selinux-refpolicy/refpolicy/policy/modules/admin/acct.if
Chris PeBenito 9a66d4e562 add acct
2005-08-05 14:32:12 +00:00

85 lines
1.8 KiB
Plaintext

## <summary>Berkeley process accounting</summary>
########################################
## <summary>
## Transition to the accounting management domain.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`acct_domtrans',`
gen_require(`
type acct_t, acct_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
corecmd_search_sbin($1)
domain_auto_trans($1,acct_exec_t,acct_t)
allow $1 acct_t:fd use;
allow acct_t $1:fd use;
allow acct_t $1:fifo_file rw_file_perms;
allow acct_t $1:process sigchld;
')
########################################
## <summary>
## Execute accounting management tools in the caller domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`acct_exec',`
gen_require(`
type acct_exec_t;
')
corecmd_search_sbin($1)
can_exec($1,acct_exec_t)
')
########################################
## <summary>
## Execute accounting management data in the caller domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
# cjp: this is added for logrotate, and does
# not make sense to me.
interface(`acct_exec_data',`
gen_require(`
type acct_data_t;
')
files_search_var($1)
can_exec($1,acct_data_t)
')
########################################
## <summary>
## Create, read, write, and delete process accounting data.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`acct_manage_data',`
gen_require(`
type acct_data_t;
class dir rw_dir_perms;
class file create_file_perms;
class lnk_file create_lnk_perms;
')
files_search_var($1)
allow $1 acct_data_t:dir rw_dir_perms;
allow $1 acct_data_t:file create_file_perms;
allow $1 acct_data_t:lnk_file create_lnk_perms;
')