policy_module(watchdog, 1.6.1)

########################################
#
# Declarations
#

# Domain of the watchdog daemon; entered from watchdog_exec_t when
# init starts it (init_daemon_domain).
type watchdog_t;
type watchdog_exec_t;
init_daemon_domain(watchdog_t, watchdog_exec_t)

# Log files written by the daemon.
type watchdog_log_t;
logging_log_file(watchdog_log_t)

# Runtime PID file of the daemon.
type watchdog_var_run_t;
files_pid_file(watchdog_var_run_t)

########################################
#
# Local policy
#

# Wide capability set. sys_boot and sys_admin fit the shutdown/umount
# path documented further down; nothing in this file explains why
# net_admin, sys_pacct or sys_resource are needed.
# NOTE(review): confirm each capability against what the daemon actually
# does before keeping it -- every extra one is reachable if watchdog_t
# is ever compromised.
allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource };
dontaudit watchdog_t self:capability sys_tty_config;
allow watchdog_t self:process { setsched signal_perms };
allow watchdog_t self:fifo_file rw_fifo_file_perms;
allow watchdog_t self:unix_stream_socket create_socket_perms;
allow watchdog_t self:tcp_socket create_stream_socket_perms;
allow watchdog_t self:udp_socket create_socket_perms;

# Own log files, created with the watchdog_log_t label in the log dir.
allow watchdog_t watchdog_log_t:file manage_file_perms;
logging_log_filetrans(watchdog_t, watchdog_log_t, file)

# Own PID file, created with the watchdog_var_run_t label in the pid dir.
manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)
files_pid_filetrans(watchdog_t, watchdog_var_run_t, file)

# Read-only kernel state and sysctls; unmounting proc is part of the
# shutdown path (see the umount-related rules below).
kernel_read_system_state(watchdog_t)
kernel_read_kernel_sysctls(watchdog_t)
kernel_unmount_proc(watchdog_t)

# for orderly shutdown
corecmd_exec_shell(watchdog_t)

# cjp: why networking?
# NOTE(review): these are the broadest corenet interfaces available
# (send/recv on all ports, connect to all TCP ports, all client packets).
# Presumably they serve the daemon's network liveness checks -- verify
# which checks are actually configured, and whether a narrower set of
# ports/interfaces would do; the open question above was never answered.
corenet_all_recvfrom_unlabeled(watchdog_t)
corenet_all_recvfrom_netlabel(watchdog_t)
corenet_tcp_sendrecv_generic_if(watchdog_t)
corenet_udp_sendrecv_generic_if(watchdog_t)
corenet_tcp_sendrecv_generic_node(watchdog_t)
corenet_udp_sendrecv_generic_node(watchdog_t)
corenet_tcp_sendrecv_all_ports(watchdog_t)
corenet_udp_sendrecv_all_ports(watchdog_t)
corenet_tcp_connect_all_ports(watchdog_t)
corenet_sendrecv_all_client_packets(watchdog_t)

# sysfs for reading device state; write access to the watchdog device
# node is the daemon's core job (keeping the hardware timer fed).
dev_read_sysfs(watchdog_t)
dev_write_watchdog(watchdog_t)
# do not care about saving the random seed
dev_dontaudit_read_rand(watchdog_t)
dev_dontaudit_read_urand(watchdog_t)

# Signalling rights over every domain on the system (getsession,
# sigchld, sigstop, signull, signal, kill).
# NOTE(review): presumably used to terminate all processes during the
# shutdown path; this is the widest signalling grant possible, so confirm
# it is still required rather than a narrower init/shutdown interface.
domain_use_interactive_fds(watchdog_t)
domain_getsession_all_domains(watchdog_t)
domain_sigchld_all_domains(watchdog_t)
domain_sigstop_all_domains(watchdog_t)
domain_signull_all_domains(watchdog_t)
domain_signal_all_domains(watchdog_t)
domain_kill_all_domains(watchdog_t)

files_read_etc_files(watchdog_t)
# for updating mtab on umount
files_manage_etc_runtime_files(watchdog_t)
files_etc_filetrans_etc_runtime(watchdog_t, file)

# Unmount filesystems during shutdown; getattr/search are needed to
# enumerate what is mounted.
fs_unmount_xattr_fs(watchdog_t)
fs_getattr_all_fs(watchdog_t)
fs_search_auto_mountpoints(watchdog_t)

# record the fact that we are going down
auth_append_login_records(watchdog_t)

logging_send_syslog_msg(watchdog_t)

miscfiles_read_localization(watchdog_t)

sysnet_read_config(watchdog_t)

# Silence noise from inherited user fds and home-directory lookups
# rather than granting access.
userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
userdom_dontaudit_search_user_home_dirs(watchdog_t)

# The blocks below apply only when the named module is loaded.

# Send mail (presumably for failure notifications -- confirm).
optional_policy(`
mta_send_mail(watchdog_t)
')

optional_policy(`
nis_use_ypbind(watchdog_t)
')

optional_policy(`
seutil_sigchld_newrole(watchdog_t)
')

optional_policy(`
udev_read_db(watchdog_t)
')