[Buildroot] [PATCH 06/12] package/audit/selinux: Add buildroot audit policy

Adam Duskett adam.duskett at amarulasolutions.com
Thu Oct 12 10:32:03 UTC 2023


This is a basic policy necessary for audit to work properly in enforcing mode
without any denials.

Signed-off-by: Adam Duskett <adam.duskett at amarulasolutions.com>
---
 DEVELOPERS                               |  1 +
 package/audit/selinux/buildroot-audit.fc |  0
 package/audit/selinux/buildroot-audit.if |  1 +
 package/audit/selinux/buildroot-audit.te | 13 +++++++++++++
 4 files changed, 15 insertions(+)
 create mode 100644 package/audit/selinux/buildroot-audit.fc
 create mode 100644 package/audit/selinux/buildroot-audit.if
 create mode 100644 package/audit/selinux/buildroot-audit.te

diff --git a/DEVELOPERS b/DEVELOPERS
index a90f453261..5f4b7320ba 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -32,6 +32,7 @@ F:	package/vulkan-loader/
 F:	package/vulkan-tools/
 
 N:	Adam Duskett <adam.duskett at amarulasolutions.com>
+F:	package/audit/selinux/
 F:	package/busybox/selinux/
 F:	package/depot-tools/
 F:	package/flutter-engine/
diff --git a/package/audit/selinux/buildroot-audit.fc b/package/audit/selinux/buildroot-audit.fc
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/package/audit/selinux/buildroot-audit.if b/package/audit/selinux/buildroot-audit.if
new file mode 100644
index 0000000000..2a739a1113
--- /dev/null
+++ b/package/audit/selinux/buildroot-audit.if
@@ -0,0 +1 @@
+## <summary>Buildroot audit rules</summary>
diff --git a/package/audit/selinux/buildroot-audit.te b/package/audit/selinux/buildroot-audit.te
new file mode 100644
index 0000000000..3cac330d30
--- /dev/null
+++ b/package/audit/selinux/buildroot-audit.te
@@ -0,0 +1,13 @@
+policy_module(buildroot-audit, 1.0.0)
+
+#============= auditd_t ==============
+allow auditd_t auditd_etc_t:file map;
+allow auditd_t device_t:chr_file { open read write };
+allow auditd_t kernel_t:fd use;
+allow auditd_t root_t:chr_file { read write };
+allow auditd_t selinux_config_t:dir search;
+allow auditd_t tmpfs_t:dir { remove_name add_name search write };
+allow auditd_t tmpfs_t:file { create open write unlink };
+allow auditd_t tmp_t:dir { add_name getattr open read search setattr write };
+allow auditd_t tmp_t:file { append create setattr getattr read open };
+allow auditd_t var_t:lnk_file read;
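Review bot: the rules in buildroot-audit.te (the whole `#============= auditd_t ==============` block) look like raw audit2allow output granting auditd_t access to generic types such as `device_t:chr_file`, `root_t:chr_file`, `tmpfs_t`, `tmp_t` and `var_t:lnk_file`; a character device carrying the `root_t` or `device_t` label usually means the node was never relabeled, so that denial is better fixed with a file context in buildroot-audit.fc (left empty by this patch) than with an allow rule against the generic type, which opens every device on the system to auditd_t. Where an allow rule is genuinely needed, refpolicy style is to call the owning module's interface, e.g. `dev_rw_generic_chr_files(auditd_t)`, `files_search_tmp(auditd_t)` or `kernel_use_fds(auditd_t)`, rather than a bare `allow`, so the rule keeps following the type if it is renamed or split. Please also confirm the build is monolithic: if refpolicy is built as loadable modules, every type referenced here belongs to another module and needs a gen_require block, and none is declared.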
-- 
2.41.0
