authorDominick Grift <dominick.grift@gmail.com>2012-10-29 10:42:58 +0100
committerSven Vermeulen <sven.vermeulen@siphos.be>2012-10-29 15:48:44 +0100
commit2828363665ab635a1b6f909e3a7dd99fe9a4c60c (patch)
tree00a3b17b22068d02dc273ec7b5696c0f06c43da3 /policy/modules/contrib/sysstat.if
parentTab clean up in the sysstat file context file (diff)
downloadhardened-refpolicy-2828363665ab635a1b6f909e3a7dd99fe9a4c60c.tar.gz
hardened-refpolicy-2828363665ab635a1b6f909e3a7dd99fe9a4c60c.tar.bz2
hardened-refpolicy-2828363665ab635a1b6f909e3a7dd99fe9a4c60c.zip
Changes to the sysstat policy module
Ported from Fedora with changes Add init script file Add sysstat_admin() Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Diffstat (limited to 'policy/modules/contrib/sysstat.if')
-rw-r--r--policy/modules/contrib/sysstat.if39
1 files changed, 37 insertions, 2 deletions
diff --git a/policy/modules/contrib/sysstat.if b/policy/modules/contrib/sysstat.if
index 7a23b3b85..14ae3f2a8 100644
--- a/policy/modules/contrib/sysstat.if
+++ b/policy/modules/contrib/sysstat.if
@@ -1,8 +1,9 @@
-## <summary>Policy for sysstat. Reports on various system states</summary>
+## <summary>Reports on various system states.</summary>
########################################
## <summary>
-## Manage sysstat logs.
+## Create, read, write, and delete
+## sysstat log files.
## </summary>
## <param name="domain">
## <summary>
@@ -19,3 +20,37 @@ interface(`sysstat_manage_log',`
logging_search_logs($1)
manage_files_pattern($1, sysstat_log_t, sysstat_log_t)
')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an sysstat environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysstat_admin',`
+ gen_require(`
+ type sysstat_t, sysstat_initrc_exec_t, sysstat_log_t;
+ ')
+
+ allow $1 sysstat_t:process { ptrace signal_perms };
+ ps_process_pattern($1, sysstat_t)
+
+ init_labeled_script_domtrans($1, sysstat_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 sysstat_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, sysstat_log_t)
+')
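Review bot: The rule `allow $1 sysstat_t:process { ptrace signal_perms };` in sysstat_admin grants ptrace unconditionally, so any domain passed as `$1` can inspect and alter the memory of sysstat_t processes. The other rules in the interface (signals, ps, init script transition, log access) do not visibly depend on tracing. Unless a caller is known to need it, consider `allow $1 sysstat_t:process signal_perms;`, or add a comment stating why ptrace is required. `admin_pattern($1, sysstat_log_t)` is also broader than the `manage_files_pattern` used in sysstat_manage_log (it appears to add relabel access), which deserves a mention in the summary so that reviewers of callers know the admin domain gets full control of the logs. The summary text should read `a sysstat environment` rather than `an sysstat environment`.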