policy_module(brctl, 1.7.0) ######################################## # # Declarations # attribute_role brctl_roles; type brctl_t; type brctl_exec_t; init_system_domain(brctl_t, brctl_exec_t) role brctl_roles types brctl_t; ######################################## # # Local policy # allow brctl_t self:capability net_admin; allow brctl_t self:fifo_file rw_fifo_file_perms; allow brctl_t self:unix_stream_socket create_stream_socket_perms; allow brctl_t self:unix_dgram_socket create_socket_perms; allow brctl_t self:tcp_socket create_socket_perms; kernel_request_load_module(brctl_t) kernel_read_system_state(brctl_t) kernel_read_network_state(brctl_t) kernel_read_sysctl(brctl_t) corenet_rw_tun_tap_dev(brctl_t) dev_rw_sysfs(brctl_t) dev_write_sysfs_dirs(brctl_t) domain_use_interactive_fds(brctl_t) term_dontaudit_use_console(brctl_t) optional_policy(` xen_append_log(brctl_t) xen_dontaudit_rw_unix_stream_sockets(brctl_t) ')