add acct
This commit is contained in:
parent
3fd8336882
commit
9a66d4e562
|
@ -4,6 +4,7 @@
|
||||||
* Rename inetd connect interface for consistency.
|
* Rename inetd connect interface for consistency.
|
||||||
* Misc. cleanups.
|
* Misc. cleanups.
|
||||||
* Added policies:
|
* Added policies:
|
||||||
|
acct
|
||||||
mysql
|
mysql
|
||||||
|
|
||||||
20050802 (2 Aug 2005)
|
20050802 (2 Aug 2005)
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
|
||||||
|
/etc/cron\.(daily|monthly)/acct -- context_template(system_u:object_r:acct_exec_t,s0)
|
||||||
|
|
||||||
|
/sbin/accton -- context_template(system_u:object_r:acct_exec_t,s0)
|
||||||
|
|
||||||
|
/usr/sbin/accton -- context_template(system_u:object_r:acct_exec_t,s0)
|
||||||
|
|
||||||
|
/var/account(/.*)? context_template(system_u:object_r:acct_data_t,s0)
|
|
@ -0,0 +1,84 @@
|
||||||
|
## <summary>Berkeley process accounting</summary>
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Transition to the accounting management domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`acct_domtrans',`
|
||||||
|
gen_require(`
|
||||||
|
type acct_t, acct_exec_t;
|
||||||
|
class process sigchld;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
corecmd_search_sbin($1)
|
||||||
|
domain_auto_trans($1,acct_exec_t,acct_t)
|
||||||
|
|
||||||
|
allow $1 acct_t:fd use;
|
||||||
|
allow acct_t $1:fd use;
|
||||||
|
allow acct_t $1:fifo_file rw_file_perms;
|
||||||
|
allow acct_t $1:process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute accounting management tools in the caller domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`acct_exec',`
|
||||||
|
gen_require(`
|
||||||
|
type acct_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
corecmd_search_sbin($1)
|
||||||
|
can_exec($1,acct_exec_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute accounting management data in the caller domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
# cjp: this is added for logrotate, and does
|
||||||
|
# not make sense to me.
|
||||||
|
interface(`acct_exec_data',`
|
||||||
|
gen_require(`
|
||||||
|
type acct_data_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_var($1)
|
||||||
|
can_exec($1,acct_data_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete process accounting data.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`acct_manage_data',`
|
||||||
|
gen_require(`
|
||||||
|
type acct_data_t;
|
||||||
|
class dir rw_dir_perms;
|
||||||
|
class file create_file_perms;
|
||||||
|
class lnk_file create_lnk_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_var($1)
|
||||||
|
allow $1 acct_data_t:dir rw_dir_perms;
|
||||||
|
allow $1 acct_data_t:file create_file_perms;
|
||||||
|
allow $1 acct_data_t:lnk_file create_lnk_perms;
|
||||||
|
')
|
|
@ -0,0 +1,98 @@
|
||||||
|
|
||||||
|
policy_module(acct,1.0)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
|
type acct_t;
|
||||||
|
type acct_exec_t;
|
||||||
|
init_daemon_domain(acct_t,acct_exec_t)
|
||||||
|
|
||||||
|
type acct_data_t;
|
||||||
|
files_type(acct_data_t)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Local Policy
|
||||||
|
#
|
||||||
|
|
||||||
|
# gzip needs chown capability for some reason
|
||||||
|
allow acct_t self:capability { sys_pacct chown fsetid };
|
||||||
|
# not sure why we need kill, the command "last" is reported as using it
|
||||||
|
dontaudit acct_t self:capability { kill sys_tty_config };
|
||||||
|
|
