# SELinux reference policy module for MRTG (Multi Router Traffic Grapher).
# Declares the mrtg_t daemon domain and its file types, then grants the
# domain what it needs to read configuration, sample kernel counters,
# poll remote hosts and write its locks, logs, state and pid file.
policy_module(mrtg, 1.6.1)

########################################
#
# Declarations
#

# Daemon domain; mrtg_exec_t is the executable it is entered from.
type mrtg_t;
type mrtg_exec_t;
init_system_domain(mrtg_t, mrtg_exec_t)

# Configuration files; read-only for mrtg_t (see Local policy).
type mrtg_etc_t;
files_config_file(mrtg_etc_t)

type mrtg_lock_t;
files_lock_file(mrtg_lock_t)

type mrtg_log_t;
logging_log_file(mrtg_log_t)

# Persistent state; declared as a generic file type rather than via a
# dedicated var_lib interface.
type mrtg_var_lib_t;
files_type(mrtg_var_lib_t)

type mrtg_var_run_t;
files_pid_file(mrtg_var_run_t)

########################################
#
# Local policy
#

# setuid/setgid/chown: presumably so the daemon can drop to an
# unprivileged user and chown the files it produces -- confirm against
# the RunAsDaemon configuration actually in use.
allow mrtg_t self:capability { setgid setuid chown };
dontaudit mrtg_t self:capability sys_tty_config;
allow mrtg_t self:process signal_perms;
allow mrtg_t self:fifo_file rw_fifo_file_perms;
allow mrtg_t self:unix_stream_socket create_socket_perms;
allow mrtg_t self:tcp_socket create_socket_perms;
allow mrtg_t self:udp_socket create_socket_perms;

# Configuration is read-only. Write attempts are silenced (dontaudit),
# not permitted, so a misbehaving run cannot alter its own config.
allow mrtg_t mrtg_etc_t:dir list_dir_perms;
read_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t)
read_lnk_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t)
dontaudit mrtg_t mrtg_etc_t:dir write;
dontaudit mrtg_t mrtg_etc_t:file { write ioctl };

manage_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
manage_lnk_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)

# NOTE(review): the log filetrans below also covers the dir class, but
# only file (and no dir) permissions are granted on mrtg_log_t here, so a
# directory created under the log root would be labelled mrtg_log_t yet
# mrtg_t could not actually create it. Either the dir class is unneeded
# or directory permissions on mrtg_log_t are missing -- confirm.
manage_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
logging_log_filetrans(mrtg_t, mrtg_log_t, { file dir })

manage_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)
manage_lnk_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)

# Pid file only (no dir management on mrtg_var_run_t).
allow mrtg_t mrtg_var_run_t:file manage_file_perms;
files_pid_filetrans(mrtg_t, mrtg_var_run_t, file)

# Counter sources: system and network state exported by the kernel
# (presumably interface statistics) and readable sysctls.
kernel_read_system_state(mrtg_t)
kernel_read_network_state(mrtg_t)
kernel_read_kernel_sysctls(mrtg_t)

# The domain may run arbitrary system binaries and a shell. Whatever it
# executes (for example per-target helper scripts) runs with the full
# set of permissions granted to mrtg_t in this module.
corecmd_exec_bin(mrtg_t)
corecmd_exec_shell(mrtg_t)

# NOTE(review): send/recv on every labelled port plus TCP connect to all
# ports, on generic interfaces and nodes. This is broad for a poller; if
# a deployment only speaks SNMP (and possibly HTTP) to its targets, the
# narrower per-port interfaces would limit what a compromised mrtg_t can
# reach. Check the configured targets before tightening.
corenet_all_recvfrom_unlabeled(mrtg_t)
corenet_all_recvfrom_netlabel(mrtg_t)
corenet_tcp_sendrecv_generic_if(mrtg_t)
corenet_udp_sendrecv_generic_if(mrtg_t)
corenet_tcp_sendrecv_generic_node(mrtg_t)
corenet_udp_sendrecv_generic_node(mrtg_t)
corenet_tcp_sendrecv_all_ports(mrtg_t)
corenet_udp_sendrecv_all_ports(mrtg_t)
corenet_tcp_connect_all_ports(mrtg_t)
corenet_sendrecv_all_client_packets(mrtg_t)

dev_read_sysfs(mrtg_t)
dev_read_urand(mrtg_t)

domain_use_interactive_fds(mrtg_t)
domain_dontaudit_search_all_domains_state(mrtg_t)

files_read_usr_files(mrtg_t)
files_search_var(mrtg_t)
files_search_locks(mrtg_t)
files_search_var_lib(mrtg_t)
files_search_spool(mrtg_t)
files_getattr_tmp_dirs(mrtg_t)
# for uptime
files_read_etc_runtime_files(mrtg_t)
# read config files
files_read_etc_files(mrtg_t)

fs_search_auto_mountpoints(mrtg_t)
fs_getattr_xattr_fs(mrtg_t)
fs_list_inotifyfs(mrtg_t)

term_dontaudit_use_console(mrtg_t)

init_use_fds(mrtg_t)
init_use_script_ptys(mrtg_t)
# for uptime
init_read_utmp(mrtg_t)
init_dontaudit_write_utmp(mrtg_t)

# Name resolution through nsswitch (needed to resolve target hostnames).
auth_use_nsswitch(mrtg_t)

libs_read_lib_files(mrtg_t)

logging_send_syslog_msg(mrtg_t)

miscfiles_read_localization(mrtg_t)

selinux_dontaudit_getattr_dir(mrtg_t)

# Interactive use: mrtg may be run by hand from a user terminal.
userdom_use_user_terminals(mrtg_t)
userdom_dontaudit_read_user_home_content_files(mrtg_t)
userdom_dontaudit_use_unpriv_user_fds(mrtg_t)

# On MLS builds, loopback UDP is granted explicitly.
ifdef(`enable_mls',`
	corenet_udp_sendrecv_lo_if(mrtg_t)
')

ifdef(`distro_redhat',`
	# Red Hat layout: lock files are created inside the config dir and
	# are labelled mrtg_lock_t on creation. The allow rule appears to
	# duplicate the manage_files_pattern on mrtg_lock_t above.
	allow mrtg_t mrtg_lock_t:file manage_file_perms;
	filetrans_pattern(mrtg_t, mrtg_etc_t, mrtg_lock_t, file)
')

optional_policy(`
	# Full management of apache system content -- presumably where the
	# generated graphs and HTML pages are written.
	apache_manage_sys_content(mrtg_t)
')

optional_policy(`
	# Let system cron jobs execute mrtg_exec_t and transition into mrtg_t.
	cron_system_entry(mrtg_t, mrtg_exec_t)
')

optional_policy(`
	hostname_exec(mrtg_t)
')

optional_policy(`
	seutil_sigchld_newrole(mrtg_t)
')

optional_policy(`
	quota_dontaudit_getattr_db(mrtg_t)
')

optional_policy(`
	# Read-only access to the local snmpd state under /var/lib.
	snmp_read_snmp_var_lib_files(mrtg_t)
')

optional_policy(`
	udev_read_db(mrtg_t)
')