Sākums Izpētīt Palīdzība
Pierakstīties
Hoshpak
/
debian-selinux-policies
1
0
Atdalīts 0
Faili Problēmas 0 Izmaiņu pieprasījumi 0 Vikivietne
Koks: c5f59a0683
Atzari Tagi
debian-selinux-...
/
policy
/
modules
/
logrotate.te

logrotate.te 6.2 KB
Vēsture Neapstrādāts

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275 
  1. policy_module(logrotate, 1.16.5)
    2. 

  2. 

  3. ########################################
    4. 

  4. #
    5. 

  5. # Declarations
    6. 

  6. #
    7. 

  7. 

  8. attribute_role logrotate_roles;
    9. 

  9. roleattribute system_r logrotate_roles;
    10. 

  10. 

  11. type logrotate_t;
    12. 

  12. type logrotate_exec_t;
    13. 

  13. domain_type(logrotate_t)
    14. 

  14. domain_obj_id_change_exemption(logrotate_t)
    15. 

  15. domain_system_change_exemption(logrotate_t)
    16. 

  16. domain_entry_file(logrotate_t, logrotate_exec_t)
    17. 

  17. role logrotate_roles types logrotate_t;
    18. 

  18. 

  19. type logrotate_lock_t;
    20. 

  20. files_lock_file(logrotate_lock_t)
    21. 

  21. 

  22. type logrotate_tmp_t;
    23. 

  23. files_tmp_file(logrotate_tmp_t)
    24. 

  24. 

  25. type logrotate_var_lib_t;
    26. 

  26. files_type(logrotate_var_lib_t)
    27. 

  27. 

  28. mta_base_mail_template(logrotate)
    29. 

  29. role system_r types logrotate_mail_t;
    30. 

  30. 

  31. ########################################
    32. 

  32. #
    33. 

  33. # Local policy
    34. 

  34. #
    35. 

  35. 

  36. allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace };
    37. 

  37. allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
    38. 

  38. allow logrotate_t self:fd use;
    39. 

  39. allow logrotate_t self:key manage_key_perms;
    40. 

  40. allow logrotate_t self:fifo_file rw_fifo_file_perms;
    41. 

  41. allow logrotate_t self:unix_dgram_socket sendto;
    42. 

  42. allow logrotate_t self:unix_stream_socket { accept connectto listen };
    43. 

  43. allow logrotate_t self:shm create_shm_perms;
    44. 

  44. allow logrotate_t self:sem create_sem_perms;
    45. 

  45. allow logrotate_t self:msgq create_msgq_perms;
    46. 

  46. allow logrotate_t self:msg { send receive };
    47. 

  47. 

  48. allow logrotate_t logrotate_lock_t:file manage_file_perms;
    49. 

  49. files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
    50. 

  50. 

  51. manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
    52. 

  52. manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
    53. 

  53. files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
    54. 

  54. 

  55. create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
    56. 

  56. manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
    57. 

  57. read_lnk_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
    58. 

  58. files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
    59. 

  59. 

  60. can_exec(logrotate_t, { logrotate_exec_t logrotate_tmp_t })
    61. 

  61. 

  62. kernel_read_system_state(logrotate_t)
    63. 

  63. kernel_read_kernel_sysctls(logrotate_t)
    64. 

  64. 

  65. corecmd_exec_bin(logrotate_t)
    66. 

  66. corecmd_exec_shell(logrotate_t)
    67. 

  67. corecmd_getattr_all_executables(logrotate_t)
    68. 

  68. 

  69. dev_read_urand(logrotate_t)
    70. 

  70. 

  71. domain_signal_all_domains(logrotate_t)
    72. 

  72. domain_use_interactive_fds(logrotate_t)
    73. 

  73. domain_getattr_all_entry_files(logrotate_t)
    74. 

  74. domain_read_all_domains_state(logrotate_t)
    75. 

  75. 

  76. files_read_usr_files(logrotate_t)
    77. 

  77. files_read_etc_runtime_files(logrotate_t)
    78. 

  78. files_read_all_pids(logrotate_t)
    79. 

  79. files_search_all(logrotate_t)
    80. 

  80. files_read_var_lib_files(logrotate_t)
    81. 

  81. files_manage_generic_spool(logrotate_t)
    82. 

