99 lines
2.0 KiB
Plaintext
99 lines
2.0 KiB
Plaintext
|
|
||
|
policy_module(acct,1.0)
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# Declarations
|
||
|
#
|
||
|
|
||
|
type acct_t;
|
||
|
type acct_exec_t;
|
||
|
init_daemon_domain(acct_t,acct_exec_t)
|
||
|
|
||
|
type acct_data_t;
|
||
|
files_type(acct_data_t)
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# Local Policy
|
||
|
#
|
||
|
|
||
|
# gzip needs chown capability for some reason
|
||
|
allow acct_t self:capability { sys_pacct chown fsetid };
|
||
|
# not sure why we need kill, the command "last" is reported as using it
|
||
|
dontaudit acct_t self:capability { kill sys_tty_config };
|
||
|
|
||
|
allow acct_t self:fifo_file { read write getattr };
|
||
|
allow acct_t self:process signal_perms;
|
||
|
|
||
|
allow acct_t acct_data_t:dir rw_dir_perms;
|
||
|
allow acct_t acct_data_t:file create_file_perms;
|
||
|
allow acct_t acct_data_t:lnk_file create_lnk_perms;
|
||
|
|
||
|
can_exec(acct_t,acct_exec_t)
|
||
|
|
||
|
kernel_list_proc(acct_t)
|
||
|
kernel_read_system_state(acct_t)
|
||
|
kernel_read_kernel_sysctl(acct_t)
|
||
|
|
||
|
dev_read_sysfs(acct_t)
|
||
|
# for SSP
|
||
|
dev_read_urand(acct_t)
|
||
|
|
||
|
fs_search_auto_mountpoints(acct_t)
|
||
|
fs_getattr_xattr_fs(acct_t)
|
||
|
|
||
|
term_dontaudit_use_console(acct_t)
|
||
|
|
||
|
corecmd_exec_bin(acct_t)
|
||
|
corecmd_exec_shell(acct_t)
|
||
|
|
||
|
domain_use_wide_inherit_fd(acct_t)
|
||
|
|
||
|
files_read_etc_files(acct_t)
|
||
|
files_read_etc_runtime_files(acct_t)
|
||
|
# for nscd
|
||
|
files_dontaudit_getattr_pid_dir(acct_t)
|
||
|
|
||
|
init_use_fd(acct_t)
|
||
|
init_use_script_pty(acct_t)
|
||
|
init_exec_script(acct_t)
|
||
|
|
||
|
libs_use_ld_so(acct_t)
|
||
|
libs_use_shared_libs(acct_t)
|
||
|
|
||
|
logging_send_syslog_msg(acct_t)
|
||
|
|
||
|
miscfiles_read_localization(acct_t)
|
||
|
|
||
|
userdom_dontaudit_search_sysadm_home_dir(acct_t)
|
||
|
userdom_dontaudit_use_unpriv_user_fd(acct_t)
|
||
|
|
||
|
ifdef(`targeted_policy',`
|
||
|
term_dontaudit_use_unallocated_tty(acct_t)
|
||
|
term_dontaudit_use_generic_pty(acct_t)
|
||
|
files_dontaudit_read_root_file(acct_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`cron.te',`
|
||
|
optional_policy(`authlogin.te',`
|
||
|
# for monthly cron job
|
||
|
auth_create_login_records(acct_t)
|
||
|
auth_manage_login_records(acct_t)
|
||
|
')
|
||
|
|
||
|
cron_system_entry(acct_t,acct_exec_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`rhgb.te',`
|
||
|
rhgb_domain(acct_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`selinuxutil.te',`
|
||
|
seutil_sigchld_newrole(acct_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`udev.te', `
|
||
|
udev_read_db(acct_t)
|
||
|
')
|