|
Chris PeBenito |
0fbfa5 |
#DESC Syslogd - System log daemon
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
|
Chris PeBenito |
0fbfa5 |
# X-Debian-Packages: sysklogd syslog-ng
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
#################################
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Rules for the syslogd_t domain.
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# syslogd_t is the domain of syslogd.
|
|
Chris PeBenito |
0fbfa5 |
# syslogd_exec_t is the type of the syslogd executable.
|
|
Chris PeBenito |
0fbfa5 |
# devlog_t is the type of the Unix domain socket created
|
|
Chris PeBenito |
0fbfa5 |
# by syslogd.
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
ifdef(`klogd.te', `
|
|
Chris PeBenito |
77f6e2 |
daemon_domain(syslogd, `, privkmsg, nscd_client_domain')
|
|
Chris PeBenito |
0fbfa5 |
', `
|
|
Chris PeBenito |
77f6e2 |
daemon_domain(syslogd, `, privmem, privkmsg, nscd_client_domain')
|
|
Chris PeBenito |
0fbfa5 |
')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# can_network is for the UDP socket
|
|
Chris PeBenito |
0fbfa5 |
can_network_udp(syslogd_t)
|
|
Chris PeBenito |
0fbfa5 |
can_ypbind(syslogd_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
r_dir_file(syslogd_t, sysfs_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0907bd |
type devlog_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# if something can log to syslog they should be able to log to the console
|
|
Chris PeBenito |
0fbfa5 |
allow privlog console_device_t:chr_file { ioctl read write getattr };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
tmp_domain(syslogd)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# read files in /etc
|
|
Chris PeBenito |
77f6e2 |
allow syslogd_t { etc_runtime_t etc_t }:file r_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Use capabilities.
|
|
Chris PeBenito |
0907bd |
allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Modify/create log files.
|
|
Chris PeBenito |
0fbfa5 |
create_append_log_file(syslogd_t, var_log_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Create and bind to /dev/log or /var/run/log.
|
|
Chris PeBenito |
0fbfa5 |
file_type_auto_trans(syslogd_t, { device_t var_run_t }, devlog_t, sock_file)
|
|
Chris PeBenito |
0fbfa5 |
ifdef(`distro_suse', `
|
|
Chris PeBenito |
0fbfa5 |
# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
|
|
Chris PeBenito |
0fbfa5 |
file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
|
|
Chris PeBenito |
0fbfa5 |
')
|
|
Chris PeBenito |
0fbfa5 |
allow syslogd_t self:unix_dgram_socket create_socket_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow syslogd_t self:unix_dgram_socket sendto;
|
|
Chris PeBenito |
0fbfa5 |
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow syslogd_t self:fifo_file rw_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow syslogd_t devlog_t:unix_stream_socket name_bind;
|
|
Chris PeBenito |
0fbfa5 |
allow syslogd_t devlog_t:unix_dgram_socket name_bind;
|
|
Chris PeBenito |
0fbfa5 |
# log to the xconsole
|
|
Chris PeBenito |
0fbfa5 |
allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Domains with the privlog attribute may log to syslogd.
|
|
Chris PeBenito |
0fbfa5 |
allow privlog devlog_t:sock_file rw_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
can_unix_send(privlog,syslogd_t)
|
|
Chris PeBenito |
0fbfa5 |
can_unix_connect(privlog,syslogd_t)
|
|
Chris PeBenito |
0fbfa5 |
# allow /dev/log to be a link elsewhere for chroot setup
|
|
Chris PeBenito |
0fbfa5 |
allow privlog devlog_t:lnk_file read;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
ifdef(`crond.te', `
|
|
Chris PeBenito |
0fbfa5 |
# for daemon re-start
|
|
Chris PeBenito |
0fbfa5 |
allow system_crond_t syslogd_t:lnk_file read;
|
|
Chris PeBenito |
0fbfa5 |
')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
ifdef(`logrotate.te', `
|
|
Chris PeBenito |
0fbfa5 |
allow logrotate_t syslogd_exec_t:file r_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# for sending messages to logged in users
|
|
Chris PeBenito |
0fbfa5 |
allow syslogd_t initrc_var_run_t:file { read lock };
|
|
Chris PeBenito |
0fbfa5 |
dontaudit syslogd_t initrc_var_run_t:file write;
|
|
Chris PeBenito |
0fbfa5 |
allow syslogd_t ttyfile:chr_file { getattr write };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Special case to handle crashes
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
605ba2 |
allow syslogd_t { device_t file_t }:sock_file { getattr unlink };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Allow syslog to a terminal
|
|
Chris PeBenito |
0fbfa5 |
allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Allow name_bind for remote logging
|
|
Chris PeBenito |
0fbfa5 |
allow syslogd_t syslogd_port_t:udp_socket name_bind;
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# /initrd is not umounted before minilog starts
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
dontaudit syslogd_t file_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
allow syslogd_t { tmpfs_t devpts_t }:dir search;
|
|
Chris PeBenito |
605ba2 |
dontaudit syslogd_t unlabeled_t:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
|
|
Chris PeBenito |
0fbfa5 |
allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
|
|
Chris PeBenito |
605ba2 |
ifdef(`targeted_policy', `
|
|
Chris PeBenito |
605ba2 |
allow syslogd_t var_run_t:fifo_file { ioctl read write };
|
|
Chris PeBenito |
605ba2 |
')
|
|
Chris PeBenito |
605ba2 |
|
|
Chris PeBenito |
605ba2 |
# Allow access to /proc/kmsg for syslog-ng
|
|
Chris PeBenito |
605ba2 |
allow syslogd_t proc_t:dir search;
|
|
Chris PeBenito |
605ba2 |
allow syslogd_t proc_kmsg_t:file { getattr read };
|
|
Chris PeBenito |
605ba2 |
allow syslogd_t kernel_t:system { syslog_mod syslog_console };
|
|
Chris PeBenito |
605ba2 |
allow syslogd_t self:capability { sys_admin chown fsetid };
|
|
Chris PeBenito |
605ba2 |
allow syslogd_t var_log_t:dir { create setattr };
|
|
Chris PeBenito |
605ba2 |
allow syslogd_t syslogd_port_t:tcp_socket name_bind;
|
|
Chris PeBenito |
605ba2 |
allow syslogd_t rsh_port_t:tcp_socket name_connect;
|