Exclude audit-related capabilities from unconfined domains. Require them to be explicitly granted by specific allow rules. audit_write is required to write an audit message from userspace. audit_control is required to configure the audit subsystem. Change-Id: I5aa4e3228f9b0bde3570689fe7a0d68e56861a17 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

commit: e8c9fdac46c2ae972fd9e0f97b442d59b349e718 [log] [tgz]
author: Stephen Smalley <sds@tycho.nsa.gov> Thu Apr 03 08:51:38 2014 -0400
committer: Stephen Smalley <sds@tycho.nsa.gov> Thu Apr 03 08:51:38 2014 -0400
tree: 07b4d852471258117f0acbfa47e9aaac84042e92
parent: 888d283c30784bb61d4bd10878c85634b31da1d3 [diff]
diff --git a/unconfined.te b/unconfined.te
index c3355c7..9b5f8c9 100644
--- a/unconfined.te
+++ b/unconfined.te

@@ -16,7 +16,7 @@
 # The use of this template is discouraged.
 ######################################################
 
-allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module };
+allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module audit_write audit_control };
 allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
 allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
 allow unconfineddomain kernel:system *;
commit	e8c9fdac46c2ae972fd9e0f97b442d59b349e718	[log] [tgz]
author	Stephen Smalley <sds@tycho.nsa.gov>	Thu Apr 03 08:51:38 2014 -0400
committer	Stephen Smalley <sds@tycho.nsa.gov>	Thu Apr 03 08:51:38 2014 -0400
tree	07b4d852471258117f0acbfa47e9aaac84042e92
parent	888d283c30784bb61d4bd10878c85634b31da1d3 [diff]