  82. files_manage_generic_spool_dirs(logrotate_t)
    83. 

  83. files_getattr_generic_locks(logrotate_t)
    84. 

  84. files_dontaudit_list_mnt(logrotate_t)
    85. 

  85. 

  86. fs_search_auto_mountpoints(logrotate_t)
    87. 

  87. fs_getattr_xattr_fs(logrotate_t)
    88. 

  88. fs_list_inotifyfs(logrotate_t)
    89. 

  89. 

  90. mls_file_read_all_levels(logrotate_t)
    91. 

  91. mls_file_write_all_levels(logrotate_t)
    92. 

  92. mls_file_upgrade(logrotate_t)
    93. 

  93. mls_process_write_to_clearance(logrotate_t)
    94. 

  94. 

  95. selinux_get_fs_mount(logrotate_t)
    96. 

  96. selinux_get_enforce_mode(logrotate_t)
    97. 

  97. 

  98. auth_manage_login_records(logrotate_t)
    99. 

  99. auth_use_nsswitch(logrotate_t)
    100. 

  100. 

  101. init_all_labeled_script_domtrans(logrotate_t)
    102. 

  102. 

  103. logging_manage_all_logs(logrotate_t)
    104. 

  104. logging_send_syslog_msg(logrotate_t)
    105. 

  105. logging_send_audit_msgs(logrotate_t)
    106. 

  106. logging_exec_all_logs(logrotate_t)
    107. 

  107. 

  108. miscfiles_read_localization(logrotate_t)
    109. 

  109. 

  110. seutil_dontaudit_read_config(logrotate_t)
    111. 

  111. 

  112. userdom_use_user_terminals(logrotate_t)
    113. 

  113. userdom_list_user_home_dirs(logrotate_t)
    114. 

  114. userdom_use_unpriv_users_fds(logrotate_t)
    115. 

  115. 

  116. mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
    117. 

  117. 

  118. ifdef(`distro_debian',`
    119. 

  119. 	allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
    120. 

  120. 	can_exec(logrotate_t, logrotate_exec_t)
    121. 

  121. 

  122. 	logging_check_exec_syslog(logrotate_t)
    123. 

  123. 	logging_read_syslog_config(logrotate_t)
    124. 

  124. ')
    125. 

  125. 

  126. optional_policy(`
    127. 

  127. 	systemd_systemctl_domain(logrotate)
    128. 

  128. ')
    129. 

  129. 

  130. optional_policy(`
    131. 

  131. 	abrt_manage_cache(logrotate_t)
    132. 

  132. ')
    133. 

  133. 

  134. optional_policy(`
    135. 

  135. 	acct_domtrans(logrotate_t)
    136. 

  136. 	acct_manage_data(logrotate_t)
    137. 

  137. 	acct_exec_data(logrotate_t)
    138. 

  138. ')
    139. 

  139. 

  140. optional_policy(`
    141. 

  141. 	apache_read_config(logrotate_t)
    142. 

  142. 	apache_domtrans(logrotate_t)
    143. 

  143. 	apache_signull(logrotate_t)
    144. 

  144. ')
    145. 

  145. 

  146. optional_policy(`
    147. 

  147. 	asterisk_domtrans(logrotate_t)
    148. 

  148. ')
    149. 

  149. 

  150. optional_policy(`
    151. 

  151. 	awstats_domtrans(logrotate_t)
    152. 

  152. ')
    153. 

  153. 

  154. optional_policy(`
    155. 

  155. 	bind_manage_cache(logrotate_t)
    156. 

  156. ')
    157. 

  157. 

  158. optional_policy(`
    159. 

  159. 	callweaver_exec(logrotate_t)
    160. 

  160. 	callweaver_stream_connect(logrotate_t)
    161. 

  161. ')
    162. 

  162. 

  163. optional_policy(`
    164. 

  164. 	consoletype_exec(logrotate_t)
    165. 

  165. ')
    166. 

  166. 

  167. optional_policy(`
    168. 

  168. 	cron_system_entry(logrotate_t, logrotate_exec_t)
    169. 

  169. 	cron_search_spool(logrotate_t)
    170. 

  170. ')
    171. 

  171. 

  172. optional_policy(`
    173. 

