158 lines
4.3 KiB
Text
158 lines
4.3 KiB
Text
policy_module(collectd, 1.0.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether collectd can connect
|
|
## to the network using TCP.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(collectd_tcp_network_connect, false)
|
|
|
|
type collectd_t;
|
|
type collectd_exec_t;
|
|
init_daemon_domain(collectd_t, collectd_exec_t)
|
|
|
|
type collectd_initrc_exec_t;
|
|
init_script_file(collectd_initrc_exec_t)
|
|
|
|
type collectd_log_t;
|
|
logging_log_file(collectd_log_t)
|
|
|
|
type collectd_var_lib_t;
|
|
files_type(collectd_var_lib_t)
|
|
|
|
type collectd_var_run_t;
|
|
files_pid_file(collectd_var_run_t)
|
|
|
|
type collectd_unit_file_t;
|
|
systemd_unit_file(collectd_unit_file_t)
|
|
|
|
apache_content_template(collectd)
|
|
apache_content_alias_template(collectd, collectd)
|
|
|
|
type collectd_script_tmp_t alias httpd_collectd_script_tmp_t;
|
|
files_tmp_file(collectd_script_tmp_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_read_search setuid setgid };
|
|
allow collectd_t self:process { getsched setsched signal };
|
|
allow collectd_t self:fifo_file rw_fifo_file_perms;
|
|
allow collectd_t self:packet_socket { create_socket_perms map };
|
|
allow collectd_t self:rawip_socket create_socket_perms;
|
|
allow collectd_t self:unix_stream_socket { accept listen connectto };
|
|
allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
|
|
allow collectd_t self:netlink_generic_socket create_socket_perms;
|
|
allow collectd_t self:netlink_rdma_socket create_socket_perms;
|
|
allow collectd_t self:udp_socket create_socket_perms;
|
|
allow collectd_t self:rawip_socket create_socket_perms;
|
|
|
|
manage_dirs_pattern(collectd_t, collectd_log_t, collectd_log_t)
|
|
manage_files_pattern(collectd_t, collectd_log_t, collectd_log_t)
|
|
logging_log_filetrans(collectd_t, collectd_log_t, { dir file })
|
|
|
|
manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
|
|
manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
|
|
files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
|
|
allow collectd_t collectd_var_lib_t:file map;
|
|
|
|
manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
|
|
manage_dirs_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
|
|
manage_sock_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
|
|
files_pid_filetrans(collectd_t, collectd_var_run_t, { dir file sock_file})
|
|
|
|
kernel_read_all_sysctls(collectd_t)
|
|
kernel_read_all_proc(collectd_t)
|
|
kernel_list_all_proc(collectd_t)
|
|
|
|
auth_use_nsswitch(collectd_t)
|
|
|
|
corecmd_exec_bin(collectd_t)
|
|
|
|
corenet_udp_bind_generic_node(collectd_t)
|
|
corenet_udp_bind_collectd_port(collectd_t)
|
|
corenet_tcp_connect_lmtp_port(collectd_t)
|
|
corenet_tcp_bind_bacula_port(collectd_t)
|
|
|
|
dev_getattr_infiniband_dev(collectd_t)
|
|
dev_read_rand(collectd_t)
|
|
dev_read_sysfs(collectd_t)
|
|
dev_read_urand(collectd_t)
|
|
|
|
domain_use_interactive_fds(collectd_t)
|
|
domain_read_all_domains_state(collectd_t)
|
|
|
|
files_getattr_all_dirs(collectd_t)
|
|
|
|
fs_getattr_all_fs(collectd_t)
|
|
fs_getattr_all_dirs(collectd_t)
|
|
|
|
init_read_utmp(collectd_t)
|
|
|
|
logging_send_syslog_msg(collectd_t)
|
|
|
|
sysnet_dns_name_resolve(collectd_t)
|
|
|
|
tunable_policy(`use_ecryptfs_home_dirs',`
|
|
fs_manage_ecryptfs_files(collectd_t)
|
|
')
|
|
|
|
tunable_policy(`collectd_tcp_network_connect',`
|
|
corenet_sendrecv_all_client_packets(collectd_t)
|
|
corenet_tcp_connect_all_ports(collectd_t)
|
|
corenet_tcp_sendrecv_all_ports(collectd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
lvm_read_config(collectd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
pdns_stream_connect(collectd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mysql_stream_connect(collectd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
netutils_domtrans_ping(collectd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
postgresql_stream_connect(collectd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
snmp_read_snmp_var_lib_dirs(collectd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
virt_read_config(collectd_t)
|
|
virt_stream_connect(collectd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Web collectd local policy
|
|
#
|
|
|
|
|
|
files_search_var_lib(collectd_script_t)
|
|
read_files_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
|
|
list_dirs_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
|
|
miscfiles_setattr_fonts_cache_dirs(collectd_script_t)
|
|
|
|
manage_dirs_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t)
|
|
manage_files_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t)
|
|
files_tmp_filetrans(collectd_script_t, collectd_script_tmp_t, { file dir })
|
|
|
|
auth_read_passwd(collectd_script_t)
|