rpms / selinux-policy

Clone
Source Code
GIT

Files

  1.   0fbfa546bdf996641cc75b829b6f93b12ebb84e5
  2.   strict
  3.   domains
  4.   program
  5.   syslogd.te
Blob Blame History Raw 
#DESC Syslogd - System log daemon
#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
# X-Debian-Packages: sysklogd syslog-ng
#

#################################
#
# Rules for the syslogd_t domain.
#
# syslogd_t is the domain of syslogd.
# syslogd_exec_t is the type of the syslogd executable.
# devlog_t is the type of the Unix domain socket created 
# by syslogd.
#
ifdef(`klogd.te', `
daemon_domain(syslogd)
', `
daemon_domain(syslogd, `, privmem')
')

# can_network is for the UDP socket
can_network_udp(syslogd_t)
can_ypbind(syslogd_t)

r_dir_file(syslogd_t, sysfs_t)

type devlog_t, file_type, sysadmfile, dev_fs;

# if something can log to syslog they should be able to log to the console
allow privlog console_device_t:chr_file { ioctl read write getattr };

tmp_domain(syslogd)

# read files in /etc
allow syslogd_t etc_t:file r_file_perms;

# Use capabilities.
allow syslogd_t self:capability { dac_override net_bind_service sys_resource sys_tty_config };

# Modify/create log files.
create_append_log_file(syslogd_t, var_log_t)

# Create and bind to /dev/log or /var/run/log.
file_type_auto_trans(syslogd_t, { device_t var_run_t }, devlog_t, sock_file)
ifdef(`distro_suse', `
# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
')
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
allow syslogd_t self:fifo_file rw_file_perms;
allow syslogd_t devlog_t:unix_stream_socket name_bind;
allow syslogd_t devlog_t:unix_dgram_socket name_bind;
# log to the xconsole
allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };

# Domains with the privlog attribute may log to syslogd.
allow privlog devlog_t:sock_file rw_file_perms;
can_unix_send(privlog,syslogd_t)
can_unix_connect(privlog,syslogd_t)
# allow /dev/log to be a link elsewhere for chroot setup
allow privlog devlog_t:lnk_file read;

ifdef(`crond.te', `
# Write to the cron log.
allow syslogd_t crond_log_t:file rw_file_perms;
# for daemon re-start
allow system_crond_t syslogd_t:lnk_file read;
')

ifdef(`logrotate.te', `
allow logrotate_t syslogd_exec_t:file r_file_perms;
')

# for sending messages to logged in users
allow syslogd_t initrc_var_run_t:file { read lock };
dontaudit syslogd_t initrc_var_run_t:file write;
allow syslogd_t ttyfile:chr_file { getattr write };

ifdef(`klogd.te', `', `
# Allow access to /proc/kmsg for syslog-ng
allow syslogd_t proc_t:dir search;
allow syslogd_t proc_kmsg_t:file { getattr read };
allow syslogd_t kernel_t:system { syslog_mod syslog_console };
')
#
# Special case to handle crashes
#
allow syslogd_t { device_t file_t }:sock_file unlink;

# Allow syslog to a terminal
allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };

# Allow name_bind for remote logging
type syslogd_port_t, port_type, reserved_port_type;
allow syslogd_t syslogd_port_t:udp_socket name_bind;
#
# /initrd is not umounted before minilog starts
#
dontaudit syslogd_t file_t:dir search;
allow syslogd_t { tmpfs_t devpts_t }:dir search;
dontaudit syslogd_t unlabeled_t:file read;
dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
allow syslogd_t self:capability net_admin;
allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.