Add auditd's rules of SELinux to 8.1.7

2025-07-29 16:45:50 +02:00 · 2020-07-07 17:27:14 +08:00 · 2020-07-07 17:27:14 +08:00 · cdc65bb494
commit cdc65bb494
parent 985ce35353
1 changed files with 9 additions and 4 deletions
--- a/bin/hardening/8.1.7_record_mac_edit.sh
+++ b/bin/hardening/8.1.7_record_mac_edit.sh
@ -20,10 +20,15 @@ SELINUX_PKG_CENTOS="selinux-policy"

 SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy
 -a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=4294967295 -k perm_chng"
+-a always,exit -F path=/usr/bin/audit2allow -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
+-a always,exit -F path=/usr/bin/chcon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
+-a always,exit -F path=/usr/bin/newrole -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
+-a always,exit -F path=/usr/sbin/semanage -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
+-a always,exit -F path=/usr/sbin/setsebool -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
+-a always,exit -F path=/usr/sbin/restorecon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
+-a always,exit -F path=/usr/sbin/fixfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
+-a always,exit -F path=/usr/sbin/setenforce -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
+-a always,exit -F path=/usr/sbin/setfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event"

 APPARMOR_PKG="apparmor"
 AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy