add in some rules from NSA CVS to make targeted policy work
parent
8c3f438f75
commit
a28f6db576
@ -16,7 +16,9 @@ ifdef(`distro_suse', `
|
|||||||
')
|
')
|
||||||
|
|
||||||
/var/log(/.*)? context_template(system_u:object_r:var_log_t,s0)
|
/var/log(/.*)? context_template(system_u:object_r:var_log_t,s0)
|
||||||
/var/log/audit.log context_template(system_u:object_r:auditd_log_t,s0)
|
/var/log/audit.log -- context_template(system_u:object_r:auditd_log_t,s0)
|
||||||
|
|
||||||
|
/var/log/audit(/.*)? context_template(system_u:object_r:auditd_log_t,s0)
|
||||||
|
|
||||||
/var/run/klogd\.pid -- context_template(system_u:object_r:klogd_var_run_t,s0)
|
/var/run/klogd\.pid -- context_template(system_u:object_r:klogd_var_run_t,s0)
|
||||||
/var/run/log -s context_template(system_u:object_r:devlog_t,s0)
|
/var/run/log -s context_template(system_u:object_r:devlog_t,s0)
|
||||||
|
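Review bot: The `.` in `/var/log/audit.log` on the rewritten row is an unescaped regex metacharacter, so the pattern labels any single-character variant of that name (for example `/var/log/audit-log`) as auditd_log_t, whereas `/var/run/klogd\.pid` two rows down escapes it. Since the commit already rewrites this line to add the `--` qualifier, escape the dot at the same time: `/var/log/audit\.log -- context_template(system_u:object_r:auditd_log_t,s0)`. The hunk header shows these rows follow a distro_suse ifdef block whose opening is outside the hunk, so I cannot tell whether the same pattern appears again inside it.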
@ -9,7 +9,7 @@ policy_module(logging,1.0)
|
|||||||
attribute logfile;
|
attribute logfile;
|
||||||
|
|
||||||
type auditd_log_t;
|
type auditd_log_t;
|
||||||
logging_log_file(auditd_log_t)
|
files_type(auditd_log_t)
|
||||||
|
|
||||||
type auditd_t;
|
type auditd_t;
|
||||||
type auditd_exec_t;
|
type auditd_exec_t;
|
||||||
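Review bot: Replacing `logging_log_file(auditd_log_t)` with `files_type(auditd_log_t)` removes auditd_log_t from whatever the logging_log_file() interface granted, presumably the `logfile` attribute declared in the first row of this hunk, so any rule written against that attribute (log readers, rotation) would no longer cover the audit logs, and the hunk gives no hint whether that isolation is intended. If it is, record it next to the declaration, `# not logging_log_file(): keep audit logs out of the generic logfile attribute`; if it is not, the old call should stay. The body of logging_log_file() is not visible here, so the attribute effect is inferred and should be confirmed.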
@ -49,10 +49,12 @@ files_type(var_log_t)
|
|||||||
# Auditd local policy
|
# Auditd local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow auditd_t self:capability { audit_write audit_control };
|
allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
|
||||||
dontaudit auditd_t self:capability sys_tty_config;
|
dontaudit auditd_t self:capability sys_tty_config;
|
||||||
|
allow auditd_t self:process setsched;
|
||||||
allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
|
allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
|
||||||
|
|
||||||
|
allow auditd_t auditd_log_t:dir rw_dir_perms;
|
||||||
allow auditd_t auditd_log_t:file create_file_perms;
|
allow auditd_t auditd_log_t:file create_file_perms;
|
||||||
|
|
||||||
allow auditd_t auditd_var_run_t:file create_file_perms;
|
allow auditd_t auditd_var_run_t:file create_file_perms;
|
||||||
|
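Review bot: `sys_resource`, added to auditd_t's capability set on the rewritten allow line, is a broad capability (it lifts resource limits, well beyond the scheduler-priority use that `sys_nice` and the new `self:process setsched` rule cover together), and nothing in the hunk records why auditd needs it. Pair each new grant with its reason on a comment line above it, e.g. `# sys_nice/setsched: auditd raises its own priority; sys_resource: raises its own rlimits (confirm against auditd source)`, so a later policy audit can tell a required grant from a leftover one. The new `auditd_log_t:dir rw_dir_perms` row is consistent with the `/var/log/audit` directory this commit also labels; the module continues past the end of the hunk, so any related rules below it are out of view.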