policy_module(logrotate,1.6.0) ######################################## # # Declarations # type logrotate_t; domain_type(logrotate_t) domain_obj_id_change_exemption(logrotate_t) domain_system_change_exemption(logrotate_t) role system_r types logrotate_t; type logrotate_exec_t; domain_entry_file(logrotate_t,logrotate_exec_t) type logrotate_lock_t; files_lock_file(logrotate_lock_t) type logrotate_tmp_t; files_tmp_file(logrotate_tmp_t) type logrotate_var_lib_t; files_type(logrotate_var_lib_t) ######################################## # # Local policy # # Change ownership on log files. allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; # for mailx dontaudit logrotate_t self:capability { setuid setgid }; allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; # Set a context other than the default one for newly created files. allow logrotate_t self:process setfscreate; allow logrotate_t self:fd use; allow logrotate_t self:fifo_file rw_fifo_file_perms; allow logrotate_t self:unix_dgram_socket create_socket_perms; allow logrotate_t self:unix_stream_socket create_stream_socket_perms; allow logrotate_t self:unix_dgram_socket sendto; allow logrotate_t self:unix_stream_socket connectto; allow logrotate_t self:shm create_shm_perms; allow logrotate_t self:sem create_sem_perms; allow logrotate_t self:msgq create_msgq_perms; allow logrotate_t self:msg { send receive }; allow logrotate_t logrotate_lock_t:file manage_file_perms; files_lock_filetrans(logrotate_t,logrotate_lock_t,file) can_exec(logrotate_t, logrotate_tmp_t) manage_dirs_pattern(logrotate_t,logrotate_tmp_t,logrotate_tmp_t) manage_files_pattern(logrotate_t,logrotate_tmp_t,logrotate_tmp_t) files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir }) # for /var/lib/logrotate.status and /var/lib/logcheck create_dirs_pattern(logrotate_t,logrotate_var_lib_t,logrotate_var_lib_t) manage_files_pattern(logrotate_t,logrotate_var_lib_t,logrotate_var_lib_t) files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file) kernel_read_system_state(logrotate_t) kernel_read_kernel_sysctls(logrotate_t) dev_read_urand(logrotate_t) fs_search_auto_mountpoints(logrotate_t) fs_getattr_xattr_fs(logrotate_t) mls_file_read_all_levels(logrotate_t) mls_file_write_all_levels(logrotate_t) mls_file_upgrade(logrotate_t) selinux_get_fs_mount(logrotate_t) selinux_get_enforce_mode(logrotate_t) auth_manage_login_records(logrotate_t) auth_use_nsswitch(logrotate_t) # Run helper programs. corecmd_exec_bin(logrotate_t) corecmd_exec_shell(logrotate_t) domain_signal_all_domains(logrotate_t) domain_use_interactive_fds(logrotate_t) domain_getattr_all_entry_files(logrotate_t) # Read /proc/PID directories for all domains. domain_read_all_domains_state(logrotate_t) files_read_usr_files(logrotate_t) files_read_etc_files(logrotate_t) files_read_etc_runtime_files(logrotate_t) files_read_all_pids(logrotate_t) # Write to /var/spool/slrnpull - should be moved into its own type. files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) # cjp: why is this needed? init_domtrans_script(logrotate_t) logging_manage_all_logs(logrotate_t) logging_send_syslog_msg(logrotate_t) # cjp: why is this needed? logging_exec_all_logs(logrotate_t) libs_use_ld_so(logrotate_t) libs_use_shared_libs(logrotate_t) miscfiles_read_localization(logrotate_t) seutil_dontaudit_read_config(logrotate_t) userdom_dontaudit_search_sysadm_home_dirs(logrotate_t) userdom_use_unpriv_users_fds(logrotate_t) cron_system_entry(logrotate_t, logrotate_exec_t) cron_search_spool(logrotate_t) mta_send_mail(logrotate_t) ifdef(`distro_debian', ` allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto }; # for savelog can_exec(logrotate_t, logrotate_exec_t) ') optional_policy(` acct_domtrans(logrotate_t) acct_manage_data(logrotate_t) acct_exec_data(logrotate_t) ') optional_policy(` apache_read_config(logrotate_t) apache_domtrans(logrotate_t) apache_signull(logrotate_t) ') optional_policy(` consoletype_exec(logrotate_t) ') optional_policy(` cups_domtrans(logrotate_t) ') optional_policy(` hostname_exec(logrotate_t) ') optional_policy(` samba_exec_log(logrotate_t) ') optional_policy(` mailman_exec(logrotate_t) mailman_search_data(logrotate_t) mailman_manage_log(logrotate_t) ') optional_policy(` munin_read_config(logrotate_t) munin_stream_connect(logrotate_t) munin_search_lib(logrotate_t) ') optional_policy(` mysql_read_config(logrotate_t) mysql_search_db(logrotate_t) mysql_stream_connect(logrotate_t) ') optional_policy(` slrnpull_manage_spool(logrotate_t) ') optional_policy(` # cjp: why? squid_domtrans(logrotate_t) ') ifdef(`TODO',` # it should not require this allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search }; # for /var/backups on Debian ifdef(`backup.te', ` rw_dir_create_file(logrotate_t, backup_store_t) ') allow logrotate_t syslogd_exec_t:file r_file_perms; ') dnl end TODO