Diffstat (limited to 'policy/modules/admin/brctl.te')
-rw-r--r--policy/modules/admin/brctl.te47
1 files changed, 47 insertions, 0 deletions
diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
new file mode 100644
index 000000000..fad614761
--- /dev/null
+++ b/policy/modules/admin/brctl.te
@@ -0,0 +1,47 @@
+policy_module(brctl, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role brctl_roles;
+
+type brctl_t;
+type brctl_exec_t;
+init_system_domain(brctl_t, brctl_exec_t)
+role brctl_roles types brctl_t;
+
+########################################
+#
+# Local policy
+#
+
+allow brctl_t self:capability net_admin;
+allow brctl_t self:fifo_file rw_fifo_file_perms;
+allow brctl_t self:unix_stream_socket create_stream_socket_perms;
+allow brctl_t self:unix_dgram_socket create_socket_perms;
+allow brctl_t self:tcp_socket create_socket_perms;
+
+kernel_request_load_module(brctl_t)
+kernel_read_network_state(brctl_t)
+kernel_read_sysctl(brctl_t)
+
+corenet_rw_tun_tap_dev(brctl_t)
+
+dev_create_sysfs_files(brctl_t)
+dev_rw_sysfs(brctl_t)
+dev_write_sysfs_dirs(brctl_t)
+
+domain_use_interactive_fds(brctl_t)
+
+files_read_etc_files(brctl_t)
+
+term_dontaudit_use_console(brctl_t)
+
+miscfiles_read_localization(brctl_t)
+
+optional_policy(`
+ xen_append_log(brctl_t)
+ xen_dontaudit_rw_unix_stream_sockets(brctl_t)
+')
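Review bot: The `allow brctl_t self:tcp_socket create_socket_perms;` rule at the end of the self-permission block carries no comment explaining why a bridge-control tool needs a TCP socket, and `create_socket_perms` in refpolicy also grants bind and connect through rw_socket_perms. As far as I know brctl opens an AF_INET socket only as a handle for the bridge ioctls (SIOCBRADDBR and friends) and never sends traffic, so `allow brctl_t self:tcp_socket { create ioctl };` would be the least-privilege form, provided a permissive-mode run confirms no further denials appear. Either way a one-line comment above the rule, `# AF_INET socket is only used to issue bridge ioctls, no network I/O`, would stop a later reader from taking it for network access. The `optional_policy` body on the last two lines appears indented with a single space rather than the tab used elsewhere in refpolicy, though that may be an artefact of the rendered page.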