1syslogd_selinux(8)          SELinux Policy syslogd          syslogd_selinux(8)
2
3
4

NAME

6       syslogd_selinux  -  Security Enhanced Linux Policy for the syslogd pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  syslogd  processes  via  flexible
11       mandatory access control.
12
13       The  syslogd processes execute with the syslogd_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep syslogd_t
20
21
22

ENTRYPOINTS

24       The  syslogd_t  SELinux type can be entered via the syslogd_exec_t file
25       type.
26
27       The default entrypoint paths for the syslogd_t domain are  the  follow‐
28       ing:
29
30       /sbin/syslogd,    /sbin/minilogd,    /sbin/rsyslogd,   /sbin/syslog-ng,
31       /usr/sbin/metalog,        /usr/sbin/syslogd,        /usr/sbin/minilogd,
32       /usr/sbin/rsyslogd, /usr/sbin/syslog-ng, /usr/lib/systemd/systemd-jour‐
33       nald, /usr/lib/systemd/systemd-kmsg-syslogd
34

PROCESS TYPES

36       SELinux defines process types (domains) for each process running on the
37       system
38
39       You can see the context of a process using the -Z option to ps
40
41       Policy  governs  the  access confined processes have to files.  SELinux
42       syslogd policy is very flexible allowing users to setup  their  syslogd
43       processes in as secure a method as possible.
44
45       The following process types are defined for syslogd:
46
47       syslogd_t
48
49       Note:  semanage permissive -a syslogd_t can be used to make the process
50       type syslogd_t permissive. SELinux does not deny access  to  permissive
51       process  types, but the AVC (SELinux denials) messages are still gener‐
52       ated.
53
54

BOOLEANS

56       SELinux policy is customizable based on least access required.  syslogd
57       policy is extremely flexible and has several booleans that allow you to
58       manipulate the policy and run syslogd with the tightest  access  possi‐
59       ble.
60
61
62
63       If you want to allow all domains to execute in fips_mode, you must turn
64       on the fips_mode boolean. Enabled by default.
65
66       setsebool -P fips_mode 1
67
68
69
70       If you want to allow confined applications to run  with  kerberos,  you
71       must turn on the kerberos_enabled boolean. Disabled by default.
72
73       setsebool -P kerberos_enabled 1
74
75
76
77       If  you want to allow syslogd daemon to send mail, you must turn on the
78       logging_syslogd_can_sendmail boolean. Disabled by default.
79
80       setsebool -P logging_syslogd_can_sendmail 1
81
82
83
84       If you want to allow syslogd the ability to call nagios plugins. It  is
85       turned  on  by omprog rsyslog plugin, you must turn on the logging_sys‐
86       logd_run_nagios_plugins boolean. Disabled by default.
87
88       setsebool -P logging_syslogd_run_nagios_plugins 1
89
90
91
92       If you want to allow syslogd the ability to read/write  terminals,  you
93       must turn on the logging_syslogd_use_tty boolean. Enabled by default.
94
95       setsebool -P logging_syslogd_use_tty 1
96
97
98

PORT TYPES

100       SELinux defines port types to represent TCP and UDP ports.
101
102       You  can  see  the  types associated with a port by using the following
103       command:
104
105       semanage port -l
106
107
108       Policy governs the access  confined  processes  have  to  these  ports.
109       SELinux  syslogd  policy is very flexible allowing users to setup their
110       syslogd processes in as secure a method as possible.
111
112       The following port types are defined for syslogd:
113
114
115       syslog_tls_port_t
116
117
118
119       Default Defined Ports:
120                 tcp 6514,10514
121                 udp 6514,10514
122
123
124       syslogd_port_t
125
126
127
128       Default Defined Ports:
129                 tcp 601,20514
130                 udp 514,601,20514
131

MANAGED FILES

133       The SELinux process type syslogd_t can manage files  labeled  with  the
134       following file types.  The paths listed are the default paths for these
135       file types.  Note the processes UID still need to have DAC permissions.
136
137       cluster_conf_t
138
139            /etc/cluster(/.*)?
140
141       cluster_var_lib_t
142
143            /var/lib/pcsd(/.*)?
144            /var/lib/cluster(/.*)?
145            /var/lib/openais(/.*)?
146            /var/lib/pengine(/.*)?
147            /var/lib/corosync(/.*)?
148            /usr/lib/heartbeat(/.*)?
149            /var/lib/heartbeat(/.*)?
150            /var/lib/pacemaker(/.*)?
151
152       cluster_var_run_t
153
154            /var/run/crm(/.*)?
155            /var/run/cman_.*
156            /var/run/rsctmp(/.*)?
157            /var/run/aisexec.*
158            /var/run/heartbeat(/.*)?
159            /var/run/corosync-qnetd(/.*)?
160            /var/run/corosync-qdevice(/.*)?
161            /var/run/corosync.pid
162            /var/run/cpglockd.pid
163            /var/run/rgmanager.pid
164            /var/run/cluster/rgmanager.sk
165
166       logfile
167
168            all log files
169
170       root_t
171
172            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
173            /
174            /initrd
175
176       security_t
177
178            /selinux
179
180       syslogd_tmpfs_t
181
182
183       syslogd_var_lib_t
184
185            /var/lib/r?syslog(/.*)?
186            /var/lib/syslog-ng(/.*)?
187            /var/lib/syslog-ng.persist
188            /var/lib/misc/syslog-ng.persist-?
189
190       syslogd_var_run_t
191
192            /var/run/log(/.*)?
193            /var/run/syslog-ng.ctl
194            /var/run/syslog-ng(/.*)?
195            /var/run/systemd/journal(/.*)?
196            /var/run/metalog.pid
197            /var/run/syslogd.pid
198
199       systemd_coredump_tmpfs_t
200
201
202

