26 lines
1014 B
Plaintext
26 lines
1014 B
Plaintext
# DESC resmgrd - resource manager daemon
|
|
#
|
|
# Author: Thomas Bleher <ThomasBleher@gmx.de>
|
|
|
|
daemon_base_domain(resmgrd)
|
|
var_run_domain(resmgrd, { file sock_file })
|
|
etc_domain(resmgrd)
|
|
read_locale(resmgrd_t)
|
|
allow resmgrd_t self:capability { dac_override dac_read_search sys_admin sys_rawio };
|
|
|
|
allow resmgrd_t etc_t:file { getattr read };
|
|
allow resmgrd_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow resmgrd_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
# hardware access
|
|
allow resmgrd_t device_t:lnk_file { getattr read };
|
|
# not sure if it needs write access, needs to be investigated further...
|
|
allow resmgrd_t removable_device_t:blk_file { getattr ioctl read write };
|
|
allow resmgrd_t scsi_generic_device_t:chr_file { getattr ioctl read write };
|
|
allow resmgrd_t scanner_device_t:chr_file { getattr };
|
|
# I think a dontaudit should be enough there
|
|
dontaudit resmgrd_t fixed_disk_device_t:blk_file { getattr ioctl read };
|
|
|
|
# there is a macro can_resmgrd_connect() in macros/program/resmgrd_macros.te
|
|
|