selinux-refpolicy/policy/modules/system/logging.te


# System logging: the audit subsystem (auditctl, auditd, audisp, audisp-remote),
# the kernel log daemon (klogd) and the syslog daemon (syslogd, which also
# covers rsyslog, syslog-ng, metalog and systemd-journald).
policy_module(logging, 1.34.0)

########################################
#
# Declarations
#

# Attribute shared by all log file types (presumably assigned via
# logging_log_file() in logging.if, as var_log_t is below).
attribute logfile;

# auditctl: loads audit rules and changes audit settings
type auditctl_t;
type auditctl_exec_t;
init_system_domain(auditctl_t, auditctl_exec_t)
role system_r types auditctl_t;

# audit configuration and rule files
type auditd_etc_t;
files_security_file(auditd_etc_t)

# audit log files; a security file type, so generic log readers get no access
type auditd_log_t;
files_security_file(auditd_log_t)
files_security_mountpoint(auditd_log_t)

# spool of audit events queued by audisp-remote
type audit_spool_t;
files_security_file(audit_spool_t)
files_security_mountpoint(audit_spool_t)

type auditd_t;
type auditd_exec_t;
init_daemon_domain(auditd_t, auditd_exec_t)

type auditd_initrc_exec_t;
init_script_file(auditd_initrc_exec_t)

type auditd_runtime_t alias auditd_var_run_t;
files_runtime_file(auditd_runtime_t)

type auditd_unit_t;
init_unit_file(auditd_unit_t)

# audit event dispatcher (audispd)
type audisp_t;
type audisp_exec_t;
init_system_domain(audisp_t, audisp_exec_t)

# audisp-remote plugin; a dispatcher domain so audisp_t can transition to it
type audisp_remote_t;
type audisp_remote_exec_t;
logging_dispatcher_domain(audisp_remote_t, audisp_remote_exec_t)

type audisp_runtime_t alias audisp_var_run_t;
files_runtime_file(audisp_runtime_t)

# the /dev/log socket; MLS-trusted object so writers at any level can reach it
type devlog_t;
files_type(devlog_t)
mls_trusted_object(devlog_t)

type klogd_t;
type klogd_exec_t;
init_daemon_domain(klogd_t, klogd_exec_t)

type klogd_runtime_t alias klogd_var_run_t;
files_runtime_file(klogd_runtime_t)

type klogd_tmp_t;
files_tmp_file(klogd_tmp_t)

type syslog_conf_t;
files_config_file(syslog_conf_t)

# syslogd may be socket-activated by init on its runtime socket; its sockets
# are MLS-trusted so it can receive from every level
type syslogd_t;
type syslogd_exec_t;
init_daemon_domain(syslogd_t, syslogd_exec_t)
init_named_socket_activation(syslogd_t, syslogd_runtime_t)
mls_trusted_socket(syslogd_t)

type syslogd_initrc_exec_t;
init_script_file(syslogd_initrc_exec_t)

type syslogd_runtime_t alias syslogd_var_run_t;
files_runtime_file(syslogd_runtime_t)

type syslogd_tmp_t;
files_tmp_file(syslogd_tmp_t)

type syslogd_unit_t;
init_unit_file(syslogd_unit_t)

type syslogd_var_lib_t;
files_type(syslogd_var_lib_t)

# generic log file type and the /var/log mountpoint
type var_log_t;
logging_log_file(var_log_t)
files_mountpoint(var_log_t)

# with MLS, auditd and syslogd run ranged up to mls_systemhigh so they can
# handle data from every level
ifdef(`enable_mls',`
init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
')
########################################
#
# Auditctl local policy
#

allow auditctl_t self:capability { dac_override dac_read_search fsetid };
allow auditctl_t self:process getcap;
# list the currently loaded audit rules (nlmsg_readpriv)
allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;

# rule files under /etc/audit are read-only for auditctl
read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
allow auditctl_t auditd_etc_t:dir list_dir_perms;
dontaudit auditctl_t auditd_etc_t:file map;

corecmd_search_bin(auditctl_t)

