| type cros_rsyslogd, chromeos_domain, cros_log_file_creator_domain, domain; |
| |
| from_minijail_static(cros_rsyslogd, cros_rsyslogd_exec); |
| log_writer(cros_rsyslogd); |
| cros_net(cros_rsyslogd); |
| |
| pid_file(cros_rsyslogd, {tmpfs cros_minijail_minijail_tmp_file}, "rsyslogd.pid.tmp"); |
| |
| filetrans_pattern(cros_rsyslogd, cros_run_journal, logger_device, sock_file, "syslog"); |
| allow cros_rsyslogd logger_device:sock_file create_file_perms; |
| |
| filetrans_pattern(cros_rsyslogd, cros_run_rsyslogd, logger_device, sock_file, "stdout"); |
| allow cros_rsyslogd logger_device:sock_file create_file_perms; |
| |
| allow cros_rsyslogd cros_run_rsyslogd:file create_file_perms; |
| allow cros_rsyslogd cros_run_rsyslogd:dir create_dir_perms; |
| allow cros_rsyslogd cros_run_rsyslogd:sock_file create_file_perms; |
| |
| allow cros_rsyslogd cros_log_type:file rw_file_perms; |
| |
| allow cros_rsyslogd cros_passwd_file:file r_file_perms; |
| |
| allow cros_rsyslogd proc_kmsg:file r_file_perms; |
| |
| allow cros_rsyslogd kernel:system syslog_mod; |
| allow cros_rsyslogd self:capability2 syslog; |
| |
| allow cros_rsyslogd self:capability { setuid setgid }; |
| |
| # TODO: until all log creators are confined and has logs in separate log file type |
| # This will be necessary to allow "unknown" new logs to be written. |
| allow cros_rsyslogd cros_var_log:file rw_file_perms; |