Layer: system

Module: logging

Tunables Interfaces

Description:

Policy for the kernel message logger and system logging daemon.

Tunables:

logging_syslogd_can_sendmail
Default value

false

Description

Allow syslogd daemon to send mail

logging_syslogd_run_nagios_plugins
Default value

false

Description

Allow syslogd the ability to call nagios plugins. It is turned on by omprog rsyslog plugin.

logging_syslogd_use_tty
Default value

true

Description

Allow syslogd the ability to read/write terminals

Return

Interfaces:

logging_admin( domain , role )
Summary

All of the rules required to administrate the logging environment

Parameters
Parameter:Description:
domain

Domain allowed access.

role

User role allowed access.

logging_admin_audit( domain , role )
Summary

All of the rules required to administrate the audit environment

Parameters
Parameter:Description:
domain

Domain allowed access.

role

User role allowed access.

logging_admin_syslog( domain , role )
Summary

All of the rules required to administrate the syslog environment

Parameters
Parameter:Description:
domain

Domain allowed access.

role

User role allowed access.

logging_append_all_logs( domain )
Summary

Append to all log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_check_exec_syslog( domain )
Summary

Check if syslogd is executable.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_create_devlog_dev( domain )
Summary

Connect to the syslog control unix stream socket.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_delete_generic_logs( domain )
Summary

Delete generic log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_dispatcher_domain( domain , entry_point )
Summary

Create a domain for processes which can be started by the system audit dispatcher

Parameters
Parameter:Description:
domain

Type to be used as a domain.

entry_point

Type of the program to be used as an entry point to this domain.

logging_domtrans_auditctl( domain )
Summary

Execute auditctl in the auditctl domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

logging_domtrans_auditd( domain )
Summary

Execute auditd in the auditd domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

logging_domtrans_dispatcher( domain )
Summary

Execute a domain transition to run the audit dispatcher.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

logging_domtrans_klog( domain )
Summary

Execute klogd in the klog domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

logging_domtrans_syslog( domain )
Summary

Execute syslogd in the syslog domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

logging_dontaudit_getattr_all_logs( domain )
Summary

Do not audit attempts to get the attributes of any log files.

Parameters
Parameter:Description:
domain

Domain to not audit.

logging_dontaudit_rw_inherited_generic_logs( domain )
Summary

Dontaudit read/Write inherited generic log files.

Parameters
Parameter:Description:
domain

Domain to not audit.

logging_dontaudit_search_audit_config( domain )
Summary

dontaudit search of auditd configuration files.

Parameters
Parameter:Description:
domain

Domain to not audit.

logging_dontaudit_search_audit_logs( domain )
Summary

dontaudit search of auditd log files.

Parameters
Parameter:Description:
domain

Domain to not audit.

logging_dontaudit_search_logs( domain )
Summary

Do not audit attempts to search the var log directory.

Parameters
Parameter:Description:
domain

Domain not to audit.

logging_dontaudit_send_audit_msgs( domain )
Summary

dontaudit attempts to send audit messages.

Parameters
Parameter:Description:
domain

Domain to not audit.

logging_dontaudit_write_generic_logs( domain )
Summary

Dontaudit Write generic log files.

Parameters
Parameter:Description:
domain

Domain to not audit.

logging_exec_all_logs( domain )
Summary

Execute all log files in the caller domain.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_filetrans_named_conf( domain )
Summary

Transition to syslog.conf

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_filetrans_named_content( domain )
Summary

Transition to logging named content

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_getattr_all_logs( domain )
Summary

Read the atttributes of any log file

Parameters
Parameter:Description:
domain

Domain allowed access

logging_inherit_append_all_logs( domain )
Summary

Append to all log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_link_generic_logs( domain )
Summary

Link generic log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_list_logs( domain )
Summary

List the contents of the generic log directory (/var/log).

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_log_file( type )
Summary

Make the specified type usable for log files in a filesystem.

Description

Make the specified type usable for log files in a filesystem. This will also make the type usable for files, making calls to files_type() redundant. Failure to use this interface for a log file type may result in problems with log rotation, log analysis, and log monitoring programs.

Related interfaces:

  • logging_log_filetrans()

Example usage with a domain that can create and append to a private log file stored in the general directories (e.g., /var/log):

type mylogfile_t; logging_log_file(mylogfile_t) allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; logging_log_filetrans(mydomain_t, mylogfile_t, file)

Parameters
Parameter:Description:
type

Type to be used for files.

logging_log_filetrans( domain , private type , object , name )
Summary

Create an object in the log directory, with a private type.

Description

Allow the specified domain to create an object in the general system log directories (e.g., /var/log) with a private type. Typically this is used for creating private log files in /var/log with the private type instead of the general system log type. To accomplish this goal, either the program must be SELinux-aware, or use this interface.