# Needed for adding watches
files_getattr_all_dirs(auditctl_t)
files_getattr_all_files(auditctl_t)
files_read_etc_files(auditctl_t)

kernel_dontaudit_getattr_proc(auditctl_t)
kernel_read_kernel_sysctls(auditctl_t)
kernel_read_proc_symlinks(auditctl_t)
kernel_setsched(auditctl_t)

domain_read_all_domains_state(auditctl_t)
domain_use_interactive_fds(auditctl_t)

# watched paths may sit at any MLS level
mls_file_read_all_levels(auditctl_t)

term_use_all_terms(auditctl_t)

init_dontaudit_use_fds(auditctl_t)

# the privileged part: load rules and change the kernel audit settings
logging_set_audit_parameters(auditctl_t)
logging_send_syslog_msg(auditctl_t)

miscfiles_read_localization(auditctl_t)

ifdef(`init_systemd',`
init_rw_stream_sockets(auditctl_t)
')

optional_policy(`
locallogin_dontaudit_use_fds(auditctl_t)
')
########################################
#
# Auditd local policy
#

# chown/fsetid: ownership and mode of rotated log files;
# sys_nice/sys_resource: presumably for its priority and limit settings
allow auditd_t self:capability { chown fsetid sys_nice sys_resource };
dontaudit auditd_t self:capability sys_tty_config;
allow auditd_t self:process { getcap signal_perms setcap setpgid setsched };
allow auditd_t self:file rw_file_perms;
allow auditd_t self:unix_dgram_socket create_socket_perms;
allow auditd_t self:fifo_file rw_fifo_file_perms;
# tcp listener for remote audit clients (see the audit port rules below)
allow auditd_t self:tcp_socket create_stream_socket_perms;

# configuration (auditd.conf and rule files) is read-only for the daemon
allow auditd_t auditd_etc_t:dir list_dir_perms;
allow auditd_t auditd_etc_t:file read_file_perms;
dontaudit auditd_t auditd_etc_t:file map;

# audit log files and their rotation
manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
allow auditd_t auditd_log_t:dir setattr;
manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
allow auditd_t var_log_t:dir search_dir_perms;

# pid file and dispatcher socket in the runtime directory
manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
manage_sock_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
files_runtime_filetrans(auditd_t, auditd_runtime_t, { file sock_file })

# Needs to be able to getattr on the audisp-remote binary to verify
# the plugin configuration.
allow auditd_t audisp_remote_exec_t:file getattr;

kernel_read_kernel_sysctls(auditd_t)
kernel_read_system_state(auditd_t)

dev_read_sysfs(auditd_t)

fs_getattr_all_fs(auditd_t)
fs_search_auto_mountpoints(auditd_t)
fs_rw_anon_inodefs_files(auditd_t)

# NOTE(review): this rule targets auditctl_t although it sits in the auditd
# section; confirm whether auditd_t was intended, otherwise move it to the
# auditctl section above.
selinux_search_fs(auditctl_t)

# remote audit server: accept connections on the audit port
corenet_all_recvfrom_netlabel(auditd_t)
corenet_tcp_sendrecv_generic_if(auditd_t)
corenet_tcp_sendrecv_generic_node(auditd_t)
corenet_tcp_bind_generic_node(auditd_t)
corenet_tcp_bind_audit_port(auditd_t)
corenet_sendrecv_audit_server_packets(auditd_t)

# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
# Probably want a transition, and a new auditd_helper app
corecmd_exec_bin(auditd_t)
corecmd_exec_shell(auditd_t)

domain_use_interactive_fds(auditd_t)

files_read_etc_files(auditd_t)
files_list_usr(auditd_t)

auth_use_nsswitch(auditd_t)

