Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

put in sink with working version from puppet

Browse source
This commit is contained in:
Stephen Smoogen 2014-12-06 23:21:13 +00:00
parent c451f5e40e
commit 1d2c31fc3e
1 changed files with 26 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

40
roles/collectd/base/files/selinux/fi-collectd.te
View file

@ -1,24 +1,36 @@
module fi-collectd 1.9.1;
module fi-collectd 1.9.4;
require {
type shell_exec_t;
type var_run_t;
type bin_t;
type configfs_t;
type init_t;
type collectd_t;
class sock_file { read write getattr };
class unix_stream_socket connectto;
class capability { setuid dac_read_search sys_ptrace setgid dac_override };
class file { read getattr open execute execute_no_trans };
class dir getattr;
type bin_t;
type collectd_t;
type configfs_t;
type hostname_exec_t;
type init_t;
type postfix_postqueue_exec_t;
type postfix_public_t;
type sendmail_exec_t;
type tmp_t;
type var_run_t;
class capability { kill setuid dac_read_search sys_ptrace setgid dac_override };
class dir { getattr read };
class file { execute read getattr execute_no_trans ioctl open };
class lnk_file read;
class sock_file { read write getattr };
class unix_stream_socket connectto;
}
#============= collectd_t ==============
allow collectd_t bin_t:file { read getattr open execute execute_no_trans };
allow collectd_t bin_t:file { read getattr open execute execute_no_trans ioctl };
allow collectd_t bin_t:lnk_file read;
allow collectd_t configfs_t:dir getattr;
allow collectd_t hostname_exec_t:file {getattr execute read open ioctl execute_no_trans};
allow collectd_t init_t:unix_stream_socket connectto;
allow collectd_t self:capability { setuid dac_read_search sys_ptrace setgid dac_override };
allow collectd_t var_run_t:sock_file { read write getattr };
allow collectd_t postfix_postqueue_exec_t:file { read execute open execute_no_trans };
allow collectd_t postfix_public_t:sock_file write;
allow collectd_t self:capability { kill setuid dac_read_search sys_ptrace setgid dac_override };
allow collectd_t sendmail_exec_t:file { read getattr open execute execute_no_trans };
allow collectd_t shell_exec_t:file { read open execute };
allow collectd_t tmp_t:dir read;
allow collectd_t var_run_t:sock_file { read write getattr };