diff --git a/selinux/sau.fc b/selinux/sau.fc
new file mode 100644
index 0000000..c00c6e5
--- /dev/null
+++ b/selinux/sau.fc
@@ -0,0 +1,2 @@
+/usr/bin/sau gen_context(system_u:object_r:sau_t,s0)
+/etc/sau.cfg gen_context(system_u:object_r:sau_config_t,s0)
diff --git a/selinux/sau.te b/selinux/sau.te
new file mode 100644
index 0000000..78dd2bf
--- /dev/null
+++ b/selinux/sau.te
@@ -0,0 +1,32 @@
+policy_module(sau, 0.1)
+
+gen_require(`
+ type system_cronjob_t;
+ type sysadm_t;
+
+ role sysadm_r;
+ roly system_r;
+')
+
+type sau_t;
+type sau_exec_t;
+type sau_config_t;
+
+domain_type(sau_t)
+domain_entry_file(sau_t, sau_exec_t)
+files_config_file(sau_config_t)
+read_files_pattern(sau_t, etc_t, sau_config_t);
+
+role sysadm_r types sau_t;
+role system_r types sau_t;
+
+domain_auto_transition_pattern(sysadm_t, sau_exec_t, sau_t)
+domain_auto_transition_pattern(system_cronjob_t, sau_exec_t, sau_t)
+
+# this should be fixed, but I don't know enough selinux magic to restrict this
+# while still allowing it to inspect all open files for all processes
+unconfined_domain_noaudit(sau_t)
+
+# Gentoo specific
+portage_domtrans(sau_t)
+
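Review bot: The first line labels the binary with the process domain `sau_t`, but the accompanying sau.te declares `sau_exec_t` as the entry-point type (`domain_entry_file(sau_t, sau_exec_t)`) and keys both `domain_auto_transition_pattern` calls on it, so with this file context the transitions never fire and nothing ever runs as `sau_t`. The context line should be `/usr/bin/sau -- gen_context(system_u:object_r:sau_exec_t,s0)`, with `--` restricting the match to a regular file as refpolicy convention expects for executables. The `/etc/sau.cfg` entry is consistent with the `sau_config_t` type the policy declares.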
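Review bot: `unconfined_domain_noaudit(sau_t)` near the end of the hunk makes `sau_t` a fully unconfined domain, so the auto-transition from `system_cronjob_t` two lines earlier turns any cron job that executes this binary into an unconfined process, and the `_noaudit` variant also suppresses the denials that would show what the program actually needs; the `sau_t` label therefore adds no confinement and the `portage_domtrans(sau_t)` grant compounds it. The stated requirement, reading every process's open files, looks to be coverable with the refpolicy "all domains" read interfaces rather than unconfinement, e.g. `domain_read_all_domains_state(sau_t)` plus `files_read_all_files(sau_t)` and `kernel_read_system_state(sau_t)` — the exact set should be confirmed by running the module permissive and reviewing audit2allow output before the unconfined line is dropped. Separately, `roly system_r;` in the `gen_require` block is a typo for `role system_r;` that checkmodule will reject, and `etc_t` in `read_files_pattern(sau_t, etc_t, sau_config_t);` is not listed in `gen_require` (and the trailing `;` is not refpolicy style); `files_search_etc(sau_t)` followed by `read_files_pattern(sau_t, sau_config_t, sau_config_t)` is the conventional form.
```selinux
# … unchanged: policy_module, gen_require (with role system_r;), type declarations …
files_search_etc(sau_t)
read_files_pattern(sau_t, sau_config_t, sau_config_t)
# … unchanged: role statements and domain_auto_transition_pattern calls …
# Read-only view of every process and file so sau can enumerate open files;
# confirm the final interface set under permissive/audit2allow before shipping.
domain_read_all_domains_state(sau_t)
files_read_all_files(sau_t)
kernel_read_system_state(sau_t)
# … unchanged: Gentoo-specific portage_domtrans …
```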