# auditd may halt the system when audit logging fails (e.g. the audit
# partition is full); see also the systemd power unit rules below
init_telinit(auditd_t)

logging_set_audit_parameters(auditd_t)
logging_send_syslog_msg(auditd_t)
logging_domtrans_dispatcher(auditd_t)
logging_signal_dispatcher(auditd_t)

miscfiles_read_localization(auditd_t)

mls_file_read_all_levels(auditd_t)
mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory

seutil_dontaudit_read_config(auditd_t)

sysnet_dns_name_resolve(auditd_t)

userdom_use_user_terminals(auditd_t)
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_user_home_dirs(auditd_t)

ifdef(`distro_ubuntu',`
optional_policy(`
# on Ubuntu builds auditd_t becomes an unconfined domain, so none of the
# rules above actually bound it there
unconfined_domain(auditd_t)
')
')

optional_policy(`
mta_send_mail(auditd_t)
')

optional_policy(`
seutil_sigchld_newrole(auditd_t)
')
The audit daemon can halt the system; allow this to happen. auditd can halt the system for several reasons based on configuration. These mostly revolve around audit-partition-full issues. I am seeing the following denials when attempting to halt the system. Jan 12 03:38:48 localhost audispd: node=localhost type=USER_AVC msg=audit(1578800328.122:1943): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' Jan 12 03:38:48 localhost audispd: node=localhost type=USER_AVC msg=audit(1578800328.147:1944): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' Jan 12 04:44:54 localhost audispd: node=localhost type=AVC msg=audit(1578804294.103:1923): avc: denied { getattr } for pid=6936 comm="systemctl" path="/run/systemd/system" dev="tmpfs" ino=45 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1 v2 - use optional rather than ifdef v3 - fix order Signed-off-by: Dave Sugar <dsugar@tresys.com>
optional_policy(`
# auditd can halt or power off the system when audit logging fails
# (e.g. the audit partition is full); under systemd that means starting
# and querying the power units
init_list_unit_dirs(auditd_t)
systemd_start_power_units(auditd_t)
systemd_status_power_units(auditd_t)
')
########################################
#
# audit dispatcher local policy
#

allow audisp_t self:capability { dac_override setpcap sys_nice };
allow audisp_t self:process { getcap signal_perms setcap setsched };
allow audisp_t self:fifo_file rw_fifo_file_perms;
allow audisp_t self:unix_stream_socket create_stream_socket_perms;
allow audisp_t self:unix_dgram_socket create_socket_perms;

# event stream handed over by auditd
allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;

manage_sock_files_pattern(audisp_t, audisp_runtime_t, audisp_runtime_t)
files_runtime_filetrans(audisp_t, audisp_runtime_t, sock_file)

kernel_read_system_state(audisp_t)

# run the configured plugins; plugins without their own dispatcher
# domain (see logging_dispatcher_domain for audisp_remote_t) stay in
# audisp_t with all of the permissions below
corecmd_exec_bin(audisp_t)
corecmd_exec_shell(audisp_t)

domain_use_interactive_fds(audisp_t)

files_map_etc_files(audisp_t)
files_read_etc_files(audisp_t)
files_read_etc_runtime_files(audisp_t)

mls_file_write_all_levels(audisp_t)

logging_send_syslog_msg(audisp_t)

miscfiles_read_localization(audisp_t)

sysnet_dns_name_resolve(audisp_t)

optional_policy(`
dbus_system_bus_client(audisp_t)
')
########################################
#
# Audit remote logger local policy
#

allow audisp_remote_t self:capability { setpcap setuid };
allow audisp_remote_t self:process { getcap setcap };
allow audisp_remote_t self:tcp_socket create_socket_perms;

# local spool of events queued for the remote server
allow audisp_remote_t var_log_t:dir search_dir_perms;
manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })

corecmd_exec_bin(audisp_remote_t)

