2005-04-29 17:45:15 +00:00
|
|
|
#DESC Watchdog - Software watchdog daemon
|
|
|
|
#
|
|
|
|
# Author: Russell Coker <russell@coker.com.au>
|
|
|
|
# X-Debian-Packages: watchdog
|
|
|
|
#
|
|
|
|
|
|
|
|
#################################
|
|
|
|
#
|
|
|
|
# Rules for the watchdog_t domain.
|
|
|
|
#
|
|
|
|
|
|
|
|
daemon_domain(watchdog, `, privmail')
|
|
|
|
type watchdog_device_t, device_type, dev_fs;
|
|
|
|
|
2005-09-12 21:40:56 +00:00
|
|
|
allow watchdog_t self:process setsched;
|
|
|
|
|
2005-04-29 17:45:15 +00:00
|
|
|
log_domain(watchdog)
|
|
|
|
|
|
|
|
allow watchdog_t etc_t:file r_file_perms;
|
|
|
|
allow watchdog_t etc_t:lnk_file read;
|
|
|
|
allow watchdog_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
|
|
|
|
allow watchdog_t proc_t:file r_file_perms;
|
|
|
|
|
|
|
|
allow watchdog_t self:capability { ipc_lock sys_pacct sys_nice sys_resource };
|
|
|
|
allow watchdog_t self:fifo_file rw_file_perms;
|
|
|
|
allow watchdog_t self:unix_stream_socket create_socket_perms;
|
|
|
|
can_network(watchdog_t)
|
2005-09-12 21:40:56 +00:00
|
|
|
allow watchdog_t port_type:tcp_socket name_connect;
|
2005-04-29 17:45:15 +00:00
|
|
|
can_ypbind(watchdog_t)
|
|
|
|
allow watchdog_t bin_t:dir search;
|
|
|
|
allow watchdog_t bin_t:lnk_file read;
|
|
|
|
allow watchdog_t init_t:process signal;
|
|
|
|
allow watchdog_t kernel_t:process sigstop;
|
|
|
|
|
|
|
|
allow watchdog_t watchdog_device_t:chr_file { getattr write };
|
|
|
|
|
|
|
|
# for orderly shutdown
|
|
|
|
can_exec(watchdog_t, shell_exec_t)
|
|
|
|
allow watchdog_t domain:process { signal_perms getsession };
|
|
|
|
allow watchdog_t self:capability kill;
|
|
|
|
allow watchdog_t sbin_t:dir search;
|
|
|
|
|
|
|
|
# for updating mtab on umount
|
|
|
|
file_type_auto_trans(watchdog_t, etc_t, etc_runtime_t, file)
|
|
|
|
|
|
|
|
allow watchdog_t self:capability { sys_admin net_admin sys_boot };
|
|
|
|
allow watchdog_t fixed_disk_device_t:blk_file swapon;
|
|
|
|
allow watchdog_t { proc_t fs_t }:filesystem unmount;
|
|
|
|
|
|
|
|
# record the fact that we are going down
|
|
|
|
allow watchdog_t wtmp_t:file append;
|
|
|
|
|
|
|
|
# do not care about saving the random seed
|
|
|
|
dontaudit watchdog_t { urandom_device_t random_device_t }:chr_file read;
|