selinux-refpolicy/policy/modules/services/xfs.te

policy_module(xfs, 1.11.0)

########################################
#
# Declarations
#

type xfs_t;
type xfs_exec_t;
init_daemon_domain(xfs_t, xfs_exec_t)

type xfs_initrc_exec_t;
init_script_file(xfs_initrc_exec_t)

type xfs_runtime_t alias xfs_var_run_t;
files_pid_file(xfs_runtime_t)

type xfs_tmp_t;
files_tmp_file(xfs_tmp_t)

########################################
#
# Local policy
#

allow xfs_t self:capability { dac_override setgid setuid };
dontaudit xfs_t self:capability sys_tty_config;
allow xfs_t self:process { signal_perms setpgid };
allow xfs_t self:unix_stream_socket { accept listen };
allow xfs_t self:tcp_socket { accept listen };

manage_dirs_pattern(xfs_t, xfs_tmp_t, xfs_tmp_t)
manage_sock_files_pattern(xfs_t, xfs_tmp_t, xfs_tmp_t)
files_tmp_filetrans(xfs_t, xfs_tmp_t, { sock_file dir })

manage_files_pattern(xfs_t, xfs_runtime_t, xfs_runtime_t)
files_pid_filetrans(xfs_t, xfs_runtime_t, file)

can_exec(xfs_t, xfs_exec_t)

kernel_read_kernel_sysctls(xfs_t)
kernel_read_system_state(xfs_t)

corenet_all_recvfrom_netlabel(xfs_t)
corenet_tcp_sendrecv_generic_if(xfs_t)
corenet_tcp_sendrecv_generic_node(xfs_t)
corenet_tcp_bind_generic_node(xfs_t)

corenet_sendrecv_xfs_server_packets(xfs_t)
corenet_tcp_bind_xfs_port(xfs_t)

corecmd_list_bin(xfs_t)

dev_read_sysfs(xfs_t)
dev_read_urand(xfs_t)
dev_read_rand(xfs_t)

fs_getattr_all_fs(xfs_t)
fs_search_auto_mountpoints(xfs_t)

domain_use_interactive_fds(xfs_t)

files_read_etc_runtime_files(xfs_t)
files_read_usr_files(xfs_t)

auth_use_nsswitch(xfs_t)

init_script_tmp_filetrans(xfs_t, xfs_tmp_t, sock_file, "fs7100")

logging_send_syslog_msg(xfs_t)

miscfiles_read_localization(xfs_t)
miscfiles_read_fonts(xfs_t)

userdom_dontaudit_use_unpriv_user_fds(xfs_t)
userdom_dontaudit_search_user_home_dirs(xfs_t)

optional_policy(`
	seutil_sigchld_newrole(xfs_t)
')

optional_policy(`
	udev_read_db(xfs_t)
')