#DESC Sysstat - Sar and similar programs

#

# Authors:  Russell Coker <russell@coker.com.au>

# X-Debian-Packages: sysstat

#

#################################

#

# Rules for the sysstat_t domain.

#

# sysstat_exec_t is the type of the sysstat executable.

#

type sysstat_t, domain, privlog;

type sysstat_exec_t, file_type, sysadmfile, exec_type;

role system_r types sysstat_t;

allow sysstat_t device_t:dir search;

allow sysstat_t self:process { sigchld fork };

#for date

can_exec(sysstat_t, { sysstat_exec_t bin_t })

allow sysstat_t bin_t:dir r_dir_perms;

dontaudit sysstat_t sbin_t:dir search;

dontaudit sysstat_t self:capability sys_admin;

allow sysstat_t self:capability sys_resource;

allow sysstat_t devtty_t:chr_file rw_file_perms;

allow sysstat_t urandom_device_t:chr_file read;

# for mtab

allow sysstat_t etc_runtime_t:file { read getattr };

# for fstab

allow sysstat_t etc_t:file { read getattr };

dontaudit sysstat_t sysadm_home_dir_t:dir r_dir_perms;

allow sysstat_t self:fifo_file rw_file_perms;

# Type for files created during execution of sysstatd.

logdir_domain(sysstat)

allow sysstat_t var_t:dir search;

allow sysstat_t etc_t:dir r_dir_perms;

read_locale(sysstat_t)

allow sysstat_t fs_t:filesystem getattr;

# get info from /proc

allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:dir r_dir_perms;

allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:file { read getattr };

domain_auto_trans(initrc_t, sysstat_exec_t, sysstat_t)

allow sysstat_t init_t:fd use;

allow sysstat_t console_device_t:chr_file { read write };

uses_shlib(sysstat_t)

system_crond_entry(sysstat_exec_t, sysstat_t)

allow system_crond_t sysstat_log_t:dir { write remove_name add_name };

allow system_crond_t sysstat_log_t:file create_file_perms;

allow sysstat_t initrc_devpts_t:chr_file { read write };