Layer: system

Module: logging

Interfaces

Description:

Policy for the kernel message logger and system logging daemon.


Interfaces:

logging_admin( domain , role )
Summary

All of the rules required to administrate the logging environment

Parameters
Parameter:Description:
domain

Domain allowed access.

role

User role allowed access.

logging_admin_audit( domain , role )
Summary

All of the rules required to administrate the audit environment

Parameters
Parameter:Description:
domain

Domain allowed access.

role

User role allowed access.

logging_admin_syslog( domain , role )
Summary

All of the rules required to administrate the syslog environment

Parameters
Parameter:Description:
domain

Domain allowed access.

role

User role allowed access.

logging_append_all_inherited_logs( domain )
Summary

Append to all log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_append_all_logs( domain )
Summary

Append to all log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_audit_socket_activation( domain )
Summary

Allow the domain to create the audit socket for syslogd.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_check_exec_syslog( domain )
Summary

Check if syslogd is executable.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_create_devlog( domain )
Summary

Connect to the syslog control unix stream socket.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_dispatcher_domain( domain , entry_point )
Summary

Create a domain for processes which can be started by the system audit dispatcher

Parameters
Parameter:Description:
domain

Type to be used as a domain.

entry_point

Type of the program to be used as an entry point to this domain.

logging_domtrans_auditctl( domain )
Summary

Execute auditctl in the auditctl domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

logging_domtrans_auditd( domain )
Summary

Execute auditd in the auditd domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

logging_domtrans_dispatcher( domain )
Summary

Execute a domain transition to run the audit dispatcher.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

logging_domtrans_klog( domain )
Summary

Execute klogd in the klog domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

logging_domtrans_syslog( domain )
Summary

Execute syslogd in the syslog domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

logging_dontaudit_getattr_all_logs( domain )
Summary

Do not audit attempts to get the attributes of any log files.

Parameters
Parameter:Description:
domain

Domain to not audit.

logging_dontaudit_search_audit_config( domain )
Summary

dontaudit search of auditd configuration files.

Parameters
Parameter:Description:
domain

Domain to not audit.

logging_dontaudit_search_logs( domain )
Summary

Do not audit attempts to search the var log directory.

Parameters
Parameter:Description:
domain

Domain not to audit.

logging_dontaudit_send_audit_msgs( domain )
Summary

dontaudit attempts to send audit messages.

Parameters
Parameter:Description:
domain

Domain to not audit.

logging_dontaudit_write_generic_logs( domain )
Summary

Dontaudit Write generic log files.

Parameters
Parameter:Description:
domain

Domain to not audit.

logging_exec_all_logs( domain )
Summary

Execute all log files in the caller domain.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_getattr_all_logs( domain )
Summary

Read the attributes of any log file

Parameters
Parameter:Description:
domain

Domain allowed access

logging_list_logs( domain )
Summary

List the contents of the generic log directory (/var/log).

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_log_file( type )
Summary

Make the specified type usable for log files in a filesystem.

Description

Make the specified type usable for log files in a filesystem. This will also make the type usable for files, making calls to files_type() redundant. Failure to use this interface for a log file type may result in problems with log rotation, log analysis, and log monitoring programs.

Related interfaces:

  • logging_log_filetrans()

Example usage with a domain that can create and append to a private log file stored in the general directories (e.g., /var/log):

type mylogfile_t; logging_log_file(mylogfile_t) allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; logging_log_filetrans(mydomain_t, mylogfile_t, file)

Parameters
Parameter:Description:
type

Type to be used for files.

logging_log_filetrans( domain , private type , object , name )
Summary

Create an object in the log directory, with a private type.

Description

Allow the specified domain to create an object in the general system log directories (e.g., /var/log) with a private type. Typically this is used for creating private log files in /var/log with the private type instead of the general system log type. To accomplish this goal, either the program must be SELinux-aware, or use this interface.

