policy_module(sysstat, 1.3.0) ######################################## # # Declarations # type sysstat_t; type sysstat_exec_t; init_system_domain(sysstat_t, sysstat_exec_t) role system_r types sysstat_t; type sysstat_log_t; logging_log_file(sysstat_log_t) ######################################## # # Local policy # allow sysstat_t self:capability sys_resource; dontaudit sysstat_t self:capability sys_admin; allow sysstat_t self:fifo_file rw_fifo_file_perms; can_exec(sysstat_t, sysstat_exec_t) manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t) logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir }) # get info from /proc kernel_read_system_state(sysstat_t) kernel_read_network_state(sysstat_t) kernel_read_kernel_sysctls(sysstat_t) kernel_read_fs_sysctls(sysstat_t) kernel_read_rpc_sysctls(sysstat_t) corecmd_exec_bin(sysstat_t) dev_read_urand(sysstat_t) dev_read_sysfs(sysstat_t) files_search_var(sysstat_t) # for mtab files_read_etc_runtime_files(sysstat_t) #for fstab files_read_etc_files(sysstat_t) fs_getattr_xattr_fs(sysstat_t) term_use_console(sysstat_t) term_use_all_terms(sysstat_t) init_use_fds(sysstat_t) locallogin_use_fds(sysstat_t) miscfiles_read_localization(sysstat_t) sysadm_dontaudit_list_home_dirs(sysstat_t) optional_policy(` cron_system_entry(sysstat_t, sysstat_exec_t) ') optional_policy(` logging_send_syslog_msg(sysstat_t) ')