policy_module(sysstat,1.0.0) ######################################## # # Declarations # type sysstat_t; type sysstat_exec_t; init_system_domain(sysstat_t,sysstat_exec_t) role system_r types sysstat_t; type sysstat_log_t; logging_log_file(sysstat_log_t) ######################################## # # Local policy # allow sysstat_t self:capability sys_resource; dontaudit sysstat_t self:capability sys_admin; allow sysstat_t self:fifo_file rw_file_perms; can_exec(sysstat_t, sysstat_exec_t) allow sysstat_t sysstat_log_t:file create_file_perms; allow sysstat_t sysstat_log_t:dir rw_dir_perms; logging_filetrans_log(sysstat_t,sysstat_log_t,{ file dir }) # get info from /proc kernel_read_system_state(sysstat_t) kernel_read_network_state(sysstat_t) kernel_read_kernel_sysctls(sysstat_t) kernel_read_fs_sysctls(sysstat_t) kernel_read_rpc_sysctls(sysstat_t) corecmd_dontaudit_search_sbin(sysstat_t) corecmd_exec_bin(sysstat_t) dev_read_urand(sysstat_t) files_search_var(sysstat_t) # for mtab files_read_etc_runtime_files(sysstat_t) #for fstab files_read_etc_files(sysstat_t) fs_getattr_xattr_fs(sysstat_t) term_use_console(sysstat_t) init_use_fd(sysstat_t) init_use_script_ptys(sysstat_t) libs_use_ld_so(sysstat_t) libs_use_shared_libs(sysstat_t) miscfiles_read_localization(sysstat_t) userdom_dontaudit_list_sysadm_home_dir(sysstat_t) optional_policy(`cron',` cron_system_entry(sysstat_t,sysstat_exec_t) ') optional_policy(`logging',` logging_send_syslog_msg(sysstat_t) ')