Layer: system

Module: logging

Description:

Policy for the kernel message logger and system logging daemon.

Interfaces:

logging_admin(
	
		domain
		
			,
		
		role
		
	)

Summary

All of the rules required to administrate the logging environment

Parameters

Parameter:	Description:
domain	Domain allowed access.
role	User role allowed access.

logging_admin_audit(
	
		domain
		
			,
		
		role
		
	)

Summary

All of the rules required to administrate the audit environment

Parameters

Parameter:	Description:
domain	Domain allowed access.
role	User role allowed access.

logging_admin_syslog(
	
		domain
		
			,
		
		role
		
	)

Summary

All of the rules required to administrate the syslog environment

Parameters

Parameter:	Description:
domain	Domain allowed access.
role	User role allowed access.

logging_append_all_inherited_logs(
	
		domain
		
	)

Summary

Append to all log files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_append_all_logs(
	
		domain
		
	)

Summary

Append to all log files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_audit_socket_activation(
	
		domain
		
	)

Summary

Allow the domain to create the audit socket for syslogd.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_check_exec_syslog(
	
		domain
		
	)

Summary

Check if syslogd is executable.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_create_devlog(
	
		domain
		
	)

Summary

Connect to the syslog control unix stream socket.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_dispatcher_domain(
	
		domain
		
			,
		
		entry_point
		
	)

Summary

Create a domain for processes which can be started by the system audit dispatcher

Parameters

Parameter:	Description:
domain	Type to be used as a domain.
entry_point	Type of the program to be used as an entry point to this domain.

logging_domtrans_auditctl(
	
		domain
		
	)

Summary

Execute auditctl in the auditctl domain.

Parameters

Parameter:	Description:
domain	Domain allowed to transition.

logging_domtrans_auditd(
	
		domain
		
	)

Summary

Execute auditd in the auditd domain.

Parameters

Parameter:	Description:
domain	Domain allowed to transition.

logging_domtrans_dispatcher(
	
		domain
		
	)

Summary

Execute a domain transition to run the audit dispatcher.

Parameters

Parameter:	Description:
domain	Domain allowed to transition.

logging_domtrans_klog(
	
		domain
		
	)

Summary

Execute klogd in the klog domain.

Parameters

Parameter:	Description:
domain	Domain allowed to transition.

logging_domtrans_syslog(
	
		domain
		
	)

Summary

Execute syslogd in the syslog domain.

Parameters

Parameter:	Description:
domain	Domain allowed to transition.

logging_dontaudit_getattr_all_logs(
	
		domain
		
	)

Summary

Do not audit attempts to get the attributes of any log files.

Parameters

Parameter:	Description:
domain	Domain to not audit.

logging_dontaudit_search_audit_config(
	
		domain
		
	)

Summary

dontaudit search of auditd configuration files.

Parameters

Parameter:	Description:
domain	Domain to not audit.

logging_dontaudit_search_logs(
	
		domain
		
	)

Summary

Do not audit attempts to search the var log directory.

Parameters

Parameter:	Description:
domain	Domain not to audit.

logging_dontaudit_send_audit_msgs(
	
		domain
		
	)

Summary

dontaudit attempts to send audit messages.

Parameters

Parameter:	Description:
domain	Domain to not audit.

logging_dontaudit_write_generic_logs(
	
		domain
		
	)

Summary

Dontaudit Write generic log files.

Parameters

Parameter:	Description:
domain	Domain to not audit.

logging_exec_all_logs(
	
		domain
		
	)

Summary

Execute all log files in the caller domain.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_getattr_all_logs(
	
		domain
		
	)

Summary

Read the attributes of any log file

Parameters

Parameter:	Description:
domain	Domain allowed access

logging_list_logs(
	
		domain
		
	)

Summary

List the contents of the generic log directory (/var/log).

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_log_file(
	
		type
		
	)

Summary

Make the specified type usable for log files in a filesystem.

Description

Make the specified type usable for log files in a filesystem. This will also make the type usable for files, making calls to files_type() redundant. Failure to use this interface for a log file type may result in problems with log rotation, log analysis, and log monitoring programs.

Related interfaces:

logging_log_filetrans()

Example usage with a domain that can create and append to a private log file stored in the general directories (e.g., /var/log):

type mylogfile_t; logging_log_file(mylogfile_t) allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; logging_log_filetrans(mydomain_t, mylogfile_t, file)

Parameters

Parameter:	Description:
type	Type to be used for files.

logging_log_filetrans(
	
		domain
		
			,
		
		private type
		
			,
		
		object
		
			,
		
		name
		
	)

Summary

Create an object in the log directory, with a private type.

Description

Allow the specified domain to create an object in the general system log directories (e.g., /var/log) with a private type. Typically this is used for creating private log files in /var/log with the private type instead of the general system log type. To accomplish this goal, either the program must be SELinux-aware, or use this interface.

