selinux-policy/policy/modules/admin/acct.if

## <summary>Berkeley process accounting</summary>

########################################
## <summary>
##	Transition to the accounting management domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`acct_domtrans',`
	gen_require(`
		type acct_t, acct_exec_t;
	')

	corecmd_search_sbin($1)
	domain_auto_trans($1,acct_exec_t,acct_t)

	allow $1 acct_t:fd use;
	allow acct_t $1:fd use;
	allow acct_t $1:fifo_file rw_file_perms;
	allow acct_t $1:process sigchld;
')

########################################
## <summary>
##	Execute accounting management tools in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`acct_exec',`
	gen_require(`
		type acct_exec_t;
	')

	corecmd_search_sbin($1)
	can_exec($1,acct_exec_t)
')

########################################
## <summary>
##	Execute accounting management data in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
# cjp: this is added for logrotate, and does
# not make sense to me.
interface(`acct_exec_data',`
	gen_require(`
		type acct_data_t;
	')

	files_search_var($1)
	can_exec($1,acct_data_t)
')

########################################
## <summary>
##	Create, read, write, and delete process accounting data.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`acct_manage_data',`
	gen_require(`
		type acct_data_t;
	')

	files_search_var($1)
	allow $1 acct_data_t:dir rw_dir_perms;
	allow $1 acct_data_t:file create_file_perms;
	allow $1 acct_data_t:lnk_file create_lnk_perms;
')