## Berkeley process accounting. ######################################## ## ## Transition to the accounting ## management domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`acct_domtrans',` gen_require(` type acct_t, acct_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, acct_exec_t, acct_t) ') ######################################## ## ## Execute accounting management tools ## in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`acct_exec',` gen_require(` type acct_exec_t; ') corecmd_search_bin($1) can_exec($1, acct_exec_t) ') ######################################## ## ## Execute accounting management data ## in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`acct_exec_data',` gen_require(` type acct_data_t; ') files_search_var($1) can_exec($1, acct_data_t) ') ######################################## ## ## Search process accounting data. ## ## ## ## Domain allowed access. ## ## # interface(`acct_search_data',` gen_require(` type acct_data_t; ') search_dirs_pattern($1, acct_data_t, acct_data_t) ') ######################################## ## ## Create, read, write, and delete ## process accounting data. ## ## ## ## Domain allowed access. ## ## # interface(`acct_manage_data',` gen_require(` type acct_data_t; ') files_search_var($1) manage_files_pattern($1, acct_data_t, acct_data_t) manage_lnk_files_pattern($1, acct_data_t, acct_data_t) ') ######################################## ## ## Dontaudit Attempts to list acct_data directory ## ## ## ## Domain to not audit. ## ## # interface(`acct_dontaudit_list_data',` gen_require(` type acct_data_t; ') dontaudit $1 acct_data_t:dir list_dir_perms; ') ####################################### ## ## All of the rules required to ## administrate an acct environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## ## # interface(`acct_admin',` gen_require(` type acct_t, acct_initrc_exec_t, acct_data_t; ') allow $1 acct_t:process { signal_perms }; ps_process_pattern($1, acct_t) tunable_policy(`deny_ptrace',`',` allow $1 acct_t:process ptrace; ') init_labeled_script_domtrans($1, acct_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 acct_initrc_exec_t system_r; allow $2 system_r; logging_search_logs($1) admin_pattern($1, acct_data_t) ')