selinux-refpolicy/refpolicy/policy/modules/system/logging.te

290 lines
6.8 KiB
Plaintext

policy_module(logging,1.0)
########################################
#
# Declarations
#
attribute logfile;
type auditd_log_t;
logging_log_file(auditd_log_t)
type auditd_t;
type auditd_exec_t;
init_daemon_domain(auditd_t,auditd_exec_t)
type auditd_var_run_t;
files_pid_file(auditd_var_run_t)
type devlog_t;
files_type(devlog_t)
type klogd_t;
type klogd_exec_t;
init_daemon_domain(klogd_t,klogd_exec_t)
type klogd_tmp_t;
files_tmp_file(klogd_tmp_t)
type klogd_var_run_t;
files_pid_file(klogd_var_run_t)
type syslogd_t;
type syslogd_exec_t;
init_daemon_domain(syslogd_t,syslogd_exec_t)
type syslogd_tmp_t;
files_tmp_file(syslogd_tmp_t)
type syslogd_var_run_t;
files_pid_file(syslogd_var_run_t)
type var_log_t, logfile;
files_type(var_log_t)
########################################
#
# Auditd local policy
#
allow auditd_t self:capability { audit_write audit_control };
dontaudit auditd_t self:capability sys_tty_config;
allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
allow auditd_t auditd_log_t:file create_file_perms;
allow auditd_t auditd_var_run_t:file create_file_perms;
files_create_pid(auditd_t,auditd_var_run_t)
kernel_read_kernel_sysctl(auditd_t)
kernel_list_proc(auditd_t)
kernel_read_proc_symlinks(auditd_t)
dev_read_sysfs(auditd_t)
fs_getattr_all_fs(auditd_t)
fs_search_auto_mountpoints(auditd_t)
term_dontaudit_use_console(auditd_t)
init_use_fd(auditd_t)
init_use_script_pty(auditd_t)
domain_use_wide_inherit_fd(auditd_t)
files_read_etc_files(auditd_t)
logging_send_syslog_msg(auditd_t)
libs_use_ld_so(auditd_t)
libs_use_shared_libs(auditd_t)
miscfiles_read_localization(auditd_t)
userdom_dontaudit_use_unpriv_user_fd(auditd_t)
userdom_dontaudit_search_sysadm_home_dir(auditd_t)
# cjp: this is questionable
userdom_use_sysadm_tty(auditd_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(auditd_t)
term_dontaudit_use_generic_pty(auditd_t)
files_dontaudit_read_root_file(auditd_t)
')
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(auditd_t)
')
optional_policy(`udev.te', `
udev_read_db(auditd_t)
')
ifdef(`TODO',`
optional_policy(`rhgb.te', `
rhgb_domain(auditd_t)
')
') dnl endif TODO
########################################
#
# klogd local policy
#
allow klogd_t klogd_tmp_t:file create_file_perms;
files_create_tmp_files(klogd_t,klogd_tmp_t)
allow klogd_t klogd_var_run_t:file create_file_perms;
allow klogd_t self:capability sys_admin;
dontaudit klogd_t self:capability sys_resource;
kernel_read_system_state(klogd_t)
kernel_read_messages(klogd_t)
# Control syslog and console logging
kernel_clear_ring_buffer(klogd_t)
kernel_change_ring_buffer_level(klogd_t)
bootloader_read_kernel_symbol_table(klogd_t)
dev_read_raw_memory(klogd_t)
fs_getattr_all_fs(klogd_t)
files_create_pid(klogd_t,klogd_var_run_t)
files_read_etc_runtime_files(klogd_t)
# read /etc/nsswitch.conf
files_read_etc_files(klogd_t)
init_use_fd(klogd_t)
libs_use_ld_so(klogd_t)
libs_use_shared_libs(klogd_t)
logging_send_syslog_msg(klogd_t)
miscfiles_read_localization(klogd_t)
########################################
#
# syslogd local policy
#
allow syslogd_t self:capability { dac_override net_bind_service sys_resource sys_tty_config };
dontaudit syslogd_t self:capability sys_tty_config;
allow syslogd_t self:process signal_perms;
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:fifo_file rw_file_perms;
allow syslogd_t self:udp_socket { connected_socket_perms connect };
