selinux-policy/strict/domains/program/unused/watchdog.te

56 lines
1.7 KiB
Plaintext
Raw Normal View History

2005-04-29 17:45:15 +00:00
#DESC Watchdog - Software watchdog daemon
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: watchdog
#
#################################
#
# Rules for the watchdog_t domain.
#
daemon_domain(watchdog, `, privmail')
type watchdog_device_t, device_type, dev_fs;
allow watchdog_t self:process setsched;
2005-04-29 17:45:15 +00:00
log_domain(watchdog)
allow watchdog_t etc_t:file r_file_perms;
allow watchdog_t etc_t:lnk_file read;
allow watchdog_t self:unix_dgram_socket create_socket_perms;
allow watchdog_t proc_t:file r_file_perms;
allow watchdog_t self:capability { ipc_lock sys_pacct sys_nice sys_resource };
allow watchdog_t self:fifo_file rw_file_perms;
allow watchdog_t self:unix_stream_socket create_socket_perms;
can_network(watchdog_t)
allow watchdog_t port_type:tcp_socket name_connect;
2005-04-29 17:45:15 +00:00
can_ypbind(watchdog_t)
allow watchdog_t bin_t:dir search;
allow watchdog_t bin_t:lnk_file read;
allow watchdog_t init_t:process signal;
allow watchdog_t kernel_t:process sigstop;
allow watchdog_t watchdog_device_t:chr_file { getattr write };
# for orderly shutdown
can_exec(watchdog_t, shell_exec_t)
allow watchdog_t domain:process { signal_perms getsession };
allow watchdog_t self:capability kill;
allow watchdog_t sbin_t:dir search;
# for updating mtab on umount
file_type_auto_trans(watchdog_t, etc_t, etc_runtime_t, file)
allow watchdog_t self:capability { sys_admin net_admin sys_boot };
allow watchdog_t fixed_disk_device_t:blk_file swapon;
allow watchdog_t { proc_t fs_t }:filesystem unmount;
# record the fact that we are going down
allow watchdog_t wtmp_t:file append;
# do not care about saving the random seed
dontaudit watchdog_t { urandom_device_t random_device_t }:chr_file read;