selinux-refpolicy/refpolicy/policy/modules/system/audit.te
Chris PeBenito dd14d0d892 change read_shared_libraries to use_shared_libraries, since the execute
permission is checked when using shared libs to execute code in them, which
is not the same as just reading the shared libs.
2005-05-17 15:32:52 +00:00

84 lines
2.2 KiB
Plaintext

# Copyright (C) 2005 Tresys Technology, LLC
policy_module(audit, 1.0)
########################################
#
# Declarations
#
type auditd_log_t;
logging_make_log_file(auditd_t,auditd_log_t)
type auditd_t;
type auditd_exec_t;
init_make_daemon_domain(auditd_t,auditd_exec_t)
type auditd_var_run_t;
files_make_daemon_runtime_file(auditd_var_run_t)
########################################
#
# Auditd local policy
#
allow auditd_t self:capability { audit_write audit_control };
dontaudit auditd_t self:capability sys_tty_config;
allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
allow auditd_t auditd_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow auditd_t auditd_var_run_t:file { getattr create read write append setattr unlink };
files_create_daemon_runtime_data(auditd_t,auditd_var_run_t)
kernel_read_kernel_sysctl(auditd_t)
kernel_read_hardware_state(auditd_t)
filesystem_get_all_filesystems_attributes(auditd_t)
terminal_ignore_use_console(auditd_t)
init_use_file_descriptors(auditd_t)
init_script_use_pseudoterminal(auditd_t)
domain_use_widely_inheritable_file_descriptors(auditd_t)
files_read_general_system_config(auditd_t)
logging_send_system_log_message(auditd_t)
libraries_use_dynamic_loader(auditd_t)
libraries_use_shared_libraries(auditd_t)
miscfiles_read_localization(auditd_t)
tunable_policy(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(auditd_t)
terminal_ignore_use_general_pseudoterminal(auditd_t)
files_ignore_read_rootfs_file(auditd_t)
')dnl end targeted_policy tunable
optional_policy(`selinux.te',`
selinux_newrole_sigchld(auditd_t)
')
optional_policy(`udev.te', `
udev_read_database(auditd_t)
')
ifdef(`TODO',`
allow auditd_t proc_t:dir r_dir_perms;
allow auditd_t proc_t:lnk_file read;
dontaudit auditd_t unpriv_userdomain:fd use;
allow auditd_t autofs_t:dir { search getattr };
dontaudit auditd_t sysadm_home_dir_t:dir search;
optional_policy(`rhgb.te', `
allow auditd_t rhgb_t:process sigchld;
allow auditd_t rhgb_t:fd use;
allow auditd_t rhgb_t:fifo_file { read write };
')
# cjp: this is questionable:
allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;
') dnl endif TODO