# client side of remote audit: connect to the audit port on the remote
# server (binding the audit port is also allowed)
corenet_all_recvfrom_netlabel(audisp_remote_t)
corenet_tcp_sendrecv_generic_if(audisp_remote_t)
corenet_tcp_sendrecv_generic_node(audisp_remote_t)
corenet_tcp_bind_audit_port(audisp_remote_t)
corenet_tcp_bind_generic_node(audisp_remote_t)
corenet_tcp_connect_audit_port(audisp_remote_t)
corenet_sendrecv_audit_client_packets(audisp_remote_t)

files_read_etc_files(audisp_remote_t)

logging_send_syslog_msg(audisp_remote_t)
# can write its own records into the local audit trail (presumably to
# report delivery problems)
logging_send_audit_msgs(audisp_remote_t)

miscfiles_read_localization(audisp_remote_t)

sysnet_dns_name_resolve(audisp_remote_t)
########################################
#
# klogd local policy
#

# sys_admin: presumably for the syslog(2) console level calls below
allow klogd_t self:capability sys_admin;
dontaudit klogd_t self:capability { sys_resource sys_tty_config };
allow klogd_t self:process signal_perms;

manage_dirs_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t)
manage_files_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t)
files_tmp_filetrans(klogd_t, klogd_tmp_t,{ file dir })

# pid file
manage_files_pattern(klogd_t, klogd_runtime_t, klogd_runtime_t)
files_runtime_filetrans(klogd_t, klogd_runtime_t, file)

kernel_read_system_state(klogd_t)
# read the kernel log (/proc/kmsg)
kernel_read_messages(klogd_t)
kernel_read_kernel_sysctls(klogd_t)
# Control syslog and console logging
kernel_clear_ring_buffer(klogd_t)
kernel_change_ring_buffer_level(klogd_t)

# kernel symbol table (System.map), presumably for translating addresses
# in oops messages
files_read_kernel_symbol_table(klogd_t)

# raw memory access only when the allow_raw_memory_access boolean is on
dev_read_raw_memory_cond(klogd_t, allow_raw_memory_access)
dev_read_sysfs(klogd_t)

fs_getattr_all_fs(klogd_t)
fs_search_auto_mountpoints(klogd_t)

domain_use_interactive_fds(klogd_t)

files_read_etc_runtime_files(klogd_t)
# read /etc/nsswitch.conf
files_read_etc_files(klogd_t)

logging_send_syslog_msg(klogd_t)

miscfiles_read_localization(klogd_t)

mls_file_read_all_levels(klogd_t)

userdom_dontaudit_search_user_home_dirs(klogd_t)

ifdef(`distro_ubuntu',`
optional_policy(`
# on Ubuntu builds klogd_t becomes an unconfined domain, so none of the
# rules above actually bound it there
unconfined_domain(klogd_t)
')
')

optional_policy(`
seutil_sigchld_newrole(klogd_t)
')
########################################
#
# syslogd local policy
#

# chown fsetid for syslog-ng
# sys_admin for the integrated klog of syslog-ng and metalog
# sys_nice for rsyslog
# cjp: why net_admin!
allow syslogd_t self:capability { chown dac_override fsetid net_admin setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
# note: the init_systemd block below allows sys_ptrace outright, so on
# systemd builds this dontaudit has no effect
dontaudit syslogd_t self:capability { sys_ptrace };

# setpgid for metalog
# setrlimit for syslog-ng
# getsched for syslog-ng
# setsched for rsyslog
# getcap/setcap for syslog-ng
allow syslogd_t self:process { getcap setcap signal_perms setpgid setrlimit getsched setsched };

# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:fifo_file rw_fifo_file_perms;
# network sources and destinations; the ports are in the corenet rules below
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;

# configuration is read-only for the daemon
allow syslogd_t syslog_conf_t:file read_file_perms;
allow syslogd_t syslog_conf_t:dir list_dir_perms;

# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
files_runtime_filetrans(syslogd_t, devlog_t, sock_file)
init_runtime_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")

