[selinux-policy: 258/3172] move audit to logging

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:27:13 UTC 2010


commit eb7f9a34cbec9cdbbd1fb92aefcd5ea3d7380c8d
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Jun 7 14:27:19 2005 +0000

    move audit to logging

 refpolicy/policy/modules/system/logging.fc |    2 +
 refpolicy/policy/modules/system/logging.te |   80 ++++++++++++++++++++++++++++
 2 files changed, 82 insertions(+), 0 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/logging.fc b/refpolicy/policy/modules/system/logging.fc
index bb41fdb..3e67b3f 100644
--- a/refpolicy/policy/modules/system/logging.fc
+++ b/refpolicy/policy/modules/system/logging.fc
@@ -1,6 +1,7 @@
 
 /dev/log		-s	context_template(system_u:object_r:devlog_t,s0)
 
+/sbin/auditd		--	context_tempalte(system_u:object_r:auditd_exec_t,s0)
 /sbin/klogd		--	context_template(system_u:object_r:klogd_exec_t,s0)
 /sbin/minilogd		--	context_template(system_u:object_r:syslogd_exec_t,s0)
 /sbin/syslogd		--	context_template(system_u:object_r:syslogd_exec_t,s0)
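Review bot: `context_tempalte` on the new `/sbin/auditd` line is a typo for `context_template`, so m4 leaves it unexpanded and the entry carries no valid security context; `/sbin/auditd` then never gets `auditd_exec_t`, and without that label the `init_make_daemon_domain` transition declared in logging.te has nothing to fire on, so auditd would start in init's domain rather than `auditd_t`. The line should read `/sbin/auditd		--	context_template(system_u:object_r:auditd_exec_t,s0)`, matching the `klogd`/`syslogd` lines below it. After fixing it is worth confirming that setfiles parses the generated file_contexts cleanly, since a malformed entry may cause the whole file to be rejected rather than just this line.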
@@ -15,6 +16,7 @@ ifdef(`distro_suse', `
 ')
 
 /var/log(/.*)?			context_template(system_u:object_r:var_log_t,s0)
+/var/log/audit.log		context_template(system_u:object_r:auditd_log_t,s0)
 
 /var/run/klogd\.pid	--	context_template(system_u:object_r:klogd_var_run_t,s0)
 /var/run/log		-s	context_template(system_u:object_r:devlog_t,s0)
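Review bot: The new `/var/log/audit.log` entry leaves the dot unescaped, unlike `klogd\.pid` two lines below, so it is a regex in which `.` matches any character, and it has no file-type qualifier; it should read `/var/log/audit\.log		--	context_template(system_u:object_r:auditd_log_t,s0)` so only the regular file is relabeled. If this auditd rotates its log into `audit.log.1` and similar names, those files will match only the generic `/var/log(/.*)?` entry above and end up as `var_log_t`, outside whatever protection `auditd_log_t` provides; if rotation is in use, a pattern covering the rotated names is needed rather than the single-file match. Placing the specific entry after the `/var/log(/.*)?` wildcard is otherwise fine, as the later, more specific match takes precedence.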
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index fdbb76c..1053f7d 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -1,8 +1,23 @@
 
 policy_module(logging,1.0)
 
+########################################
+#
+# Declarations
+#
+
 attribute logfile;
 
+type auditd_log_t;
+logging_make_log_file(auditd_t,auditd_log_t)
+
+type auditd_t;
+type auditd_exec_t;
+init_make_daemon_domain(auditd_t,auditd_exec_t)
+
+type auditd_var_run_t;
+files_make_daemon_runtime_file(auditd_var_run_t)
+
 type devlog_t;
 files_make_file(devlog_t)
 
@@ -31,6 +46,71 @@ files_make_file(var_log_t)
 
 ########################################
 #
+# Auditd local policy
+#
+
+allow auditd_t self:capability { audit_write audit_control };
+dontaudit auditd_t self:capability sys_tty_config;
+allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
+
+allow auditd_t auditd_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+
+allow auditd_t auditd_var_run_t:file { getattr create read write append setattr unlink };
+files_create_daemon_runtime_data(auditd_t,auditd_var_run_t)
+
+kernel_read_kernel_sysctl(auditd_t)
+kernel_read_hardware_state(auditd_t)
+
+filesystem_get_all_filesystems_attributes(auditd_t)
+
+terminal_ignore_use_console(auditd_t)
+
+init_use_file_descriptors(auditd_t)
+init_script_use_pseudoterminal(auditd_t)
+
+domain_use_widely_inheritable_file_descriptors(auditd_t)
+
+files_read_general_system_config(auditd_t)
+
+logging_send_system_log_message(auditd_t)
+
+libraries_use_dynamic_loader(auditd_t)
+libraries_use_shared_libraries(auditd_t)
+
+miscfiles_read_localization(auditd_t)
+
+tunable_policy(`targeted_policy', `
+	terminal_ignore_use_general_physical_terminal(auditd_t)
+	terminal_ignore_use_general_pseudoterminal(auditd_t)
+	files_ignore_read_rootfs_file(auditd_t)
+')
+
+optional_policy(`selinux.te',`
+	selinux_newrole_sigchld(auditd_t)
+')
+
+optional_policy(`udev.te', `
+	udev_read_database(auditd_t)
+')
+
+ifdef(`TODO',`
+allow auditd_t proc_t:dir r_dir_perms;
+allow auditd_t proc_t:lnk_file read;
+dontaudit auditd_t unpriv_userdomain:fd use;
+allow auditd_t autofs_t:dir { search getattr };
+dontaudit auditd_t sysadm_home_dir_t:dir search;
+optional_policy(`rhgb.te', `
+allow auditd_t rhgb_t:process sigchld;
+allow auditd_t rhgb_t:fd use;
+allow auditd_t rhgb_t:fifo_file { read write };
+')
+
+# cjp: this is questionable:
+allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;
+') dnl endif TODO
+
+########################################
+#
 # klogd local policy
 #
 
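Review bot: The `ifdef(`TODO',…)` block at the end of the new auditd policy carries raw allow rules against types owned by other modules (`proc_t`, `autofs_t`, `sysadm_home_dir_t`, `rhgb_t`, `sysadm_tty_device_t`) plus the rule the author already marked questionable, `allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms`, which would give the audit daemon read/write on the administrator's terminal device. Nothing in this hunk defines `TODO`, so the block is dead today, but it is exactly how stray rules resurface when someone defines it to chase a denial; the `proc_t` and `rhgb_t` needs should go through the owning modules' interfaces, the way `kernel_read_kernel_sysctl(auditd_t)` above does, and the tty rule should be dropped rather than preserved. Separately, the live rules grant `auditd_t` `unlink rename link` on `auditd_log_t` (presumably for rotation), so the integrity of the audit trail depends entirely on no other domain reaching `auditd_t` or `auditd_log_t`; a comment above that rule, `# auditd may rotate its own logs; no other domain should get write/unlink on auditd_log_t`, would warn the next maintainer before they loosen it.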

