add acct
This commit is contained in:
parent
3fd8336882
commit
9a66d4e562
@ -4,6 +4,7 @@
|
||||
* Rename inetd connect interface for consistency.
|
||||
* Misc. cleanups.
|
||||
* Added policies:
|
||||
acct
|
||||
mysql
|
||||
|
||||
20050802 (2 Aug 2005)
|
||||
|
8
refpolicy/policy/modules/admin/acct.fc
Normal file
8
refpolicy/policy/modules/admin/acct.fc
Normal file
@ -0,0 +1,8 @@
|
||||
|
||||
/etc/cron\.(daily|monthly)/acct -- context_template(system_u:object_r:acct_exec_t,s0)
|
||||
|
||||
/sbin/accton -- context_template(system_u:object_r:acct_exec_t,s0)
|
||||
|
||||
/usr/sbin/accton -- context_template(system_u:object_r:acct_exec_t,s0)
|
||||
|
||||
/var/account(/.*)? context_template(system_u:object_r:acct_data_t,s0)
|
84
refpolicy/policy/modules/admin/acct.if
Normal file
84
refpolicy/policy/modules/admin/acct.if
Normal file
@ -0,0 +1,84 @@
|
||||
## <summary>Berkeley process accounting</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Transition to the accounting management domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`acct_domtrans',`
|
||||
gen_require(`
|
||||
type acct_t, acct_exec_t;
|
||||
class process sigchld;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
domain_auto_trans($1,acct_exec_t,acct_t)
|
||||
|
||||
allow $1 acct_t:fd use;
|
||||
allow acct_t $1:fd use;
|
||||
allow acct_t $1:fifo_file rw_file_perms;
|
||||
allow acct_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute accounting management tools in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`acct_exec',`
|
||||
gen_require(`
|
||||
type acct_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
can_exec($1,acct_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute accounting management data in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
# cjp: this is added for logrotate, and does
|
||||
# not make sense to me.
|
||||
interface(`acct_exec_data',`
|
||||
gen_require(`
|
||||
type acct_data_t;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
can_exec($1,acct_data_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete process accounting data.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`acct_manage_data',`
|
||||
gen_require(`
|
||||
type acct_data_t;
|
||||
class dir rw_dir_perms;
|
||||
class file create_file_perms;
|
||||
class lnk_file create_lnk_perms;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
allow $1 acct_data_t:dir rw_dir_perms;
|
||||
allow $1 acct_data_t:file create_file_perms;
|
||||
allow $1 acct_data_t:lnk_file create_lnk_perms;
|
||||
')
|
98
refpolicy/policy/modules/admin/acct.te
Normal file
98
refpolicy/policy/modules/admin/acct.te
Normal file
@ -0,0 +1,98 @@
|
||||
|
||||
policy_module(acct,1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type acct_t;
|
||||
type acct_exec_t;
|
||||
init_daemon_domain(acct_t,acct_exec_t)
|
||||
|
||||
type acct_data_t;
|
||||
files_type(acct_data_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local Policy
|
||||
#
|
||||
|
||||
# gzip needs chown capability for some reason
|
||||
allow acct_t self:capability { sys_pacct chown fsetid };
|
||||
# not sure why we need kill, the command "last" is reported as using it
|
||||
dontaudit acct_t self:capability { kill sys_tty_config };
|
||||
|
||||
allow acct_t self:fifo_file { read write getattr };
|
||||
allow acct_t self:process signal_perms;
|
||||
|
||||
allow acct_t acct_data_t:dir rw_dir_perms;
|
||||
allow acct_t acct_data_t:file create_file_perms;
|
||||
allow acct_t acct_data_t:lnk_file create_lnk_perms;
|
||||
|
||||
can_exec(acct_t,acct_exec_t)
|
||||
|
||||
kernel_list_proc(acct_t)
|
||||
kernel_read_system_state(acct_t)
|
||||
kernel_read_kernel_sysctl(acct_t)
|
||||
|
||||
dev_read_sysfs(acct_t)
|
||||
# for SSP
|
||||
dev_read_urand(acct_t)
|
||||
|
||||
fs_search_auto_mountpoints(acct_t)
|
||||
fs_getattr_xattr_fs(acct_t)
|
||||
|
||||
term_dontaudit_use_console(acct_t)
|
||||
|
||||
corecmd_exec_bin(acct_t)
|
||||
corecmd_exec_shell(acct_t)
|
||||
|
||||
domain_use_wide_inherit_fd(acct_t)
|
||||
|
||||
files_read_etc_files(acct_t)
|
||||
files_read_etc_runtime_files(acct_t)
|
||||
# for nscd
|
||||
files_dontaudit_getattr_pid_dir(acct_t)
|
||||
|
||||
init_use_fd(acct_t)
|
||||
init_use_script_pty(acct_t)
|
||||
init_exec_script(acct_t)
|
||||
|
||||
libs_use_ld_so(acct_t)
|
||||
libs_use_shared_libs(acct_t)
|
||||
|
||||
logging_send_syslog_msg(acct_t)
|
||||
|
||||
miscfiles_read_localization(acct_t)
|
||||
|
||||
userdom_dontaudit_search_sysadm_home_dir(acct_t)
|
||||
userdom_dontaudit_use_unpriv_user_fd(acct_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_tty(acct_t)
|
||||
term_dontaudit_use_generic_pty(acct_t)
|
||||
files_dontaudit_read_root_file(acct_t)
|
||||
')
|
||||
|
||||
optional_policy(`cron.te',`
|
||||
optional_policy(`authlogin.te',`
|
||||
# for monthly cron job
|
||||
auth_create_login_records(acct_t)
|
||||
auth_manage_login_records(acct_t)
|
||||
')
|
||||
|
||||
cron_system_entry(acct_t,acct_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(acct_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(acct_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
udev_read_db(acct_t)
|
||||
')
|
@ -113,6 +113,12 @@ ifdef(`distro_debian', `
|
||||
can_exec(logrotate_t, logrotate_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`acct.te',`
|
||||
acct_domtrans(logrotate_t)
|
||||
acct_manage_data(logrotate_t)
|
||||
acct_exec_data(logrotate_t)
|
||||
')
|
||||
|
||||
optional_policy(`consoletype.te',`
|
||||
consoletype_exec(logrotate_t)
|
||||
|
||||
|
@ -669,6 +669,18 @@ interface(`auth_rw_login_records',`
|
||||
logging_search_logs($1)
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# auth_create_login_records(domain)
|
||||
#
|
||||
interface(`auth_create_login_records',`
|
||||
gen_require(`
|
||||
type wtmp_t;
|
||||
')
|
||||
|
||||
logging_create_log($1,wtmp_t,file)
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# auth_manage_login_records(domain)
|
||||
|
Loading…
Reference in New Issue
Block a user