1syslogd_selinux(8) SELinux Policy syslogd syslogd_selinux(8)
2
3
4
6 syslogd_selinux - Security Enhanced Linux Policy for the syslogd pro‐
7 cesses
8
10 Security-Enhanced Linux secures the syslogd processes via flexible
11 mandatory access control.
12
13 The syslogd processes execute with the syslogd_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep syslogd_t
20
21
22
24 The syslogd_t SELinux type can be entered via the syslogd_exec_t file
25 type.
26
27 The default entrypoint paths for the syslogd_t domain are the follow‐
28 ing:
29
30 /sbin/syslogd, /sbin/minilogd, /sbin/rsyslogd, /sbin/syslog-ng,
31 /usr/sbin/metalog, /usr/sbin/syslogd, /usr/sbin/minilogd,
32 /usr/sbin/rsyslogd, /usr/sbin/syslog-ng, /usr/lib/systemd/systemd-jour‐
33 nald, /usr/lib/systemd/systemd-kmsg-syslogd
34
36 SELinux defines process types (domains) for each process running on the
37 system
38
39 You can see the context of a process using the -Z option to ps
40
41 Policy governs the access confined processes have to files. SELinux
42 syslogd policy is very flexible allowing users to setup their syslogd
43 processes in as secure a method as possible.
44
45 The following process types are defined for syslogd:
46
47 syslogd_t
48
49 Note: semanage permissive -a syslogd_t can be used to make the process
50 type syslogd_t permissive. SELinux does not deny access to permissive
51 process types, but the AVC (SELinux denials) messages are still gener‐
52 ated.
53
54
56 SELinux policy is customizable based on least access required. syslogd
57 policy is extremely flexible and has several booleans that allow you to
58 manipulate the policy and run syslogd with the tightest access possi‐
59 ble.
60
61
62
63 If you want to dontaudit all daemons scheduling requests (setsched,
64 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
65 Enabled by default.
66
67 setsebool -P daemons_dontaudit_scheduling 1
68
69
70
71 If you want to allow all domains to execute in fips_mode, you must turn
72 on the fips_mode boolean. Enabled by default.
73
74 setsebool -P fips_mode 1
75
76
77
78 If you want to allow confined applications to run with kerberos, you
79 must turn on the kerberos_enabled boolean. Enabled by default.
80
81 setsebool -P kerberos_enabled 1
82
83
84
85 If you want to allow syslogd daemon append public content files, you
86 must turn on the logging_syslogd_append_public_content boolean. Dis‐
87 abled by default.
88
89 setsebool -P logging_syslogd_append_public_content 1
90
91
92
93 If you want to allow syslogd daemon to send mail, you must turn on the
94 logging_syslogd_can_sendmail boolean. Disabled by default.
95
96 setsebool -P logging_syslogd_can_sendmail 1
97
98
99
100 If you want to allow syslogd daemon list non security directories, you
101 must turn on the logging_syslogd_list_non_security_dirs boolean. Dis‐
102 abled by default.
103
104 setsebool -P logging_syslogd_list_non_security_dirs 1
105
106
107
108 If you want to allow syslogd the ability to call nagios plugins. It is
109 turned on by omprog rsyslog plugin, you must turn on the logging_sys‐
110 logd_run_nagios_plugins boolean. Disabled by default.
111
112 setsebool -P logging_syslogd_run_nagios_plugins 1
113
114
115
116 If you want to allow syslogd the ability to read/write terminals, you
117 must turn on the logging_syslogd_use_tty boolean. Enabled by default.
118
119 setsebool -P logging_syslogd_use_tty 1
120
121
122
123 If you want to allow system to run with NIS, you must turn on the
124 nis_enabled boolean. Disabled by default.
125
126 setsebool -P nis_enabled 1
127
128
129
131 SELinux defines port types to represent TCP and UDP ports.
132
133 You can see the types associated with a port by using the following
134 command:
135
136 semanage port -l
137
138
139 Policy governs the access confined processes have to these ports.
140 SELinux syslogd policy is very flexible allowing users to setup their
141 syslogd processes in as secure a method as possible.
