From 9a66d4e562c30a74e7a61a13e83fd51792483305 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Fri, 5 Aug 2005 14:32:12 +0000
Subject: [PATCH] add acct

---
 refpolicy/Changelog                          |  1 +
 refpolicy/policy/modules/admin/acct.fc       |  8 ++
 refpolicy/policy/modules/admin/acct.if       | 84 +++++++++++++++++
 refpolicy/policy/modules/admin/acct.te       | 98 ++++++++++++++++++++
 refpolicy/policy/modules/admin/logrotate.te  |  6 ++
 refpolicy/policy/modules/system/authlogin.if | 12 +++
 6 files changed, 209 insertions(+)
 create mode 100644 refpolicy/policy/modules/admin/acct.fc
 create mode 100644 refpolicy/policy/modules/admin/acct.if
 create mode 100644 refpolicy/policy/modules/admin/acct.te

diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 0ab624a5..7e934e3a 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -4,6 +4,7 @@
 	* Rename inetd connect interface for consistency.
 	* Misc. cleanups.
 	* Added policies:
+		acct
 		mysql
 
 20050802 (2 Aug 2005)
diff --git a/refpolicy/policy/modules/admin/acct.fc b/refpolicy/policy/modules/admin/acct.fc
new file mode 100644
index 00000000..4edd4658
--- /dev/null
+++ b/refpolicy/policy/modules/admin/acct.fc
@@ -0,0 +1,8 @@
+
+/etc/cron\.(daily|monthly)/acct -- context_template(system_u:object_r:acct_exec_t,s0)
+
+/sbin/accton		--	context_template(system_u:object_r:acct_exec_t,s0)
+
+/usr/sbin/accton	--	context_template(system_u:object_r:acct_exec_t,s0)
+
+/var/account(/.*)?		context_template(system_u:object_r:acct_data_t,s0)
diff --git a/refpolicy/policy/modules/admin/acct.if b/refpolicy/policy/modules/admin/acct.if
new file mode 100644
index 00000000..fe69889e
--- /dev/null
+++ b/refpolicy/policy/modules/admin/acct.if
@@ -0,0 +1,84 @@
+## <summary>Berkeley process accounting</summary>
+
+########################################
+## <summary>
+##	Transition to the accounting management domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`acct_domtrans',`
+	gen_require(`
+		type acct_t, acct_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,acct_exec_t,acct_t)
+
+	allow $1 acct_t:fd use;
+	allow acct_t $1:fd use;
+	allow acct_t $1:fifo_file rw_file_perms;
+	allow acct_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute accounting management tools in the caller domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`acct_exec',`
+	gen_require(`
+		type acct_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	can_exec($1,acct_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute accounting management data in the caller domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+# cjp: this is added for logrotate, and does
+# not make sense to me.
+interface(`acct_exec_data',`
+	gen_require(`
+		type acct_data_t;
+	')
+
+	files_search_var($1)
+	can_exec($1,acct_data_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete process accounting data.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`acct_manage_data',`
+	gen_require(`
+		type acct_data_t;
+		class dir rw_dir_perms;
+		class file create_file_perms;
+		class lnk_file create_lnk_perms;
+	')
+
+	files_search_var($1)
+	allow $1 acct_data_t:dir rw_dir_perms;
+	allow $1 acct_data_t:file create_file_perms;
+	allow $1 acct_data_t:lnk_file create_lnk_perms;
+')
diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te
new file mode 100644
index 00000000..c8098d73
--- /dev/null
+++ b/refpolicy/policy/modules/admin/acct.te
@@ -0,0 +1,98 @@
+
+policy_module(acct,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type acct_t;
+type acct_exec_t;
+init_daemon_domain(acct_t,acct_exec_t)
+
+type acct_data_t;
+files_type(acct_data_t)
+
+########################################
+#
+# Local Policy
+#
+
+# gzip needs chown capability for some reason
+allow acct_t self:capability { sys_pacct chown fsetid };
+# not sure why we need kill, the command "last" is reported as using it
+dontaudit acct_t self:capability { kill sys_tty_config };
+
+allow acct_t self:fifo_file { read write getattr };
+allow acct_t self:process signal_perms;
+
+allow acct_t acct_data_t:dir rw_dir_perms;
+allow acct_t acct_data_t:file create_file_perms;
+allow acct_t acct_data_t:lnk_file create_lnk_perms;
+
+can_exec(acct_t,acct_exec_t)
+
+kernel_list_proc(acct_t)
+kernel_read_system_state(acct_t)
+kernel_read_kernel_sysctl(acct_t)
+
+dev_read_sysfs(acct_t)
+# for SSP
+dev_read_urand(acct_t)
+
+fs_search_auto_mountpoints(acct_t)
+fs_getattr_xattr_fs(acct_t)
+
+term_dontaudit_use_console(acct_t)
+
+corecmd_exec_bin(acct_t)
+corecmd_exec_shell(acct_t)
+
+domain_use_wide_inherit_fd(acct_t)
+
+files_read_etc_files(acct_t)
+files_read_etc_runtime_files(acct_t)
+# for nscd
+files_dontaudit_getattr_pid_dir(acct_t)
+
+init_use_fd(acct_t)
+init_use_script_pty(acct_t)
+init_exec_script(acct_t)
+
+libs_use_ld_so(acct_t)
+libs_use_shared_libs(acct_t)
+
+logging_send_syslog_msg(acct_t)
+
+miscfiles_read_localization(acct_t)
+
+userdom_dontaudit_search_sysadm_home_dir(acct_t)
+userdom_dontaudit_use_unpriv_user_fd(acct_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_tty(acct_t)
+	term_dontaudit_use_generic_pty(acct_t)
+	files_dontaudit_read_root_file(acct_t)
+')
+
+optional_policy(`cron.te',`
+	optional_policy(`authlogin.te',`
+		# for monthly cron job
+		auth_create_login_records(acct_t)
+		auth_manage_login_records(acct_t)
+	')
+
+	cron_system_entry(acct_t,acct_exec_t)
+')
+
+optional_policy(`rhgb.te',`
+	rhgb_domain(acct_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(acct_t)
+')
+
+optional_policy(`udev.te', `
+	udev_read_db(acct_t)
+')
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index 16b81302..c11e1a4b 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -113,6 +113,12 @@ ifdef(`distro_debian', `
 	can_exec(logrotate_t, logrotate_exec_t)
 ')
 
+optional_policy(`acct.te',`
+	acct_domtrans(logrotate_t)
+	acct_manage_data(logrotate_t)
+	acct_exec_data(logrotate_t)
+')
+
 optional_policy(`consoletype.te',`
 	consoletype_exec(logrotate_t)
 
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 9cc216e8..cc296e60 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -669,6 +669,18 @@ interface(`auth_rw_login_records',`
 	logging_search_logs($1)
 ')
 
+#######################################
+#
+# auth_create_login_records(domain)
+#
+interface(`auth_create_login_records',`
+	gen_require(`
+		type wtmp_t;
+	')
+
+	logging_create_log($1,wtmp_t,file)
+')
+
 #######################################
 #
 # auth_manage_login_records(domain)