#DESC Watchdog - Software watchdog daemon

#

# Author:  Russell Coker <russell@coker.com.au>

# X-Debian-Packages: watchdog

#

#################################

#

# Rules for the watchdog_t domain.

#

daemon_domain(watchdog, `, privmail')

type watchdog_device_t, device_type, dev_fs;

allow watchdog_t self:process setsched;

log_domain(watchdog)

allow watchdog_t etc_t:file r_file_perms;

allow watchdog_t etc_t:lnk_file read;

allow watchdog_t self:unix_dgram_socket create_socket_perms;

allow watchdog_t proc_t:file r_file_perms;

allow watchdog_t self:capability { ipc_lock sys_pacct sys_nice sys_resource };

allow watchdog_t self:fifo_file rw_file_perms;

allow watchdog_t self:unix_stream_socket create_socket_perms;

can_network(watchdog_t)

allow watchdog_t port_type:tcp_socket name_connect;

can_ypbind(watchdog_t)

allow watchdog_t bin_t:dir search;

allow watchdog_t bin_t:lnk_file read;

allow watchdog_t init_t:process signal;

allow watchdog_t kernel_t:process sigstop;

allow watchdog_t watchdog_device_t:chr_file { getattr write };

# for orderly shutdown

can_exec(watchdog_t, shell_exec_t)

allow watchdog_t domain:process { signal_perms getsession };

allow watchdog_t self:capability kill;

allow watchdog_t sbin_t:dir search;

# for updating mtab on umount

file_type_auto_trans(watchdog_t, etc_t, etc_runtime_t, file)

allow watchdog_t self:capability { sys_admin net_admin sys_boot };

allow watchdog_t fixed_disk_device_t:blk_file swapon;

allow watchdog_t { proc_t fs_t }:filesystem unmount;

# record the fact that we are going down

allow watchdog_t wtmp_t:file append;

# do not care about saving the random seed

dontaudit watchdog_t { urandom_device_t random_device_t }:chr_file read;