[[wiki:experiences/igraltist#RC Setup|Back to igraltist's experiences / RC Modules]]

===== Syslog-ng =====

== Syslog ==

Create a role ``Syslog`` (role 10) and make it the initial role of the syslog-ng binary:

<code>
rc_set_item ROLE 10 name "Syslog"
attr_set_file_dir FILE "/usr/sbin/syslog-ng" rc_initial_role 10
</code>

Create an FD type 10 named ``Syslog_FD`` and make it the type that role 10 gives to every file, directory and unix socket it creates, including objects created inside directories that are already of type 10:

<code>
rc_set_item TYPE 10 type_fd_name "Syslog_FD"
rc_set_item ROLE 10 def_fd_create_type 10
rc_set_item ROLE 10 def_fd_ind_create_type 10 10
rc_set_item ROLE 10 def_unixsock_create_type 10
</code>

Assign ``rc_type_fd 10`` to ``/var/lib/syslog-ng``; everything below that directory inherits the type:

<code>
attr_set_file_dir DIR "/var/lib/syslog-ng" rc_type_fd 10
</code>

Policy for role ``Syslog``. Type 0 is the general type that every object carries unless another type has been assigned, so the type 0 entries are what the daemon gets on the rest of the system:

<code>
rc_set_item ROLE 10 type_comp_fd 0 CHANGE_OWNER CLOSE CREATE GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH MAP_EXEC
rc_set_item ROLE 10 type_comp_dev 0 CLOSE GET_PERMISSIONS_DATA READ READ_OPEN WRITE WRITE_OPEN
rc_set_item ROLE 10 type_comp_user 0 GET_STATUS_DATA READ SEARCH
rc_set_item ROLE 10 type_comp_process 0 CREATE
rc_set_item ROLE 10 type_comp_ipc 0 CHANGE_OWNER CLOSE CREATE MODIFY_PERMISSIONS_DATA MODIFY_SYSTEM_DATA WRITE LISTEN RECEIVE
rc_set_item ROLE 10 type_comp_group 0 READ SEARCH
rc_set_item ROLE 10 type_comp_ipc 2 RECEIVE
rc_set_item ROLE 10 type_comp_fd 2 APPEND_OPEN CHANGE_OWNER CLOSE MODIFY_PERMISSIONS_DATA WRITE
rc_set_item ROLE 10 type_comp_fd 10 CLOSE CREATE DELETE GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_OPEN SEARCH TRUNCATE WRITE WRITE_OPEN ACCEPT
</code>

The role also needs access to ``rc_type_fd 4``, which is assigned to ``/var/log``, where the log files are written:

<code>
rc_set_item ROLE 10 type_comp_fd 4 APPEND_OPEN CHANGE_OWNER CLOSE GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH TRUNCATE WRITE WRITE_OPEN
</code>

It also needs access to ``rc_type_fd 5``, which is assigned to ``/var/run``. CREATE and SEARCH are enough there: whatever role 10 creates below ``/var/run`` gets type 10 through ``def_fd_create_type``, so later opens of that object are checked against the type 10 entry, not against type 5:

<code>
rc_set_item ROLE 10 type_comp_fd 5 CREATE SEARCH
</code>

Extend the policy for the RC role ``System Admin`` (role 2).\\
If the cron daemon has no separate RC role, it logs from role 2 and therefore needs CONNECT and SEND on the syslog socket type (``rc_type_fd 10``):
<code>
rc_set_item ROLE 2 type_comp_fd 10 CLOSE DELETE GET_STATUS_DATA READ READ_OPEN CONNECT SEND
</code>

===== Rklogd =====

== rklogd ==

The security user's home directory is ``/security``, and rklogd writes its log file as ``/security/log/security-log``.\\
Assigning ``rc_type_fd 1`` to ``/security`` keeps the root user from reading the RSBAC messages. With the boot parameter ``rsbac_nosyslog`` the RSBAC messages are not written to the default syslog file, and root is also not allowed to read them through ``/proc/rsbac-info/rmsg``.

When using rklogd, create two roles: ``Rklogd_Server`` (role 8) is the initial role of the binary and ``Rklogd_Worker`` (role 9) is its forced role.

<code>
rc_set_item ROLE 8 name "Rklogd_Server"
rc_set_item ROLE 9 name "Rklogd_Worker"
attr_set_file_dir FILE "/usr/sbin/rklogd" rc_initial_role 8
attr_set_file_dir FILE "/usr/sbin/rklogd" rc_force_role 9
</code>

Policy for the rklogd roles. Role 8 only gets the general types plus CREATE and SEARCH on ``/var/run`` (``rc_type_fd 5``). Role 9 additionally gets CONNECT and SEND on the syslog socket type (``rc_type_fd 10``) and GET_STATUS_DATA on SCD type 9 (rsbaclog), the target checked when the RSBAC message queue is read:

<code>
rc_set_item ROLE 8 type_comp_dev 0 CLOSE READ_WRITE_OPEN
rc_set_item ROLE 8 type_comp_user 0 CHANGE_OWNER GET_STATUS_DATA SEARCH
rc_set_item ROLE 8 type_comp_ipc 0 CLOSE CREATE
rc_set_item ROLE 8 type_comp_process 0 CREATE
rc_set_item ROLE 8 type_comp_fd 0 CHANGE_OWNER CLOSE CREATE DELETE GET_STATUS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH WRITE WRITE_OPEN MAP_EXEC LOCK
rc_set_item ROLE 8 type_comp_fd 5 CHANGE_OWNER CREATE SEARCH
rc_set_item ROLE 9 type_comp_fd 10 CONNECT SEND
rc_set_item ROLE 9 type_comp_fd 0 APPEND_OPEN CLOSE CREATE DELETE GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH WRITE WRITE_OPEN CONNECT SEND LOCK
rc_set_item ROLE 9 type_comp_scd 9 GET_STATUS_DATA
rc_set_item ROLE 9 type_comp_dev 0 CLOSE READ_WRITE_OPEN
rc_set_item ROLE 9 type_comp_ipc 0 CLOSE CREATE
</code>
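The following is an added example, not part of this page and not one of the RSBAC admin tools. It parses the ``rc_set_item`` and ``attr_set_file_dir`` lines from both the syslog-ng and the rklogd section into a role/type compatibility matrix and then answers the questions the text raises: can role 10 append under ``/var/log``, why do CREATE and SEARCH on ``/var/run`` suffice, can the cron daemon in role 2 reach the syslog socket type, and which of the two rklogd roles may read the RSBAC message queue. The ``/var/log`` = 4 and ``/var/run`` = 5 assignments are written out as ``attr_set_file_dir`` lines because the page only states them in prose; the pid-file path is a constructed example; the rules that untyped objects are type 0, that a directory's type applies to everything below it, and that a created object gets the role's ``def_fd_create_type`` are my reading of the RC model, not statements from the page.

```python
"""Added example (not from the wiki page, not an RSBAC tool): parse the page's
rc_set_item / attr_set_file_dir lines and answer "may role R issue request Q
on an object of RC type T?" with the RC module's basic rule: Q must be listed
in type_comp_<target> for that role and type.  Assumed semantics, per the RC
model: untyped objects are type 0 (General); a directory's rc_type_fd applies
to everything below it; a new FD object gets the creating role's
def_fd_create_type, or its def_fd_ind_create_type entry for the parent's type.
"""
import shlex
from collections import defaultdict

# Constructed input: a subset of the lines on this page.  The /var/log=4 and
# /var/run=5 mappings are stated in the page's prose and written out here.
POLICY = r'''
rc_set_item ROLE 10 name "Syslog"
attr_set_file_dir FILE "/usr/sbin/syslog-ng" rc_initial_role 10
rc_set_item TYPE 10 type_fd_name "Syslog_FD"
rc_set_item ROLE 10 def_fd_create_type 10
rc_set_item ROLE 10 def_fd_ind_create_type 10 10
attr_set_file_dir DIR "/var/lib/syslog-ng" rc_type_fd 10
attr_set_file_dir DIR "/var/log" rc_type_fd 4
attr_set_file_dir DIR "/var/run" rc_type_fd 5
rc_set_item ROLE 10 type_comp_fd 0 CHANGE_OWNER CLOSE CREATE GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH MAP_EXEC
rc_set_item ROLE 10 type_comp_fd 10 CLOSE CREATE DELETE GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_OPEN SEARCH TRUNCATE WRITE WRITE_OPEN ACCEPT
rc_set_item ROLE 10 type_comp_fd 4 APPEND_OPEN CHANGE_OWNER CLOSE GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH TRUNCATE WRITE WRITE_OPEN
rc_set_item ROLE 10 type_comp_fd 5 CREATE SEARCH
rc_set_item ROLE 2 type_comp_fd 10 CLOSE DELETE GET_STATUS_DATA READ READ_OPEN CONNECT SEND
rc_set_item ROLE 8 name "Rklogd_Server"
rc_set_item ROLE 9 name "Rklogd_Worker"
attr_set_file_dir FILE "/usr/sbin/rklogd" rc_initial_role 8
attr_set_file_dir FILE "/usr/sbin/rklogd" rc_force_role 9
rc_set_item ROLE 9 type_comp_fd 10 CONNECT SEND
rc_set_item ROLE 9 type_comp_scd 9 GET_STATUS_DATA
'''


class RcPolicy:
    def __init__(self, text):
        self.names, self.type_names = {}, {}
        self.comp = defaultdict(dict)         # (role, target) -> {type: requests}
        self.path_types = {}                  # dir/file prefix -> rc_type_fd
        self.initial_role, self.force_role = {}, {}
        self.def_create = {}                  # role -> def_fd_create_type
        self.ind_create = defaultdict(dict)   # role -> {parent type: new type}
        for raw in text.splitlines():
            tok = shlex.split(raw, comments=True)
            if not tok:
                continue
            if tok[0] == "attr_set_file_dir":  # attr_set_file_dir FILE|DIR path attr value
                _, _kind, path, attr, value = tok
                {"rc_type_fd": self.path_types, "rc_initial_role": self.initial_role,
                 "rc_force_role": self.force_role}[attr][path] = int(value)
            elif tok[0] == "rc_set_item":
                self._set_item(tok)

    def _set_item(self, tok):
        _, kind, num, item, *args = tok
        num = int(num)
        if kind == "TYPE" and item == "type_fd_name":
            self.type_names[num] = args[0]
        elif item == "name":
            self.names[num] = args[0]
        elif item == "def_fd_create_type":
            self.def_create[num] = int(args[0])
        elif item == "def_fd_ind_create_type":
            self.ind_create[num][int(args[0])] = int(args[1])
        elif item.startswith("type_comp_"):
            self.comp[(num, item[len("type_comp_"):])][int(args[0])] = frozenset(args[1:])
        # other items (def_unixsock_create_type, ...) are accepted and ignored

    def fd_type(self, path):
        """rc_type_fd of a path: longest matching prefix, else 0 (General)."""
        hits = [p for p in self.path_types
                if path == p or path.startswith(p.rstrip("/") + "/")]
        return self.path_types[max(hits, key=len)] if hits else 0

    def create_type(self, role, parent_type):
        """Type a new FD object gets when this role creates it under parent_type."""
        return self.ind_create[role].get(parent_type, self.def_create.get(role, parent_type))

    def allowed(self, role, target, rtype, request):
        return request in self.comp.get((role, target), {}).get(rtype, ())

    def allowed_path(self, role, path, request):
        return self.allowed(role, "fd", self.fd_type(path), request)

    def roles_reaching(self, target, rtype):
        """Audit: every role with at least one request on this target type."""
        return {r for (r, t), types in self.comp.items() if t == target and types.get(rtype)}


def pidfile_scenario(pol, role=10, path="/var/run/syslog-ng.pid"):
    """Why role 10 needs only CREATE SEARCH on type 5: the file it creates
    (constructed pid-file path) is born as type 10, so the write is checked there."""
    parent_type = pol.fd_type(path.rsplit("/", 1)[0])
    new_type = pol.create_type(role, parent_type)
    return (pol.allowed(role, "fd", parent_type, "CREATE"), new_type,
            pol.allowed(role, "fd", new_type, "WRITE_OPEN"))
```

``roles_reaching("fd", 10)`` is the check worth running after every change to this page's policy: it lists every role that can touch the syslog socket type, so an accidental grant to a role other than 2, 9 and 10 shows up immediately. The pid-file scenario also shows the failure mode of the opposite case: a file of type 5 that already exists under ``/var/run`` cannot be opened for writing by role 10, because the type 5 entry only has CREATE and SEARCH.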