[people/stevee/selinux-policy.git] / policy / modules / services / devicekit.if

## <summary>Devicekit modular hardware abstraction layer</summary>

########################################
## <summary>
##	Execute a domain transition to run devicekit.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`devicekit_domtrans',`
	gen_require(`
		type devicekit_t, devicekit_exec_t;
	')

	domtrans_pattern($1, devicekit_exec_t, devicekit_t)
')

########################################
## <summary>
##	Execute a domain transition to run devicekit_disk.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`devicekit_domtrans_disk',`
	gen_require(`
		type devicekit_disk_t, devicekit_disk_exec_t;
	')

	domtrans_pattern($1, devicekit_disk_exec_t, devicekit_disk_t)
')

########################################
## <summary>
##	Send to devicekit over a unix domain
##	datagram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`devicekit_dgram_send',`
	gen_require(`
		type devicekit_t;
	')

	allow $1 devicekit_t:unix_dgram_socket sendto;
')

########################################
## <summary>
##	Send and receive messages from
##	devicekit over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`devicekit_dbus_chat',`
	gen_require(`
		type devicekit_t;
		class dbus send_msg;
	')

	allow $1 devicekit_t:dbus send_msg;
	allow devicekit_t $1:dbus send_msg;
')

########################################
## <summary>
##	Send and receive messages from
##	devicekit disk over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`devicekit_dbus_chat_disk',`
	gen_require(`
		type devicekit_disk_t;
		class dbus send_msg;
	')

	allow $1 devicekit_disk_t:dbus send_msg;
	allow devicekit_disk_t $1:dbus send_msg;
')

########################################
## <summary>
##	Dontaudit Send and receive messages from
##	devicekit disk over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`devicekit_dontaudit_dbus_chat_disk',`
	gen_require(`
		type devicekit_disk_t;
		class dbus send_msg;
	')

	dontaudit $1 devicekit_disk_t:dbus send_msg;
	dontaudit devicekit_disk_t $1:dbus send_msg;
')

########################################
## <summary>
##	Send signal devicekit power
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`devicekit_signal_power',`
	gen_require(`
		type devicekit_power_t;
	')

	allow $1 devicekit_power_t:process signal;
')

########################################
## <summary>
##	Send and receive messages from
##	devicekit power over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`devicekit_dbus_chat_power',`
	gen_require(`
		type devicekit_power_t;
		class dbus send_msg;
	')

	allow $1 devicekit_power_t:dbus send_msg;
	allow devicekit_power_t $1:dbus send_msg;
')

#######################################
## <summary>
##  Do not audit attempts to write the devicekit
##  log files.
## </summary>
## <param name="domain">
##  <summary>
##  Domain to not audit.
##  </summary>
## </param>
#
interface(`devicekit_dontaudit_rw_log',`
	gen_require(`
		type devicekit_var_log_t;
	')

	dontaudit $1 devicekit_var_log_t:file rw_inherited_file_perms;
')

########################################
## <summary>
##	Allow the domain to read devicekit_power state files in /proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`devicekit_read_state_power',`
	gen_require(`
		type devicekit_power_t;
	')

	kernel_search_proc($1)
	ps_process_pattern($1, devicekit_power_t)
')

########################################
## <summary>
##	Read devicekit PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`devicekit_read_pid_files',`
	gen_require(`
		type devicekit_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
')

########################################
## <summary>
##	Do not audit attempts to read
##	devicekit PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`devicekit_dontaudit_read_pid_files',`
	gen_require(` 
		type devicekit_var_run_t;
	')

	dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;
')


########################################
## <summary>
##	Manage devicekit PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`devicekit_manage_pid_files',`
	gen_require(`
		type devicekit_var_run_t;
	')

	files_search_pids($1)
	rw_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
	manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
')

########################################
## <summary>
##	All of the rules required to administrate
##	an devicekit environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`devicekit_admin',`
	gen_require(`
		type devicekit_t, devicekit_disk_t, devicekit_power_t;
		type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
	')

	allow $1 devicekit_t:process { ptrace signal_perms };
	ps_process_pattern($1, devicekit_t)

	allow $1 devicekit_disk_t:process { ptrace signal_perms };
	ps_process_pattern($1, devicekit_disk_t)

	allow $1 devicekit_power_t:process { ptrace signal_perms };
	ps_process_pattern($1, devicekit_power_t)

	admin_pattern($1, devicekit_tmp_t)
	files_list_tmp($1)

	admin_pattern($1, devicekit_var_lib_t)
	files_list_var_lib($1)

