Blame strict/domains/program/unused/resmgrd.te
|
Chris PeBenito |
0fbfa5 |
# DESC resmgrd - resource manager daemon
#
# Author: Thomas Bleher <ThomasBleher@gmx.de>
|
# Sets up the resmgrd daemon domain through the daemon_base_domain macro, which
# is defined outside this file. The rules below all refer to resmgrd_t, so that
# type is presumably declared by this macro - confirm against its definition.
daemon_base_domain(resmgrd)
# Runtime-state macro, limited to the object classes file and sock_file.
# Presumably gives the daemon a private type for its pid file and listening
# socket - verify the resulting type and rules in the macro definition.
var_run_domain(resmgrd, { file sock_file })
# Presumably declares a private type for the daemon's own configuration files
# (macro defined outside this file - confirm what access it grants).
etc_domain(resmgrd)
# Locale data access for the daemon domain (macro defined outside this file;
# presumably read-only - confirm).
read_locale(resmgrd_t)
# Capabilities the daemon may use. This is a broad set: dac_override and
# dac_read_search bypass discretionary file permission checks, sys_admin covers
# a wide range of administrative operations, and sys_rawio permits raw I/O.
# NOTE(review): nothing in this file shows why each capability is required.
# Confirm them one by one and drop any that is not needed, because a flaw in
# resmgrd exposes every capability listed here.
allow resmgrd_t self:capability { dac_override dac_read_search sys_admin sys_rawio };
|
# Read-only access (getattr, read) to regular files labelled etc_t; no write
# permission on generic configuration files is granted here.
allow resmgrd_t etc_t:file { getattr read };
# Unix stream sockets owned by the daemon itself. The permission set
# create_stream_socket_perms is defined outside this file. This rule covers
# only the daemon's own sockets, not which other domains may connect to them.
allow resmgrd_t self:unix_stream_socket create_stream_socket_perms;
# Unix datagram sockets owned by the daemon itself (create_socket_perms is
# defined outside this file).
allow resmgrd_t self:unix_dgram_socket create_socket_perms;
|
# hardware access
# Lets the daemon stat and resolve symbolic links labelled device_t. This rule
# grants nothing on the link targets; device access comes from the rules below.
allow resmgrd_t device_t:lnk_file { getattr read };
# not sure if it needs write access, needs to be investigated further...
# Read, write and ioctl on block device nodes labelled removable_device_t.
# NOTE(review): the author's comment on this rule leaves open whether write is
# needed. Write on a block device node modifies the media directly, below any
# filesystem permission checks, so drop it unless a logged denial shows the
# daemon really requires it.
allow resmgrd_t removable_device_t:blk_file { getattr ioctl read write };
# Read, write and ioctl on SCSI generic character devices.
# NOTE(review): SCSI generic nodes accept pass-through commands, and this
# domain also holds sys_rawio, so treat this as equivalent to raw device
# access. Confirm which devices carry this label: if it includes fixed disks,
# this rule reaches them even though fixed_disk_device_t is not allowed below.
allow resmgrd_t scsi_generic_device_t:chr_file { getattr ioctl read write };
# Attribute lookup (getattr) only on scanner device nodes; no read, write or
# ioctl on them is granted by this rule.
allow resmgrd_t scanner_device_t:chr_file { getattr };
# I think a dontaudit should be enough there
# No allow rule is given for fixed disks, so access stays denied. This rule
# only suppresses the audit records for getattr, ioctl and read attempts.
# Write is not in the set, so write attempts are still logged.
# NOTE(review): the suppression also hides unexpected read probing of fixed
# disks by this domain from the audit log. Keep that blind spot in mind when
# investigating resmgrd_t, and confirm the denials are expected noise.
dontaudit resmgrd_t fixed_disk_device_t:blk_file { getattr ioctl read };
|
# there is a macro can_resmgrd_connect() in macros/program/resmgrd_macros.te
|