Commit | Line | Data |
---|---|---|
c224d91c | 1 | |
29af4c13 | 2 | policy_module(consolekit, 1.6.0) |
c224d91c CP |
3 | |
4 | ######################################## | |
5 | # | |
6 | # Declarations | |
7 | # | |
8 | ||
9 | type consolekit_t; | |
10 | type consolekit_exec_t; | |
11 | init_daemon_domain(consolekit_t, consolekit_exec_t) | |
12 | ||
80348b73 | 13 | type consolekit_log_t; |
4e7c0a93 | 14 | logging_log_file(consolekit_log_t) |
80348b73 | 15 | |
99064c9f CP |
16 | type consolekit_var_run_t; |
17 | files_pid_file(consolekit_var_run_t) | |
18 | ||
c224d91c CP |
19 | ######################################## |
20 | # | |
21 | # consolekit local policy | |
22 | # | |
23 | ||
a3108c60 | 24 | allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace }; |
99064c9f | 25 | allow consolekit_t self:process { getsched signal }; |
c224d91c CP |
26 | allow consolekit_t self:fifo_file rw_fifo_file_perms; |
27 | allow consolekit_t self:unix_stream_socket create_stream_socket_perms; | |
4967aaa3 | 28 | allow consolekit_t self:unix_dgram_socket create_socket_perms; |
c224d91c | 29 | |
80348b73 CP |
30 | manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) |
31 | logging_log_filetrans(consolekit_t, consolekit_log_t, file) | |
32 | ||
33 | manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) | |
0bfccda4 | 34 | manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) |
80348b73 | 35 | files_pid_filetrans(consolekit_t, consolekit_var_run_t, { file dir }) |
99064c9f | 36 | |
4967aaa3 CP |
37 | kernel_read_system_state(consolekit_t) |
38 | ||
39 | corecmd_exec_bin(consolekit_t) | |
80348b73 | 40 | corecmd_exec_shell(consolekit_t) |
4967aaa3 | 41 | |
c224d91c CP |
42 | dev_read_urand(consolekit_t) |
43 | dev_read_sysfs(consolekit_t) | |
44 | ||
45 | domain_read_all_domains_state(consolekit_t) | |
46 | domain_use_interactive_fds(consolekit_t) | |
80348b73 | 47 | domain_dontaudit_ptrace_all_domains(consolekit_t) |
c224d91c CP |
48 | |
49 | files_read_etc_files(consolekit_t) | |
80348b73 | 50 | files_read_usr_files(consolekit_t) |
4029f116 CP |
51 | # needs to read /var/lib/dbus/machine-id |
52 | files_read_var_lib_files(consolekit_t) | |
4e7c0a93 | 53 | files_search_all_mountpoints(consolekit_t) |
c224d91c | 54 | |
4967aaa3 CP |
55 | fs_list_inotifyfs(consolekit_t) |
56 | ||
80348b73 CP |
57 | mcs_ptrace_all(consolekit_t) |
58 | ||
4967aaa3 | 59 | term_use_all_terms(consolekit_t) |
99064c9f | 60 | |
c0cf6e0a | 61 | auth_use_nsswitch(consolekit_t) |
a3108c60 CP |
62 | auth_manage_pam_console_data(consolekit_t) |
63 | auth_write_login_records(consolekit_t) | |
c0cf6e0a | 64 | |
80348b73 CP |
65 | init_telinit(consolekit_t) |
66 | init_rw_utmp(consolekit_t) | |
67 | ||
68 | logging_send_syslog_msg(consolekit_t) | |
4e7c0a93 | 69 | logging_send_audit_msgs(consolekit_t) |
80348b73 | 70 | |
c224d91c CP |
71 | miscfiles_read_localization(consolekit_t) |
72 | ||
80348b73 | 73 | userdom_dontaudit_read_user_home_content_files(consolekit_t) |
4e7c0a93 | 74 | userdom_read_user_tmp_files(consolekit_t) |
80348b73 CP |
75 | |
76 | hal_ptrace(consolekit_t) | |
77 | ||
78 | tunable_policy(`use_nfs_home_dirs',` | |
a3108c60 | 79 | fs_read_nfs_files(consolekit_t) |
80348b73 CP |
80 | ') |
81 | ||
82 | tunable_policy(`use_samba_home_dirs',` | |
a3108c60 | 83 | fs_read_cifs_files(consolekit_t) |
80348b73 CP |
84 | ') |
85 | ||
c224d91c | 86 | optional_policy(` |
4e7c0a93 | 87 | dbus_system_domain(consolekit_t, consolekit_exec_t) |
c224d91c | 88 | |
80348b73 CP |
89 | optional_policy(` |
90 | hal_dbus_chat(consolekit_t) | |
91 | ') | |
92 | ||
93 | optional_policy(` | |
94 | rpm_dbus_chat(consolekit_t) | |
95 | ') | |
99064c9f CP |
96 | |
97 | optional_policy(` | |
98 | unconfined_dbus_chat(consolekit_t) | |
99 | ') | |
c224d91c | 100 | ') |
4967aaa3 CP |
101 | |
102 | optional_policy(` | |
a3108c60 | 103 | policykit_dbus_chat(consolekit_t) |
4e7c0a93 CP |
104 | policykit_domtrans_auth(consolekit_t) |
105 | policykit_read_lib(consolekit_t) | |
106 | policykit_read_reload(consolekit_t) | |
107 | ') | |
108 | ||
109 | optional_policy(` | |
a3108c60 CP |
110 | type consolekit_tmpfs_t; |
111 | files_tmpfs_file(consolekit_tmpfs_t) | |
112 | ||
4e7c0a93 | 113 | xserver_read_xdm_pid(consolekit_t) |
296273a7 | 114 | xserver_read_user_xauth(consolekit_t) |
6246e7d3 | 115 | xserver_non_drawing_client(consolekit_t) |
4e7c0a93 | 116 | corenet_tcp_connect_xserver_port(consolekit_t) |
a3108c60 CP |
117 | xserver_stream_connect(consolekit_t) |
118 | xserver_user_x_domain_template(consolekit, consolekit_t, consolekit_tmpfs_t) | |
119 | ') | |
120 | ||
121 | optional_policy(` | |
122 | udev_domtrans(consolekit_t) | |
123 | udev_read_db(consolekit_t) | |
124 | udev_signal(consolekit_t) | |
4967aaa3 | 125 | ') |
80348b73 CP |
126 | |
127 | optional_policy(` | |
128 | #reading .Xauthority | |
129 | unconfined_stream_connect(consolekit_t) | |
130 | ') |