78 lines
1.7 KiB
Text
78 lines
1.7 KiB
Text
|
policy_module(mon_statd, 1.0.0)
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# Declarations
|
||
|
#
|
||
|
|
||
|
attribute mon_statd_domain;
|
||
|
|
||
|
type mon_statd_t, mon_statd_domain;
|
||
|
type mon_statd_exec_t;
|
||
|
init_daemon_domain(mon_statd_t, mon_statd_exec_t)
|
||
|
|
||
|
type mon_procd_t, mon_statd_domain;
|
||
|
type mon_procd_exec_t;
|
||
|
init_daemon_domain(mon_procd_t, mon_procd_exec_t)
|
||
|
|
||
|
type mon_statd_initrc_exec_t;
|
||
|
init_script_file(mon_statd_initrc_exec_t)
|
||
|
|
||
|
type mon_statd_var_run_t;
|
||
|
files_pid_file(mon_statd_var_run_t)
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# mon_statd domain policy
|
||
|
#
|
||
|
|
||
|
manage_files_pattern(mon_statd_domain, mon_statd_var_run_t, mon_statd_var_run_t)
|
||
|
files_pid_filetrans(mon_statd_domain, mon_statd_var_run_t, file)
|
||
|
|
||
|
domain_read_all_domains_state(mon_statd_domain)
|
||
|
|
||
|
dev_rw_monitor_dev(mon_statd_domain)
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# mon_fstatd local policy
|
||
|
#
|
||
|
allow mon_statd_t self:process { fork signal };
|
||
|
allow mon_statd_t self:fifo_file rw_fifo_file_perms;
|
||
|
|
||
|
allow mon_statd_t self:unix_stream_socket create_stream_socket_perms;
|
||
|
allow mon_statd_t self:unix_dgram_socket create_socket_perms;
|
||
|
|
||
|
kernel_dgram_send(mon_statd_t)
|
||
|
kernel_read_fs_sysctls(mon_statd_t)
|
||
|
|
||
|
fs_getattr_all_fs(mon_statd_t)
|
||
|
fs_getattr_all_dirs(mon_statd_t)
|
||
|
|
||
|
fs_search_cgroup_dirs(mon_statd_t)
|
||
|
|
||
|
logging_send_syslog_msg(mon_statd_t)
|
||
|
|
||
|
optional_policy(`
|
||
|
rpc_read_nfs_state_data(mon_statd_t)
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# mon_procd local policy
|
||
|
#
|
||
|
allow mon_procd_t self:capability sys_ptrace;
|
||
|
allow mon_procd_t self:cap_userns sys_ptrace;
|
||
|
|
||
|
allow mon_procd_t self:unix_dgram_socket { create connect };
|
||
|
|
||
|
auth_read_passwd(mon_procd_t)
|
||
|
|
||
|
kernel_dgram_send(mon_procd_t)
|
||
|
kernel_read_system_state(mon_procd_t)
|
||
|
|
||
|
init_read_utmp(mon_procd_t)
|
||
|
|
||
|
logging_send_syslog_msg(mon_procd_t)
|
||
|
|