#DESC Sysstat - Sar and similar programs
#
# Authors: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: sysstat
#

#################################
#
# Rules for the sysstat_t domain (sar/sadc data collection).
#
# sysstat_t       - domain the sysstat programs run in
# sysstat_exec_t  - type of the sysstat executables; entry point into sysstat_t
#

# Type and role declarations.  privlog lets the domain talk to syslog.
type sysstat_t, domain, privlog;
type sysstat_exec_t, file_type, sysadmfile, exec_type;
role system_r types sysstat_t;

# How the domain is entered: from the init scripts and from the system cron
# jobs, in both cases by executing a sysstat_exec_t file.
domain_auto_trans(initrc_t, sysstat_exec_t, sysstat_t)
system_crond_entry(sysstat_exec_t, sysstat_t)
allow sysstat_t init_t:fd use;

# Basic process needs: forking/reaping children, shared libraries, pipes.
allow sysstat_t self:process { sigchld fork };
uses_shlib(sysstat_t)
allow sysstat_t self:fifo_file rw_file_perms;

# Capabilities.  sys_resource is granted; sys_admin is requested but not
# needed, so it is only silenced rather than allowed.
allow sysstat_t self:capability sys_resource;
dontaudit sysstat_t self:capability sys_admin;

# Running other programs (the scripts call e.g. date).  NOTE: can_exec on
# bin_t means any bin_t binary runs in sysstat_t itself, with no domain
# transition - the whole of bin_t is executable from this domain.
can_exec(sysstat_t, { sysstat_exec_t bin_t })
allow sysstat_t { bin_t etc_t }:dir r_dir_perms;
dontaudit sysstat_t sbin_t:dir search;
dontaudit sysstat_t sysadm_home_dir_t:dir r_dir_perms;

# Configuration and runtime files: /etc (fstab) and the runtime /etc files
# (mtab).  Read only - getattr/read, not the full r_file_perms set.
allow sysstat_t { etc_t etc_runtime_t }:file { read getattr };
read_locale(sysstat_t)

# Devices: search /dev, read entropy, and use the controlling tty, the
# console and the pty given by the init scripts.
allow sysstat_t { device_t var_t }:dir search;
allow sysstat_t urandom_device_t:chr_file read;
allow sysstat_t devtty_t:chr_file rw_file_perms;
allow sysstat_t { console_device_t initrc_devpts_t }:chr_file { read write };

# Filesystem statistics and the /proc and sysctl trees the collector reads.
allow sysstat_t fs_t:filesystem getattr;
allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:dir r_dir_perms;
allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:file { read getattr };

# Log/data files written by the collector: logdir_domain declares
# sysstat_log_t and the rules for sysstat_t to use it.  var_log_sysstat_t is
# kept as an alias (presumably for older file contexts - confirm before
# dropping it).
logdir_domain(sysstat)
typealias sysstat_log_t alias var_log_sysstat_t;

# NOTE(review): these two rules widen system_crond_t, not sysstat_t - the cron
# daemon's own domain may create, write and unlink files in the sysstat log
# directory.  Presumably a cron job shell handles the data files directly
# rather than via a sysstat_exec_t program; verify which job needs this and
# whether it could run in sysstat_t instead.
allow system_crond_t sysstat_log_t:dir { write remove_name add_name };
allow system_crond_t sysstat_log_t:file create_file_perms;