move audit to logging
This commit is contained in:
Chris PeBenito
parent
ef5e55c9fa
commit
eb7f9a34cb
@ -1,6 +1,7 @@
|
||||
|
||||
/dev/log -s context_template(system_u:object_r:devlog_t,s0)
|
||||
|
||||
/sbin/auditd -- context_tempalte(system_u:object_r:auditd_exec_t,s0)
|
||||
/sbin/klogd -- context_template(system_u:object_r:klogd_exec_t,s0)
|
||||
/sbin/minilogd -- context_template(system_u:object_r:syslogd_exec_t,s0)
|
||||
/sbin/syslogd -- context_template(system_u:object_r:syslogd_exec_t,s0)
|
||||
@ -15,6 +16,7 @@ ifdef(`distro_suse', `
|
||||
')
|
||||
|
||||
/var/log(/.*)? context_template(system_u:object_r:var_log_t,s0)
|
||||
/var/log/audit.log context_template(system_u:object_r:auditd_log_t,s0)
|
||||
|
||||
/var/run/klogd\.pid -- context_template(system_u:object_r:klogd_var_run_t,s0)
|
||||
/var/run/log -s context_template(system_u:object_r:devlog_t,s0)
|
||||
|
||||
@ -1,8 +1,23 @@
|
||||
|
||||
policy_module(logging,1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
attribute logfile;
|
||||
|
||||
type auditd_log_t;
|
||||
logging_make_log_file(auditd_t,auditd_log_t)
|
||||
|
||||
type auditd_t;
|
||||
type auditd_exec_t;
|
||||
init_make_daemon_domain(auditd_t,auditd_exec_t)
|
||||
|
||||
type auditd_var_run_t;
|
||||
files_make_daemon_runtime_file(auditd_var_run_t)
|
||||
|
||||
type devlog_t;
|
||||
files_make_file(devlog_t)
|
||||
|
||||
@ -29,6 +44,71 @@ files_make_daemon_runtime_file(syslogd_var_run_t)
|
||||
type var_log_t, logfile;
|
||||
files_make_file(var_log_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Auditd local policy
|
||||
#
|
||||
|
||||
allow auditd_t self:capability { audit_write audit_control };
|
||||
dontaudit auditd_t self:capability sys_tty_config;
|
||||
allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
|
||||
|
||||
allow auditd_t auditd_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
|
||||
allow auditd_t auditd_var_run_t:file { getattr create read write append setattr unlink };
|
||||
files_create_daemon_runtime_data(auditd_t,auditd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(auditd_t)
|
||||
kernel_read_hardware_state(auditd_t)
|
||||
|
||||
filesystem_get_all_filesystems_attributes(auditd_t)
|
||||
|
||||
terminal_ignore_use_console(auditd_t)
|
||||
|
||||
init_use_file_descriptors(auditd_t)
|
||||
init_script_use_pseudoterminal(auditd_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(auditd_t)
|
||||
|
||||
files_read_general_system_config(auditd_t)
|
||||
|
||||
logging_send_system_log_message(auditd_t)
|
||||
|
||||
libraries_use_dynamic_loader(auditd_t)
|
||||
libraries_use_shared_libraries(auditd_t)
|
||||
|
||||
miscfiles_read_localization(auditd_t)
|
||||
|
||||
tunable_policy(`targeted_policy', `
|
||||
terminal_ignore_use_general_physical_terminal(auditd_t)
|
||||
terminal_ignore_use_general_pseudoterminal(auditd_t)
|
||||
files_ignore_read_rootfs_file(auditd_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
selinux_newrole_sigchld(auditd_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
udev_read_database(auditd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow auditd_t proc_t:dir r_dir_perms;
|
||||
allow auditd_t proc_t:lnk_file read;
|
||||
dontaudit auditd_t unpriv_userdomain:fd use;
|
||||
allow auditd_t autofs_t:dir { search getattr };
|
||||
dontaudit auditd_t sysadm_home_dir_t:dir search;
|
||||
optional_policy(`rhgb.te', `
|
||||
allow auditd_t rhgb_t:process sigchld;
|
||||
allow auditd_t rhgb_t:fd use;
|
||||
allow auditd_t rhgb_t:fifo_file { read write };
|
||||
')
|
||||
|
||||
# cjp: this is questionable:
|
||||
allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;
|
||||
') dnl endif TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# klogd local policy
|
||||
|
||||
Loading…
Reference in New Issue
Block a user