## <summary>Berkeley process accounting</summary> ######################################## ## <summary> ## Transition to the accounting management domain. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`acct_domtrans',` gen_require(` type acct_t, acct_exec_t; ') corecmd_search_sbin($1) domain_auto_trans($1,acct_exec_t,acct_t) allow $1 acct_t:fd use; allow acct_t $1:fd use; allow acct_t $1:fifo_file rw_file_perms; allow acct_t $1:process sigchld; ') ######################################## ## <summary> ## Execute accounting management tools in the caller domain. ## </summary> ## <param name="domain"> ## <summary> ## The type of the process performing this action. ## </summary> ## </param> # interface(`acct_exec',` gen_require(` type acct_exec_t; ') corecmd_search_sbin($1) can_exec($1,acct_exec_t) ') ######################################## ## <summary> ## Execute accounting management data in the caller domain. ## </summary> ## <param name="domain"> ## <summary> ## The type of the process performing this action. ## </summary> ## </param> # # cjp: this is added for logrotate, and does # not make sense to me. interface(`acct_exec_data',` gen_require(` type acct_data_t; ') files_search_var($1) can_exec($1,acct_data_t) ') ######################################## ## <summary> ## Create, read, write, and delete process accounting data. ## </summary> ## <param name="domain"> ## <summary> ## The type of the process performing this action. ## </summary> ## </param> # interface(`acct_manage_data',` gen_require(` type acct_data_t; ') files_search_var($1) allow $1 acct_data_t:dir rw_dir_perms; allow $1 acct_data_t:file create_file_perms; allow $1 acct_data_t:lnk_file create_lnk_perms; ')