
Syslog-ng

Syslog

Create a Role ``Syslog`` and apply it to the syslog binary.

rc_set_item ROLE 10 name "Syslog"
attr_set_file_dir FILE "/usr/sbin/syslog-ng" rc_initial_role 10

Create the ``rc_type_fd`` type 10 and make it the default create type for RC role 10.

rc_set_item TYPE 10 type_fd_name "Syslog_FD"
rc_set_item ROLE 10 def_fd_create_type 10
rc_set_item ROLE 10 def_fd_ind_create_type 10 10
rc_set_item ROLE 10 def_unixsock_create_type 10

Assign ``rc_type_fd 10`` to ``/var/lib/syslog-ng``.

attr_set_file_dir DIR "/var/lib/syslog-ng" rc_type_fd 10

Policy for Role ``Syslog``:

rc_set_item ROLE 10 type_comp_fd 0 CHANGE_OWNER CLOSE CREATE GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH MAP_EXEC
rc_set_item ROLE 10 type_comp_dev 0 CLOSE GET_PERMISSIONS_DATA READ READ_OPEN WRITE WRITE_OPEN
rc_set_item ROLE 10 type_comp_user 0 GET_STATUS_DATA READ SEARCH
rc_set_item ROLE 10 type_comp_process 0 CREATE
rc_set_item ROLE 10 type_comp_ipc 0 CHANGE_OWNER CLOSE CREATE MODIFY_PERMISSIONS_DATA MODIFY_SYSTEM_DATA WRITE LISTEN RECEIVE
rc_set_item ROLE 10 type_comp_group 0 READ SEARCH
rc_set_item ROLE 10 type_comp_ipc 2 RECEIVE
rc_set_item ROLE 10 type_comp_fd 2 APPEND_OPEN CHANGE_OWNER CLOSE MODIFY_PERMISSIONS_DATA WRITE
rc_set_item ROLE 10 type_comp_fd 10 CLOSE CREATE DELETE GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_OPEN SEARCH TRUNCATE WRITE WRITE_OPEN ACCEPT

The role needs access to ``rc_type_fd 4``, which is assigned to ``/var/log``.

rc_set_item ROLE 10 type_comp_fd 4 APPEND_OPEN CHANGE_OWNER CLOSE GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH TRUNCATE WRITE WRITE_OPEN

The role needs access to ``rc_type_fd 5``, which is assigned to ``/var/run``.

rc_set_item ROLE 10 type_comp_fd 5 CREATE SEARCH

Extend the policy for the RC role ``System Admin``:
If the cron daemon has no separate RC role, then it needs access to CONNECT, RECEIVE.

rc_set_item ROLE 2 type_comp_fd 10 CLOSE DELETE GET_STATUS_DATA READ READ_OPEN CONNECT SEND

Rklogd

rklogd

My security user has his home directory at ``/security``.
The log file is then created as ``/security/log/security-log``.
Setting ``rc_type_fd 1`` on ``/security`` prevents the root user from viewing the RSBAC messages. With the boot parameter ``rsbac_nosyslog``, the RSBAC messages are not logged to the default syslog file.
The root user is also not allowed to view them through ``/proc/rsbac-info/rmsg``.

When using rklogd, create two roles.

rc_set_item ROLE 8 name "Rklogd_Server"
rc_set_item ROLE 9 name "Rklogd_Worker"

attr_set_file_dir FILE "/usr/sbin/rklogd" rc_initial_role 8

attr_set_file_dir FILE "/usr/sbin/rklogd" rc_force_role 9

Policy for the rklogd roles:

rc_set_item ROLE 8 type_comp_dev 0 CLOSE READ_WRITE_OPEN
rc_set_item ROLE 8 type_comp_user 0 CHANGE_OWNER GET_STATUS_DATA SEARCH
rc_set_item ROLE 8 type_comp_ipc 0 CLOSE CREATE
rc_set_item ROLE 8 type_comp_process 0 CREATE
rc_set_item ROLE 8 type_comp_fd 0 CHANGE_OWNER CLOSE CREATE DELETE GET_STATUS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH WRITE WRITE_OPEN MAP_EXEC LOCK
rc_set_item ROLE 8 type_comp_fd 5 CHANGE_OWNER CREATE SEARCH
rc_set_item ROLE 9 type_comp_fd 10 CONNECT SEND
rc_set_item ROLE 9 type_comp_fd 0 APPEND_OPEN CLOSE CREATE DELETE GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH WRITE WRITE_OPEN CONNECT SEND LOCK
rc_set_item ROLE 9 type_comp_scd 9 GET_STATUS_DATA
rc_set_item ROLE 9 type_comp_dev 0 CLOSE READ_WRITE_OPEN
rc_set_item ROLE 9 type_comp_ipc 0 CLOSE CREATE
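
To review which roles end up with which rights on a target type before applying the policy, the ``rc_set_item`` lines can be checked offline. The script below is an added example, not part of the original page or of the RSBAC tools; the function names ``rights_of``, ``roles_with`` and ``modifiers`` and the ``MODIFYING`` list are assumptions of this example, and it takes the union of rights across matching lines. ``POLICY`` holds the ``type_comp_fd 10`` and ``type_comp_scd 9`` lines copied from this page.

```shell
#!/bin/sh
# Added example: offline review of RC compatibility settings.
# POLICY is a sample built from rc_set_item lines on this page; use
# POLICY=$(cat your-policy-script) to review a complete setup.
POLICY='
rc_set_item ROLE 10 type_comp_fd 10 CLOSE CREATE DELETE GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_OPEN SEARCH TRUNCATE WRITE WRITE_OPEN ACCEPT
rc_set_item ROLE 2 type_comp_fd 10 CLOSE DELETE GET_STATUS_DATA READ READ_OPEN CONNECT SEND
rc_set_item ROLE 9 type_comp_fd 10 CONNECT SEND
rc_set_item ROLE 9 type_comp_scd 9 GET_STATUS_DATA
'

# Request types this example treats as "modifying" (an assumption made
# for the review, not an RSBAC definition).
MODIFYING='APPEND_OPEN CHANGE_OWNER CREATE DELETE MODIFY_PERMISSIONS_DATA READ_WRITE_OPEN TRUNCATE WRITE WRITE_OPEN'

# rights_of ROLE ITEM TYPE: rights the role holds on that target type,
# collected from every matching line, sorted, space separated.
rights_of() {
    printf '%s\n' "$POLICY" | awk -v r="$1" -v it="$2" -v t="$3" '
        $1 == "rc_set_item" && $2 == "ROLE" && $3 == r && $4 == it && $5 == t {
            for (i = 6; i <= NF; i++) print $i
        }' | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# roles_with RIGHT ITEM TYPE: role numbers granted RIGHT on that target type.
roles_with() {
    printf '%s\n' "$POLICY" | awk -v want="$1" -v it="$2" -v t="$3" '
        $1 == "rc_set_item" && $2 == "ROLE" && $4 == it && $5 == t {
            for (i = 6; i <= NF; i++) if ($i == want) print $3
        }' | sort -nu | tr '\n' ' ' | sed 's/ $//'
}

# modifiers ITEM TYPE: roles holding at least one modifying right.
modifiers() {
    for right in $MODIFYING; do roles_with "$right" "$1" "$2"; echo; done |
        tr ' ' '\n' | grep . | sort -nu | tr '\n' ' ' | sed 's/ $//'
}

echo "roles that can modify Syslog_FD (type 10): $(modifiers type_comp_fd 10)"
echo "role 9 rights on type 10: $(rights_of 9 type_comp_fd 10)"
```
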