Blob Blame History Raw
#DESC Watchdog - Software watchdog daemon
#
# Author:  Russell Coker <russell@coker.com.au>
# X-Debian-Packages: watchdog
#

#################################
#
# Rules for the watchdog_t domain.
#

daemon_domain(watchdog, `, privmail')
type watchdog_device_t, device_type, dev_fs;

log_domain(watchdog)

allow watchdog_t etc_t:file r_file_perms;
allow watchdog_t etc_t:lnk_file read;
allow watchdog_t self:unix_dgram_socket create_socket_perms;

allow watchdog_t proc_t:file r_file_perms;

allow watchdog_t self:capability { ipc_lock sys_pacct sys_nice sys_resource };
allow watchdog_t self:fifo_file rw_file_perms;
allow watchdog_t self:unix_stream_socket create_socket_perms;
can_network(watchdog_t)
can_ypbind(watchdog_t)
allow watchdog_t bin_t:dir search;
allow watchdog_t bin_t:lnk_file read;
allow watchdog_t init_t:process signal;
allow watchdog_t kernel_t:process sigstop;

allow watchdog_t watchdog_device_t:chr_file { getattr write };

# for orderly shutdown
can_exec(watchdog_t, shell_exec_t)
allow watchdog_t domain:process { signal_perms getsession };
allow watchdog_t self:capability kill;
allow watchdog_t sbin_t:dir search;

# for updating mtab on umount
file_type_auto_trans(watchdog_t, etc_t, etc_runtime_t, file)

allow watchdog_t self:capability { sys_admin net_admin sys_boot };
allow watchdog_t fixed_disk_device_t:blk_file swapon;
allow watchdog_t { proc_t fs_t }:filesystem unmount;

# record the fact that we are going down
allow watchdog_t wtmp_t:file append;

# do not care about saving the random seed
dontaudit watchdog_t { urandom_device_t random_device_t }:chr_file read;