Tree - rpms/selinux-policy - CentOS Git server

rpms / selinux-policy

Blame targeted/domains/program/auditd.te

Blob History Raw

Chris PeBenito	ab58ad	`#DESC auditd - System auditing daemon`
Chris PeBenito	ab58ad	`#`
Chris PeBenito	ab58ad	`# Authors: Colin Walters <walters@verbum.org>`
Chris PeBenito	ab58ad	`#`
Chris PeBenito	ab58ad	`# Some fixes by Paul Moore <paul.moore@hp.com>`
Chris PeBenito	ab58ad	`#`
Chris PeBenito	ab58ad	define(`audit_manager_domain', `
Chris PeBenito	ab58ad	`allow $1 auditd_etc_t:file rw_file_perms;`
Chris PeBenito	ab58ad	`create_dir_file($1, auditd_log_t)`
Chris PeBenito	ab58ad	`domain_auto_trans($1, auditctl_exec_t, auditctl_t)`
Chris PeBenito	ab58ad	`')`
Chris PeBenito	ab58ad
Chris PeBenito	ab58ad	`daemon_domain(auditd)`
Chris PeBenito	ab58ad
Chris PeBenito	ab58ad	`allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };`
Chris PeBenito	ab58ad	`allow auditd_t self:unix_dgram_socket create_socket_perms;`
Chris PeBenito	ab58ad	`allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };`
Chris PeBenito	ab58ad	`allow auditd_t self:process setsched;`
Chris PeBenito	ab58ad	`allow auditd_t self:file { getattr read write };`
Chris PeBenito	ab58ad	`allow auditd_t etc_t:file { getattr read };`
Chris PeBenito	ab58ad
Chris PeBenito	ab58ad	`# Do not use logdir_domain since this is a security file`
Chris PeBenito	ab58ad	`type auditd_log_t, file_type, secure_file_type;`
Chris PeBenito	ab58ad	`allow auditd_t var_log_t:dir search;`
Chris PeBenito	ab58ad	`rw_dir_create_file(auditd_t, auditd_log_t)`
Chris PeBenito	ab58ad
Chris PeBenito	ab58ad	`can_exec(auditd_t, init_exec_t)`
Chris PeBenito	ab58ad	`allow auditd_t initctl_t:fifo_file write;`
Chris PeBenito	ab58ad
Chris PeBenito	ab58ad	ifdef(`targeted_policy', `
Chris PeBenito	ab58ad	`dontaudit auditd_t unconfined_t:fifo_file read;`
Chris PeBenito	ab58ad	`')`
Chris PeBenito	ab58ad
Chris PeBenito	ab58ad	`type auditctl_t, domain, privlog;`
Chris PeBenito	ab58ad	`type auditctl_exec_t, file_type, exec_type, sysadmfile;`
Chris PeBenito	ab58ad	`uses_shlib(auditctl_t)`
Chris PeBenito	ab58ad	`allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };`
Chris PeBenito	ab58ad	`allow auditctl_t self:capability { audit_write audit_control };`
Chris PeBenito	ab58ad	`allow auditctl_t etc_t:file { getattr read };`
Chris PeBenito	ab58ad	`allow auditctl_t admin_tty_type:chr_file rw_file_perms;`
Chris PeBenito	ab58ad
Chris PeBenito	ab58ad	`type auditd_etc_t, file_type, secure_file_type;`
Chris PeBenito	ab58ad	`allow { auditd_t auditctl_t } auditd_etc_t:file r_file_perms;`
Chris PeBenito	ab58ad	`allow initrc_t auditd_etc_t:file r_file_perms;`
Chris PeBenito	ab58ad
Chris PeBenito	ab58ad	`role secadm_r types auditctl_t;`
Chris PeBenito	ab58ad	`role sysadm_r types auditctl_t;`
Chris PeBenito	ab58ad	`audit_manager_domain(secadm_t)`
Chris PeBenito	ab58ad
Chris PeBenito	ab58ad	ifdef(`targeted_policy', `', `
Chris PeBenito	ab58ad	ifdef(`separate_secadm', `', `
Chris PeBenito	ab58ad	`audit_manager_domain(sysadm_t)`
Chris PeBenito	ab58ad	`')`
Chris PeBenito	ab58ad	`')`
Chris PeBenito	ab58ad
Chris PeBenito	ab58ad	`role system_r types auditctl_t;`
Chris PeBenito	ab58ad	`domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t)`
Chris PeBenito	ab58ad
Chris PeBenito	ab58ad	`dontaudit auditctl_t local_login_t:fd use;`
Chris PeBenito	ab58ad	`allow auditctl_t proc_t:dir search;`
Chris PeBenito	ab58ad	`allow auditctl_t sysctl_kernel_t:dir search;`
Chris PeBenito	ab58ad	`allow auditctl_t sysctl_kernel_t:file { getattr read };`
Chris PeBenito	ab58ad	`dontaudit auditctl_t init_t:fd use;`
Chris PeBenito	ab58ad	`allow auditctl_t initrc_devpts_t:chr_file { read write };`
Chris PeBenito	ab58ad	`allow auditctl_t privfd:fd use;`
Chris PeBenito	ab58ad
Chris PeBenito	ab58ad
Chris PeBenito	ab58ad	`allow auditd_t sbin_t:dir search;`
Chris PeBenito	ab58ad	`can_exec(auditd_t, sbin_t)`

rpms / selinux-policy

Source Code

Blame targeted/domains/program/auditd.te