Blob Blame History Raw
#DESC Logrotate - Rotate log files
#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil>   Timothy Fraser  
#           Russell Coker <rcoker@redhat.com>
# X-Debian-Packages: logrotate
# Depends: crond.te
#

#################################
#
# Rules for the logrotate_t domain.
#
# logrotate_t is the domain for the logrotate program.
# logrotate_exec_t is the type of the corresponding program.
#
type logrotate_t, domain, privowner, privmail, priv_system_role, nscd_client_domain;
role system_r types logrotate_t;
role sysadm_r types logrotate_t;
uses_shlib(logrotate_t)
general_domain_access(logrotate_t)
type logrotate_exec_t, file_type, sysadmfile, exec_type;

system_crond_entry(logrotate_exec_t, logrotate_t)
allow logrotate_t cron_spool_t:dir search;
allow crond_t logrotate_var_lib_t:dir search;
domain_auto_trans(sysadm_t, logrotate_exec_t, logrotate_t)
allow logrotate_t self:unix_stream_socket create_socket_perms;
allow logrotate_t devtty_t:chr_file rw_file_perms;

ifdef(`distro_debian', `
allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
# for savelog
can_exec(logrotate_t, logrotate_exec_t)
')

# for perl
allow logrotate_t usr_t:file { getattr read ioctl };
allow logrotate_t usr_t:lnk_file read;

# access files in /etc
allow logrotate_t etc_t:file { getattr read ioctl };
allow logrotate_t etc_t:lnk_file { getattr read };
allow logrotate_t etc_runtime_t:file r_file_perms;

# it should not require this
allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search };

# create lock files
rw_dir_create_file(logrotate_t, var_lock_t)

# Create temporary files.
tmp_domain(logrotate)
can_exec(logrotate_t, logrotate_tmp_t)

# Run helper programs.
allow logrotate_t { bin_t sbin_t }:dir r_dir_perms;
allow logrotate_t { bin_t sbin_t }:lnk_file read;
can_exec(logrotate_t, { bin_t sbin_t shell_exec_t ls_exec_t })

# Read PID files.
allow logrotate_t pidfile:file r_file_perms;

# Read /proc/PID directories for all domains.
read_sysctl(logrotate_t)
allow logrotate_t proc_t:dir r_dir_perms;
allow logrotate_t proc_t:{ file lnk_file } r_file_perms;
allow logrotate_t domain:notdevfile_class_set r_file_perms;
allow logrotate_t domain:dir r_dir_perms;
allow logrotate_t exec_type:file getattr;

# Read /dev directories and any symbolic links.
allow logrotate_t device_t:dir r_dir_perms;
allow logrotate_t device_t:lnk_file r_file_perms;

# Signal processes.
allow logrotate_t domain:process signal;

# Modify /var/log and other log dirs.
allow logrotate_t var_t:dir r_dir_perms;
allow logrotate_t logfile:dir rw_dir_perms;
allow logrotate_t logfile:lnk_file read;

# Create, rename, and truncate log files.
allow logrotate_t logfile:file create_file_perms;
allow logrotate_t wtmp_t:file create_file_perms;
ifdef(`squid.te', `
allow squid_t { system_crond_t crond_t }:fd use;
allow squid_t crond_t:fifo_file { read write };
allow squid_t system_crond_t:fifo_file write;
allow squid_t self:capability kill;
')

# Set a context other than the default one for newly created files.
can_setfscreate(logrotate_t)

# Change ownership on log files.
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
# for mailx
dontaudit logrotate_t self:capability { setuid setgid };

ifdef(`mta.te', `
allow { system_mail_t mta_user_agent } logrotate_tmp_t:file r_file_perms;
')

# Access /var/run
allow logrotate_t var_run_t:dir r_dir_perms;

# for /var/lib/logrotate.status and /var/lib/logcheck
var_lib_domain(logrotate)
allow logrotate_t logrotate_var_lib_t:dir create;

# Write to /var/spool/slrnpull - should be moved into its own type.
create_dir_file(logrotate_t, var_spool_t)

allow logrotate_t urandom_device_t:chr_file { getattr read };

# Access terminals.
allow logrotate_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow logrotate_t sysadm_gph_t:fd use;')
allow logrotate_t privfd:fd use;

# for /var/backups on Debian
ifdef(`backup.te', `
rw_dir_create_file(logrotate_t, backup_store_t)
')

read_locale(logrotate_t)

allow logrotate_t fs_t:filesystem getattr;
can_exec(logrotate_t, shell_exec_t)
can_exec(logrotate_t, hostname_exec_t)
can_exec(logrotate_t,logfile)
allow logrotate_t net_conf_t:file { getattr read };

ifdef(`consoletype.te', `
can_exec(logrotate_t, consoletype_exec_t)
dontaudit consoletype_t logrotate_t:fd use;
')

allow logrotate_t syslogd_t:unix_dgram_socket sendto;

domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t)

dontaudit logrotate_t selinux_config_t:dir search;