Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 21421 Details for
Bug 34647
Add SElinux policy for logrotate
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
logrotate policy
logrotate.te (text/plain), 3.57 KB, created by
Tad Glines
on 2003-11-28 14:32:27 UTC
(
hide
)
Description:
logrotate policy
Filename:
MIME Type:
Creator:
Tad Glines
Created:
2003-11-28 14:32:27 UTC
Size:
3.57 KB
patch
obsolete
>#DESC Logrotate - Rotate log files ># ># Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser ># X-Debian-Packages: logrotate ># > >################################# ># ># Rules for the logrotate_t domain. ># ># logrotate_t is the domain for the logrotate program. ># logrotate_exec_t is the type of the corresponding program. ># >type logrotate_t, domain, privowner, privmail; >role system_r types logrotate_t; >role sysadm_r types logrotate_t; >uses_shlib(logrotate_t); >general_domain_access(logrotate_t); >type logrotate_exec_t, file_type, sysadmfile, exec_type; > >system_crond_entry(logrotate_exec_t, logrotate_t) >domain_auto_trans(sysadm_t, logrotate_exec_t, logrotate_t) >allow logrotate_t self:unix_stream_socket create_socket_perms; >allow logrotate_t devtty_t:chr_file rw_file_perms; > ># access files in /etc >allow logrotate_t etc_t:file { getattr read ioctl }; >allow logrotate_t etc_t:lnk_file read; >allow logrotate_t etc_runtime_t:file r_file_perms; > ># it should not require this >allow logrotate_t sysadm_home_dir_t:dir { read getattr search }; > ># create lock files >rw_dir_create_file(logrotate_t, var_lock_t) > ># Create temporary files. >tmp_domain(logrotate) > ># Run helper programs. >allow logrotate_t { bin_t sbin_t }:dir r_dir_perms; >allow logrotate_t { bin_t sbin_t }:lnk_file read; >can_exec(logrotate_t, { bin_t sbin_t shell_exec_t initrc_exec_t ls_exec_t }); > ># Read PID files. >allow logrotate_t pidfile:file r_file_perms; > ># Read /proc/PID directories for all domains. >allow logrotate_t proc_t:dir r_dir_perms; >allow logrotate_t proc_t:{ file lnk_file } r_file_perms; >allow logrotate_t { sysctl_t sysctl_kernel_t }:dir search; >allow logrotate_t sysctl_kernel_t:file { getattr read }; >allow logrotate_t domain:notdevfile_class_set r_file_perms; >allow logrotate_t domain:dir r_dir_perms; >allow logrotate_t exec_type:file getattr; > ># Read /dev directories and any symbolic links. >allow logrotate_t device_t:dir r_dir_perms; >allow logrotate_t device_t:lnk_file r_file_perms; > ># Signal processes. >allow logrotate_t domain:process signal; > ># Modify /var/log and other log dirs. >allow logrotate_t var_t:dir r_dir_perms; >allow logrotate_t logfile:dir rw_dir_perms; >allow logrotate_t logfile:lnk_file read; > ># Create, rename, and truncate log files. >allow logrotate_t logfile:file create_file_perms; >allow logrotate_t wtmp_t:file create_file_perms; >ifdef(`squid.te', ` >allow squid_t { system_crond_t crond_t }:fd use; >allow squid_t crond_t:fifo_file { read write }; >allow squid_t system_crond_t:fifo_file { write }; >allow squid_t self:capability kill; >') > ># Set a context other than the default one for newly created files. >can_setfscreate(logrotate_t) > ># Change ownership on log files. >allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner }; ># for mailx >dontaudit logrotate_t self:capability { setuid setgid }; > >ifdef(`mta.te', ` >allow { system_mail_t mta_user_agent } logrotate_tmp_t:file r_file_perms; >') > ># Access /var/run >allow logrotate_t var_run_t:dir r_dir_perms; > ># for /var/lib/logrotate.status and /var/lib/logcheck >var_lib_domain(logrotate) > ># Write to /var/spool/slrnpull - should be moved into its own type. >allow logrotate_t var_spool_t:dir { search write add_name remove_name }; >allow logrotate_t var_spool_t:file { rename create setattr unlink }; > ># Access terminals. >allow logrotate_t admin_tty_type:chr_file rw_file_perms; >ifdef(`gnome-pty-helper.te', `allow logrotate_t sysadm_gph_t:fd use;') > ># for /var/backups on Debian >ifdef(`backup.te', ` >rw_dir_create_file(logrotate_t, backup_store_t) >') > >read_locale(logrotate_t) > >allow logrotate_t fs_t:filesystem getattr; >can_exec(logrotate_t, shell_exec_t)
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=21421">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 34647
:
21420
| 21421 |
21447
