From 9a66d4e562c30a74e7a61a13e83fd51792483305 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Aug 05 2005 14:32:12 +0000 Subject: add acct --- diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 0ab624a..7e934e3 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -4,6 +4,7 @@ * Rename inetd connect interface for consistency. * Misc. cleanups. * Added policies: + acct mysql 20050802 (2 Aug 2005) diff --git a/refpolicy/policy/modules/admin/acct.fc b/refpolicy/policy/modules/admin/acct.fc new file mode 100644 index 0000000..4edd465 --- /dev/null +++ b/refpolicy/policy/modules/admin/acct.fc @@ -0,0 +1,8 @@ + +/etc/cron\.(daily|monthly)/acct -- context_template(system_u:object_r:acct_exec_t,s0) + +/sbin/accton -- context_template(system_u:object_r:acct_exec_t,s0) + +/usr/sbin/accton -- context_template(system_u:object_r:acct_exec_t,s0) + +/var/account(/.*)? context_template(system_u:object_r:acct_data_t,s0) diff --git a/refpolicy/policy/modules/admin/acct.if b/refpolicy/policy/modules/admin/acct.if new file mode 100644 index 0000000..fe69889 --- /dev/null +++ b/refpolicy/policy/modules/admin/acct.if @@ -0,0 +1,84 @@ +## Berkeley process accounting + +######################################## +## +## Transition to the accounting management domain. +## +## +## Domain allowed access. +## +# +interface(`acct_domtrans',` + gen_require(` + type acct_t, acct_exec_t; + class process sigchld; + class fd use; + class fifo_file rw_file_perms; + ') + + corecmd_search_sbin($1) + domain_auto_trans($1,acct_exec_t,acct_t) + + allow $1 acct_t:fd use; + allow acct_t $1:fd use; + allow acct_t $1:fifo_file rw_file_perms; + allow acct_t $1:process sigchld; +') + +######################################## +## +## Execute accounting management tools in the caller domain. +## +## +## The type of the process performing this action. +## +# +interface(`acct_exec',` + gen_require(` + type acct_exec_t; + ') + + corecmd_search_sbin($1) + can_exec($1,acct_exec_t) +') + +######################################## +## +## Execute accounting management data in the caller domain. +## +## +## The type of the process performing this action. +## +# +# cjp: this is added for logrotate, and does +# not make sense to me. +interface(`acct_exec_data',` + gen_require(` + type acct_data_t; + ') + + files_search_var($1) + can_exec($1,acct_data_t) +') + +######################################## +## +## Create, read, write, and delete process accounting data. +## +## +## The type of the process performing this action. +## +# +interface(`acct_manage_data',` + gen_require(` + type acct_data_t; + class dir rw_dir_perms; + class file create_file_perms; + class lnk_file create_lnk_perms; + ') + + files_search_var($1) + allow $1 acct_data_t:dir rw_dir_perms; + allow $1 acct_data_t:file create_file_perms; + allow $1 acct_data_t:lnk_file create_lnk_perms; +') diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te new file mode 100644 index 0000000..c8098d7 --- /dev/null +++ b/refpolicy/policy/modules/admin/acct.te @@ -0,0 +1,98 @@ + +policy_module(acct,1.0) + +######################################## +# +# Declarations +# + +type acct_t; +type acct_exec_t; +init_daemon_domain(acct_t,acct_exec_t) + +type acct_data_t; +files_type(acct_data_t) + +######################################## +# +# Local Policy +# + +# gzip needs chown capability for some reason +allow acct_t self:capability { sys_pacct chown fsetid }; +# not sure why we need kill, the command "last" is reported as using it +dontaudit acct_t self:capability { kill sys_tty_config }; + +allow acct_t self:fifo_file { read write getattr }; +allow acct_t self:process signal_perms; + +allow acct_t acct_data_t:dir rw_dir_perms; +allow acct_t acct_data_t:file create_file_perms; +allow acct_t acct_data_t:lnk_file create_lnk_perms; + +can_exec(acct_t,acct_exec_t) + +kernel_list_proc(acct_t) +kernel_read_system_state(acct_t) +kernel_read_kernel_sysctl(acct_t) + +dev_read_sysfs(acct_t) +# for SSP +dev_read_urand(acct_t) + +fs_search_auto_mountpoints(acct_t) +fs_getattr_xattr_fs(acct_t) + +term_dontaudit_use_console(acct_t) + +corecmd_exec_bin(acct_t) +corecmd_exec_shell(acct_t) + +domain_use_wide_inherit_fd(acct_t) + +files_read_etc_files(acct_t) +files_read_etc_runtime_files(acct_t) +# for nscd +files_dontaudit_getattr_pid_dir(acct_t) + +init_use_fd(acct_t) +init_use_script_pty(acct_t) +init_exec_script(acct_t) + +libs_use_ld_so(acct_t) +libs_use_shared_libs(acct_t) + +logging_send_syslog_msg(acct_t) + +miscfiles_read_localization(acct_t) + +userdom_dontaudit_search_sysadm_home_dir(acct_t) +userdom_dontaudit_use_unpriv_user_fd(acct_t) + +ifdef(`targeted_policy',` + term_dontaudit_use_unallocated_tty(acct_t) + term_dontaudit_use_generic_pty(acct_t) + files_dontaudit_read_root_file(acct_t) +') + +optional_policy(`cron.te',` + optional_policy(`authlogin.te',` + # for monthly cron job + auth_create_login_records(acct_t) + auth_manage_login_records(acct_t) + ') + + cron_system_entry(acct_t,acct_exec_t) +') + +optional_policy(`rhgb.te',` + rhgb_domain(acct_t) +') + +optional_policy(`selinuxutil.te',` + seutil_sigchld_newrole(acct_t) +') + +optional_policy(`udev.te', ` + udev_read_db(acct_t) +') diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te index 16b8130..c11e1a4 100644 --- a/refpolicy/policy/modules/admin/logrotate.te +++ b/refpolicy/policy/modules/admin/logrotate.te @@ -113,6 +113,12 @@ ifdef(`distro_debian', ` can_exec(logrotate_t, logrotate_exec_t) ') +optional_policy(`acct.te',` + acct_domtrans(logrotate_t) + acct_manage_data(logrotate_t) + acct_exec_data(logrotate_t) +') + optional_policy(`consoletype.te',` consoletype_exec(logrotate_t) diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 9cc216e..cc296e6 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -671,6 +671,18 @@ interface(`auth_rw_login_records',` ####################################### # +# auth_create_login_records(domain) +# +interface(`auth_create_login_records',` + gen_require(` + type wtmp_t; + ') + + logging_create_log($1,wtmp_t,file) +') + +####################################### +# # auth_manage_login_records(domain) # interface(`auth_manage_login_records',`