debian-selinux-policies/policy/modules/shutdown.te

policy_module(shutdown, 1.2.1)

########################################
#
# Declarations
#

attribute_role shutdown_roles;

type shutdown_t;
type shutdown_exec_t;
init_system_domain(shutdown_t, shutdown_exec_t)
application_domain(shutdown_t, shutdown_exec_t)
role shutdown_roles types shutdown_t;

type shutdown_etc_t;
files_config_file(shutdown_etc_t)

type shutdown_var_run_t;
files_pid_file(shutdown_var_run_t)

########################################
#
# Local policy
#

allow shutdown_t self:capability { dac_override kill setuid sys_nice sys_tty_config };
allow shutdown_t self:process { setsched signal signull };
allow shutdown_t self:fifo_file manage_fifo_file_perms;
allow shutdown_t self:unix_stream_socket create_stream_socket_perms;

manage_files_pattern(shutdown_t, shutdown_etc_t, shutdown_etc_t)
files_etc_filetrans(shutdown_t, shutdown_etc_t, file)

manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t)
files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)

kernel_read_system_state(shutdown_t)

domain_use_interactive_fds(shutdown_t)

files_delete_boot_flag(shutdown_t)
files_read_generic_pids(shutdown_t)

mls_file_write_to_clearance(shutdown_t)

term_use_all_terms(shutdown_t)

auth_use_nsswitch(shutdown_t)
auth_write_login_records(shutdown_t)

init_rw_utmp(shutdown_t)
init_stream_connect(shutdown_t)
init_telinit(shutdown_t)

logging_search_logs(shutdown_t)
logging_send_audit_msgs(shutdown_t)
logging_send_syslog_msg(shutdown_t)

miscfiles_read_localization(shutdown_t)

optional_policy(`
	cron_system_entry(shutdown_t, shutdown_exec_t)
')

optional_policy(`
	dbus_system_bus_client(shutdown_t)
	dbus_connect_system_bus(shutdown_t)
')

optional_policy(`
	oddjob_dontaudit_rw_fifo_files(shutdown_t)
	oddjob_sigchld(shutdown_t)
')

optional_policy(`
	xserver_dontaudit_write_log(shutdown_t)
')