  173. 	cups_domtrans(logrotate_t)
    174. 

  174. ')
    175. 

  175. 

  176. optional_policy(`
    177. 

  177. 	fail2ban_stream_connect(logrotate_t)
    178. 

  178. ')
    179. 

  179. 

  180. optional_policy(`
    181. 

  181. 	hostname_exec(logrotate_t)
    182. 

  182. ')
    183. 

  183. 

  184. optional_policy(`
    185. 

  185. 	chronyd_read_key_files(logrotate_t)
    186. 

  186. ')
    187. 

  187. 

  188. optional_policy(`
    189. 

  189. 	icecast_signal(logrotate_t)
    190. 

  190. ')
    191. 

  191. 

  192. optional_policy(`
    193. 

  193. 	mailman_domtrans(logrotate_t)
    194. 

  194. 	mailman_search_data(logrotate_t)
    195. 

  195. 	mailman_manage_log(logrotate_t)
    196. 

  196. ')
    197. 

  197. 

  198. optional_policy(`
    199. 

  199. 	munin_read_config(logrotate_t)
    200. 

  200. 	munin_stream_connect(logrotate_t)
    201. 

  201. 	munin_search_lib(logrotate_t)
    202. 

  202. ')
    203. 

  203. 

  204. optional_policy(`
    205. 

  205. 	mysql_read_config(logrotate_t)
    206. 

  206. 	mysql_stream_connect(logrotate_t)
    207. 

  207. ')
    208. 

  208. 

  209. optional_policy(`
    210. 

  210. 	openvswitch_read_pid_files(logrotate_t)
    211. 

  211. 	openvswitch_domtrans(logrotate_t)
    212. 

  212. ')
    213. 

  213. 

  214. optional_policy(`
    215. 

  215. 	polipo_log_filetrans_log(logrotate_t, file, "polipo")
    216. 

  216. ')
    217. 

  217. 

  218. optional_policy(`
    219. 

  219. 	psad_domtrans(logrotate_t)
    220. 

  220. ')
    221. 

  221. 

  222. optional_policy(`
    223. 

  223. 	samba_exec_log(logrotate_t)
    224. 

  224. ')
    225. 

  225. 

  226. optional_policy(`
    227. 

  227. 	sssd_domtrans(logrotate_t)
    228. 

  228. ')
    229. 

  229. 

  230. optional_policy(`
    231. 

  231. 	slrnpull_manage_spool(logrotate_t)
    232. 

  232. ')
    233. 

  233. 

  234. optional_policy(`
    235. 

  235. 	squid_domtrans(logrotate_t)
    236. 

  236. ')
    237. 

  237. 

  238. optional_policy(`
    239. 

  239. 	jabber_domtrans(logrotate_t)
    240. 

  240. ')
    241. 

  241. 

  242. optional_policy(`
    243. 

  243. 	su_exec(logrotate_t)
    244. 

  244. ')
    245. 

  245. 

  246. optional_policy(`
    247. 

  247. 	varnishd_manage_log(logrotate_t)
    248. 

  248. ')
    249. 

  249. 

  250. optional_policy(`
    251. 

  251. 	gen_require(`
    252. 

  252. 		type php_usr_lib_t;
    253. 

  253. 	')
    254. 

  254. 	allow logrotate_t php_usr_lib_t:file { read open execute execute_no_trans };
    255. 

  255. ')
    256. 

  256. 

  257. optional_policy(`
    258. 

  258.         gen_require(`
    259. 

  259. 		type phpfpm_etc_t;
    260. 

  260. 	')
    261. 

  261. 	read_files_pattern(logrotate_t,phpfpm_etc_t,phpfpm_etc_t)
    262. 

  262. ')
    263. 

  263. 	
    264. 

  264. #######################################
    265. 

  265. #
    266. 

  266. # Mail local policy
    267. 

  267. #
    268. 

  268. 

  269. allow logrotate_mail_t logrotate_t:fd use;
    270. 

  270. allow logrotate_mail_t logrotate_t:fifo_file rw_fifo_file_perms;
    271. 

  271. allow logrotate_mail_t logrotate_t:process sigchld;
    272. 

  272. 

  273. manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
    274. 

  274. 

  275. logging_read_all_logs(logrotate_mail_t)
    276.