Related interfaces:

  • logging_log_file()

Example usage with a domain that can create and append to a private log file stored in the general directories (e.g., /var/log):

type mylogfile_t; logging_log_file(mylogfile_t) allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; logging_log_filetrans(mydomain_t, mylogfile_t, file)

Parameters
Parameter:Description:
domain

Domain allowed access.

private type

The type of the object to be created.

object

The object class of the object being created.

name

The name of the object being created.

logging_manage_all_logs( domain )
Summary

Create, read, write, and delete all log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_manage_audit_config( domain )
Summary

Manage the auditd configuration files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_manage_audit_log( domain )
Summary

Manage the audit log.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_manage_generic_log_dirs( domain )
Summary

Create, read, write, and delete generic log directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_manage_generic_logs( domain )
Summary

Create, read, write, and delete generic log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_manage_runtime_sockets( domain )
Summary

Create, read, write, and delete syslog PID sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_mmap_generic_logs( domain )
Summary

Map generic log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_mmap_journal( domain )
Summary

Map files in /run/log/journal/ directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_read_all_logs( domain )
Summary

Read all log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_read_audit_config( domain )
Summary

Read the auditd configuration files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_read_audit_log( domain )
Summary

Read the audit log.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_read_generic_logs( domain )
Summary

Read generic log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_read_syslog_config( domain )
Summary

Read syslog configuration files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_relabel_generic_log_dirs( domain )
Summary

Relabel from and to generic log directory type.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_relabel_syslogd_tmp_dirs( domain )
Summary

Relabel to and from syslog temporary directory type.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_relabel_syslogd_tmp_files( domain )
Summary

Relabel to and from syslog temporary file type.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_relabelto_devlog_sock_files( domain )
Summary

Allow domain to relabelto devlog sock_files

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_run_auditctl( domain , role )
Summary

Execute auditctl in the auditctl domain, and allow the specified role the auditctl domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

role

Role allowed access.

logging_run_auditd( domain , role )
Summary

Execute auditd in the auditd domain, and allow the specified role the auditd domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

role

Role allowed access.

logging_rw_all_logs( domain )
Summary

read/write to all log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_rw_generic_log_dirs( domain )
Summary

Read and write the generic log directory (/var/log).

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_rw_generic_logs( domain )
Summary

Read and write generic log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_search_all_logs( domain )
Summary

Search through all log dirs.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_search_logs( domain )
Summary

Allows the domain to open a file in the log directory, but does not allow the listing of the contents of the log directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_send_audit_msgs( domain )
Summary

Send audit messages.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_send_syslog_msg( domain )
Summary

Send system log messages.

Description

Allow the specified domain to connect to the system log service (syslog), to send messages be added to the system logs. Typically this is used by services that do not have their own log file in /var/log.

This does not allow messages to be sent to the auditing system.

Programs which use the libc function syslog() will require this access.

Related interfaces:

  • logging_send_audit_msgs()

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_set_audit_parameters( domain )
Summary

Set up audit

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_set_loginuid( domain )
Summary

Set login uid

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_set_tty_audit( domain )
Summary

Set tty auditing

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_setattr_all_log_dirs( domain )
Summary

Set attributes on all log dirs.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_setattr_syslogd_tmp_dirs( domain )
Summary

Set the attributes of syslog temporary directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_setattr_syslogd_tmp_files( domain )
Summary

Set the attributes of syslog temporary files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_signal_dispatcher( domain )
Summary

Signal the audit dispatcher.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_startstop_syslog( domain )
Summary

Allow specified domain to start/stop syslog units

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_status_syslog( domain )
Summary

Allow specified domain to check status of syslog unit

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_stream_connect_dispatcher( domain )
Summary

Connect to the audit dispatcher over an unix stream socket.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_use_syslogd_fd( domain )
Summary

Allow domain to use a file descriptor from syslogd.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_watch_all_logs( domain )
Summary

Watch all log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_watch_audit_log( domain )
Summary

Watch the audit log.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_watch_generic_logs_dir( domain )
Summary

Watch generic log dirs.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_watch_runtime_dirs( domain )
Summary

Watch syslog runtime dirs.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_write_generic_logs( domain )
Summary

Write generic log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

Return