Related interfaces:

logging_log_file()

Example usage with a domain that can create and append to a private log file stored in the general directories (e.g., /var/log):

type mylogfile_t; logging_log_file(mylogfile_t) allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; logging_log_filetrans(mydomain_t, mylogfile_t, file)

Parameters

Parameter:	Description:
domain	Domain allowed access.
private type	The type of the object to be created.
object	The object class of the object being created.
name	The name of the object being created.

logging_manage_all_logs(
	
		domain
		
	)

Summary

Create, read, write, and delete all log files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_manage_audit_config(
	
		domain
		
	)

Summary

Manage the auditd configuration files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_manage_audit_log(
	
		domain
		
	)

Summary

Manage the audit log.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_manage_generic_log_dirs(
	
		domain
		
	)

Summary

Create, read, write, and delete generic log directories.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_manage_generic_logs(
	
		domain
		
	)

Summary

Create, read, write, and delete generic log files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_manage_runtime_sockets(
	
		domain
		
	)

Summary

Create, read, write, and delete syslog PID sockets.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_mmap_generic_logs(
	
		domain
		
	)

Summary

Map generic log files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_mmap_journal(
	
		domain
		
	)

Summary

Map files in /run/log/journal/ directory.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_read_all_logs(
	
		domain
		
	)

Summary

Read all log files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_read_audit_config(
	
		domain
		
	)

Summary

Read the auditd configuration files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_read_audit_log(
	
		domain
		
	)

Summary

Read the audit log.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_read_generic_logs(
	
		domain
		
	)

Summary

Read generic log files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_read_syslog_config(
	
		domain
		
	)

Summary

Read syslog configuration files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_relabel_generic_log_dirs(
	
		domain
		
	)

Summary

Relabel from and to generic log directory type.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_relabel_syslogd_tmp_dirs(
	
		domain
		
	)

Summary

Relabel to and from syslog temporary directory type.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_relabel_syslogd_tmp_files(
	
		domain
		
	)

Summary

Relabel to and from syslog temporary file type.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_relabelto_devlog_sock_files(
	
		domain
		
	)

Summary

Allow domain to relabelto devlog sock_files

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_run_auditctl(
	
		domain
		
			,
		
		role
		
	)

Summary

Execute auditctl in the auditctl domain, and allow the specified role the auditctl domain.

Parameters

Parameter:	Description:
domain	Domain allowed to transition.
role	Role allowed access.

logging_run_auditd(
	
		domain
		
			,
		
		role
		
	)

Summary

Execute auditd in the auditd domain, and allow the specified role the auditd domain.

Parameters

Parameter:	Description:
domain	Domain allowed to transition.
role	Role allowed access.

logging_rw_all_logs(
	
		domain
		
	)

Summary

read/write to all log files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_rw_generic_log_dirs(
	
		domain
		
	)

Summary

Read and write the generic log directory (/var/log).

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_rw_generic_logs(
	
		domain
		
	)

Summary

Read and write generic log files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_search_all_logs(
	
		domain
		
	)

Summary

Search through all log dirs.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_search_logs(
	
		domain
		
	)

Summary

Allows the domain to open a file in the log directory, but does not allow the listing of the contents of the log directory.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_send_audit_msgs(
	
		domain
		
	)

Summary

Send audit messages.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_send_syslog_msg(
	
		domain
		
	)

Summary

Send system log messages.

Description

Allow the specified domain to connect to the system log service (syslog), to send messages be added to the system logs. Typically this is used by services that do not have their own log file in /var/log.

This does not allow messages to be sent to the auditing system.

Programs which use the libc function syslog() will require this access.

Related interfaces:

logging_send_audit_msgs()

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_set_audit_parameters(
	
		domain
		
	)

Summary

Set up audit

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_set_loginuid(
	
		domain
		
	)

Summary

Set login uid

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_set_tty_audit(
	
		domain
		
	)

Summary

Set tty auditing

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_setattr_all_log_dirs(
	
		domain
		
	)

Summary

Set attributes on all log dirs.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_setattr_syslogd_tmp_dirs(
	
		domain
		
	)

Summary

Set the attributes of syslog temporary directories.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_setattr_syslogd_tmp_files(
	
		domain
		
	)

Summary

Set the attributes of syslog temporary files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_signal_dispatcher(
	
		domain
		
	)

Summary

Signal the audit dispatcher.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_startstop_syslog(
	
		domain
		
	)

Summary

Allow specified domain to start/stop syslog units

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_status_syslog(
	
		domain
		
	)

Summary

Allow specified domain to check status of syslog unit

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_stream_connect_dispatcher(
	
		domain
		
	)

Summary

Connect to the audit dispatcher over an unix stream socket.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_use_syslogd_fd(
	
		domain
		
	)

Summary

Allow domain to use a file descriptor from syslogd.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_watch_all_logs(
	
		domain
		
	)

Summary

Watch all log files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_watch_audit_log(
	
		domain
		
	)

Summary

Watch the audit log.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_watch_generic_logs_dir(
	
		domain
		
	)

Summary

Watch generic log dirs.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_watch_runtime_dirs(
	
		domain
		
	)

Summary

Watch syslog runtime dirs.

Parameters

Parameter:	Description:
domain	Domain allowed access.

logging_write_generic_logs(
	
		domain
		
	)

Summary

Write generic log files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

Return