infrastructure/ansible
1
0
Fork 0
Code Pull requests 7 Activity Actions
ansible/roles/collectd/base/files/selinux/fi-collectd.te
Aurélien Bompard d7fdbe58b9
Add one more perm for collecd's selinux package 
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2023-06-02 08:30:16 +02:00

54 lines
2.1 KiB
Text
Raw Blame History

module fi-collectd 1.11.3;
require {
type shell_exec_t;
type bin_t;
type collectd_t;
type collectd_script_t;
type collectd_var_run_t;
type configfs_t;
type hostname_exec_t;
type init_t;
type postfix_postqueue_exec_t;
type postfix_public_t;
type sendmail_exec_t;
type tmp_t;
type var_run_t;
type anon_inodefs_t;
type initrc_t;
type proc_net_t;
class capability { kill setuid dac_read_search sys_ptrace setgid dac_override chown };
class dir { getattr read };
class file { execute read write getattr execute_no_trans ioctl open };
class lnk_file read;
class sock_file { read write getattr };
class unix_stream_socket connectto;
class netlink_generic_socket { create bind getattr };
}
#============= collectd_t ==============
allow collectd_t bin_t:file { read getattr open execute execute_no_trans ioctl };
allow collectd_t bin_t:lnk_file read;
allow collectd_t configfs_t:dir getattr;
allow collectd_t hostname_exec_t:file {getattr execute read open ioctl execute_no_trans};
allow collectd_t init_t:unix_stream_socket connectto;
allow collectd_t postfix_postqueue_exec_t:file { read execute open execute_no_trans };
allow collectd_t postfix_public_t:sock_file write;
allow collectd_t self:capability { kill setuid dac_read_search sys_ptrace setgid dac_override };
allow collectd_t sendmail_exec_t:file { read getattr open execute execute_no_trans };
allow collectd_t shell_exec_t:file { read open execute };
allow collectd_t tmp_t:dir read;
allow collectd_t var_run_t:sock_file { read write getattr };
allow collectd_t anon_inodefs_t:file { write read };
allow collectd_t initrc_t:unix_stream_socket connectto;
allow collectd_t proc_net_t:lnk_file read;
allow collectd_t self:netlink_generic_socket { create bind getattr };
# allow chown for the unix socket
# https://bugzilla.redhat.com/show_bug.cgi?id=1304029#c9
allow collectd_t self:capability chown;
# Allow the CGI to request a flush of the RRDs through collectd's unix socket
#============= collectd_script_t ==============
allow collectd_script_t collectd_var_run_t:sock_file write;
allow collectd_script_t collectd_t:unix_stream_socket connectto;
View git blame Copy permalink