
Suppose I want to use SELinux to lock down audit logs even more tightly than ordinary logs. Ordinary logs typically have type var_log_t, but audit logs have type auditd_log_t. So there's at least a basis for discriminating their access.

What (I think) I want to do is have a couple of different administrator role types, both of which can access objects of type var_log_t, but only the more privileged of which can access objects of type auditd_log_t. But so far I haven't found how to view (let alone adjust) the core rules that say "May subject do action to object?"

As it stands now, if I have an "ordinary" administrator of user class staff_u, with a sudo upgrade path to sysadm_r as described at 3.9. Confining an administrator by using sudo and the sysadm_r role, that user can access both the "ordinary" logs and the audit logs (that is, objects of both types var_log_t and auditd_log_t). I want to deny this "ordinary" admin access to the audit logs, and restrict that access to some higher-level admin.

Or perhaps I'm on the wrong track?

I realize that sysadm_r is already the highest-level, most-privileged administrator, so perhaps I merely have to find an existing but lesser admin role and only allow my staff_u user to upgrade to that. And if I knew how to list the roles which are allowed to access objects of various types, I'm thinking that would be a good way to find clues about what that lesser admin role might be.
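As an added example (not from the original question or any answer), the following shell script performs the lookup the question asks for: it combines the allow rules that target a file type (from `sesearch`) with the types a role may run as (from `seinfo -r ROLE -x`) to list which of that role's domains can read files of the type. It assumes the setools CLI is installed on the live system; where it is not, it falls back to constructed sample output so the logic can still be exercised offline.

```shell
#!/bin/sh
# Added example; not part of the original question.
# Answers "which of a role's domains may read files of type X?" by combining
# two setools queries: sesearch (allow rules) and seinfo -r ROLE -x (the
# role's types). Without setools it parses constructed sample output instead.

# Constructed sample of `sesearch -A -t auditd_log_t -c file -p read` output.
SAMPLE_SESEARCH='allow auditd_t auditd_log_t:file { append create getattr ioctl lock open read write };
allow sysadm_t auditd_log_t:file { getattr ioctl open read };
allow logrotate_t auditd_log_t:file { getattr open read };
allow sysadm_t var_log_t:file { getattr ioctl open read };'

# Constructed sample of `seinfo -r sysadm_r -x` output (statement format assumed).
SAMPLE_SEINFO='Roles: 1
   role sysadm_r types { sysadm_t logrotate_t sysadm_su_t };'

# Source domains of allow rules whose target is exactly type $1 (rules on stdin).
domains_for_type() {
    awk -v t="$1" '$1 == "allow" && index($3, t ":") == 1 { print $2 }' | sort -u
}

# Types named in a `role R types { ... };` statement (seinfo output on stdin).
types_for_role() {
    sed -n 's/.*types {\([^}]*\)}.*/\1/p' | tr ' ' '\n' | sed '/^$/d' | sort -u
}

# Intersection of the two sets: $1 = type, $2 = sesearch text, $3 = seinfo text.
# Both inputs are already unique, so a duplicate after sorting means "in both".
role_domains_reaching_type() {
    { printf '%s\n' "$2" | domains_for_type "$1"
      printf '%s\n' "$3" | types_for_role; } | sort | uniq -d
}

if command -v sesearch >/dev/null 2>&1 && command -v seinfo >/dev/null 2>&1; then
    RULES=$(sesearch -A -t auditd_log_t -c file -p read)   # live policy
    ROLEINFO=$(seinfo -r sysadm_r -x)
else
    RULES=$SAMPLE_SESEARCH; ROLEINFO=$SAMPLE_SEINFO         # offline sample
fi
echo "Domains reachable from sysadm_r that may read auditd_log_t files:"
role_domains_reaching_type auditd_log_t "$RULES" "$ROLEINFO"
```

Running the same two queries with var_log_t instead of auditd_log_t, and with a candidate lesser role instead of sysadm_r, shows whether that role already has the split the question is after.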

