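# SELinux policy module adding the permissions rhsmcertd (the subscription
# manager certificate daemon, domain rhsmcertd_t) needs beyond the base policy.
#
# to use:
# make -f /usr/share/selinux/devel/Makefile
# semodule -i rhsmcertd_additions.pp
#
# Review notes (security):
# - Every allow rule below is keyed on a *type*, not a path: a rule on etc_t
#   or cert_t reaches every file carrying that label, not just the file named
#   in the comment next to it.
# - dmidecode and the shell are run with execute_no_trans, i.e. inside
#   rhsmcertd_t itself rather than in their own domains. That is why the
#   daemon domain needs sys_rawio and raw memory device access directly.
#   A proper domain transition into dmidecode_t (type_transition plus the
#   usual transition/entrypoint rules, or the dmidecode_domtrans() interface
#   when building against the refpolicy devel headers) would keep those
#   privileges out of the long-running daemon; not done here because it
#   needs rules this module does not yet carry.
module rhsmcertd_additions 1.0;

require {
	type devlog_t;
	type cert_t;
	type shell_exec_t;
	type syslogd_t;
	type rhsmcertd_t;
	type dmidecode_exec_t;
	type http_port_t;
	type sysfs_t;
	type etc_t;
	type memory_device_t;
	class process setsched;
	class capability { sys_rawio sys_nice };
	class chr_file { read open };
	class sock_file write;
	class tcp_socket name_connect;
	class unix_dgram_socket { create connect sendto ioctl };
	class dir { write read add_name };
	class file { write getattr setattr read create open execute execute_no_trans };
}

# for storing consumer id certs, product certs, and entitlement certs
# (write/create/setattr on *any* cert_t file, not only the subscription dirs)
allow rhsmcertd_t cert_t:dir { write add_name };
allow rhsmcertd_t cert_t:file { write create setattr };

# syslogging entitlement validity status: sending to the syslog daemon's
# datagram socket, plus the local socket setup further below
allow rhsmcertd_t syslogd_t:unix_dgram_socket sendto;

# reading hardware details for facts population (read-only on sysfs)
allow rhsmcertd_t sysfs_t:dir read;
allow rhsmcertd_t sysfs_t:file { read getattr open };

# allow updating /etc/yum.repos.d/redhat.repo
# CAUTION: etc_t is the generic label for most of /etc; this grants write and
# create on every etc_t file. Giving redhat.repo its own file type (file
# context + a rule on that type) would narrow it to the one file that is
# actually managed.
allow rhsmcertd_t etc_t:dir { write add_name };
allow rhsmcertd_t etc_t:file { write create };

# communicate with candlepin on 443 or 8443
# (name_connect covers every port labelled http_port_t, not only those two)
allow rhsmcertd_t http_port_t:tcp_socket name_connect;

# daemon nicing (sys_nice) and raw I/O for dmidecode (sys_rawio, see below);
# both capabilities apply to the daemon's own process
allow rhsmcertd_t self:process setsched;
allow rhsmcertd_t self:capability { sys_nice sys_rawio };

# logging: the daemon's own datagram socket and the /dev/log socket file
allow rhsmcertd_t self:unix_dgram_socket { create connect ioctl };
allow rhsmcertd_t devlog_t:sock_file write;

# allow reading dmi information: read access to the raw memory device type.
# Needed only because dmidecode executes without a domain transition (below),
# so the daemon domain itself ends up opening the device.
allow rhsmcertd_t memory_device_t:chr_file { read open };

# for running virt-what and from it, dmidecode
# execute_no_trans: the shell, every command virt-what runs, and dmidecode
# all stay in rhsmcertd_t. Anything they can do, the daemon can do.
allow rhsmcertd_t shell_exec_t:file { read execute open getattr execute_no_trans };
allow rhsmcertd_t dmidecode_exec_t:file { read execute open getattr execute_no_trans };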