dd14d0d892
permission is checked when using shared libs to execute code in them, which is not the same as just reading the shared libs.
# Copyright (C) 2005 Tresys Technology, LLC
#
# audit.te: reference policy module for the audit daemon (auditd).
# The file is m4 that expands to type-enforcement rules; the *_make_*,
# *_use_*, *_read_* and *_ignore_* calls are interfaces defined in other
# modules (logging, init, files, kernel, terminal, libraries, ...), so what
# each one grants is defined there, not here.
#
# Types declared by this module:
#   auditd_t         - the daemon domain
#   auditd_exec_t    - the entrypoint executable for auditd_t
#   auditd_log_t     - the audit log file
#   auditd_var_run_t - runtime data of the daemon (under the run directory)

policy_module(audit, 1.0)

########################################
#
# Declarations
#

# Audit log file type. logging_make_log_file pairs it with the daemon domain;
# any rules beyond the label itself come from the logging module.
type auditd_log_t;
logging_make_log_file(auditd_t,auditd_log_t)

# Daemon domain and the executable that transitions into it.
# NOTE(review): auditd_t is referenced by logging_make_log_file above before
# this declaration; whether ordering matters is up to the policy compiler,
# not m4 - confirm if the build ever complains about an undeclared type.
type auditd_t;
type auditd_exec_t;
init_make_daemon_domain(auditd_t,auditd_exec_t)

# Runtime data file of the daemon (pid file, presumably).
type auditd_var_run_t;
files_make_daemon_runtime_file(auditd_var_run_t)

########################################
#
# Auditd local policy
#

# Capabilities: audit_write lets the daemon submit records to the kernel
# audit subsystem; audit_control lets it enable, disable and reconfigure
# auditing. audit_control is the sensitive one - a compromised auditd_t
# could change what gets audited - so keep this domain tight elsewhere.
allow auditd_t self:capability { audit_write audit_control };
# Suppress the sys_tty_config denial without granting the capability.
dontaudit auditd_t self:capability sys_tty_config;
# Audit netlink channel to the kernel: nlmsg_read queries audit status,
# nlmsg_write sends control messages (filter and configuration changes).
allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };

# Full lifecycle on the audit log. link/unlink/rename are presumably for
# log rotation. Note that write is granted in addition to append, so the
# daemon is able to overwrite the log, not only extend it.
allow auditd_t auditd_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };

# Runtime file handling; files_create_daemon_runtime_data presumably adds
# the directory-side rules needed to create the file under the run dir.
allow auditd_t auditd_var_run_t:file { getattr create read write append setattr unlink };
files_create_daemon_runtime_data(auditd_t,auditd_var_run_t)

# Read-only access to kernel sysctls and hardware state.
kernel_read_kernel_sysctl(auditd_t)
kernel_read_hardware_state(auditd_t)

# Filesystem attributes only (statfs-style), no file content.
filesystem_get_all_filesystems_attributes(auditd_t)

# Silence (dontaudit) console use rather than allow it.
terminal_ignore_use_console(auditd_t)

# File descriptors inherited from init and the pty of the init script
# that started the daemon.
init_use_file_descriptors(auditd_t)
init_script_use_pseudoterminal(auditd_t)

# Descriptors that are commonly inherited across many domains.
domain_use_widely_inheritable_file_descriptors(auditd_t)

# General system configuration files, read-only.
files_read_general_system_config(auditd_t)

# The daemon may log to the system logger as well.
logging_send_system_log_message(auditd_t)

# Dynamic loader plus shared libraries. Mapping a library executable is a
# distinct permission from merely reading the library file, hence both
# interfaces are needed.
libraries_use_dynamic_loader(auditd_t)
libraries_use_shared_libraries(auditd_t)

# Locale data, read-only.
miscfiles_read_localization(auditd_t)

# Targeted policy only: the ignore_ interfaces add dontaudit rules so that
# tty/pty use and rootfs reads do not flood the log. Nothing is granted here.
tunable_policy(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(auditd_t)
terminal_ignore_use_general_pseudoterminal(auditd_t)
files_ignore_read_rootfs_file(auditd_t)
')dnl end targeted_policy tunable

# Expanded only when the selinux module is part of the build.
optional_policy(`selinux.te',`
selinux_newrole_sigchld(auditd_t)
')

# Expanded only when the udev module is part of the build.
optional_policy(`udev.te', `
udev_read_database(auditd_t)
')

# Disabled block: only expanded when the m4 symbol TODO is defined. The
# rules below name types this module does not declare (proc_t,
# unpriv_userdomain, autofs_t, sysadm_home_dir_t, rhgb_t,
# sysadm_tty_device_t) and presumably still need converting to interface
# calls before they can go live.
ifdef(`TODO',`
allow auditd_t proc_t:dir r_dir_perms;
allow auditd_t proc_t:lnk_file read;
# dontaudit: silenced, not granted.
dontaudit auditd_t unpriv_userdomain:fd use;
allow auditd_t autofs_t:dir { search getattr };
# dontaudit: silenced, not granted.
dontaudit auditd_t sysadm_home_dir_t:dir search;
# Nested optional block for the rhgb module (only meaningful if TODO is on).
optional_policy(`rhgb.te', `
allow auditd_t rhgb_t:process sigchld;
allow auditd_t rhgb_t:fd use;
allow auditd_t rhgb_t:fifo_file { read write };
')

# cjp: this is questionable:
# Read/write on the sysadm tty device is broad (terminal input as well as
# output); it stays disabled with the rest of this block until justified.
allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;
') dnl endif TODO