Commit | Line | Data |
---|---|---|
677c4c2f CP |
1 | ## <summary>Devicekit modular hardware abstraction layer</summary> |
2 | ||
3 | ######################################## | |
4 | ## <summary> | |
5 | ## Execute a domain transition to run devicekit. | |
6 | ## </summary> | |
7 | ## <param name="domain"> | |
4b1644f4 | 8 | ## <summary> |
677c4c2f | 9 | ## Domain allowed to transition. |
4b1644f4 | 10 | ## </summary> |
677c4c2f CP |
11 | ## </param> |
12 | # | |
13 | interface(`devicekit_domtrans',` | |
14 | gen_require(` | |
15 | type devicekit_t, devicekit_exec_t; | |
16 | ') | |
17 | ||
18 | domtrans_pattern($1, devicekit_exec_t, devicekit_t) | |
19 | ') | |
20 | ||
7e9cab9c DW |
21 | ######################################## |
22 | ## <summary> | |
23 | ## Execute a domain transition to run devicekit_disk. | |
24 | ## </summary> | |
25 | ## <param name="domain"> | |
26 | ## <summary> | |
27 | ## Domain allowed to transition. | |
28 | ## </summary> | |
29 | ## </param> | |
30 | # | |
31 | interface(`devicekit_domtrans_disk',` | |
32 | gen_require(` | |
33 | type devicekit_disk_t, devicekit_disk_exec_t; | |
34 | ') | |
35 | ||
36 | domtrans_pattern($1, devicekit_disk_exec_t, devicekit_disk_t) | |
37 | ') | |
38 | ||
677c4c2f CP |
39 | ######################################## |
40 | ## <summary> | |
41 | ## Send to devicekit over a unix domain | |
42 | ## datagram socket. | |
43 | ## </summary> | |
44 | ## <param name="domain"> | |
45 | ## <summary> | |
46 | ## Domain allowed access. | |
47 | ## </summary> | |
48 | ## </param> | |
49 | # | |
50 | interface(`devicekit_dgram_send',` | |
51 | gen_require(` | |
52 | type devicekit_t; | |
53 | ') | |
54 | ||
55 | allow $1 devicekit_t:unix_dgram_socket sendto; | |
56 | ') | |
57 | ||
58 | ######################################## | |
59 | ## <summary> | |
60 | ## Send and receive messages from | |
61 | ## devicekit over dbus. | |
62 | ## </summary> | |
63 | ## <param name="domain"> | |
64 | ## <summary> | |
65 | ## Domain allowed access. | |
66 | ## </summary> | |
67 | ## </param> | |
68 | # | |
69 | interface(`devicekit_dbus_chat',` | |
70 | gen_require(` | |
71 | type devicekit_t; | |
72 | class dbus send_msg; | |
73 | ') | |
74 | ||
75 | allow $1 devicekit_t:dbus send_msg; | |
76 | allow devicekit_t $1:dbus send_msg; | |
77 | ') | |
78 | ||
79 | ######################################## | |
80 | ## <summary> | |
81 | ## Send and receive messages from | |
82 | ## devicekit disk over dbus. | |
83 | ## </summary> | |
84 | ## <param name="domain"> | |
85 | ## <summary> | |
86 | ## Domain allowed access. | |
87 | ## </summary> | |
88 | ## </param> | |
89 | # | |
90 | interface(`devicekit_dbus_chat_disk',` | |
91 | gen_require(` | |
92 | type devicekit_disk_t; | |
93 | class dbus send_msg; | |
94 | ') | |
95 | ||
96 | allow $1 devicekit_disk_t:dbus send_msg; | |
97 | allow devicekit_disk_t $1:dbus send_msg; | |
98 | ') | |
99 | ||
1434371c DW |
100 | ######################################## |
101 | ## <summary> | |
102 | ## Do not audit attempts to send and receive messages from | |
103 | ## devicekit disk over dbus. | |
104 | ## </summary> | |
105 | ## <param name="domain"> | |
106 | ## <summary> | |
107 | ## Domain to not audit. | |
108 | ## </summary> | |
109 | ## </param> | |
110 | # | |
111 | interface(`devicekit_dontaudit_dbus_chat_disk',` | |
112 | gen_require(` | |
113 | type devicekit_disk_t; | |
114 | class dbus send_msg; | |
115 | ') | |
116 | ||
117 | dontaudit $1 devicekit_disk_t:dbus send_msg; | |
118 | dontaudit devicekit_disk_t $1:dbus send_msg; | |
119 | ') | |
120 | ||
677c4c2f CP |
121 | ######################################## |
122 | ## <summary> | |
123 | ## Send a generic signal to the devicekit power process. | |
124 | ## </summary> | |
125 | ## <param name="domain"> | |
126 | ## <summary> | |
127 | ## Domain allowed access. | |
128 | ## </summary> | |
129 | ## </param> | |
130 | # | |
131 | interface(`devicekit_signal_power',` | |
132 | gen_require(` | |
133 | type devicekit_power_t; | |
134 | ') | |
135 | ||
136 | allow $1 devicekit_power_t:process signal; | |
137 | ') | |
138 | ||
139 | ######################################## | |
140 | ## <summary> | |
141 | ## Send and receive messages from | |
142 | ## devicekit power over dbus. | |
143 | ## </summary> | |
144 | ## <param name="domain"> | |
145 | ## <summary> | |
146 | ## Domain allowed access. | |
147 | ## </summary> | |
148 | ## </param> | |
149 | # | |
150 | interface(`devicekit_dbus_chat_power',` | |
151 | gen_require(` | |
152 | type devicekit_power_t; | |
153 | class dbus send_msg; | |
154 | ') | |
155 | ||
