Blame strict/domains/program/fs_daemon.te
#DESC file system daemons
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: smartmontools
# Declares the fsdaemon domain through the daemon_domain macro and passes the
# extra attributes fs_domain and privmail. The macro and both attributes are
# defined outside this file, so the access they imply must be reviewed there.
daemon_domain(fsdaemon, `, fs_domain, privmail')
# UNIX datagram sockets, restricted to the domain itself (self).
# create_socket_perms is a permission set defined elsewhere.
# Presumably needed for syslog-style logging - confirm.
allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
# UNIX stream sockets, again restricted to the domain itself (self).
# create_stream_socket_perms is a permission set defined elsewhere.
allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
# for config
# Read-only: only getattr and read on etc_t files. This rule grants no write
# access and no directory permissions.
allow fsdaemon_t etc_t:file { getattr read };
# Allows reading (listing) directories labelled device_t, presumably so the
# daemon can enumerate disk device nodes - confirm.
allow fsdaemon_t device_t:dir read;
# Security-sensitive: read and write access to fixed-disk block devices
# (rw_file_perms is defined elsewhere). Access through the block device node
# is not checked against the labels of files stored on that disk, so a
# compromised fsdaemon_t could read or alter any data on it.
# NOTE(review): presumably required for SMART queries (the header names
# smartmontools); confirm that write access is actually needed.
allow fsdaemon_t fixed_disk_device_t:blk_file rw_file_perms;
# Grants the setgid, sys_rawio and sys_admin capabilities to the daemon.
# sys_admin covers a very wide set of privileged operations and sys_rawio
# permits raw device I/O, so both are high-value if the daemon is compromised.
# NOTE(review): confirm each capability is still required and drop any that is not.
allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
# Read-only access (getattr, read) to files labelled etc_runtime_t.
allow fsdaemon_t etc_runtime_t:file { getattr read };
# Read-only access to files labelled proc_mdstat_t - presumably the software
# RAID status file under /proc; confirm against the file contexts.
allow fsdaemon_t proc_mdstat_t:file { getattr read };
# can_exec_any is a macro defined outside this file. Judging by its name it lets
# fsdaemon_t execute a wide range of programs; no domain transition is
# requested here, so anything it runs would stay in fsdaemon_t.
# NOTE(review): this is broad for a domain that also holds raw disk access and
# sys_admin. Check the macro definition and consider limiting execution to the
# specific helpers the daemon needs.
can_exec_any(fsdaemon_t)
# Read/write on FIFOs (pipes) owned by the domain itself. This is consistent
# with exchanging data with child processes the daemon executes.
allow fsdaemon_t self:fifo_file rw_file_perms;
# can_network_udp is a macro defined outside this file. Judging by its name it
# grants UDP networking to fsdaemon_t.
# NOTE(review): this file does not say why a disk-monitoring daemon needs UDP;
# confirm the requirement before keeping it.
can_network_udp(fsdaemon_t)
# tmp_domain is a macro defined outside this file. A rule in this file refers
# to fsdaemon_tmp_t, so the macro presumably declares that type for the
# temporary files of the daemon - confirm against the macro definition.
tmp_domain(fsdaemon)
# Lets the mail domain (system_mail_t) inspect and read, but not write, files
# labelled fsdaemon_tmp_t. Presumably the daemon hands its report to the mailer
# as a temporary file (see the privmail attribute on the domain) - confirm.
allow system_mail_t fsdaemon_tmp_t:file { getattr ioctl read };
# dontaudit grants nothing: searches of devpts_t directories stay denied and
# the denial is simply not written to the audit log.
dontaudit fsdaemon_t devpts_t:dir search;
# Read-only access (getattr, read) to files labelled proc_t.
allow fsdaemon_t proc_t:file { getattr read };
# The mail domain is still denied read access to fixed-disk block devices;
# this rule only silences the audit record. Presumably the denial comes from a
# disk file descriptor inherited from fsdaemon_t when the mailer is started - confirm.
# NOTE(review): because the denial is not logged, audit-based monitoring will
# not see system_mail_t attempting to read raw disks.
dontaudit system_mail_t fixed_disk_device_t:blk_file read;