69 lines
1.7 KiB
Plaintext
69 lines
1.7 KiB
Plaintext
|
#DESC LRRD - network-wide load graphing
|
||
|
#
|
||
|
# Author: Erich Schubert <erich@debian.org>
|
||
|
# X-Debian-Packages: lrrd-client, lrrd-server
|
||
|
#
|
||
|
|
||
|
#################################
|
||
|
#
|
||
|
# Rules for the lrrd_t domain.
|
||
|
#
|
||
|
# lrrd_exec_t is the type of the lrrd executable.
|
||
|
#
|
||
|
daemon_domain(lrrd)
|
||
|
|
||
|
allow lrrd_t lrrd_var_run_t:sock_file create_file_perms;
|
||
|
|
||
|
etcdir_domain(lrrd)
|
||
|
type lrrd_var_lib_t, file_type, sysadmfile;
|
||
|
|
||
|
log_domain(lrrd)
|
||
|
tmp_domain(lrrd)
|
||
|
|
||
|
# has cron jobs
|
||
|
system_crond_entry(lrrd_exec_t, lrrd_t)
|
||
|
allow crond_t lrrd_var_lib_t:dir search;
|
||
|
|
||
|
# init script
|
||
|
allow initrc_t lrrd_log_t:file { write append setattr ioctl };
|
||
|
|
||
|
# allow to drop privileges and renice
|
||
|
allow lrrd_t self:capability { setgid setuid };
|
||
|
allow lrrd_t self:process { getsched setsched };
|
||
|
|
||
|
allow lrrd_t urandom_device_t:chr_file { getattr read };
|
||
|
allow lrrd_t proc_t:file { getattr read };
|
||
|
allow lrrd_t usr_t:file { read ioctl };
|
||
|
|
||
|
can_exec(lrrd_t, bin_t)
|
||
|
allow lrrd_t bin_t:dir search;
|
||
|
allow lrrd_t usr_t:lnk_file read;
|
||
|
|
||
|
# Allow access to the lrrd databases
|
||
|
create_dir_file(lrrd_t, lrrd_var_lib_t)
|
||
|
allow lrrd_t var_lib_t:dir search;
|
||
|
|
||
|
# read config files
|
||
|
r_dir_file(initrc_t, lrrd_etc_t)
|
||
|
allow lrrd_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
|
||
|
# for accessing the output directory
|
||
|
ifdef(`apache.te', `
|
||
|
allow lrrd_t httpd_sys_content_t:dir search;
|
||
|
')
|
||
|
|
||
|
allow lrrd_t etc_t:dir search;
|
||
|
|
||
|
can_unix_connect(sysadm_t, lrrd_t)
|
||
|
can_unix_connect(lrrd_t, lrrd_t)
|
||
|
can_unix_send(lrrd_t, lrrd_t)
|
||
|
can_network_server(lrrd_t)
|
||
|
can_ypbind(lrrd_t)
|
||
|
|
||
|
ifdef(`logrotate.te', `
|
||
|
r_dir_file(logrotate_t, lrrd_etc_t)
|
||
|
allow logrotate_t lrrd_var_lib_t:dir search;
|
||
|
allow logrotate_t lrrd_var_run_t:dir search;
|
||
|
allow logrotate_t lrrd_var_run_t:sock_file write;
|
||
|
can_unix_connect(logrotate_t, lrrd_t)
|
||
|
')
|