selinux-policy/policy/modules/services/sysstat.te

policy_module(sysstat, 1.6.0)

########################################
#
# Declarations
#

type sysstat_t;
type sysstat_exec_t;
init_system_domain(sysstat_t, sysstat_exec_t)
role system_r types sysstat_t;

type sysstat_log_t;
logging_log_file(sysstat_log_t)

########################################
#
# Local policy
#

allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_config };
allow sysstat_t self:fifo_file rw_fifo_file_perms;

can_exec(sysstat_t, sysstat_exec_t)

manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })

# get info from /proc
kernel_read_system_state(sysstat_t)
kernel_read_network_state(sysstat_t)
kernel_read_kernel_sysctls(sysstat_t)
kernel_read_fs_sysctls(sysstat_t)
kernel_read_rpc_sysctls(sysstat_t)

corecmd_exec_bin(sysstat_t)

dev_read_urand(sysstat_t)
dev_read_sysfs(sysstat_t)

files_search_var(sysstat_t)
# for mtab
files_read_etc_runtime_files(sysstat_t)
#for fstab
files_read_etc_files(sysstat_t)

fs_getattr_xattr_fs(sysstat_t)
fs_list_inotifyfs(sysstat_t)

term_use_console(sysstat_t)
term_use_all_terms(sysstat_t)

init_use_fds(sysstat_t)

locallogin_use_fds(sysstat_t)

miscfiles_read_localization(sysstat_t)

userdom_dontaudit_list_user_home_dirs(sysstat_t)

optional_policy(`
	cron_system_entry(sysstat_t, sysstat_exec_t)
')

optional_policy(`
	logging_send_syslog_msg(sysstat_t)
')

optional_policy(`
	nscd_socket_use(sysstat_t)
')