# create/append log files.
manage_files_pattern(syslogd_t, var_log_t, var_log_t)
refpolicy: Define and allow map permission Kernel commit 6941857e82ae ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). The kernel commit is anticipated to be included in Linux 4.13. This refpolicy change defines map permission for refpolicy. It mirrors the definition in the kernel classmap by adding it to the common definitions for files and sockets. This will break compatibility for kernels that predate the dynamic class/perm mapping support (< 2.6.33, < RHEL 6); on such kernels, one would instead need to add map permission to the end of each file and socket access vector. This change only allows map permission as needed, e.g. only in the mmap_file_perms and exec_file_perms object permission sets (since map is always required there) and only in specific interfaces or modules where denials were observed in limited testing. It is important to note that effective use of this permission requires complete removal of unconfined, as otherwise unconfined domains will be able to map all file types and therefore bypass the intended protection. If we wanted to exclude map permission to all file types by default from unconfined, we would need to add it to the list of permissions excluded from files_unconfined_type in kernel/files.te. 
Policies that depend on this permission not being allowed to specific file types should also make use of neverallow rules to ensure that this is not undermined by any allow rule, and ensure that they are performing neverallow checking at policy build time (e.g. make validate) or runtime (e.g. semanage.conf expand-check=1). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
# memory-mapped access to log files is allowed explicitly (map permission)
allow syslogd_t var_log_t:file map;
rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
files_search_spool(syslogd_t)

# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };

# for systemd but can not be conditional
# (the "log" directory created under the runtime dir gets the
# syslogd_tmp_t label)
files_runtime_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")

# manage temporary files
manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
allow syslogd_t syslogd_tmp_t:file map;
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })

# persistent state under /var/lib
manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
allow syslogd_t syslogd_var_lib_t:file map;
files_search_var_lib(syslogd_t)

# manage runtime files
allow syslogd_t syslogd_runtime_t:dir create_dir_perms;
allow syslogd_t syslogd_runtime_t:sock_file { create setattr unlink };
allow syslogd_t syslogd_runtime_t:file map;
manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file)
Fix problems booting with fips=1 Seeing the following problem when booting in enforcing with FIPS mode enabled. Request for unknown module key 'CentOS Linux kernel signing key: c757a9fbbd0d82c9e54052029a0908d17cf1adc7' err -13 Then seeing the system halt Fixing the following denials: [ 4.492635] type=1400 audit(1523666552.903:4): avc: denied { search } for pid=894 comm="systemd-journal" name="crypto" dev="proc" ino=6124 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir [ 4.496621] type=1400 audit(1523666552.907:5): avc: denied { read } for pid=894 comm="systemd-journal" name="fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file [ 4.499741] type=1400 audit(1523666552.910:6): avc: denied { open } for pid=894 comm="systemd-journal" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file [ 4.502969] type=1400 audit(1523666552.914:7): avc: denied { getattr } for pid=894 comm="systemd-journal" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file [ 4.950021] type=1400 audit(1523666553.360:8): avc: denied { search } for pid=952 comm="systemctl" name="crypto" dev="proc" ino=6124 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir [ 4.986551] type=1400 audit(1523666553.397:9): avc: denied { read } for pid=952 comm="systemctl" name="fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file [ 5.028737] type=1400 audit(1523666553.439:10): avc: denied { open } for pid=952 comm="systemctl" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file type=1400 audit(1512501270.176:3): avc: denied { search } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key Signed-off-by: Dave Sugar <dsugar@tresys.com>
# /proc/sys/crypto/fips_enabled is read at start-up (denied otherwise
# when booting with fips=1)
kernel_read_crypto_sysctls(syslogd_t)
kernel_read_system_state(syslogd_t)
kernel_read_network_state(syslogd_t)
kernel_read_kernel_sysctls(syslogd_t)
kernel_read_proc_symlinks(syslogd_t)
# Allow access to /proc/kmsg for syslog-ng
kernel_read_messages(syslogd_t)
# rsyslog
kernel_read_vm_overcommit_sysctl(syslogd_t)
kernel_clear_ring_buffer(syslogd_t)
kernel_change_ring_buffer_level(syslogd_t)
# Read ring buffer for journald
kernel_read_ring_buffer(syslogd_t)
# /initrd is not umounted before minilog starts
kernel_dontaudit_search_unlabeled(syslogd_t)

