selinux-policy/targeted/domains/program/auditd.te
2005-10-21 18:05:21 +00:00

70 lines
2.2 KiB
Plaintext

#DESC auditd - System auditing daemon
#
# Authors: Colin Walters <walters@verbum.org>
#
# Some fixes by Paul Moore <paul.moore@hp.com>
#
define(`audit_manager_domain', `
allow $1 auditd_etc_t:file rw_file_perms;
create_dir_file($1, auditd_log_t)
domain_auto_trans($1, auditctl_exec_t, auditctl_t)
')
daemon_domain(auditd)
allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
allow auditd_t self:unix_dgram_socket create_socket_perms;
allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
allow auditd_t self:process setsched;
allow auditd_t self:file { getattr read write };
allow auditd_t etc_t:file { getattr read };
# Do not use logdir_domain since this is a security file
type auditd_log_t, file_type, secure_file_type;
allow auditd_t var_log_t:dir search;
rw_dir_create_file(auditd_t, auditd_log_t)
can_exec(auditd_t, init_exec_t)
allow auditd_t initctl_t:fifo_file write;
ifdef(`targeted_policy', `
dontaudit auditd_t unconfined_t:fifo_file read;
')
type auditctl_t, domain, privlog;
type auditctl_exec_t, file_type, exec_type, sysadmfile;
uses_shlib(auditctl_t)
allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
allow auditctl_t self:capability { audit_write audit_control };
allow auditctl_t etc_t:file { getattr read };
allow auditctl_t admin_tty_type:chr_file rw_file_perms;
type auditd_etc_t, file_type, secure_file_type;
allow { auditd_t auditctl_t } auditd_etc_t:file r_file_perms;
allow initrc_t auditd_etc_t:file r_file_perms;
role secadm_r types auditctl_t;
role sysadm_r types auditctl_t;
audit_manager_domain(secadm_t)
ifdef(`targeted_policy', `', `
ifdef(`separate_secadm', `', `
audit_manager_domain(sysadm_t)
')
')
role system_r types auditctl_t;
domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t)
dontaudit auditctl_t local_login_t:fd use;
allow auditctl_t proc_t:dir search;
allow auditctl_t sysctl_kernel_t:dir search;
allow auditctl_t sysctl_kernel_t:file { getattr read };
dontaudit auditctl_t init_t:fd use;
allow auditctl_t initrc_devpts_t:chr_file { read write };
allow auditctl_t privfd:fd use;
allow auditd_t sbin_t:dir search;
can_exec(auditd_t, sbin_t)