policy_module(acct, 1.6.0) ######################################## # # Declarations # type acct_t; type acct_exec_t; init_system_domain(acct_t, acct_exec_t) type acct_initrc_exec_t; init_script_file(acct_initrc_exec_t) type acct_data_t; logging_log_file(acct_data_t) ######################################## # # Local Policy # allow acct_t self:capability { chown fsetid kill sys_pacct }; dontaudit acct_t self:capability sys_tty_config; allow acct_t self:process signal_perms; allow acct_t self:fifo_file rw_fifo_file_perms; manage_files_pattern(acct_t, acct_data_t, acct_data_t) manage_lnk_files_pattern(acct_t, acct_data_t, acct_data_t) can_exec(acct_t, acct_exec_t) kernel_list_proc(acct_t) kernel_read_system_state(acct_t) kernel_read_kernel_sysctls(acct_t) corecmd_exec_bin(acct_t) corecmd_exec_shell(acct_t) dev_read_sysfs(acct_t) dev_read_urand(acct_t) fs_search_auto_mountpoints(acct_t) fs_getattr_xattr_fs(acct_t) term_dontaudit_use_console(acct_t) term_dontaudit_use_generic_ptys(acct_t) files_read_etc_runtime_files(acct_t) auth_use_nsswitch(acct_t) init_use_fds(acct_t) init_use_script_ptys(acct_t) init_exec_script_files(acct_t) logging_send_syslog_msg(acct_t) userdom_dontaudit_search_user_home_dirs(acct_t) userdom_dontaudit_use_unpriv_user_fds(acct_t) optional_policy(` optional_policy(` # for monthly cron job auth_log_filetrans_login_records(acct_t) auth_manage_login_records(acct_t) ') cron_system_entry(acct_t, acct_exec_t) ') optional_policy(` seutil_sigchld_newrole(acct_t) ') optional_policy(` udev_read_db(acct_t) ')