Related interfaces:

  • logging_log_file()

Example usage with a domain that can create and append to a private log file stored in the general directories (e.g., /var/log):

type mylogfile_t; logging_log_file(mylogfile_t) allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; logging_log_filetrans(mydomain_t, mylogfile_t, file)

Parameters
Parameter:Description:
domain

Domain allowed access.

private type

The type of the object to be created.

object

The object class of the object being created.

name

The name of the object being created.

logging_log_named_filetrans( domain , private type , object , name )
Summary

Create an object in the log directory, with a private type.

Description

Allow the specified domain to create an object in the general system log directories (e.g., /var/log) with a private type. Typically this is used for creating private log files in /var/log with the private type instead of the general system log type. To accomplish this goal, either the program must be SELinux-aware, or use this interface.

Related interfaces:

  • logging_log_file()

Example usage with a domain that can create and append to a private log file stored in the general directories (e.g., /var/log):

type mylogfile_t; logging_log_file(mylogfile_t) allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; logging_log_filetrans(mydomain_t, mylogfile_t, file)

Parameters
Parameter:Description:
domain

Domain allowed access.

private type

The type of the object to be created.

object

The object class of the object being created.

name

The name of the object being created.

logging_manage_all_logs( domain )
Summary

Create, read, write, and delete all log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_manage_audit_config( domain )
Summary

Manage the auditd configuration files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_manage_audit_log( domain )
Summary

Manage the audit log.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_manage_generic_logs( domain )
Summary

Create, read, write, and delete generic log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_manage_syslog_config( domain )
Summary

Manage syslog configuration files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_read_all_logs( domain )
Summary

Read all log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_read_audit_config( domain )
Summary

Read the auditd configuration files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_read_audit_log( domain )
Summary

Read the audit log.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_read_generic_logs( domain )
Summary

Read generic log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_read_syslog_config( domain )
Summary

Read syslog configuration files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_read_syslog_pid( domain )
Summary

Allow domain to read the syslog pid files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_relabel_all_log_dirs( domain )
Summary

Relabel on all log dirs.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_relabel_devlog_dev( domain )
Summary

Relabel the devlog sock_file.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_relabel_syslog_pid_socket( domain )
Summary

Relabel the syslog pid sock_file.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_run_auditctl( domain , role )
Summary

Execute auditctl in the auditctl domain, and allow the specified role the auditctl domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

role

Role allowed access.

logging_run_auditd( domain , role )
Summary

Execute auditd in the auditd domain, and allow the specified role the auditd domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

role

Role allowed access.

logging_rw_all_logs( domain )
Summary

read/write to all log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_rw_generic_log_dirs( domain )
Summary

Read and write the generic log directory (/var/log).

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_rw_generic_logs( domain )
Summary

Read and write generic log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_search_all_logs( domain )
Summary

Search through all log dirs.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_search_logs( domain )
Summary

Allows the domain to open a file in the log directory, but does not allow the listing of the contents of the log directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_send_audit_msgs( domain )
Summary

Send audit messages.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_send_syslog_msg( domain )
Summary

Send system log messages.

Description

Allow the specified domain to connect to the system log service (syslog), to send messages be added to the system logs. Typically this is used by services that do not have their own log file in /var/log.

This does not allow messages to be sent to the auditing system.

Programs which use the libc function syslog() will require this access.

Related interfaces:

  • logging_send_audit_msgs()

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_set_audit_parameters( domain )
Summary

Set up audit

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_set_loginuid( domain )
Summary

Set login uid

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_set_tty_audit( domain )
Summary

Set tty auditing

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_setattr_all_log_dirs( domain )
Summary

Set attributes on all log dirs.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_signal_dispatcher( domain )
Summary

Signal the audit dispatcher.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_stream_connect_auditd( domain )
Summary

Connect to auditdstored over a unix stream socket.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_stream_connect_dispatcher( domain )
Summary

Connect to the audit dispatcher over a unix stream socket.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_stream_connect_syslog( domain )
Summary

Connect to the syslog control unix stream socket.

Parameters
Parameter:Description:
domain

Domain allowed access.

logging_syslogd_pid_filetrans( domain , private_type , object_class , name )
Summary

Create objects in /run/systemd/journal/ directory with an automatic type transition to a specified private type.

Parameters
Parameter:Description:
domain

Domain allowed access.

private_type

The type of the object to create.

object_class

The class of the object to be created.

name

The name of the object being created.

logging_systemctl_audit( domain )
Summary

Execute auditd server in the auditd domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

logging_systemctl_syslogd( domain )
Summary

Execute auditd server in the auditd domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

logging_write_generic_logs( domain )
Summary

Write generic log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

Return