[people/stevee/selinux-policy.git] / policy / modules / admin / mrtg.te


policy_module(mrtg, 1.6.1)

########################################
#
# Declarations
#

type mrtg_t;
type mrtg_exec_t;
init_system_domain(mrtg_t, mrtg_exec_t)

type mrtg_etc_t;
files_config_file(mrtg_etc_t)

type mrtg_lock_t;
files_lock_file(mrtg_lock_t)

type mrtg_log_t;
logging_log_file(mrtg_log_t)

type mrtg_var_lib_t;
files_type(mrtg_var_lib_t)

type mrtg_var_run_t;
files_pid_file(mrtg_var_run_t)

########################################
#
# Local policy
#

allow mrtg_t self:capability { setgid setuid chown };
dontaudit mrtg_t self:capability sys_tty_config;
allow mrtg_t self:process signal_perms;
allow mrtg_t self:fifo_file rw_fifo_file_perms;
allow mrtg_t self:unix_stream_socket create_socket_perms;
allow mrtg_t self:tcp_socket create_socket_perms;
allow mrtg_t self:udp_socket create_socket_perms;

allow mrtg_t mrtg_etc_t:dir list_dir_perms;
read_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t)
read_lnk_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t)
dontaudit mrtg_t mrtg_etc_t:dir write;
dontaudit mrtg_t mrtg_etc_t:file { write ioctl };

manage_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
manage_lnk_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)

manage_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
logging_log_filetrans(mrtg_t, mrtg_log_t, { file dir })

manage_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)
manage_lnk_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)

allow mrtg_t mrtg_var_run_t:file manage_file_perms;
files_pid_filetrans(mrtg_t, mrtg_var_run_t, file)

kernel_read_system_state(mrtg_t)
kernel_read_network_state(mrtg_t)
kernel_read_kernel_sysctls(mrtg_t)

corecmd_exec_bin(mrtg_t)
corecmd_exec_shell(mrtg_t)

corenet_all_recvfrom_unlabeled(mrtg_t)
corenet_all_recvfrom_netlabel(mrtg_t)
corenet_tcp_sendrecv_generic_if(mrtg_t)
corenet_udp_sendrecv_generic_if(mrtg_t)
corenet_tcp_sendrecv_generic_node(mrtg_t)
corenet_udp_sendrecv_generic_node(mrtg_t)
corenet_tcp_sendrecv_all_ports(mrtg_t)
corenet_udp_sendrecv_all_ports(mrtg_t)
corenet_tcp_connect_all_ports(mrtg_t)
corenet_sendrecv_all_client_packets(mrtg_t)

dev_read_sysfs(mrtg_t)
dev_read_urand(mrtg_t)

domain_use_interactive_fds(mrtg_t)
domain_dontaudit_search_all_domains_state(mrtg_t)

files_read_usr_files(mrtg_t)
files_search_var(mrtg_t)
files_search_locks(mrtg_t)
files_search_var_lib(mrtg_t)
files_search_spool(mrtg_t)
files_getattr_tmp_dirs(mrtg_t)
# for uptime
files_read_etc_runtime_files(mrtg_t)
# read config files
files_read_etc_files(mrtg_t)

fs_search_auto_mountpoints(mrtg_t)
fs_getattr_xattr_fs(mrtg_t)
fs_list_inotifyfs(mrtg_t)

term_dontaudit_use_console(mrtg_t)

init_use_fds(mrtg_t)
init_use_script_ptys(mrtg_t)
# for uptime
init_read_utmp(mrtg_t)
init_dontaudit_write_utmp(mrtg_t)

auth_use_nsswitch(mrtg_t)

libs_read_lib_files(mrtg_t)

logging_send_syslog_msg(mrtg_t)

miscfiles_read_localization(mrtg_t)

selinux_dontaudit_getattr_dir(mrtg_t)

userdom_use_user_terminals(mrtg_t)
userdom_dontaudit_read_user_home_content_files(mrtg_t)
userdom_dontaudit_use_unpriv_user_fds(mrtg_t)

