#DESC LRRD - network-wide load graphing

#

# Author:  Erich Schubert <erich@debian.org>

# X-Debian-Packages: lrrd-client, lrrd-server

#

#################################

#

# Rules for the lrrd_t domain.

#

# lrrd_exec_t is the type of the lrrd executable.

#

daemon_domain(lrrd)

allow lrrd_t lrrd_var_run_t:sock_file create_file_perms;

etcdir_domain(lrrd)

type lrrd_var_lib_t, file_type, sysadmfile;

log_domain(lrrd)

tmp_domain(lrrd)

# has cron jobs

system_crond_entry(lrrd_exec_t, lrrd_t)

allow crond_t lrrd_var_lib_t:dir search;

# init script

allow initrc_t lrrd_log_t:file { write append setattr ioctl };

# allow to drop privileges and renice

allow lrrd_t self:capability { setgid setuid };

allow lrrd_t self:process { getsched setsched };

allow lrrd_t urandom_device_t:chr_file { getattr read };

allow lrrd_t proc_t:file { getattr read };

allow lrrd_t usr_t:file { read ioctl };

can_exec(lrrd_t, bin_t)

allow lrrd_t bin_t:dir search;

allow lrrd_t usr_t:lnk_file read;

# Allow access to the lrrd databases

create_dir_file(lrrd_t, lrrd_var_lib_t)

allow lrrd_t var_lib_t:dir search;

# read config files

r_dir_file(initrc_t, lrrd_etc_t)

allow lrrd_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };

# for accessing the output directory

ifdef(`apache.te', `

allow lrrd_t httpd_sys_content_t:dir search;

')

allow lrrd_t etc_t:dir search;

can_unix_connect(sysadm_t, lrrd_t)

can_unix_connect(lrrd_t, lrrd_t)

can_unix_send(lrrd_t, lrrd_t)

can_network_server(lrrd_t)

can_ypbind(lrrd_t)

ifdef(`logrotate.te', `

r_dir_file(logrotate_t, lrrd_etc_t)

allow logrotate_t lrrd_var_lib_t:dir search;

allow logrotate_t lrrd_var_run_t:dir search;

allow logrotate_t lrrd_var_run_t:sock_file write;

can_unix_connect(logrotate_t, lrrd_t)

')