||||||
|
allow acct_t self:fifo_file { read write getattr };
|
||||||
|
allow acct_t self:process signal_perms;
|
||||||
|
|
||||||
|
allow acct_t acct_data_t:dir rw_dir_perms;
|
||||||
|
allow acct_t acct_data_t:file create_file_perms;
|
||||||
|
allow acct_t acct_data_t:lnk_file create_lnk_perms;
|
||||||
|
|
||||||
|
can_exec(acct_t,acct_exec_t)
|
||||||
|
|
||||||
|
kernel_list_proc(acct_t)
|
||||||
|
kernel_read_system_state(acct_t)
|
||||||
|
kernel_read_kernel_sysctl(acct_t)
|
||||||
|
|
||||||
|
dev_read_sysfs(acct_t)
|
||||||
|
# for SSP
|
||||||
|
dev_read_urand(acct_t)
|
||||||
|
|
||||||
|
fs_search_auto_mountpoints(acct_t)
|
||||||
|
fs_getattr_xattr_fs(acct_t)
|
||||||
|
|
||||||
|
term_dontaudit_use_console(acct_t)
|
||||||
|
|
||||||
|
corecmd_exec_bin(acct_t)
|
||||||
|
corecmd_exec_shell(acct_t)
|
||||||
|
|
||||||
|
domain_use_wide_inherit_fd(acct_t)
|
||||||
|
|
||||||
|
files_read_etc_files(acct_t)
|
||||||
|
files_read_etc_runtime_files(acct_t)
|
||||||
|
# for nscd
|
||||||
|
files_dontaudit_getattr_pid_dir(acct_t)
|
||||||
|
|
||||||
|
init_use_fd(acct_t)
|
||||||
|
init_use_script_pty(acct_t)
|
||||||
|
init_exec_script(acct_t)
|
||||||
|
|
||||||
|
libs_use_ld_so(acct_t)
|
||||||
|
libs_use_shared_libs(acct_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg(acct_t)
|
||||||
|
|
||||||
|
miscfiles_read_localization(acct_t)
|
||||||
|
|
||||||
|
userdom_dontaudit_search_sysadm_home_dir(acct_t)
|
||||||
|
userdom_dontaudit_use_unpriv_user_fd(acct_t)
|
||||||
|
|
||||||
|
ifdef(`targeted_policy',`
|
||||||
|
term_dontaudit_use_unallocated_tty(acct_t)
|
||||||
|
term_dontaudit_use_generic_pty(acct_t)
|
||||||
|
files_dontaudit_read_root_file(acct_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`cron.te',`
|
||||||
|
optional_policy(`authlogin.te',`
|
||||||
|
# for monthly cron job
|
||||||
|
auth_create_login_records(acct_t)
|
||||||
|
auth_manage_login_records(acct_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
cron_system_entry(acct_t,acct_exec_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`rhgb.te',`
|
||||||
|
rhgb_domain(acct_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`selinuxutil.te',`
|
||||||
|
seutil_sigchld_newrole(acct_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`udev.te', `
|
||||||
|
udev_read_db(acct_t)
|
||||||
|
')
|
|
@ -113,6 +113,12 @@ ifdef(`distro_debian', `
|
||||||
can_exec(logrotate_t, logrotate_exec_t)
|
can_exec(logrotate_t, logrotate_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`acct.te',`
|
||||||
|
acct_domtrans(logrotate_t)
|
||||||
|
acct_manage_data(logrotate_t)
|
||||||
|
acct_exec_data(logrotate_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`consoletype.te',`
|
optional_policy(`consoletype.te',`
|
||||||
consoletype_exec(logrotate_t)
|
consoletype_exec(logrotate_t)
|
||||||
|
|
||||||
|
|
|
@ -669,6 +669,18 @@ interface(`auth_rw_login_records',`
|
||||||
logging_search_logs($1)
|
logging_search_logs($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
#
|
||||||
|
# auth_create_login_records(domain)
|
||||||
|
#
|
||||||
|
interface(`auth_create_login_records',`
|
||||||
|
gen_require(`
|
||||||
|
type wtmp_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
logging_create_log($1,wtmp_t,file)
|
||||||
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# auth_manage_login_records(domain)
|
# auth_manage_login_records(domain)
|
||||||
|
|
Loading…
Reference in New Issue