add in some rules from NSA CVS to make targeted policy work
This commit is contained in:
parent
8c3f438f75
commit
a28f6db576
|
@ -16,7 +16,9 @@ ifdef(`distro_suse', `
|
|||
')
|
||||
|
||||
/var/log(/.*)? context_template(system_u:object_r:var_log_t,s0)
|
||||
/var/log/audit.log context_template(system_u:object_r:auditd_log_t,s0)
|
||||
/var/log/audit.log -- context_template(system_u:object_r:auditd_log_t,s0)
|
||||
|
||||
/var/log/audit(/.*)? context_template(system_u:object_r:auditd_log_t,s0)
|
||||
|
||||
/var/run/klogd\.pid -- context_template(system_u:object_r:klogd_var_run_t,s0)
|
||||
/var/run/log -s context_template(system_u:object_r:devlog_t,s0)
|
||||
|
|
|
@ -9,7 +9,7 @@ policy_module(logging,1.0)
|
|||
attribute logfile;
|
||||
|
||||
type auditd_log_t;
|
||||
logging_log_file(auditd_log_t)
|
||||
files_type(auditd_log_t)
|
||||
|
||||
type auditd_t;
|
||||
type auditd_exec_t;
|
||||
|
@ -49,10 +49,12 @@ files_type(var_log_t)
|
|||
# Auditd local policy
|
||||
#
|
||||
|
||||
allow auditd_t self:capability { audit_write audit_control };
|
||||
allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
|
||||
dontaudit auditd_t self:capability sys_tty_config;
|
||||
allow auditd_t self:process setsched;
|
||||
allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
|
||||
|
||||
allow auditd_t auditd_log_t:dir rw_dir_perms;
|
||||
allow auditd_t auditd_log_t:file create_file_perms;
|
||||
|
||||
allow auditd_t auditd_var_run_t:file create_file_perms;
|
||||
|
|
Loading…
Reference in New Issue