forked from fedora-selinux/selinux-policy-contrib
-
Notifications
You must be signed in to change notification settings - Fork 0
/
acct.if
138 lines (123 loc) · 2.61 KB
/
acct.if
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
## <summary>Berkeley process accounting.</summary>
########################################
## <summary>
## Transition to the accounting
## management domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`acct_domtrans',`
gen_require(`
type acct_t, acct_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, acct_exec_t, acct_t)
')
########################################
## <summary>
## Execute accounting management tools
## in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`acct_exec',`
gen_require(`
type acct_exec_t;
')
corecmd_search_bin($1)
can_exec($1, acct_exec_t)
')
########################################
## <summary>
## Execute accounting management data
## in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`acct_exec_data',`
gen_require(`
type acct_data_t;
')
files_search_var($1)
can_exec($1, acct_data_t)
')
########################################
## <summary>
## Create, read, write, and delete
## process accounting data.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`acct_manage_data',`
gen_require(`
type acct_data_t;
')
files_search_var($1)
manage_files_pattern($1, acct_data_t, acct_data_t)
manage_lnk_files_pattern($1, acct_data_t, acct_data_t)
')
########################################
## <summary>
## Dontaudit Attempts to list acct_data directory
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`acct_dontaudit_list_data',`
gen_require(`
type acct_data_t;
')
dontaudit $1 acct_data_t:dir list_dir_perms;
')
#######################################
## <summary>
## All of the rules required to
## administrate an acct environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`acct_admin',`
gen_require(`
type acct_t, acct_initrc_exec_t, acct_data_t;
')
allow $1 acct_t:process { signal_perms };
ps_process_pattern($1, acct_t)
tunable_policy(`deny_ptrace',`',`
allow $1 acct_t:process ptrace;
')
init_labeled_script_domtrans($1, acct_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 acct_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, acct_data_t)
')