Changeset 2789
- Timestamp: 08/22/08 10:48:34
- Files:
- branches/rbacsep/Changelog (modified) (1 diff)
- branches/rbacsep/man/man8/ftpd_selinux.8 (modified) (1 diff)
- branches/rbacsep/man/man8/httpd_selinux.8 (modified) (2 diffs)
- branches/rbacsep/policy/modules/admin/firstboot.if (modified) (1 diff)
- branches/rbacsep/policy/modules/admin/firstboot.te (modified) (5 diffs)
- branches/rbacsep/policy/modules/services/ntp.te (modified) (2 diffs)
- branches/rbacsep/policy/modules/services/setroubleshoot.te (modified) (2 diffs)
- branches/rbacsep/policy/modules/services/w3c.fc (copied) (copied from trunk/policy/modules/services/w3c.fc)
- branches/rbacsep/policy/modules/services/w3c.if (copied) (copied from trunk/policy/modules/services/w3c.if)
- branches/rbacsep/policy/modules/services/w3c.te (copied) (copied from trunk/policy/modules/services/w3c.te)
- branches/rbacsep/policy/modules/system/logging.fc (modified) (5 diffs)
- branches/rbacsep/policy/modules/system/logging.if (modified) (7 diffs)
- branches/rbacsep/policy/modules/system/logging.te (modified) (13 diffs)
branches/rbacsep/Changelog
r2782 r2789 10 10 - Issuing commands to upstart is over a datagram socket, not the initctl 11 11 named pipe. Updated init_telinit() to match. 12 - Added modules: 13 w3c (Dan Walsh) 12 14 13 15 * Wed Jul 02 2008 Chris PeBenito <selinux@tresys.com> - 20080702 branches/rbacsep/man/man8/ftpd_selinux.8
r2451 r2789 1 .TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd S elinux Policy documentation"1 .TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd SELinux policy documentation" 2 2 .SH "NAME" 3 ftpd_selinux \- Security Enhanced Linux Policy for the ftp daemon 3 .PP 4 ftpd_selinux \- Security-Enhanced Linux policy for ftp daemons. 4 5 .SH "DESCRIPTION" 5 6 Security-Enhanced Linux secures the ftpd server via flexible mandatory access 7 control. 6 .PP 7 Security-Enhanced Linux provides security for ftp daemons via flexible mandatory access control. 8 8 .SH FILE_CONTEXTS 9 SELinux requires files to have an extended attribute to define the file type. 10 Policy governs the access daemons have to these files. 11 If you want to share files anonymously, you must label the files and directories public_content_t. So if you created a special directory /var/ftp, you would need to label the directory with the chcon tool. 9 .PP 10 SELinux requires files to have a file type. File types may be specified with semanage and are restored with restorecon. Policy governs the access that daemons have to files. 12 11 .TP 13 chcon -R -t public_content_t /var/ftp 12 Allow ftp servers to read the /var/ftp directory by adding the public_content_t file type to the directory and by restoring the file type. 13 .PP 14 .B 15 semanage fcontext -a -t public_content_t "/var/ftp(/.*)?" 14 16 .TP 15 If you want to setup a directory where you can upload files to you must label the files and directories public_content_rw_t. So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool. 17 .B 18 restorecon -R -v /var/ftp 16 19 .TP 17 chcon -t public_content_rw_t /var/ftp/incoming 20 Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpd_anon_write boolean to be set. 
21 .PP 22 .B 23 semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?" 18 24 .TP 19 You must also turn on the boolean allow_ftpd_anon_write. 20 .TP 21 setsebool -P allow_ftpd_anon_write=1 22 .TP 23 If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file. 24 .TP 25 /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local 26 .br 27 /var/ftp(/.*)? system_u:object_r:public_content_t 28 /var/ftp/incoming(/.*)? system_u:object_r:public_content_rw_t 25 .B 26 restorecon -R -v /var/ftp/incoming 29 27 30 28 .SH BOOLEANS 31 SELinux ftp daemon policy is customizable based on least access required. So by 32 default SElinux does not allow users to login and read their home directories. 33 .br 34 If you are setting up this machine as a ftpd server and wish to allow users to access their home 35 directorories, you need to set the ftp_home_dir boolean. 29 .PP 30 SELinux policy is based on least privilege required and may also be customizable by setting a boolean with setsebool. 36 31 .TP 37 setsebool -P ftp_home_dir 1 32 Allow ftp servers to read and write files with the public_content_rw_t file type. 33 .PP 34 .B 35 setsebool -P allow_ftpd_anon_write on 38 36 .TP 39 ftpd can run either as a standalone daemon or as part of the xinetd domain. If you want to run ftpd as a daemon you must set the ftpd_is_daemon boolean. 37 Allow ftp servers to read or write files in the user home directories. 38 .PP 39 .B 40 setsebool -P ftp_home_dir on 40 41 .TP 41 setsebool -P ftpd_is_daemon 1 42 .br 43 service vsftpd restart 42 Allow ftp servers to read or write all files on the system. 43 .PP 44 .B 45 setsebool -P allow_ftpd_full_access on 46 .TP 47 Allow ftp servers to use cifs for public file transfer services. 48 .PP 49 .B 50 setsebool -P allow_ftpd_use_cifs on 51 .TP 52 Allow ftp servers to use nfs for public file transfer services. 
53 .PP 54 .B 55 setsebool -P allow_ftpd_use_nfs on 44 56 .TP 45 57 system-config-selinux is a GUI tool available to customize SELinux policy settings. 46 58 .SH AUTHOR 59 .PP 47 60 This manual page was written by Dan Walsh <dwalsh@redhat.com>. 48 61 49 62 .SH "SEE ALSO" 50 selinux(8), ftpd(8), chcon(1), setsebool(8) 63 .PP 51 64 52 65 selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8) branches/rbacsep/man/man8/httpd_selinux.8
r2612 r2789 23 23 httpd_sys_content_t 24 24 .EE 25 - Set files with httpd_sys_content_t for content which is available from all httpd s cripts and the daemon.25 - Set files with httpd_sys_content_t for content which is available from all httpd sys scripts and the daemon. 26 26 .EX 27 27 httpd_sys_script_exec_t … … 29 29 - Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types. 30 30 .EX 31 httpd_sys_ script_ro_t31 httpd_sys_content_rw_t 32 32 .EE 33 - Set files with httpd_sys_ script_ro_t if you want httpd_sys_script_exec_t scripts to readthe data, and disallow other non sys scripts from access.33 - Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access. 34 34 .EX 35 httpd_sys_ script_rw_t35 httpd_sys_content_ra_t 36 36 .EE 37 - Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access. 38 .EX 39 httpd_sys_script_ra_t 40 .EE 41 - Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access. 37 - Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access. 42 38 .EX 43 39 httpd_unconfined_script_exec_t branches/rbacsep/policy/modules/admin/firstboot.if
r2782 r2789 143 143 dontaudit $1 firstboot_t:fifo_file { read write }; 144 144 ') 145 146 ######################################## 147 ## <summary> 148 ## Do not audit attemps to read and write to a firstboot 149 ## unix domain stream socket. 150 ## </summary> 151 ## <param name="domain"> 152 ## <summary> 153 ## Domain to not audit. 154 ## </summary> 155 ## </param> 156 # 157 interface(`firstboot_dontaudit_rw_stream_sockets',` 158 gen_require(` 159 type firstboot_t; 160 ') 161 162 dontaudit $1 firstboot_t:unix_stream_socket { read write }; 163 ') branches/rbacsep/policy/modules/admin/firstboot.te
r2782 r2789 1 1 2 policy_module(firstboot, 1.7. 0)2 policy_module(firstboot, 1.7.1) 3 3 4 4 gen_require(` … … 36 36 allow firstboot_t firstboot_etc_t:file { getattr read }; 37 37 38 # The big hammer39 unconfined_domain(firstboot_t)40 41 38 kernel_read_system_state(firstboot_t) 42 39 kernel_read_kernel_sysctls(firstboot_t) … … 64 61 files_manage_etc_files(firstboot_t) 65 62 files_manage_etc_runtime_files(firstboot_t) 66 files_etc_filetrans_etc_runtime(firstboot_t, { file dir })67 63 files_read_usr_files(firstboot_t) 68 64 files_manage_var_dirs(firstboot_t) … … 111 107 optional_policy(` 112 108 unconfined_domtrans(firstboot_t) 109 # The big hammer 110 unconfined_domain(firstboot_t) 113 111 ') 114 112 … … 132 130 domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t) 133 131 ') 134 135 ifdef(`xserver.te', `136 domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)137 ')138 132 ') dnl end TODO branches/rbacsep/policy/modules/services/ntp.te
r2782 r2789 1 1 2 policy_module(ntp, 1.6. 0)2 policy_module(ntp, 1.6.1) 3 3 4 4 ######################################## … … 118 118 firstboot_dontaudit_use_fds(ntpd_t) 119 119 firstboot_dontaudit_rw_pipes(ntpd_t) 120 firstboot_dontaudit_rw_stream_sockets(ntpd_t) 120 121 ') 121 122 branches/rbacsep/policy/modules/services/setroubleshoot.te
r2782 r2789 1 1 2 policy_module(setroubleshoot, 1.7. 0)2 policy_module(setroubleshoot, 1.7.1) 3 3 4 4 ######################################## … … 99 99 100 100 logging_send_syslog_msg(setroubleshootd_t) 101 logging_stream_connect_ auditd(setroubleshootd_t)101 logging_stream_connect_dispatcher(setroubleshootd_t) 102 102 103 103 seutil_read_config(setroubleshootd_t) branches/rbacsep/policy/modules/system/logging.fc
r2675 r2789 5 5 /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) 6 6 7 /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) 8 /sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) 7 9 /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) 8 10 /sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) … … 21 23 /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) 22 24 25 /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) 23 26 /var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) 24 27 … … 29 32 /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) 30 33 /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) 34 /var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0) 31 35 32 36 /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) … … 38 42 /var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) 39 43 /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) 40 /var/log/syslog-ng(/.*)? --gen_context(system_u:object_r:syslogd_var_run_t,s0)44 /var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) 41 45 42 46 ifndef(`distro_gentoo',` … … 49 53 50 54 /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0) 51 /var/run/audispd_events -s gen_context(system_u:object_r:audi td_var_run_t,s0)55 /var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,s0) 52 56 /var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0) 53 57 /var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0) branches/rbacsep/policy/modules/system/logging.if
r2705 r2789 214 214 # 215 215 interface(`logging_stream_connect_auditd',` 216 gen_require(` 217 type auditd_t, auditd_var_run_t; 216 refpolicywarn(`$0($*) has been deprecated, logging_stream_connect_dispatcher() should be used instead.') 217 logging_stream_connect_dispatcher($1) 218 ') 219 220 ######################################## 221 ## <summary> 222 ## Execute a domain transition to run the audit dispatcher. 223 ## </summary> 224 ## <param name="domain"> 225 ## <summary> 226 ## Domain allowed to transition. 227 ## </summary> 228 ## </param> 229 # 230 interface(`logging_domtrans_dispatcher',` 231 gen_require(` 232 type audisp_t, audisp_exec_t; 233 ') 234 235 domtrans_pattern($1, audisp_exec_t, audisp_t) 236 ') 237 238 ######################################## 239 ## <summary> 240 ## Signal the audit dispatcher. 241 ## </summary> 242 ## <param name="domain"> 243 ## <summary> 244 ## Domain allowed to transition. 245 ## </summary> 246 ## </param> 247 # 248 interface(`logging_signal_dispatcher',` 249 gen_require(` 250 type audisp_t; 251 ') 252 253 allow $1 audisp_t:process signal; 254 ') 255 256 ######################################## 257 ## <summary> 258 ## Create a domain for processes 259 ## which can be started by the system audit dispatcher 260 ## </summary> 261 ## <param name="domain"> 262 ## <summary> 263 ## Type to be used as a domain. 264 ## </summary> 265 ## </param> 266 ## <param name="entry_point"> 267 ## <summary> 268 ## Type of the program to be used as an entry point to this domain. 
269 ## </summary> 270 ## </param> 271 # 272 interface(`logging_dispatcher_domain',` 273 gen_require(` 274 type audisp_t; 275 role system_r; 276 ') 277 278 domain_type($1) 279 domain_entry_file($1, $2) 280 281 role system_r types $1; 282 283 domtrans_pattern(audisp_t, $2, $1) 284 allow $1 audisp_t:process signal; 285 286 allow audisp_t $2:file getattr; 287 allow $1 audisp_t:unix_stream_socket rw_socket_perms; 288 ') 289 290 ######################################## 291 ## <summary> 292 ## Connect to the audit dispatcher over an unix stream socket. 293 ## </summary> 294 ## <param name="domain"> 295 ## <summary> 296 ## Domain allowed access. 297 ## </summary> 298 ## </param> 299 # 300 interface(`logging_stream_connect_dispatcher',` 301 gen_require(` 302 type audisp_t, audisp_var_run_t; 218 303 ') 219 304 220 305 files_search_pids($1) 221 stream_connect_pattern($1, auditd_var_run_t,auditd_var_run_t,auditd_t)306 stream_connect_pattern($1, audisp_var_run_t, audisp_var_run_t, audisp_t) 222 307 ') 223 308 … … 531 616 532 617 files_search_var($1) 533 allow $1 var_log_t:dir list_dir_perms; 534 allow $1 logfile:file { getattr append }; 618 append_files_pattern($1, var_log_t, logfile) 535 619 ') 536 620 … … 580 664 ######################################## 581 665 ## <summary> 666 ## read/write to all log files. 667 ## </summary> 668 ## <param name="domain"> 669 ## <summary> 670 ## Domain allowed access. 671 ## </summary> 672 ## </param> 673 # 674 interface(`logging_rw_all_logs',` 675 gen_require(` 676 attribute logfile; 677 ') 678 679 files_search_var($1) 680 rw_files_pattern($1, logfile, logfile) 681 ') 682 683 ######################################## 684 ## <summary> 582 685 ## Create, read, write, and delete all log files. 583 686 ## </summary> … … 642 745 ######################################## 643 746 ## <summary> 747 ## Dontaudit Write generic log files. 748 ## </summary> 749 ## <param name="domain"> 750 ## <summary> 751 ## Domain allowed access. 
752 ## </summary> 753 ## </param> 754 # 755 interface(`logging_dontaudit_write_generic_logs',` 756 gen_require(` 757 type var_log_t; 758 ') 759 760 dontaudit $1 var_log_t:file write; 761 ') 762 763 ######################################## 764 ## <summary> 644 765 ## Read and write generic log files. 645 766 ## </summary> … … 691 812 ## </summary> 692 813 ## </param> 814 ## <param name="role"> 815 ## <summary> 816 ## User role allowed access. 817 ## </summary> 818 ## </param> 819 ## <param name="terminal"> 820 ## <summary> 821 ## User terminal type. 822 ## </summary> 823 ## </param> 693 824 ## <rolecap/> 694 825 # … … 710 841 manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t) 711 842 manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t) 843 844 logging_run_auditctl($1, $2, $3) 712 845 ') 713 846 … … 769 902 ## </summary> 770 903 ## </param> 904 ## <param name="role"> 905 ## <summary> 906 ## User role allowed access. 907 ## </summary> 908 ## </param> 909 ## <param name="terminal"> 910 ## <summary> 911 ## User terminal type. 912 ## </summary> 913 ## </param> 771 914 ## <rolecap/> 772 915 # 773 916 interface(`logging_admin',` 774 logging_admin_audit($1 )917 logging_admin_audit($1, $2, $3) 775 918 logging_admin_syslog($1) 776 919 ') branches/rbacsep/policy/modules/system/logging.te
r2782 r2789 1 1 2 policy_module(logging, 1.11. 1)2 policy_module(logging, 1.11.2) 3 3 4 4 ######################################## … … 28 28 files_pid_file(auditd_var_run_t) 29 29 30 type audisp_t; 31 type audisp_exec_t; 32 init_system_domain(audisp_t, audisp_exec_t) 33 34 type audisp_var_run_t; 35 files_pid_file(audisp_var_run_t) 36 37 type audisp_remote_t; 38 type audisp_remote_exec_t; 39 logging_dispatcher_domain(audisp_remote_t, audisp_remote_exec_t) 40 30 41 type devlog_t; 31 42 files_type(devlog_t) … … 63 74 64 75 ifdef(`enable_mls',` 65 init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh) 76 init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh) 77 init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh) 66 78 ') 67 79 … … 151 163 logging_set_audit_parameters(auditd_t) 152 164 logging_send_syslog_msg(auditd_t) 165 logging_domtrans_dispatcher(auditd_t) 166 logging_signal_dispatcher(auditd_t) 153 167 154 168 libs_use_ld_so(auditd_t) … … 161 175 162 176 seutil_dontaudit_read_config(auditd_t) 177 178 sysnet_dns_name_resolve(auditd_t) 163 179 164 180 userdom_dontaudit_use_unpriv_user_fds(auditd_t) … … 173 189 174 190 optional_policy(` 191 mta_send_mail(auditd_t) 192 ') 193 194 optional_policy(` 175 195 seutil_sigchld_newrole(auditd_t) 176 196 ') … … 179 199 udev_read_db(auditd_t) 180 200 ') 201 202 ######################################## 203 # 204 # audit dispatcher local policy 205 # 206 207 allow audisp_t self:capability sys_nice; 208 allow audisp_t self:process setsched; 209 allow audisp_t self:fifo_file rw_file_perms; 210 allow audisp_t self:unix_stream_socket create_stream_socket_perms; 211 allow audisp_t self:unix_dgram_socket create_socket_perms; 212 213 allow audisp_t auditd_t:unix_stream_socket rw_file_perms; 214 215 manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) 216 files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) 217 218 corecmd_search_bin(audisp_t) 219 220 
domain_use_interactive_fds(audisp_t) 221 222 files_read_etc_files(audisp_t) 223 224 mls_file_write_all_levels(audisp_t) 225 226 libs_use_ld_so(audisp_t) 227 libs_use_shared_libs(audisp_t) 228 229 logging_send_syslog_msg(audisp_t) 230 231 miscfiles_read_localization(audisp_t) 232 233 ######################################## 234 # 235 # Audit remote logger local policy 236 # 237 238 allow audisp_remote_t self:tcp_socket create_socket_perms; 239 240 corenet_all_recvfrom_unlabeled(audisp_remote_t) 241 corenet_all_recvfrom_netlabel(audisp_remote_t) 242 corenet_tcp_sendrecv_all_if(audisp_remote_t) 243 corenet_tcp_sendrecv_all_nodes(audisp_remote_t) 244 245 files_read_etc_files(audisp_remote_t) 246 247 libs_use_ld_so(audisp_remote_t) 248 libs_use_shared_libs(audisp_remote_t) 249 250 logging_send_syslog_msg(audisp_remote_t) 251 252 miscfiles_read_localization(audisp_remote_t) 253 254 sysnet_dns_name_resolve(audisp_remote_t) 181 255 182 256 ######################################## … … 254 328 # setpgid for metalog 255 329 allow syslogd_t self:process { signal_perms setpgid }; 256 allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;257 330 # receive messages to be logged 258 331 allow syslogd_t self:unix_dgram_socket create_socket_perms; … … 291 364 files_pid_filetrans(syslogd_t,syslogd_var_run_t,file) 292 365 366 kernel_read_system_state(syslogd_t) 293 367 kernel_read_kernel_sysctls(syslogd_t) 294 368 kernel_read_proc_symlinks(syslogd_t) … … 297 371 kernel_clear_ring_buffer(syslogd_t) 298 372 kernel_change_ring_buffer_level(syslogd_t) 299 300 dev_filetrans(syslogd_t,devlog_t,sock_file)301 dev_read_sysfs(syslogd_t)302 303 fs_search_auto_mountpoints(syslogd_t)304 305 term_write_console(syslogd_t)306 # Allow syslog to a terminal307 term_write_unallocated_ttys(syslogd_t)308 309 # for sending messages to logged in users310 init_read_utmp(syslogd_t)311 init_dontaudit_write_utmp(syslogd_t)312 term_write_all_user_ttys(syslogd_t)313 373 314 374 
corenet_all_recvfrom_unlabeled(syslogd_t) … … 329 389 corenet_tcp_bind_syslogd_port(syslogd_t) 330 390 corenet_tcp_connect_syslogd_port(syslogd_t) 391 corenet_tcp_connect_postgresql_port(syslogd_t) 392 corenet_tcp_connect_mysqld_port(syslogd_t) 331 393 332 394 # syslog-ng can send or receive logs 333 395 corenet_sendrecv_syslogd_client_packets(syslogd_t) 334 396 corenet_sendrecv_syslogd_server_packets(syslogd_t) 335 336 fs_getattr_all_fs(syslogd_t) 337 338 init_use_fds(syslogd_t) 397 corenet_sendrecv_postgresql_client_packets(syslogd_t) 398 corenet_sendrecv_mysqld_client_packets(syslogd_t) 399 400 dev_filetrans(syslogd_t,devlog_t,sock_file) 401 dev_read_sysfs(syslogd_t) 339 402 340 403 domain_use_interactive_fds(syslogd_t) 341 404 342 405 files_read_etc_files(syslogd_t) 406 files_read_usr_files(syslogd_t) 343 407 files_read_var_files(syslogd_t) 344 408 files_read_etc_runtime_files(syslogd_t) 345 409 # /initrd is not umounted before minilog starts 346 410 files_dontaudit_search_isid_type_dirs(syslogd_t) 411 files_read_kernel_symbol_table(syslogd_t) 412 413 fs_getattr_all_fs(syslogd_t) 414 fs_search_auto_mountpoints(syslogd_t) 415 416 mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories 417 418 term_write_console(syslogd_t) 419 # Allow syslog to a terminal 420 term_write_unallocated_ttys(syslogd_t) 421 422 # for sending messages to logged in users 423 init_read_utmp(syslogd_t) 424 init_dontaudit_write_utmp(syslogd_t) 425 term_write_all_user_ttys(syslogd_t) 426 427 auth_use_nsswitch(syslogd_t) 428 429 init_use_fds(syslogd_t) 347 430 348 431 libs_use_ld_so(syslogd_t) … … 351 434 # cjp: this doesnt make sense 352 435 logging_send_syslog_msg(syslogd_t) 353 354 sysnet_read_config(syslogd_t)355 436 356 437 miscfiles_read_localization(syslogd_t) … … 383 464 384 465 optional_policy(` 385 nis_use_ypbind(syslogd_t) 386 ') 387 388 optional_policy(` 389 nscd_socket_use(syslogd_t) 466 postgresql_stream_connect(syslogd_t) 390 467 ') 
391 468
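Review bot: in ftpd_selinux.8 the second .TP description does not match the command under it. The text says "Allow ftp servers to read and write /var/tmp/incoming", while the semanage line that follows labels "/var/ftp/incoming(/.*)?" and the restorecon runs on /var/ftp/incoming; change the description to /var/ftp/incoming. The switch from chcon to semanage fcontext -a plus restorecon is the right fix, since those entries survive a relabel and make the removed file_contexts.local paragraph unnecessary, but the .TH line still carries the date "17 Jan 2005" and should be updated along with the rewrite.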
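Review bot: the httpd_selinux.8 hunk renames the documented types from httpd_sys_script_ro_t/rw_t/ra_t to httpd_sys_content_rw_t and httpd_sys_content_ra_t, but no apache policy file is part of this changeset. Confirm that apache.te on the rbacsep branch actually defines httpd_sys_content_rw_t and httpd_sys_content_ra_t, and that httpd_sys_script_ro_t really has no replacement (so read-only script data is meant to use httpd_sys_content_t), otherwise the man page documents types that do not exist. The new wording "all httpd sys scripts" on line 25 is also loose; "all httpd_sys_script_exec_t scripts" is the term the rest of the page uses.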
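Review bot: typo in the summary of the new firstboot_dontaudit_rw_stream_sockets() interface in firstboot.if, "attemps" should be "attempts". The interface body itself mirrors firstboot_dontaudit_rw_pipes() above it and is used correctly from ntp.te.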
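Review bot: in firstboot.te, moving unconfined_domain(firstboot_t) into the optional_policy block with unconfined_domtrans(firstboot_t) is correct for builds without the unconfined module, but the hunk also removes files_etc_filetrans_etc_runtime(firstboot_t, { file dir }) while keeping files_manage_etc_runtime_files(firstboot_t). On a confined build, any file firstboot creates in /etc is now labeled etc_t instead of etc_runtime_t, and the dropped ifdef(`xserver.te') block removes the transition to xdm_xserver_t. Either keep the filetrans rule or record in the Changelog that firstboot_t is confined, with these consequences, whenever the unconfined module is not loaded; the module bump to 1.7.1 is present.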
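Review bot: in logging.fc the /var/log/syslog-ng(/.*)? entry still labels a path under /var/log with syslogd_var_run_t, a pid-file type, and dropping the "--" makes that apply to the directory as well. Nothing under /var/log/syslog-ng is then a logfile, so none of the logging_*_all_logs() interfaces cover it; label it var_log_t (or a dedicated log type) unless syslog-ng truly keeps only runtime state there. Relabeling /var/run/audispd_events from auditd_var_run_t to audisp_var_run_t matches the new audisp_t domain, and /var/cfengine/outputs would be better placed in a cfengine module than in logging.fc.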
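Review bot: in logging.if the parameter summary of the new logging_signal_dispatcher() reads "Domain allowed to transition." although the interface only grants `allow $1 audisp_t:process signal;`; use "Domain allowed access." as the other non-transition interfaces do. Deprecating logging_stream_connect_auditd() by forwarding to logging_stream_connect_dispatcher() is fine, but the deprecation, and the new dispatcher interfaces, should be listed in the Changelog next to the w3c entry.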
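Review bot: in logging_append_all_logs() (logging.if), replacing `allow $1 var_log_t:dir list_dir_perms;` and `allow $1 logfile:file { getattr append };` with append_files_pattern($1, var_log_t, logfile) narrows directory access from list_dir_perms to search_dir_perms, so a caller that previously listed /var/log loses that permission. Either keep the explicit list_dir_perms line or note the change, since no callers of this interface are touched in the changeset.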
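Review bot: logging_admin_audit() and logging_admin() in logging.if gain role and terminal parameters so that logging_run_auditctl($1, $2, $3) can be called, which changes the signature of both interfaces; every existing caller (the admin role modules) will fail at build time with too few arguments until updated, and none are in this changeset. Update the callers in the same commit, or give the new parameters defaults, and mention the interface change in the Changelog.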
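Review bot: in the audit dispatcher local policy of logging.te, `allow audisp_t auditd_t:unix_stream_socket rw_file_perms;` applies a file permission set to a socket class; use rw_socket_perms, or just { read write } for the inherited socket, since the file set may carry permissions (open, for example) that unix_stream_socket does not define and that checkpolicy will reject. The socket-file creation and pid filetrans for audisp_var_run_t, and the domtrans plus signal from auditd_t, otherwise fit the audisp_t declaration via init_system_domain().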
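Review bot: the audit remote logger policy in logging.te gives audisp_remote_t tcp_socket create_socket_perms and corenet_tcp_sendrecv_all_if/all_nodes but no corenet_tcp_connect_*_port() rule, so it cannot name_connect to any port and cannot deliver to the remote auditd; add a connect rule for the port it uses together with the matching corenet_sendrecv_*_client_packets(). It also only has files_read_etc_files(); if its configuration lives under /etc/audit, which logging.fc labels auditd_etc_t, it additionally needs read access to that type.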
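Review bot: in the syslogd section of logging.te, corenet_tcp_connect_postgresql_port(), corenet_tcp_connect_mysqld_port() and the matching client packet rules are unconditional, while postgresql_stream_connect(syslogd_t) sits in optional_policy; the SQL destinations are a syslog-ng feature, so gating the network rules behind a boolean or the same optional block would keep plain syslogd from gaining database network reach. Replacing nis_use_ypbind(), nscd_socket_use(), sysnet_read_config() and the self netlink_route_socket rule with auth_use_nsswitch() is consistent, as is adding init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh) alongside mls_file_write_all_levels(syslogd_t).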
