syslogd_selinux(8)            SELinux Policy syslogd            syslogd_selinux(8)

NAME
       syslogd_selinux - Security Enhanced Linux Policy for the syslogd
       processes

DESCRIPTION
       Security-Enhanced Linux secures the syslogd processes via flexible
       mandatory access control.

       The syslogd processes execute with the syslogd_t SELinux type. You can
       check whether these processes are running by executing the ps command
       with the -Z qualifier.

       For example:

              ps -eZ | grep syslogd_t

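       The grep above only shows processes that are already in syslogd_t; the
       check a practitioner actually wants is the inverse, namely which syslog
       daemons are NOT in that domain (typically one started by hand from an
       unconfined root shell, which stays in unconfined_t and is therefore not
       governed by anything on this page). The following POSIX sh/awk script is
       an added example, not part of the sepolicy-generated page: it reads
       ps -eZ output on stdin and reports every syslog daemon together with its
       domain. The ps listing, the PIDs and the function names are constructed
       for the example; on a real host pipe `ps -eZ` into syslog_domain_check.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated page: report syslog
# daemons that are not running in the syslogd_t domain.

# Constructed `ps -eZ` output (LABEL PID TTY TIME CMD). The syslog-ng line
# models a daemon started by hand from an unconfined shell, so it never
# transitioned into syslogd_t.
SAMPLE_PS='LABEL                                         PID TTY          TIME CMD
system_u:system_r:init_t:s0                      1 ?        00:00:03 systemd
system_u:system_r:syslogd_t:s0                 410 ?        00:00:01 systemd-journal
system_u:system_r:syslogd_t:s0                 812 ?        00:00:02 rsyslogd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2210 ? 00:00:00 syslog-ng
system_u:system_r:sshd_t:s0-s0:c0.c1023        950 ?        00:00:00 sshd'

# Command names of the syslogd_exec_t entrypoints listed on this page
# (ps truncates systemd-journald to systemd-journal in the CMD column).
SYSLOG_CMDS='^(syslogd|minilogd|rsyslogd|syslog-ng|metalog|systemd-journal|systemd-journald|systemd-kmsg-syslogd)$'

# Read `ps -eZ` on stdin; print "PID CMD TYPE VERDICT" for every syslog
# daemon. VERDICT is OK when the process runs in syslogd_t, else ESCAPED.
syslog_domain_check() {
    awk -v pat="$SYSLOG_CMDS" '
        NR == 1 && $1 == "LABEL" { next }          # skip the ps header line
        $NF ~ pat {
            split($1, ctx, ":")                    # user:role:type:range
            verdict = (ctx[3] == "syslogd_t") ? "OK" : "ESCAPED"
            print $2, $NF, ctx[3], verdict
        }'
}

# Exit 0 only if every syslog daemon found is confined in syslogd_t.
syslog_domain_verdict() {
    syslog_domain_check | awk '$4 != "OK" { bad = 1 } END { if (bad) exit 1 }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_PS" | syslog_domain_check
```

       The fix for an ESCAPED daemon is not chcon on the binary: the entrypoint
       paths above are already syslogd_exec_t, the transition simply did not
       happen because the parent was not init_t. Restart the service through
       the init system (systemctl restart rsyslog) and re-run the check.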
ENTRYPOINTS
       The syslogd_t SELinux type can be entered via the syslogd_exec_t file
       type.

       The default entrypoint paths for the syslogd_t domain are the
       following:

       /sbin/syslogd, /sbin/minilogd, /sbin/rsyslogd, /sbin/syslog-ng,
       /usr/sbin/metalog, /usr/sbin/syslogd, /usr/sbin/minilogd,
       /usr/sbin/rsyslogd, /usr/sbin/syslog-ng,
       /usr/lib/systemd/systemd-journald, /usr/lib/systemd/systemd-kmsg-syslogd

PROCESS TYPES
       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       syslogd policy is very flexible, allowing users to set up their syslogd
       processes in as secure a manner as possible.

       The following process types are defined for syslogd:

              syslogd_t

       Note: semanage permissive -a syslogd_t can be used to make the process
       type syslogd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denial) messages are still
       generated. A permissive syslogd_t is therefore a way to collect the
       denials a policy change would have to cover, not a production setting.

BOOLEANS
       SELinux policy is customizable based on the least access required.
       syslogd policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run syslogd with the tightest
       access possible. Note that most of the booleans listed here (the
       daemons_*, domain_*, fips_mode, global_ssp, kerberos_enabled,
       nis_enabled and nscd_use_shm booleans) are system-wide and affect every
       confined domain, not only syslogd_t; only the logging_syslogd_*
       booleans are specific to this policy.

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

              setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow all daemons to write corefiles to /, you must turn
       on the daemons_dump_core boolean. Disabled by default.

              setsebool -P daemons_dump_core 1

       If you want to enable cluster mode for daemons, you must turn on the
       daemons_enable_cluster_mode boolean. Enabled by default.

              setsebool -P daemons_enable_cluster_mode 1

       If you want to allow all daemons to use tcp wrappers, you must turn on
       the daemons_use_tcp_wrapper boolean. Disabled by default.

              setsebool -P daemons_use_tcp_wrapper 1

       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the daemons_use_tty boolean. Disabled by default.

              setsebool -P daemons_use_tty 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

              setsebool -P deny_ptrace 1

       If you want to allow any process to mmap any file on the system with
       attribute file_type, you must turn on the domain_can_mmap_files
       boolean. Enabled by default.

              setsebool -P domain_can_mmap_files 1

       If you want to allow all domains to write to kmsg_device when the
       kernel is booted with the systemd.log_target=kmsg parameter, you must
       turn on the domain_can_write_kmsg boolean. Disabled by default.

              setsebool -P domain_can_write_kmsg 1

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the domain_fd_use boolean. Enabled by
       default.

              setsebool -P domain_fd_use 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

              setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

              setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

              setsebool -P global_ssp 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

              setsebool -P kerberos_enabled 1

       If you want to allow the syslogd daemon to send mail, you must turn on
       the logging_syslogd_can_sendmail boolean. Disabled by default.

              setsebool -P logging_syslogd_can_sendmail 1

       If you want to allow syslogd to call nagios plugins (needed when the
       rsyslog omprog output plugin is used), you must turn on the
       logging_syslogd_run_nagios_plugins boolean. Disabled by default.

              setsebool -P logging_syslogd_run_nagios_plugins 1

       If you want to allow syslogd the ability to read/write terminals, you
       must turn on the logging_syslogd_use_tty boolean. Enabled by default.

              setsebool -P logging_syslogd_use_tty 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

              setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

              setsebool -P nscd_use_shm 1

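       Every entry above is written in the "turn it on" direction, which is
       the widening direction for all of them except deny_ptrace and fips_mode.
       What an auditor wants is the opposite view: which of these booleans
       have drifted from the defaults this page documents. The following POSIX
       sh/awk script is an added example, not part of the sepolicy-generated
       page: it reads `getsebool -a` output on stdin, reports each boolean from
       the list above whose live value differs from the documented default,
       and emits the setsebool -P commands that restore it. The getsebool
       excerpt is constructed for the example; the defaults table is copied
       from the entries above.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated page: compare the live
# values of the booleans listed above against the defaults this page
# documents, and emit the setsebool commands that restore them.

# Documented defaults (name state), taken from the boolean list above.
SYSLOGD_BOOL_DEFAULTS='authlogin_nsswitch_use_ldap off
daemons_dump_core off
daemons_enable_cluster_mode on
daemons_use_tcp_wrapper off
daemons_use_tty off
deny_ptrace on
domain_can_mmap_files on
domain_can_write_kmsg off
domain_fd_use on
domain_kernel_load_modules off
fips_mode on
global_ssp off
kerberos_enabled on
logging_syslogd_can_sendmail off
logging_syslogd_run_nagios_plugins off
logging_syslogd_use_tty on
nis_enabled off
nscd_use_shm off'

# Constructed `getsebool -a` excerpt. daemons_dump_core and deny_ptrace are
# deliberately drifted: the first lets every daemon, syslogd included, write
# core files into /, the second re-allows ptrace across domains.
SAMPLE_GETSEBOOL='daemons_dump_core --> on
deny_ptrace --> off
domain_can_write_kmsg --> off
logging_syslogd_can_sendmail --> off
logging_syslogd_use_tty --> on
httpd_can_network_connect --> off'

# Read `getsebool -a` on stdin; print "name current default" for each boolean
# in the table whose live value differs from the documented default.
# Booleans absent from the input are not reported.
boolean_drift() {
    awk -v defaults="$SYSLOGD_BOOL_DEFAULTS" '
        BEGIN {
            n = split(defaults, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], kv, " ")
                def[kv[1]] = kv[2]
            }
        }
        # getsebool lines look like: name --> on|off
        ($1 in def) && $3 != def[$1] { print $1, $3, def[$1] }'
}

# Emit the setsebool -P commands that put drifted booleans back to default.
boolean_restore_cmds() {
    boolean_drift | awk '{ print "setsebool -P", $1, $3 }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_restore_cmds
```

       On a live host run `getsebool -a | boolean_drift`. The defaults are the
       ones this page documents; another distribution's policy may ship
       different defaults, so treat the table as the baseline you have chosen
       to enforce, not as a universal constant.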

PORT TYPES
       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

              semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux syslogd policy is very flexible, allowing users to set up their
       syslogd processes in as secure a manner as possible.

       The following port types are defined for syslogd:

       syslog_tls_port_t

              Default Defined Ports:
              tcp 6514,10514
              udp 6514,10514

       syslogd_port_t

              Default Defined Ports:
              tcp 601,20514
              udp 514,601,20514

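       The practical consequence of the table above: a syslogd_t process may
       bind only ports carrying one of these two types, so an rsyslog or
       syslog-ng listener configured on, say, tcp/1514 is denied until that
       port is labeled. The following POSIX sh/awk script is an added example,
       not part of the sepolicy-generated page: it resolves a port to its type
       from `semanage port -l` output (handling both single ports and the
       low-high ranges semanage prints) and, when the type is not one of the
       two syslog types, prints the semanage command that labels it. The
       semanage excerpt and port 1514 are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated page: map a proto/port
# to its SELinux port type and print the labeling command syslogd needs.

# Constructed `semanage port -l` excerpt (type, proto, comma-separated
# ports and low-high ranges). unreserved_port_t covers everything that has
# no more specific entry.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number
syslog_tls_port_t              tcp      6514, 10514
syslog_tls_port_t              udp      6514, 10514
syslogd_port_t                 tcp      601, 20514
syslogd_port_t                 udp      514, 601, 20514
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      1024-32767
unreserved_port_t              udp      1024-32767'

# usage: port_type_for <tcp|udp> <port>   (reads `semanage port -l` on stdin)
# Prints the most specific matching type: an exact port beats a range, and a
# narrower range beats a wider one.
port_type_for() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)          # strip the list separator
                lo = v; hi = v
                if (split(v, r, "-") == 2) { lo = r[1]; hi = r[2] }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) {
                    w = hi - lo
                    if (best == "" || w < bestw) { best = $1; bestw = w }
                }
            }
        }
        END { if (best != "") print best }'
}

# usage: syslog_port_fix <tcp|udp> <port>   (reads `semanage port -l` on stdin)
# Prints nothing if syslogd_t may already bind the port, otherwise the
# semanage command that labels it syslogd_port_t.
syslog_port_fix() {
    t=$(port_type_for "$1" "$2")
    case "$t" in
        syslogd_port_t|syslog_tls_port_t) ;;
        *) printf 'semanage port -a -t syslogd_port_t -p %s %s\n' "$1" "$2" ;;
    esac
}

# Stand-alone run: a non-default listener on tcp/1514.
printf '%s\n' "$SAMPLE_PORTS" | syslog_port_fix tcp 1514
```

       Two caveats when applying the printed command on a real host: if the
       port already has an explicit (non-range) type belonging to another
       service, semanage port -a fails with "already defined" and you must
       decide whether to move it with semanage port -m instead; and a TLS
       listener should be labeled syslog_tls_port_t rather than
       syslogd_port_t to keep the two roles distinguishable in policy.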
MANAGED FILES
       The SELinux process type syslogd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cert_t

              /etc/pki(/.*)?
              /etc/ssl(/.*)?
              /etc/ipa/nssdb(/.*)?
              /etc/httpd/alias(/.*)?
              /etc/docker/certs.d(/.*)?
              /usr/share/ssl/certs(/.*)?
              /var/lib/letsencrypt(/.*)?
              /usr/share/ssl/private(/.*)?
              /var/named/chroot/etc/pki(/.*)?
              /usr/share/ca-certificates(/.*)?
              /usr/share/pki/ca-certificates(/.*)?
              /usr/share/pki/ca-trust-source(/.*)?

       cluster_conf_t

              /etc/cluster(/.*)?

       cluster_var_lib_t

              /var/lib/pcsd(/.*)?
              /var/lib/cluster(/.*)?
              /var/lib/openais(/.*)?
              /var/lib/pengine(/.*)?
              /var/lib/corosync(/.*)?
              /usr/lib/heartbeat(/.*)?
              /var/lib/heartbeat(/.*)?
              /var/lib/pacemaker(/.*)?

       cluster_var_run_t

              /var/run/crm(/.*)?
              /var/run/cman_.*
              /var/run/rsctmp(/.*)?
              /var/run/aisexec.*
              /var/run/heartbeat(/.*)?
              /var/run/corosync-qnetd(/.*)?
              /var/run/corosync-qdevice(/.*)?
              /var/run/cpglockd.pid
              /var/run/corosync.pid
              /var/run/rgmanager.pid
              /var/run/cluster/rgmanager.sk

       krb5_host_rcache_t

              /var/cache/krb5rcache(/.*)?
              /var/tmp/nfs_0
              /var/tmp/DNS_25
              /var/tmp/host_0
              /var/tmp/imap_0
              /var/tmp/HTTP_23
              /var/tmp/HTTP_48
              /var/tmp/ldap_55
              /var/tmp/ldap_487
              /var/tmp/ldapmap1_0

       logfile (an attribute, not a single type)

              all log files

       root_t

              /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
              /
              /initrd

       security_t

              /selinux

       syslogd_tmp_t

       syslogd_tmpfs_t

       syslogd_var_lib_t

              /var/lib/r?syslog(/.*)?
              /var/lib/syslog-ng(/.*)?
              /var/lib/syslog-ng.persist
              /var/lib/misc/syslog-ng.persist-?

       syslogd_var_run_t

              /var/run/log(/.*)?
              /var/run/syslog-ng.ctl
              /var/run/syslog-ng(/.*)?
              /var/run/systemd/journal(/.*)?
              /var/run/metalog.pid
              /var/run/syslogd.pid

FILE CONTEXTS
       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux syslogd policy is very flexible, allowing users to set up their
       syslogd processes in as secure a manner as possible.

   EQUIVALENCE DIRECTORIES

       syslogd policy stores data with multiple different file context types
       under the /var/lib/syslog-ng directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following commands:

              semanage fcontext -a -e /var/lib/syslog-ng /srv/syslog-ng
              restorecon -R -v /srv/syslog-ng

       syslogd policy stores data with multiple different file context types
       under the /var/run/syslog-ng directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. A target path can carry only one
       equivalence, so choose a target distinct from the one used for
       /var/lib/syslog-ng above. If you wanted to store this data under the
       /srv directory you would execute the following commands:

              semanage fcontext -a -e /var/run/syslog-ng /srv/syslog-ng-run
              restorecon -R -v /srv/syslog-ng-run

   STANDARD FILE CONTEXT

       SELinux defines the file context types for syslogd. If you want to
       store files with these types in a different path, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

              semanage fcontext -a -t syslogd_var_run_t '/srv/mysyslogd_content(/.*)?'
              restorecon -R -v /srv/mysyslogd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for syslogd:

       syslogd_exec_t

       - Set files with the syslogd_exec_t type, if you want to transition an
       executable to the syslogd_t domain.

       Paths:
              /sbin/syslogd, /sbin/minilogd, /sbin/rsyslogd, /sbin/syslog-ng,
              /usr/sbin/metalog, /usr/sbin/syslogd, /usr/sbin/minilogd,
              /usr/sbin/rsyslogd, /usr/sbin/syslog-ng,
              /usr/lib/systemd/systemd-journald,
              /usr/lib/systemd/systemd-kmsg-syslogd

       syslogd_initrc_exec_t

       - Set files with the syslogd_initrc_exec_t type, if you want to
       transition an executable to the syslogd_initrc_t domain.

       syslogd_tmp_t

       - Set files with the syslogd_tmp_t type, if you want to store syslogd
       temporary files in the /tmp directories.

       syslogd_tmpfs_t

       - Set files with the syslogd_tmpfs_t type, if you want to store syslogd
       files on a tmpfs file system.

       syslogd_var_lib_t

       - Set files with the syslogd_var_lib_t type, if you want to store the
       syslogd files under the /var/lib directory.

       Paths:
              /var/lib/r?syslog(/.*)?, /var/lib/syslog-ng(/.*)?,
              /var/lib/syslog-ng.persist, /var/lib/misc/syslog-ng.persist-?

       syslogd_var_run_t

       - Set files with the syslogd_var_run_t type, if you want to store the
       syslogd files under the /run or /var/run directory.

       Paths:
              /var/run/log(/.*)?, /var/run/syslog-ng.ctl,
              /var/run/syslog-ng(/.*)?, /var/run/systemd/journal(/.*)?,
              /var/run/metalog.pid, /var/run/syslogd.pid

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels; a label
       set only with chcon is reverted by the next restorecon or full relabel,
       because it is not recorded in that database.

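       The two failure modes this section warns about, an equivalence or
       fcontext rule that was added but never applied with restorecon, and a
       label set with chcon that restorecon will later undo, both show up as
       the same symptom: the on-disk label of a file differs from what the
       file-context database says it should be. The following POSIX sh/awk
       script is an added example, not part of the sepolicy-generated page: it
       reimplements a small subset of the matching that matchpathcon(8) and
       restorecon do, applies an equivalence the way semanage fcontext -e
       records it (prefix rewrite before matching), and compares `ls -Z` output
       against the result. The context table is a subset of the syslogd
       entries on this page, the /srv/syslog-ng equivalence is the page's own
       example, and the ls -Z listing is constructed; a first-match rule
       stands in for the real matcher's most-specific-entry rule.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated page: detect files under
# syslogd paths whose on-disk label disagrees with the file-context rules.

# Subset of the syslogd file-context rules listed on this page ("regex type").
# Order matters here: the first matching rule wins (a simplification of the
# real matcher, which prefers the most specific entry).
SYSLOGD_FCONTEXTS='/var/lib/r?syslog(/.*)? syslogd_var_lib_t
/var/lib/syslog-ng(/.*)? syslogd_var_lib_t
/var/lib/syslog-ng.persist syslogd_var_lib_t
/var/run/log(/.*)? syslogd_var_run_t
/var/run/syslog-ng(/.*)? syslogd_var_run_t
/var/run/systemd/journal(/.*)? syslogd_var_run_t
/var/run/syslogd.pid syslogd_var_run_t
/usr/sbin/rsyslogd syslogd_exec_t
/usr/sbin/syslog-ng syslogd_exec_t'

# Equivalences ("target source"), as `semanage fcontext -a -e SRC TGT`
# records them. Uses the /srv/syslog-ng example from this page.
EQUIVALENCES='/srv/syslog-ng /var/lib/syslog-ng'

# usage: expected_type /path   -> prints the syslogd type the rules assign,
# or nothing if no syslogd rule covers the path.
expected_type() {
    awk -v path="$1" -v table="$SYSLOGD_FCONTEXTS" -v equiv="$EQUIVALENCES" '
        BEGIN {
            # 1. Rewrite an equivalence prefix (whole path component only).
            n = split(equiv, e, "\n")
            for (i = 1; i <= n; i++) {
                split(e[i], m, " ")
                l = length(m[1])
                if (index(path, m[1]) == 1 &&
                    (length(path) == l || substr(path, l + 1, 1) == "/")) {
                    path = m[2] substr(path, l + 1)
                    break
                }
            }
            # 2. Anchored regex match against the rule table.
            n = split(table, t, "\n")
            for (i = 1; i <= n; i++) {
                split(t[i], f, " ")
                if (path ~ ("^" f[1] "$")) { print f[2]; exit }
            }
        }'
}

# Read `ls -Z`-style lines ("context path") on stdin; print
# "path actual expected" for every file whose type differs from the rules.
label_drift() {
    while read -r ctx path; do
        [ -n "$path" ] || continue
        actual=${ctx#*:*:}; actual=${actual%%:*}     # type field of user:role:type:range
        want=$(expected_type "$path")
        [ -n "$want" ] || continue                  # not a syslogd path
        [ "$actual" = "$want" ] || printf '%s %s %s\n' "$path" "$actual" "$want"
    done
}

# Constructed `ls -Z` output. Line 2 is a directory created under the new
# /srv equivalence before restorecon was run; line 4 was relabeled with
# chcon by hand.
SAMPLE_LS='system_u:object_r:syslogd_var_lib_t:s0 /var/lib/rsyslog/imjournal.state
unconfined_u:object_r:var_lib_t:s0 /srv/syslog-ng/syslog-ng.persist
system_u:object_r:syslogd_var_run_t:s0 /var/run/syslogd.pid
system_u:object_r:user_tmp_t:s0 /var/run/log/journal'

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LS" | label_drift
```

       On a live host the equivalent check is `restorecon -R -n -v PATH`,
       which prints what it would relabel without touching anything; the
       script above is useful when you only have a captured `ls -Z` listing,
       for instance from a forensic image, and want to know which syslog files
       had been relabeled by hand.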

COMMANDS
       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR
       This manual page was auto-generated using sepolicy manpage.

SEE ALSO
       selinux(8), syslogd(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

syslogd                           19-04-25                   syslogd_selinux(8)