FILE CONTEXTS

204       SELinux requires files to have an extended attribute to define the file
205       type.
206
207       You can see the context of a file using the -Z option to ls
208
209       Policy  governs  the  access  confined  processes  have to these files.
210       SELinux syslogd policy is very flexible allowing users to  setup  their
211       syslogd processes in as secure a method as possible.
212
213       EQUIVALENCE DIRECTORIES
214
215
216       syslogd  policy  stores data with multiple different file context types
217       under the /var/lib/syslog-ng directory.  If you would like to store the
218       data  in a different directory you can use the semanage command to cre‐
219       ate an equivalence mapping.  If you wanted to store this data under the
220       /srv directory you would execute the following command:
221
222       semanage fcontext -a -e /var/lib/syslog-ng /srv/syslog-ng
223       restorecon -R -v /srv/syslog-ng
224
225       syslogd  policy  stores data with multiple different file context types
226       under the /var/run/syslog-ng directory.  If you would like to store the
227       data  in a different directory you can use the semanage command to cre‐
228       ate an equivalence mapping.  If you wanted to store this data under the
229       /srv directory you would execute the following command:
230
231       semanage fcontext -a -e /var/run/syslog-ng /srv/syslog-ng
232       restorecon -R -v /srv/syslog-ng
233
234       STANDARD FILE CONTEXT
235
236       SELinux  defines  the file context types for the syslogd, if you wanted
237       to store files with these types in a diffent paths, you need to execute
238       the  semanage  command  to  sepecify  alternate  labeling  and then use
239       restorecon to put the labels on disk.
240
241       semanage  fcontext  -a  -t   syslogd_unit_file_t   '/srv/mysyslogd_con‐
242       tent(/.*)?'
243       restorecon -R -v /srv/mysyslogd_content
244
245       Note:  SELinux  often  uses  regular expressions to specify labels that
246       match multiple files.
247
248       The following file types are defined for syslogd:
249
250
251
252       syslogd_exec_t
253
254       - Set files with the syslogd_exec_t type, if you want to transition  an
255       executable to the syslogd_t domain.
256
257
258       Paths:
259            /sbin/syslogd,  /sbin/minilogd,  /sbin/rsyslogd,  /sbin/syslog-ng,
260            /usr/sbin/metalog,     /usr/sbin/syslogd,      /usr/sbin/minilogd,
261            /usr/sbin/rsyslogd, /usr/sbin/syslog-ng, /usr/lib/systemd/systemd-
262            journald, /usr/lib/systemd/systemd-kmsg-syslogd
263
264
265       syslogd_initrc_exec_t
266
267       - Set files with the syslogd_initrc_exec_t type, if you want to transi‐
268       tion an executable to the syslogd_initrc_t domain.
269
270
271
272       syslogd_tmp_t
273
274       -  Set  files with the syslogd_tmp_t type, if you want to store syslogd
275       temporary files in the /tmp directories.
276
277
278
279       syslogd_tmpfs_t
280
281       - Set files with the syslogd_tmpfs_t type, if you want to store syslogd
282       files on a tmpfs file system.
283
284
285
286       syslogd_unit_file_t
287
288       - Set files with the syslogd_unit_file_t type, if you want to treat the
289       files as syslogd unit content.
290
291
292
293       syslogd_var_lib_t
294
295       - Set files with the syslogd_var_lib_t type, if you want to  store  the
296       syslogd files under the /var/lib directory.
297
298
299       Paths:
300            /var/lib/r?syslog(/.*)?,  /var/lib/syslog-ng(/.*)?,  /var/lib/sys‐
301            log-ng.persist, /var/lib/misc/syslog-ng.persist-?
302
303
304       syslogd_var_run_t
305
306       - Set files with the syslogd_var_run_t type, if you want to  store  the
307       syslogd files under the /run or /var/run directory.
308
309
310       Paths:
311            /var/run/log(/.*)?,    /var/run/syslog-ng.ctl,    /var/run/syslog-
312            ng(/.*)?,  /var/run/systemd/journal(/.*)?,   /var/run/metalog.pid,
313            /var/run/syslogd.pid
314
315
316       Note:  File context can be temporarily modified with the chcon command.
317       If you want to permanently change the file context you need to use  the
318       semanage fcontext command.  This will modify the SELinux labeling data‐
319       base.  You will need to use restorecon to apply the labels.
320
321

COMMANDS

323       semanage fcontext can also be used to manipulate default  file  context
324       mappings.
325
326       semanage  permissive  can  also  be used to manipulate whether or not a
327       process type is permissive.
328
329       semanage module can also be used to enable/disable/install/remove  pol‐
330       icy modules.
331
332       semanage port can also be used to manipulate the port definitions
333
334       semanage boolean can also be used to manipulate the booleans
335
336
337       system-config-selinux is a GUI tool available to customize SELinux pol‐
338       icy settings.
339
340

AUTHOR

342       This manual page was auto-generated using sepolicy manpage .
343
344

SEE ALSO

346       selinux(8), syslogd(8), semanage(8),  restorecon(8),  chcon(1),  sepol‐
347       icy(8), setsebool(8)
348
349
350
351syslogd                            20-05-05                 syslogd_selinux(8)
Impressum