ifdef(`enable_mls',`
	corenet_udp_sendrecv_lo_if(mrtg_t)
')

ifdef(`distro_redhat',`
	allow mrtg_t mrtg_lock_t:file manage_file_perms;
	filetrans_pattern(mrtg_t, mrtg_etc_t, mrtg_lock_t, file)
')

optional_policy(`
	apache_manage_sys_content(mrtg_t)
')

optional_policy(`
	cron_system_entry(mrtg_t, mrtg_exec_t)
')

optional_policy(`
	hostname_exec(mrtg_t)
')

optional_policy(`
	seutil_sigchld_newrole(mrtg_t)
')

optional_policy(`
	quota_dontaudit_getattr_db(mrtg_t)
')

optional_policy(`
	snmp_read_snmp_var_lib_files(mrtg_t)
')

optional_policy(`
	udev_read_db(mrtg_t)
')
Commit	Line	Data
67962667	1
c1262146	2	policy_module(mrtg, 1.6.1)
67962667 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type mrtg_t;
	10	type mrtg_exec_t;
0bfccda4	11	init_system_domain(mrtg_t, mrtg_exec_t)
67962667 CP	12
	13	type mrtg_etc_t;
	14	files_config_file(mrtg_etc_t)
	15
	16	type mrtg_lock_t;
	17	files_lock_file(mrtg_lock_t)
	18
	19	type mrtg_log_t;
	20	logging_log_file(mrtg_log_t)
	21
	22	type mrtg_var_lib_t;
	23	files_type(mrtg_var_lib_t)
	24
4846dc8a CP	25	type mrtg_var_run_t;
	26	files_pid_file(mrtg_var_run_t)
	27
67962667 CP	28	########################################
	29	#
	30	# Local policy
	31	#
	32
4846dc8a	33	allow mrtg_t self:capability { setgid setuid chown };
67962667 CP	34	dontaudit mrtg_t self:capability sys_tty_config;
67962667 CP	35	allow mrtg_t self:process signal_perms;
0b36a214	36	allow mrtg_t self:fifo_file rw_fifo_file_perms;
67962667 CP	37	allow mrtg_t self:unix_stream_socket create_socket_perms;
	38	allow mrtg_t self:tcp_socket create_socket_perms;
	39	allow mrtg_t self:udp_socket create_socket_perms;
	40
c0868a7a	41	allow mrtg_t mrtg_etc_t:dir list_dir_perms;
0bfccda4 CP	42	read_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t)
0bfccda4 CP	43	read_lnk_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t)
c0868a7a CP	44	dontaudit mrtg_t mrtg_etc_t:dir write;
c0868a7a CP	45	dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
67962667	46
0bfccda4 CP	47	manage_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
0bfccda4 CP	48	manage_lnk_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
67962667	49
0bfccda4 CP	50	manage_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
0bfccda4 CP	51	logging_log_filetrans(mrtg_t, mrtg_log_t, { file dir })
67962667	52
0bfccda4 CP	53	manage_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)
0bfccda4 CP	54	manage_lnk_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)
67962667	55
4846dc8a	56	allow mrtg_t mrtg_var_run_t:file manage_file_perms;
3f67f722	57	files_pid_filetrans(mrtg_t, mrtg_var_run_t, file)
4846dc8a	58
67962667 CP	59	kernel_read_system_state(mrtg_t)
	60	kernel_read_network_state(mrtg_t)
	61	kernel_read_kernel_sysctls(mrtg_t)
	62
	63	corecmd_exec_bin(mrtg_t)
67962667 CP	64	corecmd_exec_shell(mrtg_t)
67962667 CP	65
