Policy for the kernel message logger and system logging daemon.
| Default value: | Description: |
|---|---|
| false | Allow syslogd daemon to send mail |
| false | Allow syslogd the ability to call nagios plugins. It is turned on by the omprog rsyslog plugin. |
| true | Allow syslogd the ability to read/write terminals |
All of the rules required to administrate the logging environment.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
| role | User role allowed access. | 
All of the rules required to administrate the audit environment.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
| role | User role allowed access. | 
All of the rules required to administrate the syslog environment.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
| role | User role allowed access. | 
Append to all log files.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Check if syslogd is executable.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Connect to the syslog control unix stream socket.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Delete generic log files.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Create a domain for processes which can be started by the system audit dispatcher.
| Parameter: | Description: | 
|---|---|
| domain | Type to be used as a domain. | 
| entry_point | Type of the program to be used as an entry point to this domain. | 
Execute auditctl in the auditctl domain.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed to transition. | 
Execute auditd in the auditd domain.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed to transition. | 
Execute a domain transition to run the audit dispatcher.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed to transition. | 
Execute klogd in the klog domain.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed to transition. | 
Execute syslogd in the syslog domain.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed to transition. | 
Do not audit attempts to get the attributes of any log files.
| Parameter: | Description: | 
|---|---|
| domain | Domain to not audit. | 
Do not audit attempts to read or write inherited generic log files.
| Parameter: | Description: | 
|---|---|
| domain | Domain to not audit. | 
Do not audit attempts to search auditd configuration files.
| Parameter: | Description: | 
|---|---|
| domain | Domain to not audit. | 
Do not audit attempts to search auditd log files.
| Parameter: | Description: | 
|---|---|
| domain | Domain to not audit. | 
Do not audit attempts to search the var log directory.
| Parameter: | Description: | 
|---|---|
| domain | Domain to not audit. | 
Do not audit attempts to send audit messages.
| Parameter: | Description: | 
|---|---|
| domain | Domain to not audit. | 
Do not audit attempts to write generic log files.
| Parameter: | Description: | 
|---|---|
| domain | Domain to not audit. | 
Execute all log files in the caller domain.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Transition to syslog.conf.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Transition to logging named content.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Read the attributes of any log file.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Append to all log files.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Link generic log files.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
List the contents of the generic log directory (/var/log).
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Make the specified type usable for log files in a filesystem.
Make the specified type usable for log files in a filesystem. This will also make the type usable for files, making calls to files_type() redundant. Failure to use this interface for a log file type may result in problems with log rotation, log analysis, and log monitoring programs.
Related interfaces:
logging_log_filetrans()
Example usage with a domain that can create and append to a private log file stored in the general directories (e.g., /var/log):
```
type mylogfile_t;
logging_log_file(mylogfile_t)
allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
logging_log_filetrans(mydomain_t, mylogfile_t, file)
```
| Parameter: | Description: | 
|---|---|
| type | Type to be used for files. | 
Create an object in the log directory, with a private type.
Allow the specified domain to create an object in the general system log directories (e.g., /var/log) with a private type. Typically this is used for creating private log files in /var/log with the private type instead of the general system log type. To accomplish this goal, either the program must be SELinux-aware, or use this interface.
Related interfaces:
logging_log_file()
Example usage with a domain that can create and append to a private log file stored in the general directories (e.g., /var/log):
```
type mylogfile_t;
logging_log_file(mylogfile_t)
allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
logging_log_filetrans(mydomain_t, mylogfile_t, file)
```
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
| private type | The type of the object to be created. | 
| object | The object class of the object being created. | 
| name | The name of the object being created. | 
Create an object in the log directory, with a private type.
Allow the specified domain to create an object in the general system log directories (e.g., /var/log) with a private type. Typically this is used for creating private log files in /var/log with the private type instead of the general system log type. To accomplish this goal, either the program must be SELinux-aware, or use this interface.
Related interfaces:
logging_log_file()
Example usage with a domain that can create and append to a private log file stored in the general directories (e.g., /var/log):
```
type mylogfile_t;
logging_log_file(mylogfile_t)
allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
logging_log_filetrans(mydomain_t, mylogfile_t, file)
```
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
| private type | The type of the object to be created. | 
| object | The object class of the object being created. | 
| name | The name of the object being created. | 
Create, read, write, and delete all log files.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Manage the auditd configuration files.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Manage the audit log.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Create, read, write, and delete generic log files.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Manage syslog configuration files.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Read all log files.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Read the auditd configuration files.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Read the audit log.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Read generic log files.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Read syslog configuration files.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Allow domain to read the syslog pid files.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Relabel on all log dirs.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Relabel the devlog sock_file.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Relabel the syslog pid sock_file.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Execute auditctl in the auditctl domain, and allow the specified role the auditctl domain.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed to transition. | 
| role | Role allowed access. | 
Execute auditd in the auditd domain, and allow the specified role the auditd domain.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed to transition. | 
| role | Role allowed access. | 
Read and write all log files.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Read and write the generic log directory (/var/log).
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Read and write generic log files.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Search through all log dirs.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Allows the domain to open a file in the log directory, but does not allow the listing of the contents of the log directory.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Send audit messages.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Send system log messages.
Allow the specified domain to connect to the system log service (syslog), to send messages to be added to the system logs. Typically this is used by services that do not have their own log file in /var/log.
This does not allow messages to be sent to the auditing system.
Programs which use the libc function syslog() will require this access.
Related interfaces:
logging_send_audit_msgs()
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
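The private log file entries and the system log message entry above, combined into one least-privilege module for a daemon that both calls syslog() and keeps its own file in /var/log. This is an added example, not code from the policy project: the `mydaemon_*` names and the file name `mydaemon.log` are hypothetical, `logging_send_syslog_msg` is assumed to be the name of the interface documented directly above, and the fourth argument is the `name` parameter from the table that the page's own example leaves out.

```selinux
# mydaemon.te: constructed example; every mydaemon_* name is hypothetical
policy_module(mydaemon, 1.0.0)

type mydaemon_t;
type mydaemon_exec_t;
init_daemon_domain(mydaemon_t, mydaemon_exec_t)

# The daemon uses the libc syslog() function, so it needs to connect to the
# system log service. This grants nothing toward the auditing system.
logging_send_syslog_msg(mydaemon_t)

# Private type for the daemon's own log file. logging_log_file() also makes
# the type usable for files, so no separate files_type() call is needed, and
# keeps log rotation, analysis and monitoring programs working on it.
type mydaemon_log_t;
logging_log_file(mydaemon_log_t)

# Create and append only, as in the page's example: the daemon is given no
# read, write or unlink permission on its own log.
allow mydaemon_t mydaemon_log_t:file { create_file_perms append_file_perms };

# Named type transition: only a file called "mydaemon.log" created by
# mydaemon_t in the log directory gets the private type. Without the name
# argument, every file the domain creates there would be labelled this way.
logging_log_filetrans(mydaemon_t, mydaemon_log_t, file, "mydaemon.log")

# Deliberately absent: logging_send_audit_msgs(mydaemon_t).
# Sending to the audit system is a separate grant and this daemon has no
# need for it.

# Matching file context entry, kept in a separate mydaemon.fc file so that
# a relabel agrees with the transition above:
#   /var/log/mydaemon\.log.*  --  gen_context(system_u:object_r:mydaemon_log_t,s0)
```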
Set up audit.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Set login uid.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Set tty auditing.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Set attributes on all log dirs.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Signal the audit dispatcher.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Connect to auditdstored over a unix stream socket.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Connect to the audit dispatcher over a unix stream socket.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Connect to the syslog control unix stream socket.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
Create objects in /run/systemd/journal/ directory with an automatic type transition to a specified private type.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. | 
| private_type | The type of the object to create. | 
| object_class | The class of the object to be created. | 
| name | The name of the object being created. | 
Execute auditd server in the auditd domain.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed to transition. | 
Execute auditd server in the auditd domain.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed to transition. | 
Write generic log files.
| Parameter: | Description: | 
|---|---|
| domain | Domain allowed access. |