diff options
Diffstat (limited to 'policy/modules/contrib/watchdog.te')
-rw-r--r-- | policy/modules/contrib/watchdog.te | 105 |
1 files changed, 105 insertions, 0 deletions
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te new file mode 100644 index 00000000..b10bb053 --- /dev/null +++ b/policy/modules/contrib/watchdog.te @@ -0,0 +1,105 @@ +policy_module(watchdog, 1.7.0) + +################################# +# +# Rules for the watchdog_t domain. +# + +type watchdog_t; +type watchdog_exec_t; +init_daemon_domain(watchdog_t, watchdog_exec_t) + +type watchdog_log_t; +logging_log_file(watchdog_log_t) + +type watchdog_var_run_t; +files_pid_file(watchdog_var_run_t) + +######################################## +# +# Declarations +# + +allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource }; +dontaudit watchdog_t self:capability sys_tty_config; +allow watchdog_t self:process { setsched signal_perms }; +allow watchdog_t self:fifo_file rw_fifo_file_perms; +allow watchdog_t self:unix_stream_socket create_socket_perms; +allow watchdog_t self:tcp_socket create_stream_socket_perms; +allow watchdog_t self:udp_socket create_socket_perms; + +allow watchdog_t watchdog_log_t:file manage_file_perms; +logging_log_filetrans(watchdog_t, watchdog_log_t, file) + +manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t) +files_pid_filetrans(watchdog_t, watchdog_var_run_t, file) + +kernel_read_system_state(watchdog_t) +kernel_read_kernel_sysctls(watchdog_t) +kernel_unmount_proc(watchdog_t) + +# for orderly shutdown +corecmd_exec_shell(watchdog_t) + +# cjp: why networking? +corenet_all_recvfrom_unlabeled(watchdog_t) +corenet_all_recvfrom_netlabel(watchdog_t) +corenet_tcp_sendrecv_generic_if(watchdog_t) +corenet_udp_sendrecv_generic_if(watchdog_t) +corenet_tcp_sendrecv_generic_node(watchdog_t) +corenet_udp_sendrecv_generic_node(watchdog_t) +corenet_tcp_sendrecv_all_ports(watchdog_t) +corenet_udp_sendrecv_all_ports(watchdog_t) +corenet_tcp_connect_all_ports(watchdog_t) +corenet_sendrecv_all_client_packets(watchdog_t) + +dev_read_sysfs(watchdog_t) +dev_write_watchdog(watchdog_t) +# do not care about saving the random seed +dev_dontaudit_read_rand(watchdog_t) +dev_dontaudit_read_urand(watchdog_t) + +domain_use_interactive_fds(watchdog_t) +domain_getsession_all_domains(watchdog_t) +domain_sigchld_all_domains(watchdog_t) +domain_sigstop_all_domains(watchdog_t) +domain_signull_all_domains(watchdog_t) +domain_signal_all_domains(watchdog_t) +domain_kill_all_domains(watchdog_t) + +files_read_etc_files(watchdog_t) +# for updating mtab on umount +files_manage_etc_runtime_files(watchdog_t) +files_etc_filetrans_etc_runtime(watchdog_t, file) + +fs_unmount_xattr_fs(watchdog_t) +fs_getattr_all_fs(watchdog_t) +fs_search_auto_mountpoints(watchdog_t) + +# record the fact that we are going down +auth_append_login_records(watchdog_t) + +logging_send_syslog_msg(watchdog_t) + +miscfiles_read_localization(watchdog_t) + +sysnet_read_config(watchdog_t) + +userdom_dontaudit_use_unpriv_user_fds(watchdog_t) +userdom_dontaudit_search_user_home_dirs(watchdog_t) + +optional_policy(` + mta_send_mail(watchdog_t) +') + +optional_policy(` + nis_use_ypbind(watchdog_t) +') + +optional_policy(` + seutil_sigchld_newrole(watchdog_t) +') + +optional_policy(` + udev_read_db(watchdog_t) +') |