diff --git a/watchdog.fc b/watchdog.fc
index 27ee394..eecd0e0 100644
--- a/watchdog.fc
+++ b/watchdog.fc
@@ -1,5 +1,7 @@
+/etc/rc\.d/init\.d/watchdog -- gen_context(system_u:object_r:watchdog_initrc_exec_t,s0)
+
/usr/sbin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0)
-/var/log/watchdog(/.*)? gen_context(system_u:object_r:watchdog_log_t,s0)
+/var/log/watchdog.* gen_context(system_u:object_r:watchdog_log_t,s0)
/var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0)
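Review bot: The new `/var/log/watchdog.*` entry widens the match beyond what `/var/log/watchdog(/.*)?` covered, because the unescaped `.*` labels any `/var/log` entry whose name merely starts with `watchdog` (a constructed `/var/log/watchdog-old`, for instance) as `watchdog_log_t`, not just the directory and its contents. If the intent is only the directory tree, the original form is the tighter one; if a specific log file name is also wanted, a separate entry with the dot escaped, `/var/log/watchdog\.log.*` (name constructed, adjust to the real file), keeps the label from spilling onto unrelated logs.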
diff --git a/watchdog.if b/watchdog.if
index f8acf10..6461a77 100644
--- a/watchdog.if
+++ b/watchdog.if
@@ -1 +1,39 @@
-## Software watchdog
+## Software watchdog.
+
+########################################
+##
+## All of the rules required to
+## administrate an watchdog environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`watchdog_admin',`
+ gen_require(`
+ type watchdog_t, watchdog_initrc_exec_t, watchdog_log_t;
+ type watchdog_var_run_t;
+ ')
+
+ allow $1 watchdog_t:process { ptrace signal_perms };
+ ps_process_pattern($1, watchdog_t)
+
+ init_labeled_script_domtrans($1, watchdog_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 watchdog_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, watchdog_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, watchdog_var_run_t)
+')
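Review bot: The summary text of the new `watchdog_admin` interface reads "administrate an watchdog environment"; it should be `## administrate a watchdog environment.`. The bare `##` lines around the summary and parameter descriptions look as if the `<summary>`, `<param name="domain">`, `<param name="role">` and `<desc>` tags were lost somewhere between the file and this rendering; if they are missing in the committed file too, the interface will not document correctly when the policy docs are generated, so that is worth checking. Since the interface hands `$1` `ptrace` and full signal rights over `watchdog_t` plus a role transition into `system_r`, the summary would also benefit from a sentence saying it is meant only for a dedicated administrator domain, as is usual for `*_admin` interfaces.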
diff --git a/watchdog.te b/watchdog.te
index b10bb05..29f79e8 100644
--- a/watchdog.te
+++ b/watchdog.te
@@ -1,14 +1,17 @@
-policy_module(watchdog, 1.7.0)
+policy_module(watchdog, 1.7.1)
#################################
#
-# Rules for the watchdog_t domain.
+# Declarations
#
type watchdog_t;
type watchdog_exec_t;
init_daemon_domain(watchdog_t, watchdog_exec_t)
+type watchdog_initrc_exec_t;
+init_script_file(watchdog_initrc_exec_t)
+
type watchdog_log_t;
logging_log_file(watchdog_log_t)
@@ -17,18 +20,16 @@ files_pid_file(watchdog_var_run_t)
########################################
#
-# Declarations
+# Local policy
#
allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource };
dontaudit watchdog_t self:capability sys_tty_config;
allow watchdog_t self:process { setsched signal_perms };
allow watchdog_t self:fifo_file rw_fifo_file_perms;
-allow watchdog_t self:unix_stream_socket create_socket_perms;
-allow watchdog_t self:tcp_socket create_stream_socket_perms;
-allow watchdog_t self:udp_socket create_socket_perms;
+allow watchdog_t self:tcp_socket { accept listen };
-allow watchdog_t watchdog_log_t:file manage_file_perms;
+allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms };
logging_log_filetrans(watchdog_t, watchdog_log_t, file)
manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)
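Review bot: `allow watchdog_t self:tcp_socket { accept listen };` on its own no longer carries `create`, `bind`, `connect` or read/write on the socket, so it only makes sense if those come from elsewhere; as far as I recall `sysnet_dns_name_resolve()`, which the last hunk swaps in for `sysnet_read_config()`, grants `create_socket_perms` on the caller's own tcp and udp sockets, and that is an implicit coupling a reader of this file cannot see. A one-line comment would make the dependency explicit, e.g. `# socket create/bind/connect perms come from sysnet_dns_name_resolve()` above the `accept listen` rule, and conversely the hunk that introduces `sysnet_dns_name_resolve(watchdog_t)` should say why the daemon needs name resolution rather than just config reads. The narrowing of `watchdog_log_t` from `manage_file_perms` to append/create/setattr is a real least-privilege improvement and needs no change.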
@@ -38,24 +39,19 @@ kernel_read_system_state(watchdog_t)
kernel_read_kernel_sysctls(watchdog_t)
kernel_unmount_proc(watchdog_t)
-# for orderly shutdown
corecmd_exec_shell(watchdog_t)
-# cjp: why networking?
corenet_all_recvfrom_unlabeled(watchdog_t)
corenet_all_recvfrom_netlabel(watchdog_t)
corenet_tcp_sendrecv_generic_if(watchdog_t)
-corenet_udp_sendrecv_generic_if(watchdog_t)
corenet_tcp_sendrecv_generic_node(watchdog_t)
-corenet_udp_sendrecv_generic_node(watchdog_t)
corenet_tcp_sendrecv_all_ports(watchdog_t)
-corenet_udp_sendrecv_all_ports(watchdog_t)
-corenet_tcp_connect_all_ports(watchdog_t)
+
corenet_sendrecv_all_client_packets(watchdog_t)
+corenet_tcp_connect_all_ports(watchdog_t)
dev_read_sysfs(watchdog_t)
dev_write_watchdog(watchdog_t)
-# do not care about saving the random seed
dev_dontaudit_read_rand(watchdog_t)
dev_dontaudit_read_urand(watchdog_t)
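Review bot: This hunk drops the why-comments `# for orderly shutdown` (over `corecmd_exec_shell`) and `# do not care about saving the random seed` (over the `dev_dontaudit_read_rand`/`dev_dontaudit_read_urand` pair) without replacing them, and the two following hunks do the same with `# for updating mtab on umount` and `# record the fact that we are going down`; those lines are the only explanation for grants that look surprising on a watchdog daemon (shell execution, managing etc runtime files, appending login records), and a future reviewer tightening this domain will have to rediscover them. I would keep each of them on the line above the rule it explains. The removed `# cjp: why networking?` is different: the question it asks is not answered by the remaining `corenet_tcp_*` rules and `corenet_tcp_connect_all_ports`, so it should be replaced by a comment stating the reason for the network access rather than simply deleted.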
@@ -68,7 +64,6 @@ domain_signal_all_domains(watchdog_t)
domain_kill_all_domains(watchdog_t)
files_read_etc_files(watchdog_t)
-# for updating mtab on umount
files_manage_etc_runtime_files(watchdog_t)
files_etc_filetrans_etc_runtime(watchdog_t, file)
@@ -76,14 +71,13 @@ fs_unmount_xattr_fs(watchdog_t)
fs_getattr_all_fs(watchdog_t)
fs_search_auto_mountpoints(watchdog_t)
-# record the fact that we are going down
auth_append_login_records(watchdog_t)
logging_send_syslog_msg(watchdog_t)
miscfiles_read_localization(watchdog_t)
-sysnet_read_config(watchdog_t)
+sysnet_dns_name_resolve(watchdog_t)
userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
userdom_dontaudit_search_user_home_dirs(watchdog_t)