisp_t) files_map_etc_files(audisp_t) files_read_etc_files(audisp_t) files_read_etc_runtime_files(audisp_t) mls_file_write_all_levels(audisp_t) logging_send_syslog_msg(audisp_t) miscfiles_read_localization(audisp_t) sysnet_dns_name_resolve(audisp_t) ifdef(`init_systemd',` kernel_dgram_send(audisp_t) ') optional_policy(` dbus_system_bus_client(audisp_t) ') ######################################## # # Audit remote logger local policy # allow audisp_remote_t self:capability { setpcap setuid }; allow audisp_remote_t self:process { getcap setcap }; allow audisp_remote_t self:tcp_socket create_socket_perms; allow audisp_remote_t var_log_t:dir search_dir_perms; manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) corecmd_exec_bin(audisp_remote_t) corenet_all_recvfrom_unlabeled(audisp_remote_t) corenet_all_recvfrom_netlabel(audisp_remote_t) corenet_tcp_sendrecv_generic_if(audisp_remote_t) corenet_tcp_sendrecv_generic_node(audisp_remote_t) corenet_tcp_sendrecv_all_ports(audisp_remote_t) corenet_tcp_bind_audit_port(audisp_remote_t) corenet_tcp_bind_generic_node(audisp_remote_t) corenet_tcp_connect_audit_port(audisp_remote_t) corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) logging_send_syslog_msg(audisp_remote_t) logging_send_audit_msgs(audisp_remote_t) miscfiles_read_localization(audisp_remote_t) sysnet_dns_name_resolve(audisp_remote_t) ######################################## # # klogd local policy # allow klogd_t self:capability sys_admin; dontaudit klogd_t self:capability { sys_resource sys_tty_config }; allow klogd_t self:process signal_perms; manage_dirs_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t) manage_files_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t) files_tmp_filetrans(klogd_t, klogd_tmp_t,{ file dir }) manage_files_pattern(klogd_t, klogd_var_run_t, klogd_var_run_t) files_pid_filetrans(klogd_t, klogd_var_run_t, file) kernel_read_system_state(klogd_t) kernel_read_messages(klogd_t) kernel_read_kernel_sysctls(klogd_t) # Control syslog and console logging kernel_clear_ring_buffer(klogd_t) kernel_change_ring_buffer_level(klogd_t) files_read_kernel_symbol_table(klogd_t) dev_read_raw_memory(klogd_t) dev_read_sysfs(klogd_t) fs_getattr_all_fs(klogd_t) fs_search_auto_mountpoints(klogd_t) domain_use_interactive_fds(klogd_t) files_read_etc_runtime_files(klogd_t) # read /etc/nsswitch.conf files_read_etc_files(klogd_t) logging_send_syslog_msg(klogd_t) miscfiles_read_localization(klogd_t) mls_file_read_all_levels(klogd_t) userdom_dontaudit_search_user_home_dirs(klogd_t) ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(klogd_t) ') ') optional_policy(` udev_read_db(klogd_t) ') optional_policy(` seutil_sigchld_newrole(klogd_t) ') ######################################## # # syslogd local policy # # chown fsetid for syslog-ng # sys_admin for the integrated klog of syslog-ng and metalog # sys_nice for rsyslog # cjp: why net_admin! allow syslogd_t self:capability { chown dac_override fsetid net_admin setgid setuid sys_admin sys_nice sys_resource sys_tty_config }; dontaudit syslogd_t self:capability { sys_ptrace }; # setpgid for metalog # setrlimit for syslog-ng # getsched for syslog-ng # setsched for rsyslog # getcap/setcap for syslog-ng allow syslogd_t self:process { getcap setcap signal_perms setpgid setrlimit getsched setsched }; # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; allow syslogd_t self:unix_dgram_socket sendto; allow syslogd_t self:fifo_file rw_fifo_file_perms; allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; allow syslogd_t syslog_conf_t:file read_file_perms; allow syslogd_t syslog_conf_t:dir list_dir_perms; # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file manage_sock_file_perms; files_pid_filetrans(syslogd_t, devlog_t, sock_file) init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log") # create/append log files. manage_files_pattern(syslogd_t, var_log_t, var_log_t) allow syslogd_t var_log_t:file map; rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) files_search_spool(syslogd_t) # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; # for systemd but can not be conditional files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log") # manage temporary files manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) allow syslogd_t syslogd_tmp_t:file map; files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) allow syslogd_t syslogd_var_lib_t:file map; files_search_var_lib(syslogd_t) # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) allow syslogd_t syslogd_var_run_t:file