Blob Blame History Raw
#DESC auditd - System auditing daemon
#
# Authors: Colin Walters <walters@verbum.org>
#
# Some fixes by Paul Moore <paul.moore@hp.com>
# 
define(`audit_manager_domain', `
allow $1 auditd_etc_t:file rw_file_perms;
create_dir_file($1, auditd_log_t)
domain_auto_trans($1, auditctl_exec_t, auditctl_t)
')

daemon_domain(auditd)

ifdef(`mls_policy', `
# run at the highest MLS level
typeattribute auditd_t mlsrangetrans;
range_transition initrc_t auditd_exec_t s15:c0.c255;
')

allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
allow auditd_t self:unix_dgram_socket create_socket_perms;
allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
allow auditd_t self:process setsched;
allow auditd_t self:file { getattr read write };
allow auditd_t etc_t:file { getattr read };

# Do not use logdir_domain since this is a security file
type auditd_log_t, file_type, secure_file_type;
allow auditd_t var_log_t:dir search;
rw_dir_create_file(auditd_t, auditd_log_t)

can_exec(auditd_t, init_exec_t)
allow auditd_t initctl_t:fifo_file write;

ifdef(`targeted_policy', `
dontaudit auditd_t unconfined_t:fifo_file read;
')

type auditctl_t, domain, privlog;
type auditctl_exec_t, file_type, exec_type, sysadmfile;
uses_shlib(auditctl_t)
allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
allow auditctl_t self:capability { audit_write audit_control };
allow auditctl_t etc_t:file { getattr read };
allow auditctl_t admin_tty_type:chr_file rw_file_perms;

type auditd_etc_t, file_type, secure_file_type;
allow { auditd_t auditctl_t } auditd_etc_t:file r_file_perms;
allow initrc_t auditd_etc_t:file r_file_perms;

role secadm_r types auditctl_t;
role sysadm_r types auditctl_t;
audit_manager_domain(secadm_t)

ifdef(`targeted_policy', `', `
ifdef(`separate_secadm', `', `
audit_manager_domain(sysadm_t)
') 
')

role system_r types auditctl_t;
domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t)

dontaudit auditctl_t local_login_t:fd use;
allow auditctl_t proc_t:dir search;
allow auditctl_t sysctl_kernel_t:dir search;
allow auditctl_t sysctl_kernel_t:file { getattr read };
dontaudit auditctl_t init_t:fd use; 
allow auditctl_t initrc_devpts_t:chr_file { read write };
allow auditctl_t privfd:fd use;


allow auditd_t sbin_t:dir search;
can_exec(auditd_t, sbin_t)
allow auditd_t self:fifo_file rw_file_perms;