rpms / selinux-policy

Clone
Source Code
GIT

Blame mls/domains/program/auditd.te

c10s-sig-hyperscale c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-atomic c7-beta c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta c9s-sig-hyperscale
  1.   e2e98665379663b82320134fe53b5590dedd8d57
  2.   mls
  3.   domains
  4.   program
  5.   auditd.te
Blob History Raw
Chris PeBenito 31b7c0 
#DESC auditd - System auditing daemon
Chris PeBenito 31b7c0 
#
Chris PeBenito 31b7c0 
# Authors: Colin Walters <walters@verbum.org>
Chris PeBenito 31b7c0 
#
Chris PeBenito 31b7c0 
# Some fixes by Paul Moore <paul.moore@hp.com>
Chris PeBenito 31b7c0 
#
Chris PeBenito 31b7c0 
define(`audit_manager_domain', `
Chris PeBenito 31b7c0 
allow $1 auditd_etc_t:file rw_file_perms;
Chris PeBenito 31b7c0 
create_dir_file($1, auditd_log_t)
Chris PeBenito 31b7c0 
domain_auto_trans($1, auditctl_exec_t, auditctl_t)
Chris PeBenito 31b7c0 
')
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
daemon_domain(auditd)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
ifdef(`mls_policy', `
Chris PeBenito 31b7c0 
# run at the highest MLS level
Chris PeBenito 31b7c0 
typeattribute auditd_t mlsrangetrans;
Chris PeBenito 31b7c0 
range_transition initrc_t auditd_exec_t s15:c0.c255;
Chris PeBenito 31b7c0 
')
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
Chris PeBenito 31b7c0 
allow auditd_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito 31b7c0 
allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
Chris PeBenito 31b7c0 
allow auditd_t self:process setsched;
Chris PeBenito 31b7c0 
allow auditd_t self:file { getattr read write };
Chris PeBenito 31b7c0 
allow auditd_t etc_t:file { getattr read };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
# Do not use logdir_domain since this is a security file
Chris PeBenito 31b7c0 
type auditd_log_t, file_type, secure_file_type;
Chris PeBenito 31b7c0 
allow auditd_t var_log_t:dir search;
Chris PeBenito 31b7c0 
rw_dir_create_file(auditd_t, auditd_log_t)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
can_exec(auditd_t, init_exec_t)
Chris PeBenito 31b7c0 
allow auditd_t initctl_t:fifo_file write;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
ifdef(`targeted_policy', `
Chris PeBenito 31b7c0 
dontaudit auditd_t unconfined_t:fifo_file read;
Chris PeBenito 31b7c0 
')
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
type auditctl_t, domain, privlog;
Chris PeBenito 31b7c0 
type auditctl_exec_t, file_type, exec_type, sysadmfile;
Chris PeBenito 31b7c0 
uses_shlib(auditctl_t)
Chris PeBenito 31b7c0 
allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
Chris PeBenito 31b7c0 
allow auditctl_t self:capability { audit_write audit_control };
Chris PeBenito 31b7c0 
allow auditctl_t etc_t:file { getattr read };
Chris PeBenito 31b7c0 
allow auditctl_t admin_tty_type:chr_file rw_file_perms;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
type auditd_etc_t, file_type, secure_file_type;
Chris PeBenito 31b7c0 
allow { auditd_t auditctl_t } auditd_etc_t:file r_file_perms;
Chris PeBenito 31b7c0 
allow initrc_t auditd_etc_t:file r_file_perms;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
role secadm_r types auditctl_t;
Chris PeBenito 31b7c0 
role sysadm_r types auditctl_t;
Chris PeBenito 31b7c0 
audit_manager_domain(secadm_t)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
ifdef(`targeted_policy', `', `
Chris PeBenito 31b7c0 
ifdef(`separate_secadm', `', `
Chris PeBenito 31b7c0 
audit_manager_domain(sysadm_t)
Chris PeBenito 31b7c0 
')
Chris PeBenito 31b7c0 
')
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
role system_r types auditctl_t;
Chris PeBenito 31b7c0 
domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
dontaudit auditctl_t local_login_t:fd use;
Chris PeBenito 31b7c0 
allow auditctl_t proc_t:dir search;
Chris PeBenito 31b7c0 
allow auditctl_t sysctl_kernel_t:dir search;
Chris PeBenito 31b7c0 
allow auditctl_t sysctl_kernel_t:file { getattr read };
Chris PeBenito 31b7c0 
dontaudit auditctl_t init_t:fd use;
Chris PeBenito 31b7c0 
allow auditctl_t initrc_devpts_t:chr_file { read write };
Chris PeBenito 31b7c0 
allow auditctl_t privfd:fd use;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
allow auditd_t sbin_t:dir search;
Chris PeBenito 31b7c0 
can_exec(auditd_t, sbin_t)
Chris PeBenito 31b7c0 
allow auditd_t self:fifo_file rw_file_perms;

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation