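policy_module(ladvd, 1.0.0)

# Types and permissions referenced by the raw allow rules below.
# ladvd_t is declared by this module (see Declarations) and is deliberately
# not listed here: requiring a type the module itself declares is redundant
# and may be rejected by checkmodule depending on the libsepol version.
# var_run_t is no longer referenced directly; the pid file gets its own type.
require {
	type net_conf_t;
	type sysctl_net_t;
	type sysctl_t;
	type sysfs_t;
	class capability { setuid net_raw setgid };
	class file { read getattr };
	class netlink_route_socket { write getattr read bind create nlmsg_read };
	class packet_socket { write create };
	class lnk_file read;
	class udp_socket { create ioctl };
	class dir { search getattr };
}

########################################
#
# Declarations
#

type ladvd_t;
type ladvd_exec_t;
init_daemon_domain(ladvd_t, ladvd_exec_t)

type ladvd_script_exec_t;
init_script_file(ladvd_script_exec_t)

# Dedicated label for the daemon's pid file. Without it the daemon was allowed
# to create and write any file labeled var_run_t, i.e. other daemons' pid
# files too. The module's .fc file must label the pid path with this type as
# well (path not shown here; e.g.
#   <PID_FILE_PATH>  --  gen_context(system_u:object_r:ladvd_var_run_t,s0)
# with the real path substituted).
type ladvd_var_run_t;
files_pid_file(ladvd_var_run_t)

########################################
#
# ladvd local policy
#

# Init script handling
domain_use_interactive_fds(ladvd_t)

# Internal communication is often done using fifo and unix sockets.
allow ladvd_t self:fifo_file rw_file_perms;
allow ladvd_t self:unix_stream_socket create_stream_socket_perms;

files_read_etc_files(ladvd_t)

# Older refpolicy interfaces; kept so the module still builds against the
# release it was written for.
libs_use_ld_so(ladvd_t)
libs_use_shared_libs(ladvd_t)

miscfiles_read_localization(ladvd_t)

logging_send_syslog_msg(ladvd_t)

# Network configuration (resolver/interface config) is read, never written.
allow ladvd_t net_conf_t:file { read getattr };

# net_raw: the daemon opens packet sockets to send/receive link-layer frames.
# setuid/setgid: needed to drop privileges after the raw sockets are open
# (presumably; the capability set matches that pattern).
allow ladvd_t self:capability { setuid net_raw setgid };

# Interface enumeration over rtnetlink, raw frames over packet sockets, and
# ioctl on a udp socket for interface queries.
allow ladvd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
allow ladvd_t self:packet_socket { write create };
allow ladvd_t self:udp_socket { create ioctl };

# Read-only access to /proc/sys/net and sysfs; no write rules on these.
allow ladvd_t sysctl_net_t:dir search;
allow ladvd_t sysctl_net_t:file read;
allow ladvd_t sysctl_t:dir search;

allow ladvd_t sysfs_t:dir { search getattr };
allow ladvd_t sysfs_t:file { read getattr };
allow ladvd_t sysfs_t:lnk_file read;

# Pid file: files the daemon creates under /var/run transition to
# ladvd_var_run_t, and its write/create/lock rights are confined to that type.
# manage_files_pattern is the refpolicy idiom for the pid-file lifecycle
# (create, write, lock, and removal on exit); files_pid_filetrans carries the
# var_run_t directory permissions the old raw rules granted.
manage_files_pattern(ladvd_t, ladvd_var_run_t, ladvd_var_run_t)
files_pid_filetrans(ladvd_t, ladvd_var_run_t, file)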