1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
|
policy_module(vnstatd)
########################################
#
# Declarations
#
attribute_role vnstat_roles;
type vnstat_t;
type vnstat_exec_t;
application_domain(vnstat_t, vnstat_exec_t)
role vnstat_roles types vnstat_t;
type vnstatd_t;
type vnstatd_exec_t;
init_daemon_domain(vnstatd_t, vnstatd_exec_t)
type vnstatd_initrc_exec_t;
init_script_file(vnstatd_initrc_exec_t)
type vnstatd_pid_t;
files_runtime_file(vnstatd_pid_t)
type vnstatd_unit_t;
init_unit_file(vnstatd_unit_t)
type vnstatd_var_lib_t;
files_type(vnstatd_var_lib_t)
########################################
#
# Daemon local policy
#
allow vnstatd_t self:process signal;
allow vnstatd_t self:fifo_file rw_fifo_file_perms;
allow vnstatd_t self:unix_stream_socket { accept listen };
manage_files_pattern(vnstatd_t, vnstatd_pid_t, vnstatd_pid_t)
files_runtime_filetrans(vnstatd_t, vnstatd_pid_t, file)
manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
kernel_read_network_state(vnstatd_t)
kernel_read_system_state(vnstatd_t)
# read /sys/class/net/eth0
dev_read_sysfs(vnstatd_t)
files_read_etc_files(vnstatd_t)
files_search_var_lib(vnstatd_t)
fs_getattr_xattr_fs(vnstatd_t)
logging_send_syslog_msg(vnstatd_t)
miscfiles_read_localization(vnstatd_t)
########################################
#
# Client local policy
#
# dac_override : write /var/lib/vnstat/*
allow vnstat_t self:capability dac_override;
allow vnstat_t self:process signal;
allow vnstat_t self:fifo_file rw_fifo_file_perms;
allow vnstat_t self:unix_stream_socket { accept listen };
manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
kernel_read_network_state(vnstat_t)
kernel_read_system_state(vnstat_t)
# read /sys/class/net/eth0
dev_read_sysfs(vnstat_t)
domain_use_interactive_fds(vnstat_t)
files_dontaudit_search_home(vnstat_t)
files_read_etc_files(vnstat_t)
files_search_var_lib(vnstat_t)
fs_getattr_xattr_fs(vnstat_t)
miscfiles_read_localization(vnstat_t)
userdom_dontaudit_search_user_home_dirs(vnstat_t)
userdom_use_inherited_user_terminals(vnstat_t)
optional_policy(`
cron_system_entry(vnstat_t, vnstat_exec_t)
')
ifdef(`distro_gentoo',`
dev_read_sysfs(vnstat_t)
userdom_use_user_terminals(vnstat_t)
')
|
GitWeb