	admin_pattern($1, devicekit_var_run_t)
	files_list_pids($1)
')
Commit	Line	Data
677c4c2f CP	1	## <summary>Devicekit modular hardware abstraction layer</summary>
	2
	3	########################################
	4	## <summary>
	5	## Execute a domain transition to run devicekit.
	6	## </summary>
	7	## <param name="domain">
4b1644f4	8	## <summary>
677c4c2f	9	## Domain allowed to transition.
4b1644f4	10	## </summary>
677c4c2f CP	11	## </param>
	12	#
	13	interface(`devicekit_domtrans',`
	14	gen_require(`
	15	type devicekit_t, devicekit_exec_t;
	16	')
	17
	18	domtrans_pattern($1, devicekit_exec_t, devicekit_t)
	19	')
	20
7e9cab9c DW	21	########################################
	22	## <summary>
	23	## Execute a domain transition to run devicekit_disk.
	24	## </summary>
	25	## <param name="domain">
	26	## <summary>
	27	## Domain allowed to transition.
	28	## </summary>
	29	## </param>
	30	#
	31	interface(`devicekit_domtrans_disk',`
	32	gen_require(`
	33	type devicekit_disk_t, devicekit_disk_exec_t;
	34	')
	35
	36	domtrans_pattern($1, devicekit_disk_exec_t, devicekit_disk_t)
	37	')
	38
677c4c2f CP	39	########################################
	40	## <summary>
	41	## Send to devicekit over a unix domain
	42	## datagram socket.
	43	## </summary>
	44	## <param name="domain">
	45	## <summary>
	46	## Domain allowed access.
	47	## </summary>
	48	## </param>
	49	#
	50	interface(`devicekit_dgram_send',`
	51	gen_require(`
	52	type devicekit_t;
	53	')
	54
	55	allow $1 devicekit_t:unix_dgram_socket sendto;
	56	')
	57
	58	########################################
	59	## <summary>
	60	## Send and receive messages from
	61	## devicekit over dbus.
	62	## </summary>
	63	## <param name="domain">
	64	## <summary>
	65	## Domain allowed access.
	66	## </summary>
	67	## </param>
	68	#
	69	interface(`devicekit_dbus_chat',`
	70	gen_require(`
	71	type devicekit_t;
	72	class dbus send_msg;
	73	')
	74
	75	allow $1 devicekit_t:dbus send_msg;
	76	allow devicekit_t $1:dbus send_msg;
	77	')
	78
	79	########################################
	80	## <summary>
	81	## Send and receive messages from
	82	## devicekit disk over dbus.
	83	## </summary>
	84	## <param name="domain">
	85	## <summary>
	86	## Domain allowed access.
	87	## </summary>
	88	## </param>
	89	#
	90	interface(`devicekit_dbus_chat_disk',`
	91	gen_require(`
	92	type devicekit_disk_t;
	93	class dbus send_msg;
	94	')
	95
	96	allow $1 devicekit_disk_t:dbus send_msg;
	97	allow devicekit_disk_t $1:dbus send_msg;
	98	')
	99
1434371c DW	100	########################################
	101	## <summary>
	102	## Dontaudit Send and receive messages from
	103	## devicekit disk over dbus.
	104	## </summary>
	105	## <param name="domain">
	106	## <summary>
	107	## Domain to not audit.
	108	## </summary>
	109	## </param>
	110	#
	111	interface(`devicekit_dontaudit_dbus_chat_disk',`
	112	gen_require(`
	113	type devicekit_disk_t;
	114	class dbus send_msg;
	115	')
	116
	117	dontaudit $1 devicekit_disk_t:dbus send_msg;
	118	dontaudit devicekit_disk_t $1:dbus send_msg;
	119	')
	120
677c4c2f CP	121	########################################
	122	## <summary>
	123	## Send signal devicekit power
	124	## </summary>
	125	## <param name="domain">
	126	## <summary>
	127	## Domain allowed access.
	128	## </summary>
	129	## </param>
	130	#
	131	interface(`devicekit_signal_power',`
	132	gen_require(`
	133	type devicekit_power_t;
	134	')
	135
	136	allow $1 devicekit_power_t:process signal;
	137	')
	138
	139	########################################
	140	## <summary>
	141	## Send and receive messages from
	142	## devicekit power over dbus.
	143	## </summary>
	144	## <param name="domain">
	145	## <summary>
	146	## Domain allowed access.
	147	## </summary>
	148	## </param>
	149	#
	150	interface(`devicekit_dbus_chat_power',`
	151	gen_require(`
	152	type devicekit_power_t;
	153	class dbus send_msg;
	154	')
	155
