add ddclient, bug 1523
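# SELinux reference-policy module that confines sysstat in the sysstat_t domain.
# The web viewer's line numbers have been removed from the statements so the
# text reads as policy source again.
# The interfaces called below are defined in other refpolicy modules; comments
# describe them by name, so confirm the exact rules they expand to against the
# interface files of the policy version being built.
policy_module(sysstat,1.0.0)

########################################
#
# Declarations
#

# Domain type and the type of its entrypoint executable.
type sysstat_t;
type sysstat_exec_t;
# Registers sysstat_t as a system domain entered through sysstat_exec_t.
init_system_domain(sysstat_t,sysstat_exec_t)
# Authorizes the system_r role for sysstat_t.
role system_r types sysstat_t;

# Dedicated type for sysstat's log data, so access to it is granted
# separately from generic log files.
type sysstat_log_t;
logging_log_file(sysstat_log_t)

########################################
#
# Local policy
#

# CAP_SYS_RESOURCE is the only capability this module allows.
allow sysstat_t self:capability sys_resource;
# CAP_SYS_ADMIN stays denied; dontaudit only suppresses the AVC record.
# When triaging denials for this domain, rebuild with dontaudit rules
# disabled (semodule -DB) so the suppressed message shows up in the audit log.
dontaudit sysstat_t self:capability sys_admin;
# Pipes shared between the domain's own processes.
allow sysstat_t self:fifo_file rw_file_perms;

# Run sysstat_exec_t programs from inside the domain without a transition.
can_exec(sysstat_t, sysstat_exec_t)

# Write access is limited to objects labelled sysstat_log_t.
allow sysstat_t sysstat_log_t:file create_file_perms;
allow sysstat_t sysstat_log_t:dir rw_dir_perms;
# Files and directories the domain creates in the generic log directory
# are labelled sysstat_log_t by type transition.
logging_log_filetrans(sysstat_t,sysstat_log_t,{ file dir })

# get info from /proc
kernel_read_system_state(sysstat_t)
kernel_read_network_state(sysstat_t)
kernel_read_kernel_sysctls(sysstat_t)
kernel_read_fs_sysctls(sysstat_t)
kernel_read_rpc_sysctls(sysstat_t)

# Searching sbin stays denied and is not logged.
corecmd_dontaudit_search_sbin(sysstat_t)
# Executes generic bin programs inside sysstat_t (no domain transition).
# NOTE(review): this is the broadest execute grant in the module - confirm
# which helper programs sysstat actually needs.
corecmd_exec_bin(sysstat_t)

dev_read_urand(sysstat_t)

files_search_var(sysstat_t)
# for mtab
files_read_etc_runtime_files(sysstat_t)
# for fstab
files_read_etc_files(sysstat_t)

fs_getattr_xattr_fs(sysstat_t)

term_use_console(sysstat_t)

# Use file descriptors and ptys inherited from init and its scripts.
init_use_fds(sysstat_t)
init_use_script_ptys(sysstat_t)

# Dynamic loader and shared libraries.
libs_use_ld_so(sysstat_t)
libs_use_shared_libs(sysstat_t)

miscfiles_read_localization(sysstat_t)

# Listing sysadm home directories stays denied and is not logged.
userdom_dontaudit_list_sysadm_home_dirs(sysstat_t)

# The rules inside optional_policy apply only when the module that provides
# the called interface is part of the policy build.
optional_policy(`
	# Lets system cron jobs enter sysstat_t through sysstat_exec_t.
	cron_system_entry(sysstat_t,sysstat_exec_t)
')

optional_policy(`
	logging_send_syslog_msg(sysstat_t)
')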