move to logging
This commit is contained in:
parent
09693356ac
commit
ef5e55c9fa
@ -1,82 +0,0 @@
|
||||
|
||||
policy_module(audit, 1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type auditd_log_t;
|
||||
logging_make_log_file(auditd_t,auditd_log_t)
|
||||
|
||||
type auditd_t;
|
||||
type auditd_exec_t;
|
||||
init_make_daemon_domain(auditd_t,auditd_exec_t)
|
||||
|
||||
type auditd_var_run_t;
|
||||
files_make_daemon_runtime_file(auditd_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Auditd local policy
|
||||
#
|
||||
|
||||
allow auditd_t self:capability { audit_write audit_control };
|
||||
dontaudit auditd_t self:capability sys_tty_config;
|
||||
allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
|
||||
|
||||
allow auditd_t auditd_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
|
||||
allow auditd_t auditd_var_run_t:file { getattr create read write append setattr unlink };
|
||||
files_create_daemon_runtime_data(auditd_t,auditd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(auditd_t)
|
||||
kernel_read_hardware_state(auditd_t)
|
||||
|
||||
filesystem_get_all_filesystems_attributes(auditd_t)
|
||||
|
||||
terminal_ignore_use_console(auditd_t)
|
||||
|
||||
init_use_file_descriptors(auditd_t)
|
||||
init_script_use_pseudoterminal(auditd_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(auditd_t)
|
||||
|
||||
files_read_general_system_config(auditd_t)
|
||||
|
||||
logging_send_system_log_message(auditd_t)
|
||||
|
||||
libraries_use_dynamic_loader(auditd_t)
|
||||
libraries_use_shared_libraries(auditd_t)
|
||||
|
||||
miscfiles_read_localization(auditd_t)
|
||||
|
||||
tunable_policy(`targeted_policy', `
|
||||
terminal_ignore_use_general_physical_terminal(auditd_t)
|
||||
terminal_ignore_use_general_pseudoterminal(auditd_t)
|
||||
files_ignore_read_rootfs_file(auditd_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
selinux_newrole_sigchld(auditd_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
udev_read_database(auditd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow auditd_t proc_t:dir r_dir_perms;
|
||||
allow auditd_t proc_t:lnk_file read;
|
||||
dontaudit auditd_t unpriv_userdomain:fd use;
|
||||
allow auditd_t autofs_t:dir { search getattr };
|
||||
dontaudit auditd_t sysadm_home_dir_t:dir search;
|
||||
optional_policy(`rhgb.te', `
|
||||
allow auditd_t rhgb_t:process sigchld;
|
||||
allow auditd_t rhgb_t:fd use;
|
||||
allow auditd_t rhgb_t:fifo_file { read write };
|
||||
')
|
||||
|
||||
# cjp: this is questionable:
|
||||
allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;
|
||||
') dnl endif TODO
|
Loading…
Reference in New Issue
Block a user