Berkeley process accounting

######################################## ##

## Transition to the accounting management domain. ##

## ##

## Domain allowed to transition. ##

## # interface(`acct_domtrans',` gen_require(` type acct_t, acct_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, acct_exec_t, acct_t) ') ######################################## ##

## Execute accounting management tools in the caller domain. ##

## ##

## Domain allowed access. ##

## # interface(`acct_exec',` gen_require(` type acct_exec_t; ') corecmd_search_bin($1) can_exec($1, acct_exec_t) ') ######################################## ##

## Execute accounting management data in the caller domain. ##

## ##

## Domain allowed access. ##

## # # cjp: this is added for logrotate, and does # not make sense to me. interface(`acct_exec_data',` gen_require(` type acct_data_t; ') files_search_var($1) can_exec($1, acct_data_t) ') ######################################## ##

## Create, read, write, and delete process accounting data. ##

## ##

## Domain allowed access. ##

## # interface(`acct_manage_data',` gen_require(` type acct_data_t; ') files_search_var($1) manage_files_pattern($1, acct_data_t, acct_data_t) manage_lnk_files_pattern($1, acct_data_t, acct_data_t) ') ######################################## ##

## Dontaudit Attempts to list acct_data directory ##

## ##

## Domain to not audit. ##

## # interface(`acct_dontaudit_list_data',` gen_require(` type acct_data_t; ') dontaudit $1 acct_data_t:dir list_dir_perms; ')