#DESC Logrotate - Rotate log files
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: logrotate
#

#################################
#
# Rules for the logrotate_t domain.
#
# logrotate_t is the domain for the logrotate program.
# logrotate_exec_t is the type of the corresponding program.
#
# Review summary: logrotate_t is a privileged domain by design. The rules
# below let it signal any domain (domain:process signal), read every
# domain's /proc entries, execute bin_t/sbin_t/shell_exec_t programs without
# a domain transition (so prerotate/postrotate commands run with all of the
# permissions in this file), and transition into initrc_t via init scripts.
# Its configuration is read from etc_t, so whoever can write the logrotate
# configuration effectively controls this domain; no write access to etc_t
# is granted here, and that should stay that way.
#
# Attributes: privowner lets the domain create or relabel files under another
# SELinux user identity (needed to preserve log ownership on rotation);
# privmail lets it hand rotated logs to the mail system.
type logrotate_t, domain, privowner, privmail;
role system_r types logrotate_t;
role sysadm_r types logrotate_t;
uses_shlib(logrotate_t);
general_domain_access(logrotate_t);
# Entry-point type; sysadmfile so the administrator may manage the binary.
type logrotate_exec_t, file_type, sysadmfile, exec_type;

# Entry points: the system cron job domain and an interactive sysadm both
# transition into logrotate_t when they execute logrotate_exec_t.
system_crond_entry(logrotate_exec_t, logrotate_t)
domain_auto_trans(sysadm_t, logrotate_exec_t, logrotate_t)

allow logrotate_t self:unix_stream_socket create_socket_perms;
allow logrotate_t devtty_t:chr_file rw_file_perms;

allow logrotate_t usr_t:file { getattr read };

# access files in /etc
# Read-only: logrotate.conf and /etc/logrotate.d/* drive every action in
# this policy, so read is all that is required (and all that is granted).
allow logrotate_t etc_t:file { getattr read ioctl };
allow logrotate_t etc_t:lnk_file { getattr read };
allow logrotate_t etc_runtime_t:file r_file_perms;

# it should not require this
# NOTE(review): read/search on staff and sysadm home directories is
# acknowledged above as unexplained. `read` on a dir exposes the directory
# listing; confirm what triggers it (a $HOME lookup or a relative path in a
# config file, presumably) and drop the rule once the cause is known.
allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { read getattr search };

# Lock file handling under /var/lock.
rw_dir_create_file(logrotate_t, var_lock_t)

# Create temporary files.
# NOTE(review): can_exec on the domain's own tmp type means files logrotate_t
# writes to tmp can be executed back in logrotate_t. That is acceptable only
# while logrotate_tmp_t stays private to this domain; the tmp type
# declaration is not in this view - confirm.
can_exec(logrotate_t, logrotate_tmp_t)

# Run helper programs.
# No domain transition is defined for these, so prerotate/postrotate scripts
# and anything they invoke run as logrotate_t with this file's full
# permission set.
allow logrotate_t { bin_t sbin_t }:dir r_dir_perms;
allow logrotate_t { bin_t sbin_t }:lnk_file read;
can_exec(logrotate_t, { bin_t sbin_t shell_exec_t ls_exec_t });

# Read PID files (presumably so postrotate scripts can find the daemon to
# signal).
allow logrotate_t pidfile:file r_file_perms;

# Read /proc/PID directories for all domains.
# Read-only on every domain's proc entries and on kernel sysctl values;
# broad, but limited to read/getattr/search - nothing here grants write.
allow logrotate_t proc_t:dir r_dir_perms;
allow logrotate_t proc_t:{ file lnk_file } r_file_perms;
allow logrotate_t { sysctl_t sysctl_kernel_t }:dir search;
allow logrotate_t sysctl_kernel_t:file { getattr read };
allow logrotate_t domain:notdevfile_class_set r_file_perms;
allow logrotate_t domain:dir r_dir_perms;
allow logrotate_t exec_type:file getattr;

# Read /dev directories and any symbolic links.
allow logrotate_t device_t:dir r_dir_perms;
allow logrotate_t device_t:lnk_file r_file_perms;

# Generic signals to any process (e.g. asking a daemon to reopen its logs).
# `signal` does not include sigkill/sigstop, which are separate permissions
# and are not granted here.
allow logrotate_t domain:process signal;

# Modify /var/log and other log dirs.
allow logrotate_t var_t:dir r_dir_perms;
allow logrotate_t logfile:dir rw_dir_perms;
allow logrotate_t logfile:lnk_file read;

# Create, rename, and truncate log files.
# Full create/rename/unlink over everything typed logfile, plus wtmp_t for
# /var/log/wtmp rotation.
allow logrotate_t logfile:file create_file_perms;
allow logrotate_t wtmp_t:file create_file_perms;

# NOTE(review): the next four rules have squid_t as subject inside the
# logrotate policy. They read like the cron-inheritance rules a cron-launched
# domain needs (fd use and fifo from crond/system_crond, plus kill), so
# logrotate_t was probably intended; as written they silently widen squid_t
# instead. Confirm the intended domain before building.
allow squid_t { system_crond_t crond_t }:fd use;
allow squid_t crond_t:fifo_file { read write };
allow squid_t system_crond_t:fifo_file { write };
allow squid_t self:capability kill;

# Set a context other than the default one for newly created files.
# Lets rotated/compressed copies keep the original log's type rather than
# the directory default.
can_setfscreate(logrotate_t)

# Change ownership on log files.
# chown/fowner/fsetid: change owner and mode of logs it does not own;
# dac_override/dac_read_search: open logs regardless of DAC mode bits;
# kill: signal processes of other UIDs. This is the capability set that makes
# logrotate_t sensitive to untrusted input in its configuration.
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
# setuid/setgid are attempted but deliberately not granted; the denial is
# silenced rather than allowed.
dontaudit logrotate_t self:capability { setuid setgid };

# Mail agents read the temporary copies logrotate hands them (mail
# directive).
allow { system_mail_t mta_user_agent } logrotate_tmp_t:file r_file_perms;

allow logrotate_t var_run_t:dir r_dir_perms;

# for /var/lib/logrotate.status and /var/lib/logcheck
var_lib_domain(logrotate)

# Write to /var/spool/slrnpull - should be moved into its own type.
# Until then this grants create over the generic spool type, which is wider
# than the single directory it is meant for.
create_dir_file(logrotate_t, var_spool_t)

allow logrotate_t urandom_device_t:chr_file { getattr read };

# Interactive invocation from an administrator terminal.
allow logrotate_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow logrotate_t sysadm_gph_t:fd use;')
allow logrotate_t privfd:fd use;

# for /var/backups on Debian
rw_dir_create_file(logrotate_t, backup_store_t)

read_locale(logrotate_t)
allow logrotate_t fs_t:filesystem getattr;
# shell_exec_t is already covered by the can_exec on bin_t/sbin_t/
# shell_exec_t above; this line is redundant but harmless.
can_exec(logrotate_t, shell_exec_t)
can_exec(logrotate_t, hostname_exec_t)
# NOTE(review): the closing quote for this ifdef is not visible in this
# view; confirm the block is terminated in the full file.
ifdef(`consoletype.te', `
can_exec(logrotate_t, consoletype_exec_t)

# Log via syslog.
allow logrotate_t syslogd_t:unix_dgram_socket { sendto };

# Postrotate hooks may restart services through their init scripts: running
# initrc_exec_t transitions into initrc_t, so logrotate_t effectively gains
# whatever initrc_t can do for those scripts. The role statement is needed
# because initrc_t must be valid for system_r for the transition to succeed.
role system_r types initrc_t;
domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t)