selinux-policy/strict/domains/program/unused/watchdog.te

#DESC Watchdog - Software watchdog daemon
#
# Author:  Russell Coker <russell@coker.com.au>
# X-Debian-Packages: watchdog
#

#################################
#
# Rules for the watchdog_t domain.
#

daemon_domain(watchdog, `, privmail')
type watchdog_device_t, device_type, dev_fs;

log_domain(watchdog)

allow watchdog_t etc_t:file r_file_perms;
allow watchdog_t etc_t:lnk_file read;
allow watchdog_t self:unix_dgram_socket create_socket_perms;

allow watchdog_t proc_t:file r_file_perms;

allow watchdog_t self:capability { ipc_lock sys_pacct sys_nice sys_resource };
allow watchdog_t self:fifo_file rw_file_perms;
allow watchdog_t self:unix_stream_socket create_socket_perms;
can_network(watchdog_t)
can_ypbind(watchdog_t)
allow watchdog_t bin_t:dir search;
allow watchdog_t bin_t:lnk_file read;
allow watchdog_t init_t:process signal;
allow watchdog_t kernel_t:process sigstop;

allow watchdog_t watchdog_device_t:chr_file { getattr write };

# for orderly shutdown
can_exec(watchdog_t, shell_exec_t)
allow watchdog_t domain:process { signal_perms getsession };
allow watchdog_t self:capability kill;
allow watchdog_t sbin_t:dir search;

# for updating mtab on umount
file_type_auto_trans(watchdog_t, etc_t, etc_runtime_t, file)

allow watchdog_t self:capability { sys_admin net_admin sys_boot };
allow watchdog_t fixed_disk_device_t:blk_file swapon;
allow watchdog_t { proc_t fs_t }:filesystem unmount;

# record the fact that we are going down
allow watchdog_t wtmp_t:file append;

# do not care about saving the random seed
dontaudit watchdog_t { urandom_device_t random_device_t }:chr_file read;
initial commit 2005-04-29 17:45:15 +00:00			`#DESC Watchdog - Software watchdog daemon`
			`#`
			`# Author: Russell Coker <russell@coker.com.au>`
			`# X-Debian-Packages: watchdog`
			`#`

			`#################################`
			`#`
			`# Rules for the watchdog_t domain.`
			`#`

			daemon_domain(watchdog, `, privmail')
			`type watchdog_device_t, device_type, dev_fs;`

			`log_domain(watchdog)`

			`allow watchdog_t etc_t:file r_file_perms;`
			`allow watchdog_t etc_t:lnk_file read;`
			`allow watchdog_t self:unix_dgram_socket create_socket_perms;`

			`allow watchdog_t proc_t:file r_file_perms;`

			`allow watchdog_t self:capability { ipc_lock sys_pacct sys_nice sys_resource };`
			`allow watchdog_t self:fifo_file rw_file_perms;`
			`allow watchdog_t self:unix_stream_socket create_socket_perms;`
			`can_network(watchdog_t)`
			`can_ypbind(watchdog_t)`
			`allow watchdog_t bin_t:dir search;`
			`allow watchdog_t bin_t:lnk_file read;`
			`allow watchdog_t init_t:process signal;`
			`allow watchdog_t kernel_t:process sigstop;`

			`allow watchdog_t watchdog_device_t:chr_file { getattr write };`

			`# for orderly shutdown`
			`can_exec(watchdog_t, shell_exec_t)`
			`allow watchdog_t domain:process { signal_perms getsession };`
			`allow watchdog_t self:capability kill;`
			`allow watchdog_t sbin_t:dir search;`

			`# for updating mtab on umount`
			`file_type_auto_trans(watchdog_t, etc_t, etc_runtime_t, file)`

			`allow watchdog_t self:capability { sys_admin net_admin sys_boot };`
			`allow watchdog_t fixed_disk_device_t:blk_file swapon;`
			`allow watchdog_t { proc_t fs_t }:filesystem unmount;`

			`# record the fact that we are going down`
			`allow watchdog_t wtmp_t:file append;`

			`# do not care about saving the random seed`
			`dontaudit watchdog_t { urandom_device_t random_device_t }:chr_file read;`