add in some rules from NSA CVS to make targeted policy work

This commit is contained in:
Chris PeBenito 2005-07-20 13:30:06 +00:00
parent 8c3f438f75
commit a28f6db576
2 changed files with 7 additions and 3 deletions


@ -16,7 +16,9 @@ ifdef(`distro_suse', `
') ')
/var/log(/.*)? context_template(system_u:object_r:var_log_t,s0) /var/log(/.*)? context_template(system_u:object_r:var_log_t,s0)
/var/log/audit.log context_template(system_u:object_r:auditd_log_t,s0) /var/log/audit.log -- context_template(system_u:object_r:auditd_log_t,s0)
/var/log/audit(/.*)? context_template(system_u:object_r:auditd_log_t,s0)
/var/run/klogd\.pid -- context_template(system_u:object_r:klogd_var_run_t,s0) /var/run/klogd\.pid -- context_template(system_u:object_r:klogd_var_run_t,s0)
/var/run/log -s context_template(system_u:object_r:devlog_t,s0) /var/run/log -s context_template(system_u:object_r:devlog_t,s0)
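Review bot: The new `/var/log/audit.log -- context_template(system_u:object_r:auditd_log_t,s0)` line still leaves the `.` before `log` unescaped, so as a regex it also matches names like `/var/log/auditXlog` and would label them auditd_log_t; the `/var/run/klogd\.pid` entry in the same hunk escapes its dot, and this line should too: `/var/log/audit\.log -- context_template(system_u:object_r:auditd_log_t,s0)`. The added `/var/log/audit(/.*)?` directory pattern has no such problem. The mislabeling window is narrow, but the fix is free and keeps the file's patterns consistent.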


@ -9,7 +9,7 @@ policy_module(logging,1.0)
attribute logfile; attribute logfile;
type auditd_log_t; type auditd_log_t;
logging_log_file(auditd_log_t) files_type(auditd_log_t)
type auditd_t; type auditd_t;
type auditd_exec_t; type auditd_exec_t;
@ -49,10 +49,12 @@ files_type(var_log_t)
# Auditd local policy # Auditd local policy
# #
allow auditd_t self:capability { audit_write audit_control }; allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
dontaudit auditd_t self:capability sys_tty_config; dontaudit auditd_t self:capability sys_tty_config;
allow auditd_t self:process setsched;
allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write }; allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
allow auditd_t auditd_log_t:dir rw_dir_perms;
allow auditd_t auditd_log_t:file create_file_perms; allow auditd_t auditd_log_t:file create_file_perms;
allow auditd_t auditd_var_run_t:file create_file_perms; allow auditd_t auditd_var_run_t:file create_file_perms;
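Review bot: The widened `allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };` rule and the new `allow auditd_t self:process setsched;` rule carry no comment recording which auditd operation needs them, and sys_resource is a broad privilege (it bypasses resource-limit checks, not only scheduling). A one-line comment above the capability rule, such as `# sys_nice/setsched: presumably for auditd adjusting its own scheduling priority; sys_resource: TODO confirm which limit auditd raises`, would preserve the justification that the import from NSA CVS did not carry over and make later least-privilege review possible. The new `allow auditd_t auditd_log_t:dir rw_dir_perms;` line pairs sensibly with the file-level `create_file_perms` already granted on auditd_log_t and needs no change. The rendered page does not preserve which side of the `logging_log_file(auditd_log_t)` / `files_type(auditd_log_t)` change in the first hunk is new, so I have not reviewed that line.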