policy_module(acct, 1.2.0) ######################################## # # Declarations # type acct_t; type acct_exec_t; init_system_domain(acct_t, acct_exec_t) type acct_data_t; logging_log_file(acct_data_t) ######################################## # # Local Policy # # gzip needs chown capability for some reason allow acct_t self:capability { sys_pacct chown fsetid }; # not sure why we need kill, the command "last" is reported as using it dontaudit acct_t self:capability { kill sys_tty_config }; allow acct_t self:fifo_file rw_fifo_file_perms; allow acct_t self:process signal_perms; manage_files_pattern(acct_t, acct_data_t, acct_data_t) manage_lnk_files_pattern(acct_t, acct_data_t, acct_data_t) can_exec(acct_t, acct_exec_t) kernel_list_proc(acct_t) kernel_read_system_state(acct_t) kernel_read_kernel_sysctls(acct_t) dev_read_sysfs(acct_t) # for SSP dev_read_urand(acct_t) fs_search_auto_mountpoints(acct_t) fs_getattr_xattr_fs(acct_t) term_dontaudit_use_console(acct_t) corecmd_exec_bin(acct_t) corecmd_exec_shell(acct_t) domain_use_interactive_fds(acct_t) files_read_etc_files(acct_t) files_read_etc_runtime_files(acct_t) files_list_usr(acct_t) # for nscd files_dontaudit_search_pids(acct_t) init_use_fds(acct_t) init_use_script_ptys(acct_t) init_exec_script_files(acct_t) logging_send_syslog_msg(acct_t) miscfiles_read_localization(acct_t) userdom_dontaudit_use_unpriv_user_fds(acct_t) sysadm_dontaudit_search_home_dirs(acct_t) optional_policy(` optional_policy(` # for monthly cron job auth_log_filetrans_login_records(acct_t) auth_manage_login_records(acct_t) ') cron_system_entry(acct_t, acct_exec_t) ') optional_policy(` nscd_socket_use(acct_t) ') optional_policy(` seutil_sigchld_newrole(acct_t) ') optional_policy(` udev_read_db(acct_t) ')