|
@@ -1,4 +1,4 @@
|
|
-policy_module(atop, 0.1.13)
|
|
|
|
|
|
+policy_module(atop, 0.1.15)
|
|
|
|
|
|
########################################
|
|
########################################
|
|
#
|
|
#
|
|
@@ -12,15 +12,25 @@ type atop_exec_t;
|
|
init_daemon_domain(atop_t, atop_exec_t)
|
|
init_daemon_domain(atop_t, atop_exec_t)
|
|
role atop_roles types atop_t;
|
|
role atop_roles types atop_t;
|
|
|
|
|
|
|
|
+type atopacct_t;
|
|
|
|
+type atopacct_exec_t;
|
|
|
|
+init_daemon_domain(atopacct_t, atopacct_exec_t)
|
|
|
|
+
|
|
type atop_initrc_exec_t;
|
|
type atop_initrc_exec_t;
|
|
init_script_file(atop_initrc_exec_t)
|
|
init_script_file(atop_initrc_exec_t)
|
|
|
|
|
|
|
|
+type atopacct_initrc_exec_t;
|
|
|
|
+init_script_file(atopacct_initrc_exec_t)
|
|
|
|
+
|
|
type atop_var_log_t;
|
|
type atop_var_log_t;
|
|
logging_log_file(atop_var_log_t)
|
|
logging_log_file(atop_var_log_t)
|
|
|
|
|
|
type atop_var_run_t;
|
|
type atop_var_run_t;
|
|
files_pid_file(atop_var_run_t)
|
|
files_pid_file(atop_var_run_t)
|
|
|
|
|
|
|
|
+type atopacct_var_run_t;
|
|
|
|
+files_pid_file(atopacct_var_run_t)
|
|
|
|
+
|
|
type atop_var_cache_t;
|
|
type atop_var_cache_t;
|
|
files_type(atop_var_cache_t)
|
|
files_type(atop_var_cache_t)
|
|
|
|
|
|
@@ -52,6 +62,8 @@ manage_dirs_pattern(atop_t, atop_var_run_t, atop_var_run_t)
|
|
manage_files_pattern(atop_t, atop_var_run_t, atop_var_run_t)
|
|
manage_files_pattern(atop_t, atop_var_run_t, atop_var_run_t)
|
|
files_pid_filetrans(atop_t, atop_var_run_t, { file dir })
|
|
files_pid_filetrans(atop_t, atop_var_run_t, { file dir })
|
|
|
|
|
|
|
|
+read_files_pattern(atop_t, atopacct_var_run_t, atopacct_var_run_t)
|
|
|
|
+
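Review bot: `read_files_pattern(atop_t, atopacct_var_run_t, atopacct_var_run_t)` grants search on the directory and read on the files, but not directory listing; if atop enumerates the shadow-accounting directory to find the current file rather than opening a fixed name, that access will still be denied and `list_dirs_pattern(atop_t, atopacct_var_run_t, atopacct_var_run_t)` is needed alongside it. Whether atop lists the directory is not visible from the hunk, so confirm against the AVC log before relying on the read-only rule.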
|
|
corecmd_exec_bin(atop_t)
|
|
corecmd_exec_bin(atop_t)
|
|
|
|
|
|
optional_policy(`
|
|
optional_policy(`
|
|
@@ -85,3 +97,30 @@ dev_getattr_lvm_control(atop_t)
|
|
cron_system_entry(atop_t, atop_exec_t)
|
|
cron_system_entry(atop_t, atop_exec_t)
|
|
|
|
|
|
init_read_utmp(atop_t)
|
|
init_read_utmp(atop_t)
|
|
|
|
+
|
|
|
|
+### atopacct policy
|
|
|
|
+
|
|
|
|
+allow atopacct_t self:capability { net_admin sys_nice sys_pacct };
|
|
|
|
+allow atopacct_t self:netlink_generic_socket { bind create read setopt write };
|
|
|
|
+allow atopacct_t self:process { setsched signal };
|
|
|
|
+allow atopacct_t self:unix_dgram_socket { connect create write };
|
|
|
|
+
|
|
|
|
+manage_dirs_pattern(atopacct_t, atopacct_var_run_t, atopacct_var_run_t)
|
|
|
|
+manage_files_pattern(atopacct_t, atopacct_var_run_t, atopacct_var_run_t)
|
|
|
|
+files_pid_filetrans(atopacct_t, atopacct_var_run_t, { file dir })
|
|
|
|
+
|
|
|
|
+logging_send_syslog_msg(atopacct_t)
|
|
|
|
+
|
|
|
|
+miscfiles_read_localization(atopacct_t)
|
|
|
|
+
|
|
|
|
+kernel_read_system_state(atopacct_t)
|
|
|
|
+
|
|
|
|
+fs_getattr_tmpfs(atopacct_t)
|
|
|
|
+
|
|
|
|
+optional_policy(`
|
|
|
|
+ gen_require(`
|
|
|
|
+ type initrc_t;
|
|
|
|
+ ')
|
|
|
|
+ allow atopacct_t initrc_t:sem { associate read unix_read unix_write write };
|
|
|
|
+')
|
|
|
|
+
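Review bot: The `allow atopacct_t initrc_t:sem { associate read unix_read unix_write write }` rule reaches into the init module through a raw `gen_require` of `initrc_t`; refpolicy convention is to express such cross-module access through an interface exported by the owning module (init.if), so the dependency is declared and the permission set is maintained in one place. The rule is also broad — it grants atopacct_t read/write on every semaphore owned by initrc_t, not just the one it shares — and nothing in the hunk says which semaphore this is for; presumably it is created before the domain transition, but that should be confirmed from the denial that prompted it and recorded in a comment such as `# atopacctd shares a SysV semaphore created under initrc_t by <creator>` above the rule. The `self:unix_dgram_socket { connect create write }` line looks redundant with `logging_send_syslog_msg(atopacct_t)`, which in current refpolicy already grants the caller's own dgram socket permissions; if syslog is the only reason for it, drop it, otherwise comment what else needs it. Finally, `net_admin` in the capability set deserves a one-line why-comment (`# taskstats netlink queries need CAP_NET_ADMIN`, if that is the reason), since it is the one capability here that process accounting alone does not explain.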
|