1
#DESC LRRD - network-wide load graphing
3
# Author: Erich Schubert <erich@debian.org>
4
# X-Debian-Packages: lrrd-client, lrrd-server
7
#################################
9
# Rules for the lrrd_t domain.
11
# lrrd_exec_t is the type of the lrrd executable.
15
allow lrrd_t lrrd_var_run_t:sock_file create_file_perms;
18
typealias lrrd_etc_t alias etc_lrrd_t;
19
type lrrd_var_lib_t, file_type, sysadmfile;
20
type lrrd_port_t, port_type;
26
system_crond_entry(lrrd_exec_t, lrrd_t)
27
allow crond_t lrrd_var_lib_t:dir search;
30
allow initrc_t lrrd_log_t:file { write append setattr ioctl };
32
# allow to drop privileges and renice
33
allow lrrd_t self:capability { setgid setuid };
34
allow lrrd_t self:process { getsched setsched };
36
allow lrrd_t urandom_device_t:chr_file { getattr read };
37
allow lrrd_t proc_t:file { getattr read };
38
allow lrrd_t usr_t:file { read ioctl };
40
can_exec(lrrd_t, bin_t)
41
allow lrrd_t bin_t:dir { search };
42
allow lrrd_t usr_t:lnk_file { read };
44
# Allow access to the lrrd databases
45
create_dir_file(lrrd_t, lrrd_var_lib_t)
46
allow lrrd_t var_lib_t:dir search;
49
r_dir_file(initrc_t, lrrd_etc_t)
50
allow lrrd_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
51
# for accessing the output directory
53
allow lrrd_t httpd_sys_content_t:dir { search };
56
allow lrrd_t etc_t:dir search;
58
can_unix_connect(sysadm_t, lrrd_t)
59
can_unix_connect(lrrd_t, lrrd_t)
60
can_unix_send(lrrd_t, lrrd_t)
63
ifdef(`logrotate.te', `
64
r_dir_file(logrotate_t, lrrd_etc_t)
65
allow logrotate_t lrrd_var_lib_t:dir search;
66
allow logrotate_t lrrd_var_run_t:dir search;
67
allow logrotate_t lrrd_var_run_t:sock_file write;
68
can_unix_connect(logrotate_t, lrrd_t)