Blob Blame History Raw

policy_module(logging, 1.12.0)

########################################
#
# Declarations
#

attribute logfile;

type auditctl_t;
type auditctl_exec_t;
init_system_domain(auditctl_t,auditctl_exec_t)
role system_r types auditctl_t;

type auditd_etc_t;
files_security_file(auditd_etc_t)

type auditd_log_t;
files_security_file(auditd_log_t)
files_security_mountpoint(auditd_log_t)

type auditd_t;
type auditd_exec_t;
init_daemon_domain(auditd_t,auditd_exec_t)

type auditd_initrc_exec_t;
init_script_file(auditd_initrc_exec_t)

type auditd_var_run_t;
files_pid_file(auditd_var_run_t)

type audisp_t;
type audisp_exec_t;
init_system_domain(audisp_t, audisp_exec_t)

type audisp_var_run_t;
files_pid_file(audisp_var_run_t)

type audisp_remote_t;
type audisp_remote_exec_t;
logging_dispatcher_domain(audisp_remote_t, audisp_remote_exec_t)

type devlog_t;
files_type(devlog_t)
mls_trusted_object(devlog_t)

type klogd_t;
type klogd_exec_t;
init_daemon_domain(klogd_t,klogd_exec_t)

type klogd_tmp_t;
files_tmp_file(klogd_tmp_t)

type klogd_var_run_t;
files_pid_file(klogd_var_run_t)

type syslog_conf_t;
files_type(syslog_conf_t)

type syslogd_t;
type syslogd_exec_t;
init_daemon_domain(syslogd_t,syslogd_exec_t)

type syslogd_initrc_exec_t;
init_script_file(syslogd_initrc_exec_t)

type syslogd_tmp_t;
files_tmp_file(syslogd_tmp_t)

type syslogd_var_lib_t;
files_type(syslogd_var_lib_t)

type syslogd_var_run_t;
files_pid_file(syslogd_var_run_t)

type var_log_t;
logging_log_file(var_log_t)
files_mountpoint(var_log_t)

ifdef(`enable_mls',`
	init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
	init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
')

########################################
#
# Auditctl local policy
#

allow auditctl_t self:capability { fsetid dac_read_search dac_override };
allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;

read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t)
allow auditctl_t auditd_etc_t:dir list_dir_perms;

# Needed for adding watches
files_getattr_all_dirs(auditctl_t)
files_getattr_all_files(auditctl_t)
files_read_etc_files(auditctl_t)

kernel_read_kernel_sysctls(auditctl_t)
kernel_read_proc_symlinks(auditctl_t)

domain_read_all_domains_state(auditctl_t)
domain_use_interactive_fds(auditctl_t)

mls_file_read_all_levels(auditctl_t)

term_use_all_terms(auditctl_t)

init_dontaudit_use_fds(auditctl_t)

locallogin_dontaudit_use_fds(auditctl_t)

logging_set_audit_parameters(auditctl_t)
logging_send_syslog_msg(auditctl_t)

########################################
#
# Auditd local policy
#

allow auditd_t self:capability { chown fsetid sys_nice sys_resource };
dontaudit auditd_t self:capability sys_tty_config;
allow auditd_t self:process { signal_perms setpgid setsched };
allow auditd_t self:file rw_file_perms;
allow auditd_t self:unix_dgram_socket create_socket_perms;
allow auditd_t self:fifo_file rw_file_perms;
allow auditd_t self:tcp_socket create_stream_socket_perms;

allow auditd_t auditd_etc_t:dir list_dir_perms;
allow auditd_t auditd_etc_t:file read_file_perms;

manage_files_pattern(auditd_t,auditd_log_t,auditd_log_t)
manage_lnk_files_pattern(auditd_t,auditd_log_t,auditd_log_t)
allow auditd_t var_log_t:dir search_dir_perms;

manage_files_pattern(auditd_t,auditd_var_run_t,auditd_var_run_t)
manage_sock_files_pattern(auditd_t,auditd_var_run_t,auditd_var_run_t)
files_pid_filetrans(auditd_t,auditd_var_run_t,{ file sock_file })

kernel_read_kernel_sysctls(auditd_t)
# Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
# Probably want a transition, and a new auditd_helper app
kernel_read_system_state(auditd_t)

dev_read_sysfs(auditd_t)

fs_getattr_all_fs(auditd_t)
fs_search_auto_mountpoints(auditd_t)
fs_rw_anon_inodefs_files(auditd_t)

selinux_search_fs(auditctl_t)

corenet_all_recvfrom_unlabeled(auditd_t)
corenet_all_recvfrom_netlabel(auditd_t)
corenet_tcp_sendrecv_generic_if(auditd_t)
corenet_tcp_sendrecv_all_nodes(auditd_t)
corenet_tcp_sendrecv_all_ports(auditd_t)
corenet_tcp_bind_all_nodes(auditd_t)
corenet_tcp_bind_audit_port(auditd_t)
corenet_sendrecv_audit_server_packets(auditd_t)

# Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
# Probably want a transition, and a new auditd_helper app
corecmd_exec_bin(auditd_t)
corecmd_exec_shell(auditd_t)

domain_use_interactive_fds(auditd_t)

files_read_etc_files(auditd_t)
files_list_usr(auditd_t)

init_telinit(auditd_t)

logging_set_audit_parameters(auditd_t)
logging_send_syslog_msg(auditd_t)
logging_domtrans_dispatcher(auditd_t)
logging_signal_dispatcher(auditd_t)

miscfiles_read_localization(auditd_t)

mls_file_read_all_levels(auditd_t)
mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory

seutil_dontaudit_read_config(auditd_t)

sysnet_dns_name_resolve(auditd_t)

userdom_dontaudit_use_unpriv_user_fds(auditd_t)

sysadm_dontaudit_search_home_dirs(auditd_t)

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(auditd_t)
	')
')

optional_policy(`
	mta_send_mail(auditd_t)
')

optional_policy(`
	seutil_sigchld_newrole(auditd_t)
')

optional_policy(`
	udev_read_db(auditd_t)
')

########################################
#
# audit dispatcher local policy
#

allow audisp_t self:capability sys_nice;
allow audisp_t self:process setsched;
allow audisp_t self:fifo_file rw_file_perms;
allow audisp_t self:unix_stream_socket create_stream_socket_perms;
allow audisp_t self:unix_dgram_socket create_socket_perms;

allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;

manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)

corecmd_search_bin(audisp_t)

domain_use_interactive_fds(audisp_t)

files_read_etc_files(audisp_t)

mls_file_write_all_levels(audisp_t)

logging_send_syslog_msg(audisp_t)

miscfiles_read_localization(audisp_t)

sysnet_dns_name_resolve(audisp_t)

########################################
#
# Audit remote logger local policy
#

allow audisp_remote_t self:tcp_socket create_socket_perms;

corenet_all_recvfrom_unlabeled(audisp_remote_t)
corenet_all_recvfrom_netlabel(audisp_remote_t)
corenet_tcp_sendrecv_all_if(audisp_remote_t)
corenet_tcp_sendrecv_all_nodes(audisp_remote_t)
corenet_tcp_connect_audit_port(audisp_remote_t)
corenet_sendrecv_audit_client_packets(audisp_remote_t)

files_read_etc_files(audisp_remote_t)

logging_send_syslog_msg(audisp_remote_t)

miscfiles_read_localization(audisp_remote_t)

sysnet_dns_name_resolve(audisp_remote_t)

########################################
#
# klogd local policy
#

allow klogd_t self:capability sys_admin;
dontaudit klogd_t self:capability { sys_resource sys_tty_config };
allow klogd_t self:process signal_perms;

manage_dirs_pattern(klogd_t,klogd_tmp_t,klogd_tmp_t)
manage_files_pattern(klogd_t,klogd_tmp_t,klogd_tmp_t)
files_tmp_filetrans(klogd_t,klogd_tmp_t,{ file dir })

manage_files_pattern(klogd_t,klogd_var_run_t,klogd_var_run_t)
files_pid_filetrans(klogd_t,klogd_var_run_t,file)

kernel_read_system_state(klogd_t)
kernel_read_messages(klogd_t)
kernel_read_kernel_sysctls(klogd_t)
# Control syslog and console logging
kernel_clear_ring_buffer(klogd_t)
kernel_change_ring_buffer_level(klogd_t)

files_read_kernel_symbol_table(klogd_t)

dev_read_raw_memory(klogd_t)
dev_read_sysfs(klogd_t)

fs_getattr_all_fs(klogd_t)
fs_search_auto_mountpoints(klogd_t)

domain_use_interactive_fds(klogd_t)

files_read_etc_runtime_files(klogd_t)
# read /etc/nsswitch.conf
files_read_etc_files(klogd_t)

logging_send_syslog_msg(klogd_t)

miscfiles_read_localization(klogd_t)

mls_file_read_all_levels(klogd_t)

sysadm_dontaudit_search_home_dirs(klogd_t)

