selinux-policy/policy/modules/admin/acct.te

94 lines
1.8 KiB
Plaintext

policy_module(acct, 1.2.0)
########################################
#
# Declarations
#
type acct_t;
type acct_exec_t;
init_system_domain(acct_t, acct_exec_t)
type acct_data_t;
logging_log_file(acct_data_t)
########################################
#
# Local Policy
#
# gzip needs chown capability for some reason
allow acct_t self:capability { sys_pacct chown fsetid };
# not sure why we need kill, the command "last" is reported as using it
dontaudit acct_t self:capability { kill sys_tty_config };
allow acct_t self:fifo_file { read write getattr };
allow acct_t self:process signal_perms;
manage_files_pattern(acct_t, acct_data_t, acct_data_t)
manage_lnk_files_pattern(acct_t, acct_data_t, acct_data_t)
can_exec(acct_t, acct_exec_t)
kernel_list_proc(acct_t)
kernel_read_system_state(acct_t)
kernel_read_kernel_sysctls(acct_t)
dev_read_sysfs(acct_t)
# for SSP
dev_read_urand(acct_t)
fs_search_auto_mountpoints(acct_t)
fs_getattr_xattr_fs(acct_t)
term_dontaudit_use_console(acct_t)
corecmd_exec_bin(acct_t)
corecmd_exec_shell(acct_t)
domain_use_interactive_fds(acct_t)
files_read_etc_files(acct_t)
files_read_etc_runtime_files(acct_t)
files_list_usr(acct_t)
# for nscd
files_dontaudit_search_pids(acct_t)
init_use_fds(acct_t)
init_use_script_ptys(acct_t)
init_exec_script_files(acct_t)
libs_use_ld_so(acct_t)
libs_use_shared_libs(acct_t)
logging_send_syslog_msg(acct_t)
miscfiles_read_localization(acct_t)
userdom_dontaudit_use_unpriv_user_fds(acct_t)
sysadm_dontaudit_search_home_dirs(acct_t)
optional_policy(`
optional_policy(`
# for monthly cron job
auth_log_filetrans_login_records(acct_t)
auth_manage_login_records(acct_t)
')
cron_system_entry(acct_t, acct_exec_t)
')
optional_policy(`
nscd_socket_use(acct_t)
')
optional_policy(`
seutil_sigchld_newrole(acct_t)
')
optional_policy(`
udev_read_db(acct_t)
')