corenet_all_recvfrom_netlabel(syslogd_t)
# receive remote syslog on the udp syslog port
corenet_udp_sendrecv_generic_if(syslogd_t)
corenet_udp_sendrecv_generic_node(syslogd_t)
corenet_udp_bind_generic_node(syslogd_t)
corenet_udp_bind_syslogd_port(syslogd_t)
# syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_generic_if(syslogd_t)
corenet_tcp_sendrecv_generic_node(syslogd_t)
corenet_tcp_bind_generic_node(syslogd_t)
corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
corenet_tcp_connect_syslogd_port(syslogd_t)
# database log destinations over tcp (unix socket access is in the
# mysql/postgresql optional blocks below)
corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t)
# syslog-ng can send or receive logs
corenet_sendrecv_syslogd_client_packets(syslogd_t)
corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)

dev_filetrans(syslogd_t, devlog_t, sock_file)
dev_read_sysfs(syslogd_t)
dev_read_urand(syslogd_t)
# Allow access to /dev/kmsg for journald
dev_rw_kmsg(syslogd_t)

domain_use_interactive_fds(syslogd_t)
# Allow access to /proc/ information for journald
domain_read_all_domains_state(syslogd_t)

files_read_etc_files(syslogd_t)
files_read_usr_files(syslogd_t)
files_read_var_files(syslogd_t)
files_read_etc_runtime_files(syslogd_t)
# kernel symbol table (System.map)
files_read_kernel_symbol_table(syslogd_t)
files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })

fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)

mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories

term_write_console(syslogd_t)
# Allow syslog to a terminal
term_write_unallocated_ttys(syslogd_t)
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
term_write_all_ttys(syslogd_t)

auth_use_nsswitch(syslogd_t)

init_use_fds(syslogd_t)

miscfiles_read_localization(syslogd_t)

seutil_read_config(syslogd_t)

userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
userdom_dontaudit_search_user_home_dirs(syslogd_t)

ifdef(`init_systemd',`
# for systemd-journal
allow syslogd_t self:netlink_audit_socket connected_socket_perms;
# read audit records from the kernel (journald's audit source)
allow syslogd_t self:capability2 audit_read;
# sys_ptrace: an allow rule, so it grants what the dontaudit above only
# silenced; combined with domain_read_all_domains_state this lets the
# daemon read other processes' state under /proc
allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
# nlmsg_write: presumably for journald enabling audit at start-up — confirm
allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
# remove /run/log/journal when switching to permanent storage
allow syslogd_t var_log_t:dir rmdir;

kernel_getattr_dgram_sockets(syslogd_t)
kernel_read_ring_buffer(syslogd_t)
kernel_rw_stream_sockets(syslogd_t)
kernel_rw_unix_dgram_sockets(syslogd_t)
Allow use of systemd UNIX sockets created at initrd execution Systemd uses a number of UNIX sockets for communication (notify socket [1], journald socket). These sockets are normally created at start-up after the SELinux policy is loaded, which means that the kernel socket objects have proper security contexts of the creating processes. Unfortunately things look different when the system is started with an initrd that is also running systemd (e.g. dracut). In such a case the sockets are created in the initrd systemd environment before the SELinux policy is loaded and therefore the socket object is assigned the default kernel context (system_u:system_r:kernel_t). When the initrd systemd transfers control to the main systemd the notify socket descriptors are passed to the main systemd process [2]. This means that when the main system is running the sockets will use the default kernel security context until they are recreated, which for some sockets (notify socket) never happens. Until there is a way to change the context of an already open socket object, all processes that wish to use systemd sockets need to be able to send datagrams to system_u:system_r:kernel_t sockets. Parts of this workaround were earlier hidden behind RedHat-specific rules, since this distribution is the prime user of the systemd+dracut combo. Since other distros may want to use a similar configuration it makes sense to enable this globally. [1] sd_notify(3) [2] https://github.com/systemd/systemd/issues/16714 Signed-off-by: Krzysztof Nowicki <krissn@op.pl> tmp
# sockets created by systemd in the initrd (before the policy is loaded)
# keep the kernel_t label after the switch to the real root, so journald
# must be able to use kernel_t-labelled sockets and fds
kernel_rw_netlink_audit_sockets(syslogd_t)
kernel_use_fds(syslogd_t)

dev_read_kmsg(syslogd_t)
dev_read_urand(syslogd_t)
dev_write_kmsg(syslogd_t)

domain_getattr_all_domains(syslogd_t)
domain_read_all_domains_state(syslogd_t)