142
143 The following port types are defined for syslogd:
144
145
146 syslog_tls_port_t
147
148
149
150 Default Defined Ports:
151 tcp 6514,10514
152 udp 6514,10514
153
154
155 syslogd_port_t
156
157
158
159 Default Defined Ports:
160 tcp 601,20514
161 udp 514,601,20514
162
164 The SELinux process type syslogd_t can manage files labeled with the
165 following file types. The paths listed are the default paths for these
166 file types. Note the processes UID still need to have DAC permissions.
167
168 cluster_conf_t
169
170 /etc/cluster(/.*)?
171
172 cluster_var_lib_t
173
174 /var/lib/pcsd(/.*)?
175 /var/lib/cluster(/.*)?
176 /var/lib/openais(/.*)?
177 /var/lib/pengine(/.*)?
178 /var/lib/corosync(/.*)?
179 /usr/lib/heartbeat(/.*)?
180 /var/lib/heartbeat(/.*)?
181 /var/lib/pacemaker(/.*)?
182
183 cluster_var_run_t
184
185 /var/run/crm(/.*)?
186 /var/run/cman_.*
187 /var/run/rsctmp(/.*)?
188 /var/run/aisexec.*
189 /var/run/heartbeat(/.*)?
190 /var/run/pcsd-ruby.socket
191 /var/run/corosync-qnetd(/.*)?
192 /var/run/corosync-qdevice(/.*)?
193 /var/run/corosync.pid
194 /var/run/cpglockd.pid
195 /var/run/rgmanager.pid
196 /var/run/cluster/rgmanager.sk
197
198 krb5_host_rcache_t
199
200 /var/tmp/krb5_0.rcache2
201 /var/cache/krb5rcache(/.*)?
202 /var/tmp/nfs_0
203 /var/tmp/DNS_25
204 /var/tmp/host_0
205 /var/tmp/imap_0
206 /var/tmp/HTTP_23
207 /var/tmp/HTTP_48
208 /var/tmp/ldap_55
209 /var/tmp/ldap_487
210 /var/tmp/ldapmap1_0
211
212 logfile
213
214 all log files
215
216 root_t
217
218 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
219 /
220 /initrd
221
222 security_t
223
224 /selinux
225
226 syslogd_tmp_t
227
228
229 syslogd_tmpfs_t
230
231
232 syslogd_var_lib_t
233
234 /var/lib/r?syslog(/.*)?
235 /var/lib/syslog-ng(/.*)?
236 /var/lib/syslog-ng.persist
237 /var/lib/misc/syslog-ng.persist-?
238
239 syslogd_var_run_t
240
241 /var/run/log(/.*)?
242 /var/run/syslog-ng.ctl
243 /var/run/syslog-ng(/.*)?
244 /var/run/systemd/journal(/.*)?
245 /var/run/systemd/journal.[^/]+(/.*)?
246 /var/run/metalog.pid
247 /var/run/syslogd.pid
248
249 systemd_bootchart_tmpfs_t
250
251
252 systemd_coredump_tmpfs_t
253
254
255
257 SELinux requires files to have an extended attribute to define the file
258 type.
259
260 You can see the context of a file using the -Z option to ls
261
262 Policy governs the access confined processes have to these files.
263 SELinux syslogd policy is very flexible allowing users to setup their
264 syslogd processes in as secure a method as possible.
265
266 EQUIVALENCE DIRECTORIES
267
268
269 syslogd policy stores data with multiple different file context types
270 under the /var/lib/syslog-ng directory. If you would like to store the
271 data in a different directory you can use the semanage command to cre‐
272 ate an equivalence mapping. If you wanted to store this data under the
273 /srv directory you would execute the following command:
274
275 semanage fcontext -a -e /var/lib/syslog-ng /srv/syslog-ng
276 restorecon -R -v /srv/syslog-ng
277
278 syslogd policy stores data with multiple different file context types
279 under the /var/run/syslog-ng directory. If you would like to store the
280 data in a different directory you can use the semanage command to cre‐
281 ate an equivalence mapping. If you wanted to store this data under the
282 /srv directory you would execute the following command:
283
284 semanage fcontext -a -e /var/run/syslog-ng /srv/syslog-ng
285 restorecon -R -v /srv/syslog-ng
286
287 syslogd policy stores data with multiple different file context types
288 under the /var/run/systemd/journal directory. If you would like to
289 store the data in a different directory you can use the semanage com‐
290 mand to create an equivalence mapping. If you wanted to store this
291 data under the /srv directory you would execute the following command:
292
293 semanage fcontext -a -e /var/run/systemd/journal /srv/journal
294 restorecon -R -v /srv/journal
295
296 STANDARD FILE CONTEXT
297
298 SELinux defines the file context types for the syslogd, if you wanted
299 to store files with these types in a different paths, you need to exe‐
300 cute the semanage command to specify alternate labeling and then use
301 restorecon to put the labels on disk.
