policy_module(gpsd, 1.6.1) ######################################## # # Declarations # attribute_role gpsd_roles; type gpsd_t; type gpsd_exec_t; application_domain(gpsd_t, gpsd_exec_t) init_daemon_domain(gpsd_t, gpsd_exec_t) role gpsd_roles types gpsd_t; type gpsd_initrc_exec_t; init_script_file(gpsd_initrc_exec_t) type gpsd_runtime_t alias gpsd_var_run_t; files_runtime_file(gpsd_runtime_t) type gpsd_tmpfs_t; files_tmpfs_file(gpsd_tmpfs_t) ######################################## # # Local policy # allow gpsd_t self:capability { fowner fsetid setgid setuid sys_nice sys_time sys_tty_config }; dontaudit gpsd_t self:capability { dac_override dac_read_search }; allow gpsd_t self:process { setsched signal_perms }; allow gpsd_t self:shm create_shm_perms; allow gpsd_t self:unix_dgram_socket sendto; allow gpsd_t self:tcp_socket { accept listen }; manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file }) manage_files_pattern(gpsd_t, gpsd_runtime_t, gpsd_runtime_t) manage_sock_files_pattern(gpsd_t, gpsd_runtime_t, gpsd_runtime_t) files_runtime_filetrans(gpsd_t, gpsd_runtime_t, { file sock_file }) kernel_list_proc(gpsd_t) kernel_request_load_module(gpsd_t) corenet_all_recvfrom_netlabel(gpsd_t) corenet_tcp_sendrecv_generic_if(gpsd_t) corenet_tcp_sendrecv_generic_node(gpsd_t) corenet_tcp_bind_all_nodes(gpsd_t) corenet_sendrecv_gpsd_server_packets(gpsd_t) corenet_tcp_bind_gpsd_port(gpsd_t) dev_read_sysfs(gpsd_t) dev_rw_realtime_clock(gpsd_t) domain_dontaudit_read_all_domains_state(gpsd_t) term_use_unallocated_ttys(gpsd_t) term_setattr_unallocated_ttys(gpsd_t) auth_use_nsswitch(gpsd_t) logging_send_syslog_msg(gpsd_t) miscfiles_read_localization(gpsd_t) optional_policy(` chronyd_rw_shm(gpsd_t) chronyd_stream_connect(gpsd_t) chronyd_dgram_send(gpsd_t) ') optional_policy(` dbus_system_bus_client(gpsd_t) ') optional_policy(` ntp_rw_shm(gpsd_t) ')