selinux-policy/mls/domains/program/mdadm.te

#DESC mdadm - Linux RAID tool
#
# Author: Colin Walters <walters@redhat.com>
#

daemon_base_domain(mdadm, `, fs_domain, privmail')
role sysadm_r types mdadm_t;

allow initrc_t mdadm_var_run_t:file create_file_perms;

# Kernel filesystem permissions
r_dir_file(mdadm_t, proc_t)
allow mdadm_t proc_mdstat_t:file rw_file_perms;
read_sysctl(mdadm_t)
r_dir_file(mdadm_t, sysfs_t) 

# Configuration
allow mdadm_t { etc_t etc_runtime_t }:file { getattr read };
read_locale(mdadm_t)

# Linux capabilities
allow mdadm_t self:capability { dac_override sys_admin ipc_lock };

# Helper program access
can_exec(mdadm_t, { bin_t sbin_t })

# RAID block device access
allow mdadm_t fixed_disk_device_t:blk_file create_file_perms;
allow mdadm_t device_t:lnk_file { getattr read };

# Ignore attempts to read every device file
dontaudit mdadm_t device_type:{ chr_file blk_file } getattr;
dontaudit mdadm_t device_t:{ fifo_file file dir chr_file blk_file } { read getattr };
dontaudit mdadm_t devpts_t:dir r_dir_perms;

# Ignore attempts to read/write sysadmin tty
dontaudit mdadm_t sysadm_tty_device_t:chr_file rw_file_perms;

# Other random ignores
dontaudit mdadm_t tmpfs_t:dir r_dir_perms;
dontaudit mdadm_t initctl_t:fifo_file getattr;
var_run_domain(mdadm)
allow mdadm_t var_t:dir { getattr search };