From cdc65bb494dac3fe210310594b1a858ee6b59e22 Mon Sep 17 00:00:00 2001
From: Samson-W
Date: Tue, 7 Jul 2020 17:27:14 +0800
Subject: [PATCH] Add auditd's rules of SELinux to 8.1.7
---
 bin/hardening/8.1.7_record_mac_edit.sh | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/bin/hardening/8.1.7_record_mac_edit.sh b/bin/hardening/8.1.7_record_mac_edit.sh
index d9501ab..575698e 100755
--- a/bin/hardening/8.1.7_record_mac_edit.sh
+++ b/bin/hardening/8.1.7_record_mac_edit.sh
@@ -20,10 +20,15 @@ SELINUX_PKG_CENTOS="selinux-policy"
 SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy
 -a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy
--a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
--a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=4294967295 -k perm_chng
--a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=4294967295 -k perm_chng
--a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=4294967295 -k perm_chng"
+-a always,exit -F path=/usr/bin/audit2allow -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
+-a always,exit -F path=/usr/bin/chcon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
+-a always,exit -F path=/usr/bin/newrole -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
+-a always,exit -F path=/usr/sbin/semanage -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
+-a always,exit -F path=/usr/sbin/setsebool -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
+-a always,exit -F path=/usr/sbin/restorecon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
+-a always,exit -F path=/usr/sbin/fixfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
+-a always,exit -F path=/usr/sbin/setenforce -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
+-a always,exit -F path=/usr/sbin/setfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event"
 APPARMOR_PKG="apparmor"
 AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy
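Review bot: The nine added rules are keyed `MAC_Event`, while the two directory rules kept as context in the same `SE_AUDIT_PARAMS` string and the AppArmor rule below use `MAC-policy`, so `ausearch -k MAC-policy` will not return use of the SELinux tools and any report or alert built on the old `perm_chng` key stops matching. A comment above the variable would make the split explicit, for example `# MAC-policy: changes to policy files; MAC_Event: SELinux tools run or modified by login users`. The code that applies these rules is outside the hunk, so it is not visible whether the four old `-k perm_chng` lines are removed from hosts that were already hardened; if that step only appends missing lines, the old rules would remain next to the new ones. The `auid>=1000` threshold is hard-coded although the script appears to target CentOS as well, so deriving it from `UID_MIN` in `/etc/login.defs` may be worth considering.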