156 | allow $1 devicekit_power_t:dbus send_msg; | |
157 | allow devicekit_power_t $1:dbus send_msg; | |
158 | ') | |
159 | ||
6920ca91 MG |
160 | ####################################### |
161 | ## <summary> | |
162 | ## Do not audit attempts to read and write inherited devicekit | |
163 | ## log files. | |
164 | ## </summary> | |
165 | ## <param name="domain"> | |
166 | ## <summary> | |
167 | ## Domain to not audit. | |
168 | ## </summary> | |
169 | ## </param> | |
170 | # | |
dfa6eba1 | 171 | interface(`devicekit_dontaudit_rw_log',` |
6920ca91 MG |
172 | gen_require(` |
173 | type devicekit_var_log_t; | |
a768052f | 174 | ') |
6920ca91 | 175 | |
dfa6eba1 | 176 | dontaudit $1 devicekit_var_log_t:file rw_inherited_file_perms; |
6920ca91 MG |
177 | ') |
178 | ||
773094ba DW |
179 | ######################################## |
180 | ## <summary> | |
181 | ## Allow the domain to read devicekit_power state files in /proc. | |
182 | ## </summary> | |
183 | ## <param name="domain"> | |
184 | ## <summary> | |
185 | ## Domain allowed access. | |
186 | ## </summary> | |
187 | ## </param> | |
188 | # | |
189 | interface(`devicekit_read_state_power',` | |
190 | gen_require(` | |
191 | type devicekit_power_t; | |
192 | ') | |
193 | ||
194 | kernel_search_proc($1) | |
195 | ps_process_pattern($1, devicekit_power_t) | |
196 | ') | |
197 | ||
677c4c2f CP |
198 | ######################################## |
199 | ## <summary> | |
200 | ## Read devicekit PID files. | |
201 | ## </summary> | |
202 | ## <param name="domain"> | |
203 | ## <summary> | |
204 | ## Domain allowed access. | |
205 | ## </summary> | |
206 | ## </param> | |
207 | # | |
208 | interface(`devicekit_read_pid_files',` | |
209 | gen_require(` | |
210 | type devicekit_var_run_t; | |
211 | ') | |
212 | ||
213 | files_search_pids($1) | |
214 | read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t) | |
215 | ') | |
216 | ||
07b0b3e3 DW |
217 | ######################################## |
218 | ## <summary> | |
219 | ## Do not audit attempts to read | |
220 | ## devicekit PID files. | |
221 | ## </summary> | |
222 | ## <param name="domain"> | |
223 | ## <summary> | |
224 | ## Domain to not audit. | |
225 | ## </summary> | |
226 | ## </param> | |
227 | # | |
228 | interface(`devicekit_dontaudit_read_pid_files',` | |
229 | gen_require(` | |
230 | type devicekit_var_run_t; | |
231 | ') | |
232 | ||
233 | dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms; | |
234 | ') | |
235 | ||
e160b2c6 MG |
236 | |
237 | ######################################## | |
238 | ## <summary> | |
239 | ## Manage devicekit PID files. | |
240 | ## </summary> | |
241 | ## <param name="domain"> | |
242 | ## <summary> | |
243 | ## Domain allowed access. | |
244 | ## </summary> | |
245 | ## </param> | |
246 | # | |
247 | interface(`devicekit_manage_pid_files',` | |
248 | gen_require(` | |
249 | type devicekit_var_run_t; | |
250 | ') | |
251 | ||
252 | files_search_pids($1) | |
253 | rw_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t) | |
254 | manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t) | |
255 | ') | |
256 | ||
677c4c2f CP |
257 | ######################################## |
258 | ## <summary> | |
61738f11 | 259 | ## All of the rules required to administrate |
677c4c2f CP |
260 | ## a devicekit environment, including ptrace and signal access to the devicekit, devicekit_disk and devicekit_power processes. |
261 | ## </summary> | |
262 | ## <param name="domain"> | |
263 | ## <summary> | |
264 | ## Domain allowed access. | |
265 | ## </summary> | |
266 | ## </param> | |
677c4c2f CP |
267 | ## <rolecap/> |
268 | # | |
269 | interface(`devicekit_admin',` | |
270 | gen_require(` | |
271 | type devicekit_t, devicekit_disk_t, devicekit_power_t; | |
61738f11 | 272 | type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; |
677c4c2f CP |
273 | ') |
274 | ||
47cf98dd | 275 | allow $1 devicekit_t:process { ptrace signal_perms }; |
677c4c2f CP |
276 | ps_process_pattern($1, devicekit_t) |
277 | ||
47cf98dd | 278 | allow $1 devicekit_disk_t:process { ptrace signal_perms }; |
677c4c2f CP |
279 | ps_process_pattern($1, devicekit_disk_t) |
280 | ||
47cf98dd | 281 | allow $1 devicekit_power_t:process { ptrace signal_perms }; |
677c4c2f CP |
282 | ps_process_pattern($1, devicekit_power_t) |
283 | ||
284 | admin_pattern($1, devicekit_tmp_t) | |
61f40642 | 285 | files_list_tmp($1) |
677c4c2f CP |
286 | |
287 | admin_pattern($1, devicekit_var_lib_t) | |
61f40642 | 288 | files_list_var_lib($1) |
677c4c2f CP |
289 | |
290 | admin_pattern($1, devicekit_var_run_t) | |
61f40642 | 291 | files_list_pids($1) |
677c4c2f | 292 | ') |