302
303 semanage fcontext -a -t syslogd_exec_t '/srv/syslogd/content(/.*)?'
304 restorecon -R -v /srv/mysyslogd_content
305
306 Note: SELinux often uses regular expressions to specify labels that
307 match multiple files.
308
309 The following file types are defined for syslogd:
310
311
312
313 syslogd_exec_t
314
315 - Set files with the syslogd_exec_t type, if you want to transition an
316 executable to the syslogd_t domain.
317
318
319 Paths:
320 /sbin/syslogd, /sbin/minilogd, /sbin/rsyslogd, /sbin/syslog-ng,
321 /usr/sbin/metalog, /usr/sbin/syslogd, /usr/sbin/minilogd,
322 /usr/sbin/rsyslogd, /usr/sbin/syslog-ng, /usr/lib/systemd/systemd-
323 journald, /usr/lib/systemd/systemd-kmsg-syslogd
324
325
326 syslogd_initrc_exec_t
327
328 - Set files with the syslogd_initrc_exec_t type, if you want to transi‐
329 tion an executable to the syslogd_initrc_t domain.
330
331
332
333 syslogd_tmp_t
334
335 - Set files with the syslogd_tmp_t type, if you want to store syslogd
336 temporary files in the /tmp directories.
337
338
339
340 syslogd_tmpfs_t
341
342 - Set files with the syslogd_tmpfs_t type, if you want to store syslogd
343 files on a tmpfs file system.
344
345
346
347 syslogd_unit_file_t
348
349 - Set files with the syslogd_unit_file_t type, if you want to treat the
350 files as syslogd unit content.
351
352
353
354 syslogd_var_lib_t
355
356 - Set files with the syslogd_var_lib_t type, if you want to store the
357 syslogd files under the /var/lib directory.
358
359
360 Paths:
361 /var/lib/r?syslog(/.*)?, /var/lib/syslog-ng(/.*)?, /var/lib/sys‐
362 log-ng.persist, /var/lib/misc/syslog-ng.persist-?
363
364
365 syslogd_var_run_t
366
367 - Set files with the syslogd_var_run_t type, if you want to store the
368 syslogd files under the /run or /var/run directory.
369
370
371 Paths:
372 /var/run/log(/.*)?, /var/run/syslog-ng.ctl, /var/run/syslog-
373 ng(/.*)?, /var/run/systemd/journal(/.*)?, /var/run/systemd/jour‐
374 nal.[^/]+(/.*)?, /var/run/metalog.pid, /var/run/syslogd.pid
375
376
377 Note: File context can be temporarily modified with the chcon command.
378 If you want to permanently change the file context you need to use the
379 semanage fcontext command. This will modify the SELinux labeling data‐
380 base. You will need to use restorecon to apply the labels.
381
382
384 semanage fcontext can also be used to manipulate default file context
385 mappings.
386
387 semanage permissive can also be used to manipulate whether or not a
388 process type is permissive.
389
390 semanage module can also be used to enable/disable/install/remove pol‐
391 icy modules.
392
393 semanage port can also be used to manipulate the port definitions
394
395 semanage boolean can also be used to manipulate the booleans
396
397
398 system-config-selinux is a GUI tool available to customize SELinux pol‐
399 icy settings.
400
401
403 This manual page was auto-generated using sepolicy manpage .
404
405
407 selinux(8), syslogd(8), semanage(8), restorecon(8), chcon(1), sepol‐
408 icy(8), setsebool(8)
409
410
411
412syslogd 23-12-15 syslogd_selinux(8)