#DESC auditd - System auditing daemon

#

# Authors: Colin Walters <walters@verbum.org>

#

# Some fixes by Paul Moore <paul.moore@hp.com>

# 

define(`audit_manager_domain', `

allow $1 auditd_etc_t:file rw_file_perms;

create_dir_file($1, auditd_log_t)

domain_auto_trans($1, auditctl_exec_t, auditctl_t)

')

daemon_domain(auditd)

allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };

allow auditd_t self:unix_dgram_socket create_socket_perms;

allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };

allow auditd_t self:process setsched;

allow auditd_t self:file { getattr read write };

allow auditd_t etc_t:file { getattr read };

# Do not use logdir_domain since this is a security file

type auditd_log_t, file_type, secure_file_type;

allow auditd_t var_log_t:dir search;

rw_dir_create_file(auditd_t, auditd_log_t)

can_exec(auditd_t, init_exec_t)

allow auditd_t initctl_t:fifo_file write;

ifdef(`targeted_policy', `

dontaudit auditd_t unconfined_t:fifo_file read;

')

type auditctl_t, domain, privlog;

type auditctl_exec_t, file_type, exec_type, sysadmfile;

uses_shlib(auditctl_t)

allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };

allow auditctl_t self:capability { audit_write audit_control };

allow auditctl_t etc_t:file { getattr read };

allow auditctl_t admin_tty_type:chr_file rw_file_perms;

type auditd_etc_t, file_type, secure_file_type;

allow { auditd_t auditctl_t } auditd_etc_t:file r_file_perms;

allow initrc_t auditd_etc_t:file r_file_perms;

role secadm_r types auditctl_t;

role sysadm_r types auditctl_t;

audit_manager_domain(secadm_t)

ifdef(`targeted_policy', `', `

ifdef(`separate_secadm', `', `

audit_manager_domain(sysadm_t)

') 

')

role system_r types auditctl_t;

domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t)

dontaudit auditctl_t local_login_t:fd use;

allow auditctl_t proc_t:dir search;

allow auditctl_t sysctl_kernel_t:dir search;

allow auditctl_t sysctl_kernel_t:file { getattr read };

dontaudit auditctl_t init_t:fd use; 

allow auditctl_t initrc_devpts_t:chr_file { read write };

allow auditctl_t privfd:fd use;

allow auditd_t sbin_t:dir search;

can_exec(auditd_t, sbin_t)