1syslogd_selinux(8) SELinux Policy syslogd syslogd_selinux(8)
2
3
4
6 syslogd_selinux - Security Enhanced Linux Policy for the syslogd pro‐
7 cesses
8
10 Security-Enhanced Linux secures the syslogd processes via flexible
11 mandatory access control.
12
13 The syslogd processes execute with the syslogd_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep syslogd_t
20
21
22
24 The syslogd_t SELinux type can be entered via the syslogd_exec_t file
25 type.
26
27 The default entrypoint paths for the syslogd_t domain are the follow‐
28 ing:
29
30 /sbin/syslogd, /sbin/minilogd, /sbin/rsyslogd, /sbin/syslog-ng,
31 /usr/sbin/metalog, /usr/sbin/syslogd, /usr/sbin/minilogd,
32 /usr/sbin/rsyslogd, /usr/sbin/syslog-ng, /usr/lib/systemd/systemd-jour‐
33 nald, /usr/lib/systemd/systemd-kmsg-syslogd
34
36 SELinux defines process types (domains) for each process running on the
37 system
38
39 You can see the context of a process using the -Z option to ps
40
41 Policy governs the access confined processes have to files. SELinux
42 syslogd policy is very flexible allowing users to setup their syslogd
43 processes in as secure a method as possible.
44
45 The following process types are defined for syslogd:
46
47 syslogd_t
48
49 Note: semanage permissive -a syslogd_t can be used to make the process
50 type syslogd_t permissive. SELinux does not deny access to permissive
51 process types, but the AVC (SELinux denials) messages are still gener‐
52 ated.
53
54
56 SELinux policy is customizable based on least access required. syslogd
57 policy is extremely flexible and has several booleans that allow you to
58 manipulate the policy and run syslogd with the tightest access possi‐
59 ble.
60
61
62
63 If you want to allow users to resolve user passwd entries directly from
64 ldap rather then using a sssd server, you must turn on the authlo‐
65 gin_nsswitch_use_ldap boolean. Disabled by default.
66
67 setsebool -P authlogin_nsswitch_use_ldap 1
68
69
70
71 If you want to allow all domains to execute in fips_mode, you must turn
72 on the fips_mode boolean. Enabled by default.
73
74 setsebool -P fips_mode 1
75
76
77
78 If you want to allow confined applications to run with kerberos, you
79 must turn on the kerberos_enabled boolean. Enabled by default.
80
81 setsebool -P kerberos_enabled 1
82
83
84
85 If you want to allow syslogd daemon to send mail, you must turn on the
86 logging_syslogd_can_sendmail boolean. Disabled by default.
87
88 setsebool -P logging_syslogd_can_sendmail 1
89
90
91
92 If you want to allow syslogd the ability to call nagios plugins. It is
93 turned on by omprog rsyslog plugin, you must turn on the logging_sys‐
94 logd_run_nagios_plugins boolean. Disabled by default.
95
96 setsebool -P logging_syslogd_run_nagios_plugins 1
97
98
99
100 If you want to allow syslogd the ability to read/write terminals, you
101 must turn on the logging_syslogd_use_tty boolean. Enabled by default.
102
103 setsebool -P logging_syslogd_use_tty 1
104
105
106
107 If you want to allow system to run with NIS, you must turn on the
108 nis_enabled boolean. Disabled by default.
109
110 setsebool -P nis_enabled 1
111
112
113
114 If you want to allow confined applications to use nscd shared memory,
115 you must turn on the nscd_use_shm boolean. Enabled by default.
116
117 setsebool -P nscd_use_shm 1
118
119
120
122 SELinux defines port types to represent TCP and UDP ports.
123
124 You can see the types associated with a port by using the following
125 command:
126
127 semanage port -l
128
129
130 Policy governs the access confined processes have to these ports.
131 SELinux syslogd policy is very flexible allowing users to setup their
132 syslogd processes in as secure a method as possible.
133
134 The following port types are defined for syslogd:
135
136
137 syslog_tls_port_t
138
139
140
141 Default Defined Ports:
142 tcp 6514,10514
143 udp 6514,10514
144
145
146 syslogd_port_t
147
148
149
150 Default Defined Ports:
151 tcp 601,20514
152 udp 514,601,20514
153
155 The SELinux process type syslogd_t can manage files labeled with the
156 following file types. The paths listed are the default paths for these
157 file types. Note the processes UID still need to have DAC permissions.
158
159 cert_t
160
161 /etc/(letsencrypt|certbot)/(live|archive)(/.*)?
162 /etc/pki(/.*)?
163 /etc/ssl(/.*)?
164 /etc/ipa/nssdb(/.*)?
165 /etc/httpd/alias(/.*)?
166 /etc/docker/certs.d(/.*)?
167 /usr/share/ssl/certs(/.*)?
168 /var/lib/letsencrypt(/.*)?
169 /usr/share/ssl/private(/.*)?
170 /var/named/chroot/etc/pki(/.*)?
171 /usr/share/ca-certificates(/.*)?
172 /usr/share/pki/ca-certificates(/.*)?
173 /usr/share/pki/ca-trust-source(/.*)?
174
175 cluster_conf_t
176
177 /etc/cluster(/.*)?
178
179 cluster_var_lib_t
180
181 /var/lib/pcsd(/.*)?
182 /var/lib/cluster(/.*)?
183 /var/lib/openais(/.*)?
184 /var/lib/pengine(/.*)?
185 /var/lib/corosync(/.*)?
186 /usr/lib/heartbeat(/.*)?
187 /var/lib/heartbeat(/.*)?
188 /var/lib/pacemaker(/.*)?
189
190 cluster_var_run_t
191
192 /var/run/crm(/.*)?
193 /var/run/cman_.*
194 /var/run/rsctmp(/.*)?
195 /var/run/aisexec.*
196 /var/run/heartbeat(/.*)?
197 /var/run/corosync-qnetd(/.*)?
198 /var/run/corosync-qdevice(/.*)?
199 /var/run/corosync.pid
200 /var/run/cpglockd.pid
201 /var/run/rgmanager.pid
202 /var/run/cluster/rgmanager.sk
203
204 cron_log_t
205
206 /var/log/cron.*
207 /var/log/rpmpkgs.*
208
209 innd_log_t
210
211 /var/log/news(/.*)?
212
213 krb5_host_rcache_t
214
215 /var/cache/krb5rcache(/.*)?
216 /var/tmp/nfs_0
217 /var/tmp/DNS_25
218 /var/tmp/host_0
219 /var/tmp/imap_0
220 /var/tmp/HTTP_23
221 /var/tmp/HTTP_48
222 /var/tmp/ldap_55
223 /var/tmp/ldap_487
224 /var/tmp/ldapmap1_0
225
226 logfile
227
228 all log files
229
230 plymouthd_var_log_t
231
232 /var/log/boot.log.*
233
234 root_t
235
236 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
237 /
238 /initrd
239
240 security_t
241
242 /selinux
243
244 syslogd_tmp_t
245
246
247 syslogd_tmpfs_t
248
249
250 syslogd_var_lib_t
251
252 /var/lib/r?syslog(/.*)?
253 /var/lib/syslog-ng(/.*)?
254 /var/lib/syslog-ng.persist
255 /var/lib/misc/syslog-ng.persist-?
256
257 syslogd_var_run_t
258
259 /var/run/log(/.*)?
260 /var/run/syslog-ng.ctl
261 /var/run/syslog-ng(/.*)?
262 /var/run/systemd/journal(/.*)?
263 /var/run/metalog.pid
264 /var/run/syslogd.pid
265
266 systemd_coredump_tmpfs_t
267
268
269 var_log_t
270
271 /var/log/.*
272 /nsr/logs(/.*)?
273 /var/webmin(/.*)?
274 /var/log/secure[^/]*
275 /opt/zimbra/log(/.*)?
276 /var/log/maillog[^/]*
277 /var/log/spooler[^/]*
278 /var/log/messages[^/]*
279 /usr/centreon/log(/.*)?
280 /var/spool/rsyslog(/.*)?
281 /var/axfrdns/log/main(/.*)?
282 /var/spool/bacula/log(/.*)?
283 /var/tinydns/log/main(/.*)?
284 /var/dnscache/log/main(/.*)?
285 /var/stockmaniac/templates_cache(/.*)?
286 /opt/Symantec/scspagent/IDS/system(/.*)?
287 /var/log
288 /var/log/dmesg
289 /var/log/syslog
290 /var/named/chroot/var/log
291
292
294 SELinux requires files to have an extended attribute to define the file
295 type.
296
297 You can see the context of a file using the -Z option to ls
298
299 Policy governs the access confined processes have to these files.
300 SELinux syslogd policy is very flexible allowing users to setup their
301 syslogd processes in as secure a method as possible.