	156	allow $1 devicekit_power_t:dbus send_msg;
	157	allow devicekit_power_t $1:dbus send_msg;
	158	')
	159
6920ca91 MG	160	#######################################
	161	## <summary>
	162	## Do not audit attempts to write the devicekit
	163	## log files.
	164	## </summary>
	165	## <param name="domain">
	166	## <summary>
	167	## Domain to not audit.
	168	## </summary>
	169	## </param>
	170	#
dfa6eba1	171	interface(`devicekit_dontaudit_rw_log',`
6920ca91 MG	172	gen_require(`
6920ca91 MG	173	type devicekit_var_log_t;
a768052f	174	')
6920ca91	175
dfa6eba1	176	dontaudit $1 devicekit_var_log_t:file rw_inherited_file_perms;
6920ca91 MG	177	')
6920ca91 MG	178
773094ba DW	179	########################################
	180	## <summary>
	181	## Allow the domain to read devicekit_power state files in /proc.
	182	## </summary>
	183	## <param name="domain">
	184	## <summary>
	185	## Domain allowed access.
	186	## </summary>
	187	## </param>
	188	#
	189	interface(`devicekit_read_state_power',`
	190	gen_require(`
	191	type devicekit_power_t;
	192	')
	193
	194	kernel_search_proc($1)
	195	ps_process_pattern($1, devicekit_power_t)
	196	')
	197
677c4c2f CP	198	########################################
	199	## <summary>
	200	## Read devicekit PID files.
	201	## </summary>
	202	## <param name="domain">
	203	## <summary>
	204	## Domain allowed access.
	205	## </summary>
	206	## </param>
	207	#
	208	interface(`devicekit_read_pid_files',`
	209	gen_require(`
	210	type devicekit_var_run_t;
	211	')
	212
	213	files_search_pids($1)
	214	read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
	215	')
	216
07b0b3e3 DW	217	########################################
	218	## <summary>
	219	## Do not audit attempts to read
	220	## devicekit PID files.
	221	## </summary>
	222	## <param name="domain">
	223	## <summary>
	224	## Domain to not audit.
	225	## </summary>
	226	## </param>
	227	#
	228	interface(`devicekit_dontaudit_read_pid_files',`
	229	gen_require(`
	230	type devicekit_var_run_t;
	231	')
	232
	233	dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;
	234	')
	235
e160b2c6 MG	236
	237	########################################
	238	## <summary>
	239	## Manage devicekit PID files.
	240	## </summary>
	241	## <param name="domain">
	242	## <summary>
	243	## Domain allowed access.
	244	## </summary>
	245	## </param>
	246	#
	247	interface(`devicekit_manage_pid_files',`
	248	gen_require(`
	249	type devicekit_var_run_t;
	250	')
	251
	252	files_search_pids($1)
	253	rw_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
	254	manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
	255	')
	256
677c4c2f CP	257	########################################
677c4c2f CP	258	## <summary>
61738f11	259	## All of the rules required to administrate
677c4c2f CP	260	## an devicekit environment
	261	## </summary>
	262	## <param name="domain">
	263	## <summary>
	264	## Domain allowed access.
	265	## </summary>
	266	## </param>
677c4c2f CP	267	## <rolecap/>
	268	#
	269	interface(`devicekit_admin',`
	270	gen_require(`
	271	type devicekit_t, devicekit_disk_t, devicekit_power_t;
61738f11	272	type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
677c4c2f CP	273	')
677c4c2f CP	274
47cf98dd	275	allow $1 devicekit_t:process { ptrace signal_perms };
677c4c2f CP	276	ps_process_pattern($1, devicekit_t)
677c4c2f CP	277
47cf98dd	278	allow $1 devicekit_disk_t:process { ptrace signal_perms };
677c4c2f CP	279	ps_process_pattern($1, devicekit_disk_t)
677c4c2f CP	280
47cf98dd	281	allow $1 devicekit_power_t:process { ptrace signal_perms };
677c4c2f CP	282	ps_process_pattern($1, devicekit_power_t)
	283
	284	admin_pattern($1, devicekit_tmp_t)
61f40642	285	files_list_tmp($1)
677c4c2f CP	286
677c4c2f CP	287	admin_pattern($1, devicekit_var_lib_t)
61f40642	288	files_list_var_lib($1)
677c4c2f CP	289
677c4c2f CP	290	admin_pattern($1, devicekit_var_run_t)
61f40642	291	files_list_pids($1)
677c4c2f	292	')