[people/stevee/selinux-policy.git] / policy / modules / services / consolekit.te


policy_module(consolekit, 1.6.0)

########################################
#
# Declarations
#

type consolekit_t;
type consolekit_exec_t;
init_daemon_domain(consolekit_t, consolekit_exec_t)

type consolekit_log_t;
logging_log_file(consolekit_log_t)

type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)

########################################
#
# consolekit local policy
#

allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
allow consolekit_t self:process { getsched signal };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
allow consolekit_t self:unix_dgram_socket create_socket_perms;

manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
logging_log_filetrans(consolekit_t, consolekit_log_t, file)

manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
files_pid_filetrans(consolekit_t, consolekit_var_run_t, { file dir })

kernel_read_system_state(consolekit_t)

corecmd_exec_bin(consolekit_t)
corecmd_exec_shell(consolekit_t)

dev_read_urand(consolekit_t)
dev_read_sysfs(consolekit_t)

domain_read_all_domains_state(consolekit_t)
domain_use_interactive_fds(consolekit_t)
domain_dontaudit_ptrace_all_domains(consolekit_t)

files_read_etc_files(consolekit_t)
files_read_usr_files(consolekit_t)
# needs to read /var/lib/dbus/machine-id
files_read_var_lib_files(consolekit_t)
files_search_all_mountpoints(consolekit_t)

fs_list_inotifyfs(consolekit_t)

mcs_ptrace_all(consolekit_t)

term_use_all_terms(consolekit_t)

auth_use_nsswitch(consolekit_t)
auth_manage_pam_console_data(consolekit_t)
auth_write_login_records(consolekit_t)

init_telinit(consolekit_t)
init_rw_utmp(consolekit_t)

logging_send_syslog_msg(consolekit_t)
logging_send_audit_msgs(consolekit_t)

miscfiles_read_localization(consolekit_t)

userdom_dontaudit_read_user_home_content_files(consolekit_t)
userdom_read_user_tmp_files(consolekit_t)

hal_ptrace(consolekit_t)

tunable_policy(`use_nfs_home_dirs',`
	fs_read_nfs_files(consolekit_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_read_cifs_files(consolekit_t)
')

optional_policy(`
	dbus_system_domain(consolekit_t, consolekit_exec_t)

	optional_policy(`
		hal_dbus_chat(consolekit_t)
	')

	optional_policy(`
		rpm_dbus_chat(consolekit_t)
	')

	optional_policy(`
		unconfined_dbus_chat(consolekit_t)
	')
')

optional_policy(`
	policykit_dbus_chat(consolekit_t)
	policykit_domtrans_auth(consolekit_t)
	policykit_read_lib(consolekit_t)
	policykit_read_reload(consolekit_t)
')

optional_policy(`
	type consolekit_tmpfs_t;
	files_tmpfs_file(consolekit_tmpfs_t)

	xserver_read_xdm_pid(consolekit_t)
	xserver_read_user_xauth(consolekit_t)
	xserver_non_drawing_client(consolekit_t)
	corenet_tcp_connect_xserver_port(consolekit_t)
	xserver_stream_connect(consolekit_t)
	xserver_user_x_domain_template(consolekit, consolekit_t, consolekit_tmpfs_t)
')

optional_policy(`
	udev_domtrans(consolekit_t)
	udev_read_db(consolekit_t)
	udev_signal(consolekit_t)
')

