[people/stevee/selinux-policy.git] / policy / modules / admin / consoletype.te

policy_module(consoletype, 1.10.0)

########################################
#
# Declarations
#

type consoletype_t;
type consoletype_exec_t;
init_domain(consoletype_t, consoletype_exec_t)
init_system_domain(consoletype_t, consoletype_exec_t)

########################################
#
# Local declarations
#

allow consoletype_t self:capability { sys_admin sys_tty_config };
allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow consoletype_t self:fd use;
allow consoletype_t self:fifo_file rw_fifo_file_perms;
allow consoletype_t self:sock_file read_sock_file_perms;
allow consoletype_t self:unix_dgram_socket create_socket_perms;
allow consoletype_t self:unix_stream_socket create_stream_socket_perms;
allow consoletype_t self:unix_dgram_socket sendto;
allow consoletype_t self:unix_stream_socket connectto;
allow consoletype_t self:shm create_shm_perms;
allow consoletype_t self:sem create_sem_perms;
allow consoletype_t self:msgq create_msgq_perms;
allow consoletype_t self:msg { send receive };

kernel_use_fds(consoletype_t)
kernel_dontaudit_read_system_state(consoletype_t)

dev_dontaudit_rw_generic_chr_files(consoletype_t)

domain_use_interactive_fds(consoletype_t)

files_dontaudit_read_root_files(consoletype_t)
files_list_usr(consoletype_t)

fs_getattr_all_fs(consoletype_t)
fs_search_auto_mountpoints(consoletype_t)
fs_write_nfs_files(consoletype_t)
fs_list_inotifyfs(consoletype_t)

mls_file_read_all_levels(consoletype_t)
mls_file_write_all_levels(consoletype_t)

term_use_all_inherited_terms(consoletype_t)
term_use_ptmx(consoletype_t)

init_use_fds(consoletype_t)
init_use_script_ptys(consoletype_t)
init_use_script_fds(consoletype_t)
init_rw_script_pipes(consoletype_t)
init_rw_inherited_script_tmp_files(consoletype_t)

userdom_use_inherited_user_terminals(consoletype_t)

ifdef(`distro_redhat',`
	fs_rw_tmpfs_chr_files(consoletype_t)
')

optional_policy(`
	apm_use_fds(consoletype_t)
	apm_write_pipes(consoletype_t)
')

optional_policy(`
	auth_read_pam_pid(consoletype_t)
')

optional_policy(`
	cron_read_pipes(consoletype_t)
	cron_use_system_job_fds(consoletype_t)
')

optional_policy(`
	dbus_use_system_bus_fds(consoletype_t)
')

optional_policy(`
	devicekit_dontaudit_read_pid_files(consoletype_t)
	devicekit_dontaudit_rw_log(consoletype_t)
')

optional_policy(`
	files_read_etc_files(consoletype_t)
	firstboot_use_fds(consoletype_t)
	firstboot_rw_pipes(consoletype_t)
')

optional_policy(`
	hal_dontaudit_leaks(consoletype_t)
')

optional_policy(`
	hotplug_dontaudit_use_fds(consoletype_t)
')

optional_policy(`
	logrotate_dontaudit_use_fds(consoletype_t)
')

optional_policy(`
	lpd_read_config(consoletype_t)
')

optional_policy(`
	nis_use_ypbind(consoletype_t)
')

optional_policy(`
	# Commonly used from postinst scripts
	rpm_read_pipes(consoletype_t)
')

optional_policy(`
	userdom_use_unpriv_users_fds(consoletype_t)
	userdom_dontaudit_rw_dgram_socket(consoletype_t)
')

