Policy cleanup for upstream acceptance
[people/stevee/selinux-policy.git] / policy / modules / services / rhev.te
# SELinux policy module for the rhev_agentd_t daemon domain.
# The file declares the domain, its entrypoint type and its private
# pid and tmp file types, then grants the access the daemon is confined to.
# NOTE(review): comments in this file avoid quote characters on purpose,
# because the policy is preprocessed with m4.
policy_module(rhev,1.0)

########################################
#
# Declarations
#

# Daemon domain and the label of its executable. init_daemon_domain
# registers rhev_agentd_exec_t as the entrypoint used when init starts
# the service, so the process runs as rhev_agentd_t.
type rhev_agentd_t;
type rhev_agentd_exec_t;
init_daemon_domain(rhev_agentd_t, rhev_agentd_exec_t)

# Private type for runtime (pid) files.
type rhev_agentd_var_run_t;
files_pid_file(rhev_agentd_var_run_t)

# Private type for temporary files.
type rhev_agentd_tmp_t;
files_tmp_file(rhev_agentd_tmp_t)

########################################
#
# rhev_agentd_t local policy
#

# Scheduling: the daemon may raise its own priority (sys_nice) and
# change its own scheduling parameters (setsched).
allow rhev_agentd_t self:capability sys_nice;
allow rhev_agentd_t self:process setsched;

# IPC with itself only: pipes and unix stream sockets.
allow rhev_agentd_t self:fifo_file rw_fifo_file_perms;
allow rhev_agentd_t self:unix_stream_socket create_stream_socket_perms;

# Full management of its own runtime objects. The filetrans rule makes
# directories, files and socket files the daemon creates in the pid
# directory take the private rhev_agentd_var_run_t label.
manage_dirs_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
manage_files_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
manage_sock_files_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
files_pid_filetrans(rhev_agentd_t, rhev_agentd_var_run_t, { dir file sock_file })

# Full management of its own temporary files and directories, labelled
# rhev_agentd_tmp_t on creation in the tmp directory.
manage_dirs_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t)
manage_files_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t)
files_tmp_filetrans(rhev_agentd_t, rhev_agentd_tmp_t, { file dir })
# NOTE(review): together with manage_files_pattern above, can_exec lets
# the domain execute files it has written itself, in its own domain.
# That is a write-then-execute grant; confirm the agent really runs
# generated scripts from tmp before keeping it, and treat exec AVCs on
# rhev_agentd_tmp_t as worth monitoring.
can_exec(rhev_agentd_t, rhev_agentd_tmp_t)

# Read-only view of kernel and system state.
kernel_read_system_state(rhev_agentd_t)
kernel_read_kernel_sysctls(rhev_agentd_t)

# Run generic binaries and shells without a domain transition, so any
# helper command inherits the full rhev_agentd_t permission set.
corecmd_exec_bin(rhev_agentd_t)
corecmd_exec_shell(rhev_agentd_t)

dev_read_urand(rhev_agentd_t)

# Access to the virtio console device.
# NOTE(review): presumably the channel the guest agent uses to talk to
# the hypervisor side - confirm against the agent documentation.
term_use_virtio_console(rhev_agentd_t)

files_getattr_all_mountpoints(rhev_agentd_t)
files_read_usr_files(rhev_agentd_t)

# Name service lookups (users, groups, hosts) through nsswitch.
auth_use_nsswitch(rhev_agentd_t)

# Read the utmp login records.
init_read_utmp(rhev_agentd_t)

libs_exec_ldconfig(rhev_agentd_t)
logging_send_syslog_msg(rhev_agentd_t)

miscfiles_read_localization(rhev_agentd_t)

# The blocks below are optional: each one is only included when the
# module providing the called interface is present in the policy.

# Read access to the RPM database. Attempts to modify it stay denied,
# and the dontaudit rule keeps those denials out of the audit log.
# Rebuild the policy with dontaudit rules disabled (semodule -DB) when
# a hidden denial is suspected during troubleshooting.
optional_policy(`
	rpm_read_db(rhev_agentd_t)
	rpm_dontaudit_manage_db(rhev_agentd_t)
')

# Null signal only: enough to test whether an ssh daemon process
# exists, not to signal or kill it.
optional_policy(`
	ssh_signull(rhev_agentd_t)
')

# Client access to the system D-Bus.
optional_policy(`
	dbus_system_bus_client(rhev_agentd_t)
	dbus_connect_system_bus(rhev_agentd_t)
')

# Instantiates the userhelper console role template for the
# rhev_agentd prefix in role system_r.
# NOTE(review): the types and transitions this template creates are
# defined in the userhelper module and are not visible in this file.
optional_policy(`
	userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t)
')

# D-Bus message exchange with the xdm domain.
optional_policy(`
	xserver_dbus_chat_xdm(rhev_agentd_t)
')