projects / people / stevee / selinux-policy.git / blame
| Commit | Line | Data |
|---|---|---|
| dfb86add | 1 | |
| 81fa19ed | 2 | policy_module(udev, 1.10.1) |
| 3a9aef92 CP |
3 | |
| 4 | ######################################## | |
| 5 | # | |
| 6 | # Declarations | |
| 7 | # | |
| 8 | ||
| f0574fa9 | 9 | type udev_t; |
| e070dd2d | 10 | type udev_exec_t; |
| dfb86add | 11 | type udev_helper_exec_t; |
| 270d428a | 12 | kernel_domtrans_to(udev_t,udev_exec_t) |
| 1815bad1 | 13 | domain_obj_id_change_exemption(udev_t) |
| c9428d33 | 14 | domain_entry_file(udev_t,udev_helper_exec_t) |
| 15722ec9 | 15 | domain_interactive_fd(udev_t) |
| c9428d33 | 16 | init_daemon_domain(udev_t,udev_exec_t) |
| dfb86add CP |
17 | |
| 18 | type udev_etc_t alias etc_udev_t; | |
| 9bbc757a | 19 | files_config_file(udev_etc_t) |
| dfb86add CP |
20 | |
| 21 | type udev_tbl_t alias udev_tdb_t; | |
| 8fd36732 | 22 | files_type(udev_tbl_t) |
| 3a9aef92 CP |
23 | |
| 24 | type udev_var_run_t; | |
| c9428d33 | 25 | files_pid_file(udev_var_run_t) |
| 3a9aef92 | 26 | |
| e070dd2d CP |
27 | ifdef(`enable_mcs',` |
| 28 | kernel_ranged_domtrans_to(udev_t,udev_exec_t,s0 - mcs_systemhigh) | |
| 29 | init_ranged_daemon_domain(udev_t,udev_exec_t,s0 - mcs_systemhigh) | |
| 30 | ') | |
| 31 | ||
| 3a9aef92 CP |
32 | ######################################## |
| 33 | # | |
| 34 | # Local policy | |
| 35 | # | |
| dfb86add | 36 | |
| 46551033 | 37 | allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace }; |
| 30910b37 | 38 | dontaudit udev_t self:capability sys_tty_config; |
| 46551033 | 39 | allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
| dfb86add CP |
40 | allow udev_t self:process { execmem setfscreate }; |
| 41 | allow udev_t self:fd use; | |
| c0868a7a | 42 | allow udev_t self:fifo_file rw_fifo_file_perms; |
| 0b36a214 | 43 | allow udev_t self:sock_file read_sock_file_perms; |
| 7edd02d4 CP |
44 | allow udev_t self:shm create_shm_perms; |
| 45 | allow udev_t self:sem create_sem_perms; | |
| 46 | allow udev_t self:msgq create_msgq_perms; | |
| dfb86add | 47 | allow udev_t self:msg { send receive }; |
| 77f6e2cd CP |
48 | allow udev_t self:unix_stream_socket { listen accept }; |
| 49 | allow udev_t self:unix_dgram_socket sendto; | |
| 50 | allow udev_t self:unix_stream_socket connectto; | |
| 51 | allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; | |
| 7edd02d4 | 52 | allow udev_t self:rawip_socket create_socket_perms; |
| dfb86add | 53 | |
| 7edd02d4 CP |
54 | allow udev_t udev_exec_t:file write; |
| 55 | can_exec(udev_t, udev_exec_t) | |
| f5c42bd8 | 56 | |
| c0868a7a | 57 | allow udev_t udev_helper_exec_t:dir list_dir_perms; |
| dfb86add CP |
58 | |
| 59 | # read udev config | |
| c0868a7a | 60 | allow udev_t udev_etc_t:file read_file_perms; |
| dfb86add CP |
61 | |
| 62 | # create udev database in /dev/.udevdb | |
| c0868a7a | 63 | allow udev_t udev_tbl_t:file manage_file_perms; |
| 103fe280 | 64 | dev_filetrans(udev_t,udev_tbl_t,file) |
| dfb86add | 65 | |
| 8241b538 | 66 | manage_dirs_pattern(udev_t,udev_var_run_t,udev_var_run_t) |
| c0868a7a | 67 | manage_files_pattern(udev_t,udev_var_run_t,udev_var_run_t) |
| 8241b538 | 68 | files_pid_filetrans(udev_t,udev_var_run_t,{ dir file }) |
| 3a9aef92 | 69 | |