map; files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) allow syslogd_t syslogd_var_run_t:dir create_dir_perms; kernel_read_crypto_sysctls(syslogd_t) kernel_read_system_state(syslogd_t) kernel_read_network_state(syslogd_t) kernel_read_kernel_sysctls(syslogd_t) kernel_read_proc_symlinks(syslogd_t) # Allow access to /proc/kmsg for syslog-ng kernel_read_messages(syslogd_t) # rsyslog kernel_read_vm_overcommit_sysctl(syslogd_t) kernel_clear_ring_buffer(syslogd_t) kernel_change_ring_buffer_level(syslogd_t) # Read ring buffer for journald kernel_read_ring_buffer(syslogd_t) # /initrd is not umounted before minilog starts kernel_dontaudit_search_unlabeled(syslogd_t) corenet_all_recvfrom_unlabeled(syslogd_t) corenet_all_recvfrom_netlabel(syslogd_t) corenet_udp_sendrecv_generic_if(syslogd_t) corenet_udp_sendrecv_generic_node(syslogd_t) corenet_udp_sendrecv_all_ports(syslogd_t) corenet_udp_bind_generic_node(syslogd_t) corenet_udp_bind_syslogd_port(syslogd_t) # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) corenet_tcp_sendrecv_all_ports(syslogd_t) corenet_tcp_bind_generic_node(syslogd_t) corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) # syslog-ng can send or receive logs corenet_sendrecv_syslogd_client_packets(syslogd_t) corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) dev_filetrans(syslogd_t, devlog_t, sock_file) dev_read_sysfs(syslogd_t) dev_read_urand(syslogd_t) # Allow access to /dev/kmsg for journald dev_rw_kmsg(syslogd_t) domain_use_interactive_fds(syslogd_t) # Allow access to /proc/ information for journald domain_read_all_domains_state(syslogd_t) files_read_etc_files(syslogd_t) files_read_usr_files(syslogd_t) files_read_var_files(syslogd_t) files_read_etc_runtime_files(syslogd_t) # /initrd is not umounted before minilog starts files_read_kernel_symbol_table(syslogd_t) files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories term_write_console(syslogd_t) # Allow syslog to a terminal term_write_unallocated_ttys(syslogd_t) # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) term_write_all_ttys(syslogd_t) auth_use_nsswitch(syslogd_t) init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) miscfiles_read_localization(syslogd_t) seutil_read_config(syslogd_t) userdom_dontaudit_use_unpriv_user_fds(syslogd_t) userdom_dontaudit_search_user_home_dirs(syslogd_t) ifdef(`init_systemd',` # for systemd-journal allow syslogd_t self:netlink_audit_socket connected_socket_perms; allow syslogd_t self:capability2 audit_read; allow syslogd_t self:capability { chown setgid setuid sys_ptrace }; allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write }; kernel_getattr_dgram_sockets(syslogd_t) kernel_read_ring_buffer(syslogd_t) kernel_rw_stream_sockets(syslogd_t) kernel_rw_unix_dgram_sockets(syslogd_t) kernel_use_fds(syslogd_t) dev_read_kmsg(syslogd_t) dev_read_urand(syslogd_t) dev_write_kmsg(syslogd_t) domain_getattr_all_domains(syslogd_t) domain_read_all_domains_state(syslogd_t) init_create_runtime_dirs(syslogd_t) init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd") init_getattr(syslogd_t) init_rename_runtime_files(syslogd_t) init_delete_runtime_files(syslogd_t) init_dgram_send(syslogd_t) init_read_runtime_pipes(syslogd_t) init_read_runtime_symlinks(syslogd_t) init_read_state(syslogd_t) systemd_manage_journal_files(syslogd_t) udev_read_pid_files(syslogd_t) ') ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel # and high priority messages to /dev/tty12 # and chown/chgrp/chmod /dev/tty12, which is denied term_dontaudit_setattr_unallocated_ttys(syslogd_t) ') ifdef(`distro_suse',` # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel files_var_lib_filetrans(syslogd_t, devlog_t, sock_file) ') ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(syslogd_t) ') ') optional_policy(` bind_search_cache(syslogd_t) ') optional_policy(` cron_manage_log_files(syslogd_t) cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") ') optional_policy(` inn_manage_log(syslogd_t) inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.crit") inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.err") inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.notice") ') optional_policy(` mysql_stream_connect(syslogd_t) ') optional_policy(` postgresql_stream_connect(syslogd_t) ') optional_policy(` seutil_sigchld_newrole(syslogd_t) ') optional_policy(` udev_read_db(syslogd_t) # for systemd-journal to read seat data from /run/udev/data udev_read_pid_files(syslogd_t) ') optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ')