Oreon-Lime-R2/selinux-policy/selinux-policy-d9f4a2b/selinux-policy-d9f4a2bbeb91fd95d0c35a90936efb9ea99d2455/policy/modules/contrib/collectd.te

166 lines
4.5 KiB
Text

policy_module(collectd, 1.0.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Determine whether collectd can connect
## to the network using TCP.
## </p>
## </desc>
gen_tunable(collectd_tcp_network_connect, false)
type collectd_t;
type collectd_exec_t;
init_daemon_domain(collectd_t, collectd_exec_t)
type collectd_initrc_exec_t;
init_script_file(collectd_initrc_exec_t)
type collectd_log_t;
logging_log_file(collectd_log_t)
type collectd_var_lib_t;
files_type(collectd_var_lib_t)
type collectd_var_run_t;
files_pid_file(collectd_var_run_t)
type collectd_unit_file_t;
systemd_unit_file(collectd_unit_file_t)
apache_content_template(collectd)
apache_content_alias_template(collectd, collectd)
type collectd_script_tmp_t alias httpd_collectd_script_tmp_t;
files_tmp_file(collectd_script_tmp_t)
########################################
#
# Local policy
#
allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_read_search setuid setgid };
allow collectd_t self:process { getsched setsched signal };
allow collectd_t self:fifo_file rw_fifo_file_perms;
allow collectd_t self:packet_socket { create_socket_perms map };
allow collectd_t self:rawip_socket create_socket_perms;
allow collectd_t self:unix_stream_socket { accept listen connectto };
allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
allow collectd_t self:netlink_generic_socket create_socket_perms;
allow collectd_t self:netlink_rdma_socket create_socket_perms;
allow collectd_t self:udp_socket create_socket_perms;
allow collectd_t self:rawip_socket create_socket_perms;
manage_dirs_pattern(collectd_t, collectd_log_t, collectd_log_t)
manage_files_pattern(collectd_t, collectd_log_t, collectd_log_t)
logging_log_filetrans(collectd_t, collectd_log_t, { dir file })
manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
allow collectd_t collectd_var_lib_t:file map;
manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
manage_dirs_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
manage_sock_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
files_pid_filetrans(collectd_t, collectd_var_run_t, { dir file sock_file})
kernel_read_all_sysctls(collectd_t)
kernel_read_all_proc(collectd_t)
kernel_list_all_proc(collectd_t)
kernel_read_network_state_symlinks(collectd_t)
auth_use_nsswitch(collectd_t)
corecmd_exec_bin(collectd_t)
corenet_udp_bind_generic_node(collectd_t)
corenet_udp_bind_collectd_port(collectd_t)
corenet_udp_bind_statsd_port(collectd_t)
corenet_tcp_connect_lmtp_port(collectd_t)
corenet_tcp_bind_bacula_port(collectd_t)
dev_getattr_infiniband_dev(collectd_t)
dev_read_rand(collectd_t)
dev_read_sysfs(collectd_t)
dev_read_urand(collectd_t)
domain_use_interactive_fds(collectd_t)
domain_read_all_domains_state(collectd_t)
files_getattr_all_dirs(collectd_t)
fs_getattr_all_fs(collectd_t)
fs_getattr_all_dirs(collectd_t)
init_read_utmp(collectd_t)
logging_send_syslog_msg(collectd_t)
storage_raw_read_fixed_disk_blk_device(collectd_t)
sysnet_dns_name_resolve(collectd_t)
tunable_policy(`use_ecryptfs_home_dirs',`
fs_manage_ecryptfs_files(collectd_t)
')
tunable_policy(`collectd_tcp_network_connect',`
corenet_sendrecv_all_client_packets(collectd_t)
corenet_tcp_connect_all_ports(collectd_t)
corenet_tcp_sendrecv_all_ports(collectd_t)
')
optional_policy(`
lvm_read_config(collectd_t)
')
optional_policy(`
pdns_stream_connect(collectd_t)
')
optional_policy(`
mysql_stream_connect(collectd_t)
')
optional_policy(`
netutils_domtrans_ping(collectd_t)
')
optional_policy(`
postgresql_stream_connect(collectd_t)
')
optional_policy(`
snmp_read_snmp_var_lib_dirs(collectd_t)
')
optional_policy(`
udev_read_pid_files(collectd_t)
')
optional_policy(`
virt_read_config(collectd_t)
virt_stream_connect(collectd_t)
')
########################################
#
# Web collectd local policy
#
files_search_var_lib(collectd_script_t)
read_files_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
list_dirs_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
miscfiles_setattr_fonts_cache_dirs(collectd_script_t)
manage_dirs_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t)
manage_files_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t)
files_tmp_filetrans(collectd_script_t, collectd_script_tmp_t, { file dir })
auth_read_passwd(collectd_script_t)