ansible/roles/collectd/base/files/selinux/fi-collectd.te

# Local SELinux policy module that extends the collectd_t domain.
# Allow rules are additive: everything here is granted on top of whatever the
# base policy already permits for collectd_t.
module fi-collectd 1.10.0;

# Types and object classes referenced by the rules below. They must already be
# defined by the loaded policy, otherwise the module will not install.
require {
	type anon_inodefs_t;
	type bin_t;
	type collectd_t;
	type configfs_t;
	type hostname_exec_t;
	type init_t;
	type initrc_t;
	type postfix_postqueue_exec_t;
	type postfix_public_t;
	type sendmail_exec_t;
	type shell_exec_t;
	type tmp_t;
	type var_run_t;

	class capability { dac_override dac_read_search kill setgid setuid sys_ptrace };
	class dir { getattr read };
	class file { execute execute_no_trans getattr ioctl open read write };
	class lnk_file read;
	class sock_file { getattr read write };
	class unix_stream_socket connectto;
}

#============= collectd_t ==============

# --- Linux capabilities held by the collectd process itself ---
# dac_override / dac_read_search bypass ordinary file permission checks,
# setuid / setgid allow changing process identity, kill allows signalling
# processes owned by other users, and sys_ptrace allows inspecting other
# processes.
# NOTE(review): this is the broadest grant in the module. Confirm each
# capability against a recorded AVC denial and drop any that are no longer
# needed; dac_override and sys_ptrace deserve the closest look.
allow collectd_t self:capability { dac_override dac_read_search kill setgid setuid sys_ptrace };

# --- Programs collectd may run ---
# execute_no_trans means the program runs inside collectd_t with no domain
# transition, so it inherits every permission granted in this module,
# including the capabilities above.
# NOTE(review): bin_t is the generic label for most system binaries, so the
# bin_t rule is not limited to one helper program.
allow collectd_t bin_t:file { execute execute_no_trans getattr ioctl open read };
allow collectd_t bin_t:lnk_file read;
allow collectd_t hostname_exec_t:file { execute execute_no_trans getattr ioctl open read };
allow collectd_t postfix_postqueue_exec_t:file { execute execute_no_trans open read };
allow collectd_t sendmail_exec_t:file { execute execute_no_trans getattr open read };
# The shell rule grants execute but not execute_no_trans.
# NOTE(review): whether a shell can actually be started from collectd_t
# depends on rules outside this module - confirm that this is intended.
allow collectd_t shell_exec_t:file { execute open read };

# --- Unix sockets collectd may talk to ---
# connectto is checked against the domain of the listening process.
# NOTE(review): initrc_t is typically the domain of services started from
# init scripts without a policy of their own, so this rule may cover more
# peers than a single daemon - verify which listener needs it.
allow collectd_t init_t:unix_stream_socket connectto;
allow collectd_t initrc_t:unix_stream_socket connectto;
# Presumably for querying the postfix queue through its public socket - confirm.
allow collectd_t postfix_public_t:sock_file write;
# NOTE(review): var_run_t is the generic runtime-directory label, so this
# applies to any socket file that has no more specific type.
allow collectd_t var_run_t:sock_file { getattr read write };

# --- Miscellaneous read-mostly access ---
allow collectd_t anon_inodefs_t:file { read write };
allow collectd_t configfs_t:dir getattr;
allow collectd_t tmp_t:dir read;