302
303 EQUIVALENCE DIRECTORIES
304
305
306 syslogd policy stores data with multiple different file context types
307 under the /var/lib/syslog-ng directory. If you would like to store the
308 data in a different directory you can use the semanage command to cre‐
309 ate an equivalence mapping. If you wanted to store this data under the
310 /srv dirctory you would execute the following command:
311
312 semanage fcontext -a -e /var/lib/syslog-ng /srv/syslog-ng
313 restorecon -R -v /srv/syslog-ng
314
315 syslogd policy stores data with multiple different file context types
316 under the /var/run/syslog-ng directory. If you would like to store the
317 data in a different directory you can use the semanage command to cre‐
318 ate an equivalence mapping. If you wanted to store this data under the
319 /srv dirctory you would execute the following command:
320
321 semanage fcontext -a -e /var/run/syslog-ng /srv/syslog-ng
322 restorecon -R -v /srv/syslog-ng
323
324 STANDARD FILE CONTEXT
325
326 SELinux defines the file context types for the syslogd, if you wanted
327 to store files with these types in a diffent paths, you need to execute
328 the semanage command to sepecify alternate labeling and then use
329 restorecon to put the labels on disk.
330
331 semanage fcontext -a -t syslogd_unit_file_t '/srv/mysyslogd_con‐
332 tent(/.*)?'
333 restorecon -R -v /srv/mysyslogd_content
334
335 Note: SELinux often uses regular expressions to specify labels that
336 match multiple files.
337
338 The following file types are defined for syslogd:
339
340
341
342 syslogd_exec_t
343
344 - Set files with the syslogd_exec_t type, if you want to transition an
345 executable to the syslogd_t domain.
346
347
348 Paths:
349 /sbin/syslogd, /sbin/minilogd, /sbin/rsyslogd, /sbin/syslog-ng,
350 /usr/sbin/metalog, /usr/sbin/syslogd, /usr/sbin/minilogd,
351 /usr/sbin/rsyslogd, /usr/sbin/syslog-ng, /usr/lib/systemd/systemd-
352 journald, /usr/lib/systemd/systemd-kmsg-syslogd
353
354
355 syslogd_initrc_exec_t
356
357 - Set files with the syslogd_initrc_exec_t type, if you want to transi‐
358 tion an executable to the syslogd_initrc_t domain.
359
360
361
362 syslogd_tmp_t
363
364 - Set files with the syslogd_tmp_t type, if you want to store syslogd
365 temporary files in the /tmp directories.
366
367
368
369 syslogd_tmpfs_t
370
371 - Set files with the syslogd_tmpfs_t type, if you want to store syslogd
372 files on a tmpfs file system.
373
374
375
376 syslogd_unit_file_t
377
378 - Set files with the syslogd_unit_file_t type, if you want to treat the
379 files as syslogd unit content.
380
381
382
383 syslogd_var_lib_t
384
385 - Set files with the syslogd_var_lib_t type, if you want to store the
386 syslogd files under the /var/lib directory.
387
388
389 Paths:
390 /var/lib/r?syslog(/.*)?, /var/lib/syslog-ng(/.*)?, /var/lib/sys‐
391 log-ng.persist, /var/lib/misc/syslog-ng.persist-?
392
393
394 syslogd_var_run_t
395
396 - Set files with the syslogd_var_run_t type, if you want to store the
397 syslogd files under the /run or /var/run directory.
398
399
400 Paths:
401 /var/run/log(/.*)?, /var/run/syslog-ng.ctl, /var/run/syslog-
402 ng(/.*)?, /var/run/systemd/journal(/.*)?, /var/run/metalog.pid,
403 /var/run/syslogd.pid
404
405
406 Note: File context can be temporarily modified with the chcon command.
407 If you want to permanently change the file context you need to use the
408 semanage fcontext command. This will modify the SELinux labeling data‐
409 base. You will need to use restorecon to apply the labels.
410
411
413 semanage fcontext can also be used to manipulate default file context
414 mappings.
415
416 semanage permissive can also be used to manipulate whether or not a
417 process type is permissive.
418
419 semanage module can also be used to enable/disable/install/remove pol‐
420 icy modules.
421
422 semanage port can also be used to manipulate the port definitions
423
424 semanage boolean can also be used to manipulate the booleans
425
426
427 system-config-selinux is a GUI tool available to customize SELinux pol‐
428 icy settings.
429
430
432 This manual page was auto-generated using sepolicy manpage .
433
434
436 selinux(8), syslogd(8), semanage(8), restorecon(8), chcon(1), sepol‐
437 icy(8), setsebool(8)
438
439
440
441syslogd 19-10-08 syslogd_selinux(8)