# journald's directory ("syslogd", labelled syslogd_runtime_t) under init's
# runtime dir, and its interaction with init (presumably the notify socket
# for init_dgram_send)
init_create_runtime_dirs(syslogd_t)
init_daemon_runtime_file(syslogd_runtime_t, dir, "syslogd")
init_getattr(syslogd_t)
init_rename_runtime_files(syslogd_t)
init_delete_runtime_files(syslogd_t)
init_dgram_send(syslogd_t)
init_read_runtime_pipes(syslogd_t)
init_read_runtime_symlinks(syslogd_t)
init_read_state(syslogd_t)
Allow use of systemd UNIX sockets created at initrd execution Systemd uses a number of UNIX sockets for communication (notify socket [1], journald socket). These sockets are normally created at start-up after the SELinux policy is loaded, which means that the kernel socket objects have proper security contexts of the creating processes. Unfortunately things look different when the system is started with an initrd that is also running systemd (e.g. dracut). In such a case the sockets are created in the initrd systemd environment before the SELinux policy is loaded and therefore the socket object is assigned the default kernel context (system_u:system_r:kernel_t). When the initrd systemd transfers control to the main systemd the notify socket descriptors are passed to the main systemd process [2]. This means that when the main system is running the sockets will use the default kernel security context until they are recreated, which for some sockets (notify socket) never happens. Until there is a way to change the context of an already open socket object, all processes that wish to use systemd sockets need to be able to send datagrams to system_u:system_r:kernel_t sockets. Parts of this workaround were earlier hidden behind RedHat-specific rules, since this distribution is the prime user of the systemd+dracut combo. Since other distros may want to use a similar configuration it makes sense to enable this globally. [1] sd_notify(3) [2] https://github.com/systemd/systemd/issues/16714 Signed-off-by: Krzysztof Nowicki <krissn@op.pl> tmp
# needed for systemd-initrd case when syslog socket is unlabelled
logging_send_syslog_msg(syslogd_t)

systemd_manage_journal_files(syslogd_t)

udev_read_runtime_files(syslogd_t)

# journald traverses /run/user/UID (which is mode 0700) to read symlinks in /run/user/UID/systemd/units/
allow syslogd_t self:capability dac_read_search;
userdom_search_user_runtime_root(syslogd_t)
userdom_search_user_runtime(syslogd_t)
systemd_read_user_runtime_lnk_files(syslogd_t)
')

ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
# and high priority messages to /dev/tty12
# and chown/chgrp/chmod /dev/tty12, which is denied
term_dontaudit_setattr_unallocated_ttys(syslogd_t)
')

ifdef(`distro_suse',`
# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
files_var_lib_filetrans(syslogd_t, devlog_t, sock_file)
')

ifdef(`distro_ubuntu',`
optional_policy(`
# on Ubuntu builds syslogd_t becomes an unconfined domain, so none of the
# rules above bound it there; unconfined domains can also map every file
# type, which defeats any restriction that relies on the map permission
unconfined_domain(syslogd_t)
')
')

optional_policy(`
bind_search_cache(syslogd_t)
')

optional_policy(`
# cron.log is created with the cron log type instead of var_log_t
cron_manage_log_files(syslogd_t)
cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
')

optional_policy(`
# the news.* logs are created with the innd log type instead of var_log_t
inn_manage_log(syslogd_t)
inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.crit")
inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.err")
inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.notice")
')

optional_policy(`
# unix socket connection to a local database used as a log destination
mysql_stream_connect(syslogd_t)
')

optional_policy(`
postgresql_stream_connect(syslogd_t)
')

optional_policy(`
seutil_sigchld_newrole(syslogd_t)
')

optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')