@@ -32,6 +32,7 @@ F: package/vulkan-loader/
F: package/vulkan-tools/
N: Adam Duskett <adam.duskett@amarulasolutions.com>
+F: package/audit/selinux/
F: package/busybox/selinux/
F: package/depot-tools/
F: package/flutter-engine/
new file mode 100644
new file mode 100644
@@ -0,0 +1 @@
+## <summary>Buildroot audit rules</summary>
new file mode 100644
@@ -0,0 +1,13 @@
+policy_module(buildroot-audit, 1.0.0)
+
+#============= auditd_t ==============
+allow auditd_t auditd_etc_t:file map;
+allow auditd_t device_t:chr_file { open read write };
+allow auditd_t kernel_t:fd use;
+allow auditd_t root_t:chr_file { read write };
+allow auditd_t selinux_config_t:dir search;
+allow auditd_t tmpfs_t:dir { remove_name add_name search write };
+allow auditd_t tmpfs_t:file { create open write unlink };
+allow auditd_t tmp_t:dir { add_name getattr open read search setattr write };
+allow auditd_t tmp_t:file { append create setattr getattr read open };
+allow auditd_t var_t:lnk_file read;
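Review bot: the allow rules on generic types in buildroot-audit.te (device_t:chr_file { open read write }, root_t:chr_file { read write }, and the create/unlink/setattr sets on tmpfs_t and tmp_t) have no comment saying which path or denial each one answers, so a reader cannot tell a required permission from one that papers over a mislabelled object. Please add a short comment per rule naming the file or device node involved. Since the accompanying .fc is empty, consider whether the character device and the temporary files auditd touches should get their own label instead of widening auditd_t onto every device_t, root_t, tmp_t and tmpfs_t object of that class. The file also references auditd_t and the other types without a gen_require block. If this module can be built as a loadable module rather than only into the base policy, those types need to be required or the rules expressed through the existing refpolicy interfaces.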
This is a basic policy necessary for audit to work properly in enforcing mode without any denials.

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
 DEVELOPERS                               |  1 +
 package/audit/selinux/buildroot-audit.fc |  0
 package/audit/selinux/buildroot-audit.if |  1 +
 package/audit/selinux/buildroot-audit.te | 13 +++++++++++++
 4 files changed, 15 insertions(+)
 create mode 100644 package/audit/selinux/buildroot-audit.fc
 create mode 100644 package/audit/selinux/buildroot-audit.if
 create mode 100644 package/audit/selinux/buildroot-audit.te