policy_module(raid, 1.21.0) ######################################## # # Declarations # attribute_role mdadm_roles; type mdadm_t; type mdadm_exec_t; init_daemon_domain(mdadm_t, mdadm_exec_t) role mdadm_roles types mdadm_t; type mdadm_initrc_exec_t; init_script_file(mdadm_initrc_exec_t) type mdadm_runtime_t alias mdadm_var_run_t; files_runtime_file(mdadm_runtime_t) dev_associate(mdadm_runtime_t) type mdadm_unit_t; init_unit_file(mdadm_unit_t) ######################################## # # Local policy # allow mdadm_t self:capability { dac_override ipc_lock sys_admin }; dontaudit mdadm_t self:capability sys_tty_config; allow mdadm_t self:process { getsched setsched signal_perms }; allow mdadm_t self:fifo_file rw_fifo_file_perms; allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms; manage_dirs_pattern(mdadm_t, mdadm_runtime_t, mdadm_runtime_t) manage_files_pattern(mdadm_t, mdadm_runtime_t, mdadm_runtime_t) manage_lnk_files_pattern(mdadm_t, mdadm_runtime_t, mdadm_runtime_t) manage_sock_files_pattern(mdadm_t, mdadm_runtime_t, mdadm_runtime_t) dev_filetrans(mdadm_t, mdadm_runtime_t, file) files_runtime_filetrans(mdadm_t, mdadm_runtime_t, { dir file }) kernel_getattr_core_if(mdadm_t) kernel_read_system_state(mdadm_t) kernel_read_kernel_sysctls(mdadm_t) kernel_request_load_module(mdadm_t) kernel_rw_software_raid_state(mdadm_t) corecmd_exec_bin(mdadm_t) corecmd_exec_shell(mdadm_t) dev_rw_sysfs(mdadm_t) dev_dontaudit_getattr_all_blk_files(mdadm_t) dev_dontaudit_getattr_all_chr_files(mdadm_t) dev_read_realtime_clock(mdadm_t) domain_use_interactive_fds(mdadm_t) files_read_etc_files(mdadm_t) files_read_etc_runtime_files(mdadm_t) files_dontaudit_getattr_all_files(mdadm_t) fs_getattr_all_fs(mdadm_t) fs_list_auto_mountpoints(mdadm_t) fs_list_hugetlbfs(mdadm_t) fs_read_efivarfs_files(mdadm_t) fs_rw_cgroup_files(mdadm_t) fs_dontaudit_list_tmpfs(mdadm_t) mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) term_dontaudit_list_ptys(mdadm_t) term_dontaudit_use_unallocated_ttys(mdadm_t) init_dontaudit_getattr_initctl(mdadm_t) logging_send_syslog_msg(mdadm_t) miscfiles_read_localization(mdadm_t) userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) userdom_dontaudit_use_user_terminals(mdadm_t) optional_policy(` cron_system_entry(mdadm_t, mdadm_exec_t) ') optional_policy(` gpm_dontaudit_getattr_gpmctl(mdadm_t) ') optional_policy(` mta_send_mail(mdadm_t) ') optional_policy(` seutil_sigchld_newrole(mdadm_t) ')