selinux-refpolicy/targeted/domains/program/syslogd.te

110 lines
3.5 KiB
Plaintext

#DESC Syslogd - System log daemon
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: sysklogd syslog-ng
#
#################################
#
# Rules for the syslogd_t domain.
#
# syslogd_t is the domain of syslogd.
# syslogd_exec_t is the type of the syslogd executable.
# devlog_t is the type of the Unix domain socket created
# by syslogd.
#
ifdef(`klogd.te', `
daemon_domain(syslogd, `, privkmsg, nscd_client_domain')
', `
daemon_domain(syslogd, `, privmem, privkmsg, nscd_client_domain')
')
# can_network is for the UDP socket
can_network_udp(syslogd_t)
can_ypbind(syslogd_t)
r_dir_file(syslogd_t, sysfs_t)
type devlog_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
# if something can log to syslog they should be able to log to the console
allow privlog console_device_t:chr_file { ioctl read write getattr };
tmp_domain(syslogd)
# read files in /etc
allow syslogd_t { etc_runtime_t etc_t }:file r_file_perms;
# Use capabilities.
allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config };
# Modify/create log files.
create_append_log_file(syslogd_t, var_log_t)
# Create and bind to /dev/log or /var/run/log.
file_type_auto_trans(syslogd_t, { device_t var_run_t }, devlog_t, sock_file)
ifdef(`distro_suse', `
# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
')
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
allow syslogd_t self:fifo_file rw_file_perms;
allow syslogd_t devlog_t:unix_stream_socket name_bind;
allow syslogd_t devlog_t:unix_dgram_socket name_bind;
# log to the xconsole
allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
# Domains with the privlog attribute may log to syslogd.
allow privlog devlog_t:sock_file rw_file_perms;
can_unix_send(privlog,syslogd_t)
can_unix_connect(privlog,syslogd_t)
# allow /dev/log to be a link elsewhere for chroot setup
allow privlog devlog_t:lnk_file read;
ifdef(`crond.te', `
# for daemon re-start
allow system_crond_t syslogd_t:lnk_file read;
')
ifdef(`logrotate.te', `
allow logrotate_t syslogd_exec_t:file r_file_perms;
')
# for sending messages to logged in users
allow syslogd_t initrc_var_run_t:file { read lock };
dontaudit syslogd_t initrc_var_run_t:file write;
allow syslogd_t ttyfile:chr_file { getattr write };
#
# Special case to handle crashes
#
allow syslogd_t { device_t file_t }:sock_file { getattr unlink };
# Allow syslog to a terminal
allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
# Allow name_bind for remote logging
allow syslogd_t syslogd_port_t:udp_socket name_bind;
#
# /initrd is not umounted before minilog starts
#
dontaudit syslogd_t file_t:dir search;
allow syslogd_t { tmpfs_t devpts_t }:dir search;
dontaudit syslogd_t unlabeled_t:file { getattr read };
dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
ifdef(`targeted_policy', `
allow syslogd_t var_run_t:fifo_file { ioctl read write };
')
# Allow access to /proc/kmsg for syslog-ng
allow syslogd_t proc_t:dir search;
allow syslogd_t proc_kmsg_t:file { getattr read };
allow syslogd_t kernel_t:system { syslog_mod syslog_console };
allow syslogd_t self:capability { sys_admin chown fsetid };
allow syslogd_t var_log_t:dir { create setattr };
allow syslogd_t syslogd_port_t:tcp_socket name_bind;
allow syslogd_t rsh_port_t:tcp_socket name_connect;