selinux-policy/policy/modules/services/watchdog.te
2006-12-12 20:08:08 +00:00

121 lines
3.1 KiB
Plaintext

policy_module(watchdog,1.1.0)
#################################
#
# Rules for the watchdog_t domain.
#
type watchdog_t;
type watchdog_exec_t;
init_daemon_domain(watchdog_t,watchdog_exec_t)
type watchdog_log_t;
logging_log_file(watchdog_log_t)
type watchdog_var_run_t;
files_pid_file(watchdog_var_run_t)
########################################
#
# Declarations
#
allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource };
dontaudit watchdog_t self:capability sys_tty_config;
allow watchdog_t self:process { setsched signal_perms };
allow watchdog_t self:fifo_file rw_fifo_file_perms;
allow watchdog_t self:unix_stream_socket create_socket_perms;
allow watchdog_t self:tcp_socket create_stream_socket_perms;
allow watchdog_t self:udp_socket create_socket_perms;
allow watchdog_t watchdog_log_t:file manage_file_perms;
logging_log_filetrans(watchdog_t,watchdog_log_t,file)
manage_files_pattern(watchdog_t,watchdog_var_run_t,watchdog_var_run_t)
files_pid_filetrans(watchdog_t,watchdog_var_run_t,file)
kernel_read_system_state(watchdog_t)
kernel_read_kernel_sysctls(watchdog_t)
kernel_unmount_proc(watchdog_t)
corecmd_search_sbin(watchdog_t)
# for orderly shutdown
corecmd_exec_shell(watchdog_t)
# cjp: why networking?
corenet_non_ipsec_sendrecv(watchdog_t)
corenet_tcp_sendrecv_generic_if(watchdog_t)
corenet_udp_sendrecv_generic_if(watchdog_t)
corenet_tcp_sendrecv_all_nodes(watchdog_t)
corenet_udp_sendrecv_all_nodes(watchdog_t)
corenet_tcp_sendrecv_all_ports(watchdog_t)
corenet_udp_sendrecv_all_ports(watchdog_t)
corenet_tcp_connect_all_ports(watchdog_t)
corenet_sendrecv_all_client_packets(watchdog_t)
dev_read_sysfs(watchdog_t)
dev_write_watchdog(watchdog_t)
# do not care about saving the random seed
dev_dontaudit_read_rand(watchdog_t)
dev_dontaudit_read_urand(watchdog_t)
domain_use_interactive_fds(watchdog_t)
domain_getsession_all_domains(watchdog_t)
domain_sigchld_all_domains(watchdog_t)
domain_sigstop_all_domains(watchdog_t)
domain_signull_all_domains(watchdog_t)
domain_signal_all_domains(watchdog_t)
domain_kill_all_domains(watchdog_t)
files_read_etc_files(watchdog_t)
# for updating mtab on umount
files_manage_etc_runtime_files(watchdog_t)
files_etc_filetrans_etc_runtime(watchdog_t,file)
fs_unmount_xattr_fs(watchdog_t)
fs_getattr_all_fs(watchdog_t)
fs_search_auto_mountpoints(watchdog_t)
term_dontaudit_use_console(watchdog_t)
# record the fact that we are going down
auth_append_login_records(watchdog_t)
init_use_fds(watchdog_t)
init_use_script_ptys(watchdog_t)
libs_use_ld_so(watchdog_t)
libs_use_shared_libs(watchdog_t)
logging_send_syslog_msg(watchdog_t)
miscfiles_read_localization(watchdog_t)
sysnet_read_config(watchdog_t)
userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
userdom_dontaudit_search_sysadm_home_dirs(watchdog_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(watchdog_t)
term_dontaudit_use_generic_ptys(watchdog_t)
files_dontaudit_read_root_files(watchdog_t)
')
optional_policy(`
mta_send_mail(watchdog_t)
')
optional_policy(`
nis_use_ypbind(watchdog_t)
')
optional_policy(`
seutil_sigchld_newrole(watchdog_t)
')
optional_policy(`
udev_read_db(watchdog_t)
')