19006686 CP	66	corenet_all_recvfrom_unlabeled(mrtg_t)
19006686 CP	67	corenet_all_recvfrom_netlabel(mrtg_t)
67962667 CP	68	corenet_tcp_sendrecv_generic_if(mrtg_t)
67962667 CP	69	corenet_udp_sendrecv_generic_if(mrtg_t)
c1262146 CP	70	corenet_tcp_sendrecv_generic_node(mrtg_t)
c1262146 CP	71	corenet_udp_sendrecv_generic_node(mrtg_t)
67962667 CP	72	corenet_tcp_sendrecv_all_ports(mrtg_t)
67962667 CP	73	corenet_udp_sendrecv_all_ports(mrtg_t)
67962667	74	corenet_tcp_connect_all_ports(mrtg_t)
9d0c9b3e	75	corenet_sendrecv_all_client_packets(mrtg_t)
67962667 CP	76
	77	dev_read_sysfs(mrtg_t)
	78	dev_read_urand(mrtg_t)
	79
15722ec9	80	domain_use_interactive_fds(mrtg_t)
74993c4d	81	domain_dontaudit_search_all_domains_state(mrtg_t)
67962667 CP	82
	83	files_read_usr_files(mrtg_t)
	84	files_search_var(mrtg_t)
	85	files_search_locks(mrtg_t)
	86	files_search_var_lib(mrtg_t)
	87	files_search_spool(mrtg_t)
	88	files_getattr_tmp_dirs(mrtg_t)
	89	# for uptime
	90	files_read_etc_runtime_files(mrtg_t)
c0868a7a CP	91	# read config files
c0868a7a CP	92	files_read_etc_files(mrtg_t)
67962667 CP	93
	94	fs_search_auto_mountpoints(mrtg_t)
	95	fs_getattr_xattr_fs(mrtg_t)
74993c4d	96	fs_list_inotifyfs(mrtg_t)
67962667 CP	97
	98	term_dontaudit_use_console(mrtg_t)
	99
1c1ac67f	100	init_use_fds(mrtg_t)
1815bad1	101	init_use_script_ptys(mrtg_t)
67962667 CP	102	# for uptime
	103	init_read_utmp(mrtg_t)
	104	init_dontaudit_write_utmp(mrtg_t)
	105
74993c4d CP	106	auth_use_nsswitch(mrtg_t)
74993c4d CP	107
1815bad1	108	libs_read_lib_files(mrtg_t)
67962667 CP	109
	110	logging_send_syslog_msg(mrtg_t)
	111
	112	miscfiles_read_localization(mrtg_t)
	113
	114	selinux_dontaudit_getattr_dir(mrtg_t)
	115
296273a7 CP	116	userdom_use_user_terminals(mrtg_t)
296273a7 CP	117	userdom_dontaudit_read_user_home_content_files(mrtg_t)
15722ec9	118	userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
e9c6cda7	119
4846dc8a CP	120	ifdef(`enable_mls',`
	121	corenet_udp_sendrecv_lo_if(mrtg_t)
	122	')
	123
67962667	124	ifdef(`distro_redhat',`
c0868a7a	125	allow mrtg_t mrtg_lock_t:file manage_file_perms;
0bfccda4	126	filetrans_pattern(mrtg_t, mrtg_etc_t, mrtg_lock_t, file)
67962667 CP	127	')
67962667 CP	128
bb7170f6	129	optional_policy(`
67962667 CP	130	apache_manage_sys_content(mrtg_t)
	131	')
	132
bb7170f6	133	optional_policy(`
0bfccda4	134	cron_system_entry(mrtg_t, mrtg_exec_t)
67962667 CP	135	')
67962667 CP	136
bb7170f6	137	optional_policy(`
67962667 CP	138	hostname_exec(mrtg_t)
	139	')
	140
bb7170f6	141	optional_policy(`
67962667 CP	142	seutil_sigchld_newrole(mrtg_t)
	143	')
	144
bb7170f6	145	optional_policy(`
67962667 CP	146	quota_dontaudit_getattr_db(mrtg_t)
	147	')
	148
bb7170f6	149	optional_policy(`
1815bad1	150	snmp_read_snmp_var_lib_files(mrtg_t)
67962667 CP	151	')
67962667 CP	152
bb7170f6	153	optional_policy(`
67962667 CP	154	udev_read_db(mrtg_t)
67962667 CP	155	')