optional_policy(`
	kernel_read_xen_state(consoletype_t)
	kernel_write_xen_state(consoletype_t)
	xen_append_log(consoletype_t)
	xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
	xen_dontaudit_use_fds(consoletype_t)
')
Commit	Line	Data
826d0142	1	policy_module(consoletype, 1.10.0)
6b93833b CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
f0574fa9	8	type consoletype_t;
6b93833b	9	type consoletype_exec_t;
0bfccda4 CP	10	init_domain(consoletype_t, consoletype_exec_t)
0bfccda4 CP	11	init_system_domain(consoletype_t, consoletype_exec_t)
6b93833b CP	12
	13	########################################
	14	#
	15	# Local declarations
	16	#
	17
da04234f	18	allow consoletype_t self:capability { sys_admin sys_tty_config };
9d3bdc25	19	allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
6b93833b	20	allow consoletype_t self:fd use;
c0868a7a CP	21	allow consoletype_t self:fifo_file rw_fifo_file_perms;
c0868a7a CP	22	allow consoletype_t self:sock_file read_sock_file_perms;
dc67f782 CP	23	allow consoletype_t self:unix_dgram_socket create_socket_perms;
dc67f782 CP	24	allow consoletype_t self:unix_stream_socket create_stream_socket_perms;
6b93833b CP	25	allow consoletype_t self:unix_dgram_socket sendto;
6b93833b CP	26	allow consoletype_t self:unix_stream_socket connectto;
0fd9dc55 CP	27	allow consoletype_t self:shm create_shm_perms;
	28	allow consoletype_t self:sem create_sem_perms;
	29	allow consoletype_t self:msgq create_msgq_perms;
6b93833b CP	30	allow consoletype_t self:msg { send receive };
6b93833b CP	31
1c1ac67f	32	kernel_use_fds(consoletype_t)
0fd9dc55	33	kernel_dontaudit_read_system_state(consoletype_t)
6b93833b	34
29b1bff0 CP	35	dev_dontaudit_rw_generic_chr_files(consoletype_t)
	36
	37	domain_use_interactive_fds(consoletype_t)
	38
	39	files_dontaudit_read_root_files(consoletype_t)
	40	files_list_usr(consoletype_t)
	41
0fd9dc55	42	fs_getattr_all_fs(consoletype_t)
ab940a4c	43	fs_search_auto_mountpoints(consoletype_t)
725926c5	44	fs_write_nfs_files(consoletype_t)
da04234f	45	fs_list_inotifyfs(consoletype_t)
6b93833b	46
350b6ab7 CP	47	mls_file_read_all_levels(consoletype_t)
	48	mls_file_write_all_levels(consoletype_t)
	49
af2d8802	50	term_use_all_inherited_terms(consoletype_t)
fc6ecf1f	51	term_use_ptmx(consoletype_t)
6b93833b	52
1c1ac67f	53	init_use_fds(consoletype_t)
1815bad1	54	init_use_script_ptys(consoletype_t)
15722ec9	55	init_use_script_fds(consoletype_t)
f5085676	56	init_rw_script_pipes(consoletype_t)
30a4d4d5	57	init_rw_inherited_script_tmp_files(consoletype_t)
6b93833b	58
af2d8802	59	userdom_use_inherited_user_terminals(consoletype_t)
296273a7	60
605ba285	61	ifdef(`distro_redhat',`
4d851fe9	62	fs_rw_tmpfs_chr_files(consoletype_t)
daa0e0b0 CP	63	')
daa0e0b0 CP	64
bb7170f6	65	optional_policy(`
1c1ac67f	66	apm_use_fds(consoletype_t)
1815bad1	67	apm_write_pipes(consoletype_t)
4483ee84 CP	68	')
4483ee84 CP	69
bb7170f6	70	optional_policy(`
c9428d33	71	auth_read_pam_pid(consoletype_t)
6b93833b CP	72	')
6b93833b CP	73
bb7170f6	74	optional_policy(`
1815bad1	75	cron_read_pipes(consoletype_t)
15722ec9	76	cron_use_system_job_fds(consoletype_t)
fd89e19f CP	77	')
fd89e19f CP	78
6ea380d6 DG	79	optional_policy(`
	80	dbus_use_system_bus_fds(consoletype_t)
	81	')
	82
095debe0 DW	83	optional_policy(`
095debe0 DW	84	devicekit_dontaudit_read_pid_files(consoletype_t)
dfa6eba1	85	devicekit_dontaudit_rw_log(consoletype_t)
095debe0 DW	86	')
095debe0 DW	87
bb7170f6	88	optional_policy(`
57a96cbd	89	files_read_etc_files(consoletype_t)
1c1ac67f	90	firstboot_use_fds(consoletype_t)
d6d16b97	91	firstboot_rw_pipes(consoletype_t)
57a96cbd CP	92	')
57a96cbd CP	93
6b19be33	94	optional_policy(`
c71f02c0	95	hal_dontaudit_leaks(consoletype_t)
6b19be33 CP	96	')
6b19be33 CP	97
f5085676 CP	98	optional_policy(`
	99	hotplug_dontaudit_use_fds(consoletype_t)
	100	')
	101
bb7170f6	102	optional_policy(`
1c1ac67f	103	logrotate_dontaudit_use_fds(consoletype_t)
96ce00af CP	104	')
96ce00af CP	105
bb7170f6	106	optional_policy(`
33acca55 CP	107	lpd_read_config(consoletype_t)
	108	')
	109
bb7170f6	110	optional_policy(`
ab940a4c CP	111	nis_use_ypbind(consoletype_t)
	112	')
	113
bb7170f6	114	optional_policy(`
ebdc3b79	115	# Commonly used from postinst scripts
1815bad1	116	rpm_read_pipes(consoletype_t)
ebdc3b79 CP	117	')
ebdc3b79 CP	118
bb7170f6	119	optional_policy(`
103fe280	120	userdom_use_unpriv_users_fds(consoletype_t)
3d3d47e4	121	userdom_dontaudit_rw_dgram_socket(consoletype_t)
daa0e0b0	122	')
87eb5c84 CP	123
	124	optional_policy(`
	125	kernel_read_xen_state(consoletype_t)
	126	kernel_write_xen_state(consoletype_t)
	127	xen_append_log(consoletype_t)
	128	xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
a5e2133b	129	xen_dontaudit_use_fds(consoletype_t)
87eb5c84	130	')