| dfb86add | 70 | kernel_read_system_state(udev_t) |
| 445522dc | 71 | kernel_getattr_core_if(udev_t) |
| 1c1ac67f | 72 | kernel_use_fds(udev_t) |
| 445522dc CP |
73 | kernel_read_device_sysctls(udev_t) |
| 74 | kernel_read_hotplug_sysctls(udev_t) | |
| 75 | kernel_read_modprobe_sysctls(udev_t) | |
| 76 | kernel_read_kernel_sysctls(udev_t) | |
| 77 | kernel_rw_hotplug_sysctls(udev_t) | |
| 78 | kernel_rw_unix_dgram_sockets(udev_t) | |
| 37f15c52 | 79 | kernel_dgram_send(udev_t) |
| 0907bda1 | 80 | kernel_signal(udev_t) |
| d35c621e | 81 | |
| 8241b538 CP |
82 | #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 |
| 83 | kernel_rw_net_sysctls(udev_t) | |
| 84 | kernel_read_network_state(udev_t) | |
| 85 | ||
| eac818f0 CP |
86 | corecmd_exec_all_executables(udev_t) |
| 87 | ||
| 98a8ead4 | 88 | dev_rw_sysfs(udev_t) |
| 207c4763 CP |
89 | dev_manage_all_dev_nodes(udev_t) |
| 90 | dev_rw_generic_files(udev_t) | |
| 91 | dev_delete_generic_files(udev_t) | |
| 8241b538 CP |
92 | dev_search_usbfs(udev_t) |
| 93 | dev_relabel_all_dev_nodes(udev_t) | |
| 08dccef2 CP |
94 | # udev_node.c/node_symlink() symlink labels are explicitly |
| 95 | # preserved, instead of short circuiting the relabel | |
| 96 | dev_relabel_generic_symlinks(udev_t) | |
| d35c621e | 97 | |
| eac818f0 | 98 | domain_read_all_domains_state(udev_t) |
| 693d4aed | 99 | domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these |
| eac818f0 | 100 | |
| 8241b538 | 101 | files_read_usr_files(udev_t) |
| eac818f0 CP |
102 | files_read_etc_runtime_files(udev_t) |
| 103 | files_read_etc_files(udev_t) | |
| 104 | files_exec_etc_files(udev_t) | |
| 105 | files_dontaudit_search_isid_type_dirs(udev_t) | |
| 106 | files_getattr_generic_locks(udev_t) | |
| 107 | files_search_mnt(udev_t) | |
| 108 | ||
| d35c621e | 109 | fs_getattr_all_fs(udev_t) |
| b0d2243c | 110 | fs_list_inotifyfs(udev_t) |
| d35c621e | 111 | |
| eac818f0 CP |
112 | mcs_ptrace_all(udev_t) |
| 113 | ||
| f8233ab7 CP |
114 | mls_file_read_all_levels(udev_t) |
| 115 | mls_file_write_all_levels(udev_t) | |
| eac818f0 CP |
116 | mls_file_upgrade(udev_t) |
| 117 | mls_file_downgrade(udev_t) | |
| 118 | mls_process_write_down(udev_t) | |
| 119 | ||
| 5e0da6a0 CP |
120 | selinux_get_fs_mount(udev_t) |
| 121 | selinux_validate_context(udev_t) | |
| 122 | selinux_compute_access_vector(udev_t) | |
| 123 | selinux_compute_create_context(udev_t) | |
| 124 | selinux_compute_relabel_context(udev_t) | |
| 125 | selinux_compute_user_contexts(udev_t) | |
| 3a9aef92 | 126 | |
| 3ef029db CP |
127 | auth_read_pam_console_data(udev_t) |
| 128 | auth_domtrans_pam_console(udev_t) | |
| 77f6e2cd CP |
129 | auth_use_nsswitch(udev_t) |
| 130 | ||
| 68228b33 CP |
131 | init_read_utmp(udev_t) |
| 132 | init_dontaudit_write_utmp(udev_t) | |
| 6c911897 | 133 | init_getattr_initctl(udev_t) |
| dfb86add | 134 | |
| 7a2f20a3 | 135 | logging_search_logs(udev_t) |
| c9428d33 | 136 | logging_send_syslog_msg(udev_t) |
| dfb86add | 137 | |
| f5c42bd8 CP |
138 | miscfiles_read_localization(udev_t) |
| 139 | ||
| c9428d33 | 140 | modutils_domtrans_insmod(udev_t) |
| ed38ca9f CP |
141 | # read modules.inputmap: |
| 142 | modutils_read_module_deps(udev_t) | |
| f5c42bd8 | 143 | |
| 5e0da6a0 CP |
144 | seutil_read_config(udev_t) |