optional_policy(`
	#reading .Xauthity
	unconfined_stream_connect(consolekit_t)
')
Commit	Line	Data
c224d91c	1
29af4c13	2	policy_module(consolekit, 1.6.0)
c224d91c CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type consolekit_t;
	10	type consolekit_exec_t;
	11	init_daemon_domain(consolekit_t, consolekit_exec_t)
	12
80348b73	13	type consolekit_log_t;
4e7c0a93	14	logging_log_file(consolekit_log_t)
80348b73	15
99064c9f CP	16	type consolekit_var_run_t;
	17	files_pid_file(consolekit_var_run_t)
	18
c224d91c CP	19	########################################
	20	#
	21	# consolekit local policy
	22	#
	23
a3108c60	24	allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
99064c9f	25	allow consolekit_t self:process { getsched signal };
c224d91c CP	26	allow consolekit_t self:fifo_file rw_fifo_file_perms;
c224d91c CP	27	allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
4967aaa3	28	allow consolekit_t self:unix_dgram_socket create_socket_perms;
c224d91c	29
80348b73 CP	30	manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
	31	logging_log_filetrans(consolekit_t, consolekit_log_t, file)
	32
	33	manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
0bfccda4	34	manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
80348b73	35	files_pid_filetrans(consolekit_t, consolekit_var_run_t, { file dir })
99064c9f	36
4967aaa3 CP	37	kernel_read_system_state(consolekit_t)
	38
	39	corecmd_exec_bin(consolekit_t)
80348b73	40	corecmd_exec_shell(consolekit_t)
4967aaa3	41
c224d91c CP	42	dev_read_urand(consolekit_t)
	43	dev_read_sysfs(consolekit_t)
	44
	45	domain_read_all_domains_state(consolekit_t)
	46	domain_use_interactive_fds(consolekit_t)
80348b73	47	domain_dontaudit_ptrace_all_domains(consolekit_t)
c224d91c CP	48
c224d91c CP	49	files_read_etc_files(consolekit_t)
80348b73	50	files_read_usr_files(consolekit_t)
4029f116 CP	51	# needs to read /var/lib/dbus/machine-id
4029f116 CP	52	files_read_var_lib_files(consolekit_t)
4e7c0a93	53	files_search_all_mountpoints(consolekit_t)
c224d91c	54
4967aaa3 CP	55	fs_list_inotifyfs(consolekit_t)
4967aaa3 CP	56
80348b73 CP	57	mcs_ptrace_all(consolekit_t)
80348b73 CP	58
4967aaa3	59	term_use_all_terms(consolekit_t)
99064c9f	60
c0cf6e0a	61	auth_use_nsswitch(consolekit_t)
a3108c60 CP	62	auth_manage_pam_console_data(consolekit_t)
a3108c60 CP	63	auth_write_login_records(consolekit_t)
c0cf6e0a	64
80348b73 CP	65	init_telinit(consolekit_t)
	66	init_rw_utmp(consolekit_t)
	67
	68	logging_send_syslog_msg(consolekit_t)
4e7c0a93	69	logging_send_audit_msgs(consolekit_t)
80348b73	70
c224d91c CP	71	miscfiles_read_localization(consolekit_t)
c224d91c CP	72
80348b73	73	userdom_dontaudit_read_user_home_content_files(consolekit_t)
4e7c0a93	74	userdom_read_user_tmp_files(consolekit_t)
80348b73 CP	75
	76	hal_ptrace(consolekit_t)
	77
	78	tunable_policy(`use_nfs_home_dirs',`
a3108c60	79	fs_read_nfs_files(consolekit_t)
80348b73 CP	80	')
	81
	82	tunable_policy(`use_samba_home_dirs',`
a3108c60	83	fs_read_cifs_files(consolekit_t)
80348b73 CP	84	')
80348b73 CP	85
c224d91c	86	optional_policy(`
4e7c0a93	87	dbus_system_domain(consolekit_t, consolekit_exec_t)
c224d91c	88
80348b73 CP	89	optional_policy(`
	90	hal_dbus_chat(consolekit_t)
	91	')
	92
	93	optional_policy(`
	94	rpm_dbus_chat(consolekit_t)
	95	')
99064c9f CP	96
	97	optional_policy(`
	98	unconfined_dbus_chat(consolekit_t)
	99	')
c224d91c	100	')
4967aaa3 CP	101
4967aaa3 CP	102	optional_policy(`
a3108c60	103	policykit_dbus_chat(consolekit_t)
4e7c0a93 CP	104	policykit_domtrans_auth(consolekit_t)
	105	policykit_read_lib(consolekit_t)
	106	policykit_read_reload(consolekit_t)
	107	')
	108
	109	optional_policy(`
a3108c60 CP	110	type consolekit_tmpfs_t;
	111	files_tmpfs_file(consolekit_tmpfs_t)
	112
4e7c0a93	113	xserver_read_xdm_pid(consolekit_t)
296273a7	114	xserver_read_user_xauth(consolekit_t)
6246e7d3	115	xserver_non_drawing_client(consolekit_t)
4e7c0a93	116	corenet_tcp_connect_xserver_port(consolekit_t)
a3108c60 CP	117	xserver_stream_connect(consolekit_t)
	118	xserver_user_x_domain_template(consolekit, consolekit_t, consolekit_tmpfs_t)
	119	')
	120
	121	optional_policy(`
	122	udev_domtrans(consolekit_t)
	123	udev_read_db(consolekit_t)
	124	udev_signal(consolekit_t)
4967aaa3	125	')
80348b73 CP	126
	127	optional_policy(`
	128	#reading .Xauthity
	129	unconfined_stream_connect(consolekit_t)
	130	')