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(klogd_t)
	')
')

optional_policy(`
	udev_read_db(klogd_t)
')

optional_policy(`
	seutil_sigchld_newrole(klogd_t)
')

########################################
#
# syslogd local policy
#

# chown fsetid for syslog-ng
# sys_admin for the integrated klog of syslog-ng and metalog
# cjp: why net_admin!
allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
dontaudit syslogd_t self:capability sys_tty_config;
# setpgid for metalog
allow syslogd_t self:process { signal_perms setpgid };
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:fifo_file rw_file_perms;
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;

allow syslogd_t syslog_conf_t:file read_file_perms;

# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
files_pid_filetrans(syslogd_t,devlog_t,sock_file)

# create/append log files.
manage_files_pattern(syslogd_t,var_log_t,var_log_t)
rw_fifo_files_pattern(syslogd_t,var_log_t,var_log_t)

# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };

# manage temporary files
manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file })

manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
files_search_var_lib(syslogd_t)

allow syslogd_t syslogd_var_run_t:file manage_file_perms;
files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)

# manage pid file
manage_files_pattern(syslogd_t,syslogd_var_run_t,syslogd_var_run_t)
files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)

kernel_read_system_state(syslogd_t)
kernel_read_kernel_sysctls(syslogd_t)
kernel_read_proc_symlinks(syslogd_t)
# Allow access to /proc/kmsg for syslog-ng
kernel_read_messages(syslogd_t)
kernel_clear_ring_buffer(syslogd_t)
kernel_change_ring_buffer_level(syslogd_t)

corenet_all_recvfrom_unlabeled(syslogd_t)
corenet_all_recvfrom_netlabel(syslogd_t)
corenet_udp_sendrecv_all_if(syslogd_t)
corenet_udp_sendrecv_all_nodes(syslogd_t)
corenet_udp_sendrecv_all_ports(syslogd_t)
corenet_udp_bind_all_nodes(syslogd_t)
corenet_udp_bind_syslogd_port(syslogd_t)
# syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_all_if(syslogd_t)
corenet_tcp_sendrecv_all_nodes(syslogd_t)
corenet_tcp_sendrecv_all_ports(syslogd_t)
corenet_tcp_bind_all_nodes(syslogd_t)
corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
corenet_tcp_connect_syslogd_port(syslogd_t)
corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t)

# syslog-ng can send or receive logs
corenet_sendrecv_syslogd_client_packets(syslogd_t)
corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)

dev_filetrans(syslogd_t,devlog_t,sock_file)
dev_read_sysfs(syslogd_t)

domain_use_interactive_fds(syslogd_t)

files_read_etc_files(syslogd_t)
files_read_usr_files(syslogd_t)
files_read_var_files(syslogd_t)
files_read_etc_runtime_files(syslogd_t)
# /initrd is not umounted before minilog starts
files_dontaudit_search_isid_type_dirs(syslogd_t)
files_read_kernel_symbol_table(syslogd_t)

fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)

mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories

term_write_console(syslogd_t)
# Allow syslog to a terminal
term_write_unallocated_ttys(syslogd_t)

# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
term_write_all_user_ttys(syslogd_t)

auth_use_nsswitch(syslogd_t)

init_use_fds(syslogd_t)

# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)

miscfiles_read_localization(syslogd_t)

userdom_dontaudit_use_unpriv_user_fds(syslogd_t)

sysadm_dontaudit_search_home_dirs(syslogd_t)

ifdef(`distro_gentoo',`
	# default gentoo syslog-ng config appends kernel
	# and high priority messages to /dev/tty12
	term_append_unallocated_ttys(syslogd_t)
	term_dontaudit_setattr_unallocated_ttys(syslogd_t)
')

ifdef(`distro_suse',`
	# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
	files_var_lib_filetrans(syslogd_t,devlog_t,sock_file)
')

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(syslogd_t)
	')
')

optional_policy(`
	inn_manage_log(syslogd_t)
')

optional_policy(`
	postgresql_stream_connect(syslogd_t)
')

optional_policy(`
	seutil_sigchld_newrole(syslogd_t)
')

optional_policy(`
	udev_read_db(syslogd_t)
')

optional_policy(`
	# log to the xconsole
	xserver_rw_console(syslogd_t)
')