[people/stevee/selinux-policy.git] / refpolicy / policy / modules / services / sysstat.te


policy_module(sysstat,1.0.0)

########################################
#
# Declarations
#

type sysstat_t;
type sysstat_exec_t;
init_system_domain(sysstat_t,sysstat_exec_t)
role system_r types sysstat_t;

type sysstat_log_t;
logging_log_file(sysstat_log_t)

########################################
#
# Local policy
#

allow sysstat_t self:capability sys_resource;
dontaudit sysstat_t self:capability sys_admin;
allow sysstat_t self:fifo_file rw_file_perms;

can_exec(sysstat_t, sysstat_exec_t)

allow sysstat_t sysstat_log_t:file create_file_perms;
allow sysstat_t sysstat_log_t:dir rw_dir_perms;
logging_filetrans_log(sysstat_t,sysstat_log_t,{ file dir })

# get info from /proc
kernel_read_system_state(sysstat_t)
kernel_read_network_state(sysstat_t)
kernel_read_kernel_sysctl(sysstat_t)
kernel_read_fs_sysctl(sysstat_t)
kernel_read_rpc_sysctl(sysstat_t)

corecmd_dontaudit_search_sbin(sysstat_t)
corecmd_exec_bin(sysstat_t)

dev_read_urand(sysstat_t)

files_search_var(sysstat_t)
# for mtab
files_read_etc_runtime_files(sysstat_t)
#for fstab
files_read_etc_files(sysstat_t)

fs_getattr_xattr_fs(sysstat_t)

term_use_console(sysstat_t)

init_use_fd(sysstat_t)
init_use_script_pty(sysstat_t)

libs_use_ld_so(sysstat_t)
libs_use_shared_libs(sysstat_t)

miscfiles_read_localization(sysstat_t)

userdom_dontaudit_list_sysadm_home_dir(sysstat_t)

optional_policy(`cron',`
	cron_system_entry(sysstat_t,sysstat_exec_t)
')

optional_policy(`logging',`
	logging_send_syslog_msg(sysstat_t)
')
Commit	Line	Data
0f73fdea CP	1
	2	policy_module(sysstat,1.0.0)
	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type sysstat_t;
	10	type sysstat_exec_t;
	11	init_system_domain(sysstat_t,sysstat_exec_t)
	12	role system_r types sysstat_t;
	13
	14	type sysstat_log_t;
	15	logging_log_file(sysstat_log_t)
	16
	17	########################################
	18	#
	19	# Local policy
	20	#
	21
	22	allow sysstat_t self:capability sys_resource;
	23	dontaudit sysstat_t self:capability sys_admin;
	24	allow sysstat_t self:fifo_file rw_file_perms;
	25
	26	can_exec(sysstat_t, sysstat_exec_t)
	27
	28	allow sysstat_t sysstat_log_t:file create_file_perms;
	29	allow sysstat_t sysstat_log_t:dir rw_dir_perms;
9d594986	30	logging_filetrans_log(sysstat_t,sysstat_log_t,{ file dir })
0f73fdea CP	31
	32	# get info from /proc
	33	kernel_read_system_state(sysstat_t)
	34	kernel_read_network_state(sysstat_t)
	35	kernel_read_kernel_sysctl(sysstat_t)
	36	kernel_read_fs_sysctl(sysstat_t)
	37	kernel_read_rpc_sysctl(sysstat_t)
	38
	39	corecmd_dontaudit_search_sbin(sysstat_t)
	40	corecmd_exec_bin(sysstat_t)
	41
	42	dev_read_urand(sysstat_t)
	43
	44	files_search_var(sysstat_t)
	45	# for mtab
	46	files_read_etc_runtime_files(sysstat_t)
	47	#for fstab
	48	files_read_etc_files(sysstat_t)
	49
	50	fs_getattr_xattr_fs(sysstat_t)
	51
9667c156	52	term_use_console(sysstat_t)
0f73fdea CP	53
	54	init_use_fd(sysstat_t)
	55	init_use_script_pty(sysstat_t)
	56
	57	libs_use_ld_so(sysstat_t)
	58	libs_use_shared_libs(sysstat_t)
	59
	60	miscfiles_read_localization(sysstat_t)
	61
9667c156	62	userdom_dontaudit_list_sysadm_home_dir(sysstat_t)
0f73fdea CP	63
	64	optional_policy(`cron',`
	65	cron_system_entry(sysstat_t,sysstat_exec_t)
	66	')
	67
	68	optional_policy(`logging',`
	69	logging_send_syslog_msg(sysstat_t)
	70	')