selinux-policy/strict/domains/program/unused/resmgrd.te
2005-04-29 17:45:15 +00:00

26 lines
1014 B
Plaintext

# DESC resmgrd - resource manager daemon
#
# Author: Thomas Bleher <ThomasBleher@gmx.de>
daemon_base_domain(resmgrd)
var_run_domain(resmgrd, { file sock_file })
etc_domain(resmgrd)
read_locale(resmgrd_t)
allow resmgrd_t self:capability { dac_override dac_read_search sys_admin sys_rawio };
allow resmgrd_t etc_t:file { getattr read };
allow resmgrd_t self:unix_stream_socket create_stream_socket_perms;
allow resmgrd_t self:unix_dgram_socket create_socket_perms;
# hardware access
allow resmgrd_t device_t:lnk_file { getattr read };
# not sure if it needs write access, needs to be investigated further...
allow resmgrd_t removable_device_t:blk_file { getattr ioctl read write };
allow resmgrd_t scsi_generic_device_t:chr_file { getattr ioctl read write };
allow resmgrd_t scanner_device_t:chr_file { getattr };
# I think a dontaudit should be enough there
dontaudit resmgrd_t fixed_disk_device_t:blk_file { getattr ioctl read };
# there is a macro can_resmgrd_connect() in macros/program/resmgrd_macros.te