#DESC Klogd - Kernel log daemon

#

# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  

# X-Debian-Packages: klogd

#

#################################

#

# Rules for the klogd_t domain.

#

daemon_domain(klogd, `, privmem, privkmsg, mlsfileread')

tmp_domain(klogd)

allow klogd_t proc_t:dir r_dir_perms;

allow klogd_t proc_t:lnk_file r_file_perms;

allow klogd_t proc_t:file { getattr read };

allow klogd_t self:dir r_dir_perms;

allow klogd_t self:lnk_file r_file_perms;

# read /etc/nsswitch.conf

allow klogd_t etc_t:lnk_file read;

allow klogd_t etc_t:file r_file_perms;

read_locale(klogd_t)

allow klogd_t etc_runtime_t:file { getattr read };

# Create unix sockets

allow klogd_t self:unix_dgram_socket create_socket_perms;

# Use the sys_admin and sys_rawio capabilities.

allow klogd_t self:capability { sys_admin sys_rawio };

dontaudit klogd_t self:capability sys_resource;

# Read /proc/kmsg and /dev/mem.

allow klogd_t proc_kmsg_t:file r_file_perms;

allow klogd_t memory_device_t:chr_file r_file_perms;

# Control syslog and console logging

allow klogd_t kernel_t:system { syslog_mod syslog_console };

# Read /boot/System.map*

allow klogd_t system_map_t:file r_file_perms;

allow klogd_t boot_t:dir r_dir_perms;

ifdef(`targeted_policy', `

allow klogd_t unconfined_t:system syslog_mod;

')