Chris PeBenito 0fbfa5
#DESC Syslogd - System log daemon
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
Chris PeBenito 0fbfa5
# X-Debian-Packages: sysklogd syslog-ng
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Rules for the syslogd_t domain.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# syslogd_t is the domain of syslogd.
Chris PeBenito 0fbfa5
# syslogd_exec_t is the type of the syslogd executable.
Chris PeBenito 0fbfa5
# devlog_t is the type of the Unix domain socket created 
Chris PeBenito 0fbfa5
# by syslogd.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
ifdef(`klogd.te', `
Chris PeBenito 77f6e2
daemon_domain(syslogd, `, privkmsg, nscd_client_domain')
Chris PeBenito 0fbfa5
', `
Chris PeBenito 77f6e2
daemon_domain(syslogd, `, privmem, privkmsg, nscd_client_domain')
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# can_network is for the UDP socket
Chris PeBenito 0fbfa5
can_network_udp(syslogd_t)
Chris PeBenito 0fbfa5
can_ypbind(syslogd_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
r_dir_file(syslogd_t, sysfs_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0907bd
type devlog_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# if something can log to syslog they should be able to log to the console
Chris PeBenito 0fbfa5
allow privlog console_device_t:chr_file { ioctl read write getattr };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
tmp_domain(syslogd)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# read files in /etc
Chris PeBenito 77f6e2
allow syslogd_t { etc_runtime_t etc_t }:file r_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Use capabilities.
Chris PeBenito 0907bd
allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Modify/create log files.
Chris PeBenito 0fbfa5
create_append_log_file(syslogd_t, var_log_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Create and bind to /dev/log or /var/run/log.
Chris PeBenito 0fbfa5
file_type_auto_trans(syslogd_t, { device_t var_run_t }, devlog_t, sock_file)
Chris PeBenito 0fbfa5
ifdef(`distro_suse', `
Chris PeBenito 0fbfa5
# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
Chris PeBenito 0fbfa5
file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
allow syslogd_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito 0fbfa5
allow syslogd_t self:unix_dgram_socket sendto;
Chris PeBenito 0fbfa5
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
Chris PeBenito 0fbfa5
allow syslogd_t self:fifo_file rw_file_perms;
Chris PeBenito 0fbfa5
allow syslogd_t devlog_t:unix_stream_socket name_bind;
Chris PeBenito 0fbfa5
allow syslogd_t devlog_t:unix_dgram_socket name_bind;
Chris PeBenito 0fbfa5
# log to the xconsole
Chris PeBenito 0fbfa5
allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Domains with the privlog attribute may log to syslogd.
Chris PeBenito 0fbfa5
allow privlog devlog_t:sock_file rw_file_perms;
Chris PeBenito 0fbfa5
can_unix_send(privlog,syslogd_t)
Chris PeBenito 0fbfa5
can_unix_connect(privlog,syslogd_t)
Chris PeBenito 0fbfa5
# allow /dev/log to be a link elsewhere for chroot setup
Chris PeBenito 0fbfa5
allow privlog devlog_t:lnk_file read;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`crond.te', `
Chris PeBenito 0fbfa5
# for daemon re-start
Chris PeBenito 0fbfa5
allow system_crond_t syslogd_t:lnk_file read;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`logrotate.te', `
Chris PeBenito 0fbfa5
allow logrotate_t syslogd_exec_t:file r_file_perms;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for sending messages to logged in users
Chris PeBenito 0fbfa5
allow syslogd_t initrc_var_run_t:file { read lock };
Chris PeBenito 0fbfa5
dontaudit syslogd_t initrc_var_run_t:file write;
Chris PeBenito 0fbfa5
allow syslogd_t ttyfile:chr_file { getattr write };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Special case to handle crashes
Chris PeBenito 0fbfa5
#
Chris PeBenito 605ba2
allow syslogd_t { device_t file_t }:sock_file { getattr unlink };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Allow syslog to a terminal
Chris PeBenito 0fbfa5
allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Allow name_bind for remote logging
Chris PeBenito 0fbfa5
allow syslogd_t syslogd_port_t:udp_socket name_bind;
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# /initrd is not umounted before minilog starts
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
dontaudit syslogd_t file_t:dir search;
Chris PeBenito 0fbfa5
allow syslogd_t { tmpfs_t devpts_t }:dir search;
Chris PeBenito 605ba2
dontaudit syslogd_t unlabeled_t:file { getattr read };
Chris PeBenito 0fbfa5
dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
Chris PeBenito 0fbfa5
allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
Chris PeBenito 605ba2
ifdef(`targeted_policy', `
Chris PeBenito 605ba2
allow syslogd_t var_run_t:fifo_file { ioctl read write };
Chris PeBenito 605ba2
')
Chris PeBenito 605ba2
Chris PeBenito 605ba2
# Allow access to /proc/kmsg for syslog-ng
Chris PeBenito 605ba2
allow syslogd_t proc_t:dir search;
Chris PeBenito 605ba2
allow syslogd_t proc_kmsg_t:file { getattr read };
Chris PeBenito 605ba2
allow syslogd_t kernel_t:system { syslog_mod syslog_console };
Chris PeBenito 605ba2
allow syslogd_t self:capability { sys_admin chown fsetid };
Chris PeBenito 605ba2
allow syslogd_t var_log_t:dir { create setattr };
Chris PeBenito 605ba2
allow syslogd_t syslogd_port_t:tcp_socket name_bind;
Chris PeBenito 605ba2
allow syslogd_t rsh_port_t:tcp_socket name_connect;