policy_module(acct, 1.5.1)

########################################
#
# Declarations
#

type acct_t;
type acct_exec_t;
init_system_domain(acct_t, acct_exec_t)

type acct_initrc_exec_t;
init_script_file(acct_initrc_exec_t)

type acct_data_t;
logging_log_file(acct_data_t)

########################################
#
# Local Policy
#

allow acct_t self:capability { chown fsetid kill sys_pacct };
dontaudit acct_t self:capability sys_tty_config;
allow acct_t self:process signal_perms;
allow acct_t self:fifo_file rw_fifo_file_perms;

manage_files_pattern(acct_t, acct_data_t, acct_data_t)
manage_lnk_files_pattern(acct_t, acct_data_t, acct_data_t)

can_exec(acct_t, acct_exec_t)

kernel_list_proc(acct_t)
kernel_read_system_state(acct_t)
kernel_read_kernel_sysctls(acct_t)

corecmd_exec_bin(acct_t)
corecmd_exec_shell(acct_t)

dev_read_sysfs(acct_t)
dev_read_urand(acct_t)

fs_search_auto_mountpoints(acct_t)
fs_getattr_xattr_fs(acct_t)

term_dontaudit_use_console(acct_t)
term_dontaudit_use_generic_ptys(acct_t)

files_read_etc_runtime_files(acct_t)

auth_use_nsswitch(acct_t)

init_use_fds(acct_t)
init_use_script_ptys(acct_t)
init_exec_script_files(acct_t)

logging_send_syslog_msg(acct_t)

userdom_dontaudit_search_user_home_dirs(acct_t)
userdom_dontaudit_use_unpriv_user_fds(acct_t)

optional_policy(`
	optional_policy(`
		# for monthly cron job
		auth_log_filetrans_login_records(acct_t)
		auth_manage_login_records(acct_t)
	')

	cron_system_entry(acct_t, acct_exec_t)
')

optional_policy(`
	seutil_sigchld_newrole(acct_t)
')

optional_policy(`
	udev_read_db(acct_t)
')