From e8c9fdac46c2ae972fd9e0f97b442d59b349e718 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 3 Apr 2014 08:51:38 -0400
Subject: [PATCH] Exclude audit-related capabilities from unconfined domains.

Require them to be explicitly granted by specific allow rules.
audit_write is required to write an audit message from userspace.
audit_control is required to configure the audit subsystem.

Change-Id: I5aa4e3228f9b0bde3570689fe7a0d68e56861a17
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 unconfined.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/unconfined.te b/unconfined.te
index c3355c745..9b5f8c9e6 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -16,7 +16,7 @@
 # The use of this template is discouraged.
 ######################################################
 
-allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module };
+allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module audit_write audit_control };
 allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
 allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
 allow unconfineddomain kernel:system *;
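Review bot: The widened exclusion set on the `self:capability` rule has no comment recording why `audit_write` and `audit_control` are withheld, so the next edit to this deny-list has nothing to anchor to. A line above the rule would keep the intent next to the policy, for example `# audit_write/audit_control: grant only through explicit per-domain allow rules.` The diffstat shows only unconfined.te changing, so any domain carrying `unconfineddomain` that emits audit records from userspace or configures the audit subsystem would presumably start logging denials unless matching allow rules already exist elsewhere. Checking the AVC log on a test build for `audit_write` and `audit_control` denials would confirm this before the change ships. Because the rule is a complement set, any capability not named in the braces stays granted to every unconfined domain, which is worth stating in the same comment.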
-- 
GitLab