# Type-enforcement source for the watchdog daemon domain (watchdog_t).
# The leading integer on each line is a gutter number from the listing, not policy syntax.
# NOTE(review): the gutter jumps from 6 to 11 and from 11 to 14, so the lines that
# presumably declare watchdog_t, watchdog_exec_t and watchdog_log_t are not visible
# here. Confirm against the full file before building.
2 policy_module(watchdog, 1.6.1)
4 #################################
6 # Rules for the watchdog_t domain.
# Make watchdog_t a daemon domain entered from init via files labelled watchdog_exec_t.
11 init_daemon_domain(watchdog_t, watchdog_exec_t)
# Mark watchdog_log_t as a log file type.
14 logging_log_file(watchdog_log_t)
16 type watchdog_var_run_t;
# Mark watchdog_var_run_t as a PID file type.
17 files_pid_file(watchdog_var_run_t)
19 ########################################
# Permissions watchdog_t holds on itself.
# Seven capabilities are granted. sys_boot covers reboot(2) and sys_admin is a broad
# catch-all, so this domain is highly privileged.
# NOTE(review): nothing in this listing records why each capability is needed. Check
# against observed denials before trimming, and treat any change to this line as
# security-relevant.
24 allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource };
# dontaudit: sys_tty_config stays denied but the denial is not written to the audit log.
# When investigating this domain, rebuild with dontaudit rules disabled (semodule -DB)
# to see suppressed denials.
25 dontaudit watchdog_t self:capability sys_tty_config;
# The daemon may change its own scheduling and send signals to itself.
26 allow watchdog_t self:process { setsched signal_perms };
27 allow watchdog_t self:fifo_file rw_fifo_file_perms;
28 allow watchdog_t self:unix_stream_socket create_socket_perms;
# Socket object permissions for TCP and UDP. These are granted on the domain's own sockets.
29 allow watchdog_t self:tcp_socket create_stream_socket_perms;
30 allow watchdog_t self:udp_socket create_socket_perms;
# Log files: full management of files labelled watchdog_log_t. Files the daemon
# creates in a log directory are given that label automatically.
32 allow watchdog_t watchdog_log_t:file manage_file_perms;
33 logging_log_filetrans(watchdog_t, watchdog_log_t, file)
# PID files: the same pattern, with an automatic transition to watchdog_var_run_t.
35 manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)
36 files_pid_filetrans(watchdog_t, watchdog_var_run_t, file)
# Kernel interfaces: read system state and kernel sysctls, and unmount proc.
38 kernel_read_system_state(watchdog_t)
39 kernel_read_kernel_sysctls(watchdog_t)
40 kernel_unmount_proc(watchdog_t)
42 # for orderly shutdown
# This is an exec interface, not a domain transition: the shell runs inside
# watchdog_t and keeps every permission this module grants to that domain.
43 corecmd_exec_shell(watchdog_t)
# Network access. None of the grants below is limited to a specific port:
# they allow TCP/UDP send and receive on all ports over generic interfaces and nodes,
# plus outbound TCP connections to any port.
# NOTE(review): the original author's question on the next line is not answered
# anywhere in this listing. Establish what the daemon actually contacts before
# narrowing these rules. TODO confirm.
45 # cjp: why networking?
46 corenet_all_recvfrom_unlabeled(watchdog_t)
47 corenet_all_recvfrom_netlabel(watchdog_t)
48 corenet_tcp_sendrecv_generic_if(watchdog_t)
49 corenet_udp_sendrecv_generic_if(watchdog_t)
50 corenet_tcp_sendrecv_generic_node(watchdog_t)
51 corenet_udp_sendrecv_generic_node(watchdog_t)
52 corenet_tcp_sendrecv_all_ports(watchdog_t)
53 corenet_udp_sendrecv_all_ports(watchdog_t)
54 corenet_tcp_connect_all_ports(watchdog_t)
55 corenet_sendrecv_all_client_packets(watchdog_t)
# Device access: read sysfs and write to the watchdog device.
57 dev_read_sysfs(watchdog_t)
58 dev_write_watchdog(watchdog_t)
59 # do not care about saving the random seed
# Reads of the random devices stay denied, and the denials are not audited.
60 dev_dontaudit_read_rand(watchdog_t)
61 dev_dontaudit_read_urand(watchdog_t)
# Process control over every domain on the system.
63 domain_use_interactive_fds(watchdog_t)
64 domain_getsession_all_domains(watchdog_t)
# The signal grants below cover sigchld, sigstop, signull, generic signals and
# sigkill against all domains, so watchdog_t can stop or kill any process
# regardless of its label.
# NOTE(review): presumably needed to terminate processes before a forced reboot.
# Confirm. This makes the integrity of watchdog_t matter for the availability
# of every other domain.
65 domain_sigchld_all_domains(watchdog_t)
66 domain_sigstop_all_domains(watchdog_t)
67 domain_signull_all_domains(watchdog_t)
68 domain_signal_all_domains(watchdog_t)
69 domain_kill_all_domains(watchdog_t)
# Read-only access to generic /etc files.
71 files_read_etc_files(watchdog_t)
72 # for updating mtab on umount
# Full management of etc_runtime files. Files the daemon creates in /etc receive
# the etc_runtime label rather than the generic etc label.
73 files_manage_etc_runtime_files(watchdog_t)
74 files_etc_filetrans_etc_runtime(watchdog_t, file)
# Filesystem operations: unmount xattr filesystems, getattr on all filesystems,
# search automount mountpoints.
76 fs_unmount_xattr_fs(watchdog_t)
77 fs_getattr_all_fs(watchdog_t)
78 fs_search_auto_mountpoints(watchdog_t)
80 # record the fact that we are going down
# Append-only access to login records.
81 auth_append_login_records(watchdog_t)
# Send messages to syslog.
83 logging_send_syslog_msg(watchdog_t)
85 miscfiles_read_localization(watchdog_t)
# Read the system network configuration.
87 sysnet_read_config(watchdog_t)
# Both accesses stay denied and the denials are not audited.
89 userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
90 userdom_dontaudit_search_user_home_dirs(watchdog_t)
# NOTE(review): the gutter skips several lines around each of the four calls below.
# Cross-module interfaces like these are normally wrapped in optional_policy blocks,
# and the wrappers are presumably what is missing from this listing. Confirm
# against the full file.
# Allows the daemon to send mail.
93 mta_send_mail(watchdog_t)
# Allows use of NIS via ypbind.
97 nis_use_ypbind(watchdog_t)
101 seutil_sigchld_newrole(watchdog_t)
# Read the udev database.
105 udev_read_db(watchdog_t)