/usr/share/selinux/ubuntu/include/system/daemontools.if is in selinux-policy-ubuntu-dev 0.2.20091117-0ubuntu2.
This file is owned by root:root, with mode 0o644.
## <summary>Collection of tools for managing UNIX services</summary>
## <desc>
## <p>
## Policy for DJB's daemontools
## </p>
## </desc>
########################################
## <summary>
## Allow an IPC channel (inherited descriptors, FIFOs and signals) between the supervised domain and svc_start_t.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access to svc_start_t.
## </summary>
## </param>
#
interface(`daemontools_ipc_domain',`
# Rules that let the calling domain and svc_start_t communicate:
# descriptor inheritance, FIFO access and signals in both directions.
gen_require(`
type svc_start_t;
')
# The calling domain may deliver SIGCHLD to svc_start_t.
allow $1 svc_start_t:process sigchld;
# The calling domain may use descriptors that svc_start_t opened.
allow $1 svc_start_t:fd use;
# Read, write and stat on FIFOs typed svc_start_t. No open permission is
# listed, so this presumably covers only pipes reached through inherited
# descriptors - TODO confirm against the target policy version.
allow $1 svc_start_t:fifo_file { read write getattr };
# svc_start_t may send generic signals to the calling domain. The signal
# permission is separate from sigkill and sigstop, which are not granted here.
allow svc_start_t $1:process signal;
')
########################################
## <summary>
## Define a specified domain as a supervised service.
## </summary>
## <param name="domain">
## <summary>
## Domain of the supervised service, entered from svc_run_t.
## </summary>
## </param>
## <param name="entrypoint">
## <summary>
## The executable type used as the entry point into the supervised domain.
## </summary>
## </param>
#
interface(`daemontools_service_domain',`
# Marks the first argument as a domain supervised by daemontools; the second
# argument is the executable type that leads into it.
gen_require(`
type svc_run_t;
')
# Transition from svc_run_t into the service domain when svc_run_t executes a
# file with the entrypoint type. domain_auto_trans is defined outside this
# file. NOTE(review): the transition needs no request from the caller, so
# which programs end up in the service domain is decided by what carries the
# entrypoint label; keep relabel access to that type narrow.
domain_auto_trans(svc_run_t, $2, $1)
# Reuse the svc_start_t channel rules for the service domain.
daemontools_ipc_domain($1)
# svc_run_t may send generic signals to the service; sigkill and sigstop are
# separate permissions and are not granted by this rule.
allow svc_run_t $1:process signal;
# The service may use descriptors inherited from svc_run_t.
allow $1 svc_run_t:fd use;
')
########################################
## <summary>
## Execute a svc_start_exec_t program in the svc_start_t domain (domain transition).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`daemontools_domtrans_start',`
# Lets the calling domain run svc_start_exec_t programs in svc_start_t.
gen_require(`
type svc_start_t, svc_start_exec_t;
')
# Arguments are source domain, entrypoint file type, target domain.
# domtrans_pattern is defined outside this file; the exact rule set it
# expands to should be checked there.
domtrans_pattern($1, svc_start_exec_t, svc_start_t)
')
########################################
## <summary>
## Execute a svc_run_exec_t program in the svc_run_t domain (domain transition).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`daemontools_domtrans_run',`
# Lets the calling domain run svc_run_exec_t programs in svc_run_t.
# NOTE(review): in daemontools_service_domain, svc_run_t is the domain that
# auto-transitions into supervised services and may signal them, so callers
# of this interface gain an indirect path to those services.
gen_require(`
type svc_run_t, svc_run_exec_t;
')
# Arguments are source domain, entrypoint file type, target domain.
domtrans_pattern($1, svc_run_exec_t, svc_run_t)
')
########################################
## <summary>
## Execute a svc_multilog_exec_t program in the svc_multilog_t domain (domain transition).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`daemontools_domtrans_multilog',`
# Lets the calling domain run svc_multilog_exec_t programs in svc_multilog_t.
gen_require(`
type svc_multilog_t, svc_multilog_exec_t;
')
# Arguments are source domain, entrypoint file type, target domain.
domtrans_pattern($1, svc_multilog_exec_t, svc_multilog_t)
')
########################################
## <summary>
## Allow a domain to list svc_svc_t directories and read svc_svc_t files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`daemontools_read_svc',`
# Read-only view of svc_svc_t content for the calling domain.
gen_require(`
type svc_svc_t;
')
# Directory listing; list_dir_perms is a permission set defined elsewhere.
allow $1 svc_svc_t:dir list_dir_perms;
# Regular file reads; read_file_perms is a permission set defined elsewhere.
# No rule here covers lnk_file or fifo_file objects of this type.
allow $1 svc_svc_t:file read_file_perms;
')
########################################
## <summary>
## Allow a domain to manage svc_svc_t directories, files and named pipes, and to create and read svc_svc_t symbolic links.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`daemontools_manage_svc',`
# Grants the calling domain the manage permission sets on svc_svc_t
# directories, FIFOs and regular files, plus limited symlink access.
# NOTE(review): svc_svc_t presumably labels the service directories the
# supervisor acts on - confirm against the file contexts. If so, a domain
# with this interface can change what gets supervised, so it should be
# limited to administrative domains.
gen_require(`
type svc_svc_t;
')
# The manage_* permission sets are defined outside this file.
allow $1 svc_svc_t:dir manage_dir_perms;
allow $1 svc_svc_t:fifo_file manage_fifo_file_perms;
allow $1 svc_svc_t:file manage_file_perms;
# Symbolic links: only read and create are listed; this rule grants no
# unlink, rename or setattr on them.
allow $1 svc_svc_t:lnk_file { read create };
')