diff options
Diffstat (limited to 'policy/modules/contrib/logrotate.te')
-rw-r--r-- | policy/modules/contrib/logrotate.te | 230 |
1 files changed, 230 insertions, 0 deletions
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te new file mode 100644 index 00000000..7090dae7 --- /dev/null +++ b/policy/modules/contrib/logrotate.te @@ -0,0 +1,230 @@ +policy_module(logrotate, 1.14.0) + +######################################## +# +# Declarations +# + +type logrotate_t; +domain_type(logrotate_t) +domain_obj_id_change_exemption(logrotate_t) +domain_system_change_exemption(logrotate_t) +role system_r types logrotate_t; + +type logrotate_exec_t; +domain_entry_file(logrotate_t, logrotate_exec_t) + +type logrotate_lock_t; +files_lock_file(logrotate_lock_t) + +type logrotate_tmp_t; +files_tmp_file(logrotate_tmp_t) + +type logrotate_var_lib_t; +files_type(logrotate_var_lib_t) + +######################################## +# +# Local policy +# + +# Change ownership on log files. +allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; +# for mailx +dontaudit logrotate_t self:capability { setuid setgid sys_ptrace }; + +allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + +# Set a context other than the default one for newly created files. +allow logrotate_t self:process setfscreate; + +allow logrotate_t self:fd use; +allow logrotate_t self:fifo_file rw_fifo_file_perms; +allow logrotate_t self:unix_dgram_socket create_socket_perms; +allow logrotate_t self:unix_stream_socket create_stream_socket_perms; +allow logrotate_t self:unix_dgram_socket sendto; +allow logrotate_t self:unix_stream_socket connectto; +allow logrotate_t self:shm create_shm_perms; +allow logrotate_t self:sem create_sem_perms; +allow logrotate_t self:msgq create_msgq_perms; +allow logrotate_t self:msg { send receive }; + +allow logrotate_t logrotate_lock_t:file manage_file_perms; +files_lock_filetrans(logrotate_t, logrotate_lock_t, file) + +can_exec(logrotate_t, logrotate_tmp_t) + +manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t) +manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t) +files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir }) + +# for /var/lib/logrotate.status and /var/lib/logcheck +create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) +manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) +files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file) + +kernel_read_system_state(logrotate_t) +kernel_read_kernel_sysctls(logrotate_t) + +dev_read_urand(logrotate_t) + +fs_search_auto_mountpoints(logrotate_t) +fs_getattr_xattr_fs(logrotate_t) +fs_list_inotifyfs(logrotate_t) + +mls_file_read_all_levels(logrotate_t) +mls_file_write_all_levels(logrotate_t) +mls_file_upgrade(logrotate_t) + +selinux_get_fs_mount(logrotate_t) +selinux_get_enforce_mode(logrotate_t) + +auth_manage_login_records(logrotate_t) +auth_use_nsswitch(logrotate_t) + +# Run helper programs. +corecmd_exec_bin(logrotate_t) +corecmd_exec_shell(logrotate_t) + +domain_signal_all_domains(logrotate_t) +domain_use_interactive_fds(logrotate_t) +domain_getattr_all_entry_files(logrotate_t) +# Read /proc/PID directories for all domains. +domain_read_all_domains_state(logrotate_t) + +files_read_usr_files(logrotate_t) +files_read_etc_files(logrotate_t) +files_read_etc_runtime_files(logrotate_t) +files_read_all_pids(logrotate_t) +files_search_all(logrotate_t) +files_read_var_lib_files(logrotate_t) +# Write to /var/spool/slrnpull - should be moved into its own type. +files_manage_generic_spool(logrotate_t) +files_manage_generic_spool_dirs(logrotate_t) +files_getattr_generic_locks(logrotate_t) + +# cjp: why is this needed? +init_domtrans_script(logrotate_t) + +logging_manage_all_logs(logrotate_t) +logging_send_syslog_msg(logrotate_t) +logging_send_audit_msgs(logrotate_t) +# cjp: why is this needed? +logging_exec_all_logs(logrotate_t) + +miscfiles_read_localization(logrotate_t) + +seutil_dontaudit_read_config(logrotate_t) + +userdom_use_user_terminals(logrotate_t) +userdom_list_user_home_dirs(logrotate_t) +userdom_use_unpriv_users_fds(logrotate_t) + +cron_system_entry(logrotate_t, logrotate_exec_t) +cron_search_spool(logrotate_t) + +mta_send_mail(logrotate_t) + +ifdef(`distro_debian', ` + allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto }; + # for savelog + can_exec(logrotate_t, logrotate_exec_t) + + # for syslogd-listfiles + logging_read_syslog_config(logrotate_t) + + # for "test -x /sbin/syslogd" + logging_check_exec_syslog(logrotate_t) +') + +optional_policy(` + abrt_cache_manage(logrotate_t) +') + +optional_policy(` + acct_domtrans(logrotate_t) + acct_manage_data(logrotate_t) + acct_exec_data(logrotate_t) +') + +optional_policy(` + apache_read_config(logrotate_t) + apache_domtrans(logrotate_t) + apache_signull(logrotate_t) +') + +optional_policy(` + asterisk_domtrans(logrotate_t) +') + +optional_policy(` + bind_manage_cache(logrotate_t) +') + +optional_policy(` + consoletype_exec(logrotate_t) +') + +optional_policy(` + cups_domtrans(logrotate_t) +') + +optional_policy(` + fail2ban_stream_connect(logrotate_t) +') + +optional_policy(` + hostname_exec(logrotate_t) +') + +optional_policy(` + icecast_signal(logrotate_t) +') + +optional_policy(` + mailman_domtrans(logrotate_t) + mailman_search_data(logrotate_t) + mailman_manage_log(logrotate_t) +') + +optional_policy(` + munin_read_config(logrotate_t) + munin_stream_connect(logrotate_t) + munin_search_lib(logrotate_t) +') + +optional_policy(` + mysql_read_config(logrotate_t) + mysql_search_db(logrotate_t) + mysql_stream_connect(logrotate_t) +') + +optional_policy(` + psad_domtrans(logrotate_t) +') + + +optional_policy(` + samba_exec_log(logrotate_t) +') + +optional_policy(` + sssd_domtrans(logrotate_t) +') + +optional_policy(` + slrnpull_manage_spool(logrotate_t) +') + +optional_policy(` + squid_domtrans(logrotate_t) +') + +optional_policy(` + #Red Hat bug 564565 + su_exec(logrotate_t) +') + +optional_policy(` + varnishd_manage_log(logrotate_t) +') |