| 145 | seutil_read_default_contexts(udev_t) | |
| 146 | seutil_read_file_contexts(udev_t) | |
| 762d2cb9 | 147 | seutil_domtrans_setfiles(udev_t) |
| f5c42bd8 | 148 | |
| c9428d33 | 149 | sysnet_domtrans_ifconfig(udev_t) |
| 3ef029db | 150 | sysnet_domtrans_dhcpc(udev_t) |
| 8241b538 CP |
151 | sysnet_rw_dhcp_config(udev_t) |
| 152 | sysnet_read_dhcpc_pid(udev_t) | |
| 153 | sysnet_delete_dhcpc_pid(udev_t) | |
| 154 | sysnet_signal_dhcpc(udev_t) | |
| 155 | sysnet_manage_config(udev_t) | |
| 156 | sysnet_etc_filetrans_config(udev_t) | |
| 1e5c2a41 | 157 | |
| 296273a7 | 158 | userdom_dontaudit_search_user_home_content(udev_t) |
| fd89e19f | 159 | |
| ed38ca9f CP |
160 | ifdef(`distro_gentoo',` |
| 161 | # during boot, init scripts use /dev/.rcsysinit | |
| 162 | # existance to determine if we are in early booting | |
| 163 | init_getattr_script_status_files(udev_t) | |
| 164 | ') | |
| 165 | ||
| 254bbc7b | 166 | ifdef(`distro_redhat',` |
| 98a8ead4 CP |
167 | fs_manage_tmpfs_dirs(udev_t) |
| 168 | fs_manage_tmpfs_files(udev_t) | |
| ebdc3b79 CP |
169 | fs_manage_tmpfs_symlinks(udev_t) |
| 170 | fs_manage_tmpfs_sockets(udev_t) | |
| 4d851fe9 CP |
171 | fs_manage_tmpfs_blk_files(udev_t) |
| 172 | fs_manage_tmpfs_chr_files(udev_t) | |
| 173 | fs_relabel_tmpfs_blk_file(udev_t) | |
| 174 | fs_relabel_tmpfs_chr_file(udev_t) | |
| daa0e0b0 | 175 | |
| 69748904 CP |
176 | term_search_ptys(udev_t) |
| 177 | ||
| 0c73cd25 | 178 | # for arping used for static IP addresses on PCMCIA ethernet |
| c9428d33 | 179 | netutils_domtrans(udev_t) |
| 254bbc7b | 180 | ') |
| daa0e0b0 | 181 | |
| 6c911897 CP |
182 | optional_policy(` |
| 183 | alsa_domtrans(udev_t) | |
| 184 | alsa_read_rw_config(udev_t) | |
| 185 | ') | |
| 186 | ||
| 8241b538 CP |
187 | optional_policy(` |
| 188 | brctl_domtrans(udev_t) | |
| 189 | ') | |
| 190 | ||
| bb7170f6 | 191 | optional_policy(` |
| c9428d33 | 192 | consoletype_exec(udev_t) |
| dfb86add CP |
193 | ') |
| 194 | ||
| bb7170f6 | 195 | optional_policy(` |
| 296273a7 | 196 | dbus_system_bus_client(udev_t) |
| 0c3d1705 CP |
197 | ') |
| 198 | ||
| 8241b538 CP |
199 | optional_policy(` |
| 200 | fstools_domtrans(udev_t) | |
| 201 | ') | |
| 202 | ||
| bb7170f6 | 203 | optional_policy(` |
| 1c1ac67f | 204 | hal_dgram_send(udev_t) |
| 9fd4b818 CP |
205 | ') |
| 206 | ||
| bb7170f6 | 207 | optional_policy(` |
| 0c73cd25 | 208 | hotplug_read_config(udev_t) |
| ed38ca9f CP |
209 | # usb.agent searches /var/run/usb |
| 210 | hotplug_search_pids(udev_t) | |
| 1e5c2a41 CP |
211 | ') |
| 212 | ||
| 8241b538 CP |
213 | optional_policy(` |
| 214 | openct_read_pid_files(udev_t) | |
| 215 | openct_domtrans(udev_t) | |
| 216 | ') | |
| 217 | ||
| 218 | optional_policy(` | |
| 219 | pcscd_read_pub_files(udev_t) | |
| 220 | pcscd_domtrans(udev_t) | |
| 221 | ') | |
| 222 | ||
| 6c911897 CP |
223 | optional_policy(` |
| 224 | raid_domtrans_mdadm(udev_t) | |
| 225 | ') | |
| 226 | ||
| 8241b538 CP |
227 | optional_policy(` |
| 228 | kernel_write_xen_state(udev_t) | |
| 229 | kernel_read_xen_state(udev_t) | |
| 230 | xen_manage_log(udev_t) | |
| 231 | xen_read_image_files(udev_t) | |
| 232 | ') | |
| 233 | ||
| 3b914745 CP |
234 | optional_policy(` |
| 235 | xserver_read_xdm_pid(udev_t) | |
| 236 | ') |