selinux-policy/policy/modules/admin/acct.te

policy_module(acct,1.1.0)

########################################
#
# Declarations
#

type acct_t;
type acct_exec_t;
init_system_domain(acct_t,acct_exec_t)

type acct_data_t;
logging_log_file(acct_data_t)

########################################
#
# Local Policy
#

# gzip needs chown capability for some reason
allow acct_t self:capability { sys_pacct chown fsetid };
# not sure why we need kill, the command "last" is reported as using it
dontaudit acct_t self:capability { kill sys_tty_config };

allow acct_t self:fifo_file { read write getattr };
allow acct_t self:process signal_perms;

manage_files_pattern(acct_t,acct_data_t,acct_data_t)
manage_lnk_files_pattern(acct_t,acct_data_t,acct_data_t)

can_exec(acct_t,acct_exec_t)

kernel_list_proc(acct_t)
kernel_read_system_state(acct_t)
kernel_read_kernel_sysctls(acct_t)

dev_read_sysfs(acct_t)
# for SSP
dev_read_urand(acct_t)

fs_search_auto_mountpoints(acct_t)
fs_getattr_xattr_fs(acct_t)

term_dontaudit_use_console(acct_t)

corecmd_exec_bin(acct_t)
corecmd_exec_shell(acct_t)

domain_use_interactive_fds(acct_t)

files_read_etc_files(acct_t)
files_read_etc_runtime_files(acct_t)
files_list_usr(acct_t)
# for nscd
files_dontaudit_search_pids(acct_t)

init_use_fds(acct_t)
init_use_script_ptys(acct_t)
init_exec_script_files(acct_t)

libs_use_ld_so(acct_t)
libs_use_shared_libs(acct_t)

logging_send_syslog_msg(acct_t)

miscfiles_read_localization(acct_t)

userdom_dontaudit_search_sysadm_home_dirs(acct_t)
userdom_dontaudit_use_unpriv_user_fds(acct_t)

optional_policy(`
	optional_policy(`
		# for monthly cron job
		auth_log_filetrans_login_records(acct_t)
		auth_manage_login_records(acct_t)
	')

	cron_system_entry(acct_t,acct_exec_t)
')

optional_policy(`
	nscd_socket_use(acct_t)
')

optional_policy(`
	seutil_sigchld_newrole(acct_t)
')

optional_policy(`
	udev_read_db(acct_t)
')