# create/append log files.
allow syslogd_t var_log_t:dir rw_dir_perms;
allow syslogd_t var_log_t:file create_file_perms;
# manage temporary files
allow syslogd_t syslogd_tmp_t:file create_file_perms;
files_create_tmp_files(syslogd_t,syslogd_tmp_t)
allow syslogd_t syslogd_var_run_t:file create_file_perms;
files_create_pid(syslogd_t,syslogd_var_run_t,file)
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file create_file_perms;
files_create_pid(syslogd_t,devlog_t,sock_file)
# I belive these are not needed:
allow syslogd_t devlog_t:unix_stream_socket name_bind;
allow syslogd_t devlog_t:unix_dgram_socket name_bind;
# manage pid file
allow syslogd_t syslogd_var_run_t:file create_file_perms;
files_create_pid(syslogd_t,syslogd_var_run_t)
kernel_read_kernel_sysctl(syslogd_t)
kernel_read_proc_symlinks(syslogd_t)
dev_create_dev_node(syslogd_t,devlog_t,sock_file)
dev_read_sysfs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
term_dontaudit_use_console(syslogd_t)
# Allow syslog to a terminal
term_write_unallocated_ttys(syslogd_t)
# for sending messages to logged in users
init_read_script_pid(syslogd_t)
init_dontaudit_write_script_pid(syslogd_t)
term_write_all_user_ttys(syslogd_t)
corenet_raw_sendrecv_all_if(syslogd_t)
corenet_udp_sendrecv_all_if(syslogd_t)
corenet_raw_sendrecv_all_nodes(syslogd_t)
corenet_udp_sendrecv_all_nodes(syslogd_t)
corenet_udp_sendrecv_all_ports(syslogd_t)
corenet_udp_bind_all_nodes(syslogd_t)
corenet_udp_bind_syslogd_port(syslogd_t)
fs_getattr_all_fs(syslogd_t)
init_use_fd(syslogd_t)
init_use_script_pty(syslogd_t)
domain_use_wide_inherit_fd(syslogd_t)
files_read_etc_files(syslogd_t)
libs_use_ld_so(syslogd_t)
libs_use_shared_libs(syslogd_t)
sysnet_read_config(syslogd_t)
miscfiles_read_localization(syslogd_t)
userdom_dontaudit_use_unpriv_user_fd(syslogd_t)
userdom_dontaudit_search_sysadm_home_dir(syslogd_t)
#
# /initrd is not umounted before minilog starts
#
files_dontaudit_search_isid_type_dir(syslogd_t)
#allow syslogd_t tmpfs_t:dir search;
#dontaudit syslogd_t unlabeled_t:file read;
#dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
allow syslogd_t self:capability net_admin;
allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
ifdef(`distro_suse', `
# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
files_create_var_lib(syslogd_t,devlog_t,sock_file)
')
ifdef(`klogd.te', `', `
# Allow access to /proc/kmsg for syslog-ng
kernel_read_messages(syslogd_t)
kernel_clear_ring_buffer(syslogd_t)
kernel_change_ring_buffer_level(syslogd_t)
')
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(syslogd_t)
term_dontaudit_use_generic_pty(syslogd_t)
files_dontaudit_read_root_file(syslogd_t)
')
optional_policy(`cron.te',`
cron_rw_log(syslogd_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(syslogd_t)
')
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(syslogd_t)
')
optional_policy(`udev.te', `
udev_read_db(syslogd_t)
')
ifdef(`TODO',`
optional_policy(`rhgb.te', `
rhgb_domain(syslogd_t)
')
# log to the xconsole
allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
#
# Special case to handle crashes
#
allow syslogd_t { device_t file_t }:sock_file unlink;
') dnl end TODO