[people/stevee/selinux-policy.git] / policy / modules / services / gpm.te


policy_module(gpm, 1.5.0)

########################################
#
# Declarations
#

type gpm_t;
type gpm_exec_t;
init_daemon_domain(gpm_t, gpm_exec_t)

type gpm_conf_t;
files_type(gpm_conf_t)

type gpm_tmp_t;
files_tmp_file(gpm_tmp_t)

type gpm_var_run_t;
files_pid_file(gpm_var_run_t)

type gpmctl_t;
files_type(gpmctl_t)

########################################
#
# Local policy
#

allow gpm_t self:capability { setuid dac_override sys_admin sys_tty_config };
allow gpm_t self:unix_stream_socket create_stream_socket_perms;

allow gpm_t gpm_conf_t:dir list_dir_perms;
read_files_pattern(gpm_t, gpm_conf_t, gpm_conf_t)
read_lnk_files_pattern(gpm_t, gpm_conf_t, gpm_conf_t)

manage_dirs_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t)
manage_files_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t)
files_tmp_filetrans(gpm_t, gpm_tmp_t, { file dir })

allow gpm_t gpm_var_run_t:file manage_file_perms;
files_pid_filetrans(gpm_t,gpm_var_run_t,file)

allow gpm_t gpmctl_t:sock_file manage_sock_file_perms;
allow gpm_t gpmctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(gpm_t, gpmctl_t, { sock_file fifo_file })

kernel_read_kernel_sysctls(gpm_t)
kernel_list_proc(gpm_t)
kernel_read_proc_symlinks(gpm_t)

dev_read_sysfs(gpm_t)
# Access the mouse.
dev_rw_input_dev(gpm_t)
dev_rw_mouse(gpm_t)

fs_getattr_all_fs(gpm_t)
fs_search_auto_mountpoints(gpm_t)

term_use_unallocated_ttys(gpm_t)

domain_use_interactive_fds(gpm_t)

logging_send_syslog_msg(gpm_t)

miscfiles_read_localization(gpm_t)

userdom_dontaudit_use_unpriv_user_fds(gpm_t)

sysadm_dontaudit_search_home_dirs(gpm_t)

optional_policy(`
	seutil_sigchld_newrole(gpm_t)
')

optional_policy(`
	udev_read_db(gpm_t)
')
Commit	Line	Data
f862c35c	1
cfcf5004	2	policy_module(gpm, 1.5.0)
f862c35c CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type gpm_t;
	10	type gpm_exec_t;
0bfccda4	11	init_daemon_domain(gpm_t, gpm_exec_t)
f862c35c CP	12
	13	type gpm_conf_t;
	14	files_type(gpm_conf_t)
	15
	16	type gpm_tmp_t;
	17	files_tmp_file(gpm_tmp_t)
	18
	19	type gpm_var_run_t;
	20	files_pid_file(gpm_var_run_t)
	21
	22	type gpmctl_t;
	23	files_type(gpmctl_t)
	24
	25	########################################
	26	#
	27	# Local policy
	28	#
	29
	30	allow gpm_t self:capability { setuid dac_override sys_admin sys_tty_config };
9cca1cd5	31	allow gpm_t self:unix_stream_socket create_stream_socket_perms;
f862c35c	32
c0868a7a	33	allow gpm_t gpm_conf_t:dir list_dir_perms;
0bfccda4 CP	34	read_files_pattern(gpm_t, gpm_conf_t, gpm_conf_t)
0bfccda4 CP	35	read_lnk_files_pattern(gpm_t, gpm_conf_t, gpm_conf_t)
f862c35c	36
0bfccda4 CP	37	manage_dirs_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t)
0bfccda4 CP	38	manage_files_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t)
103fe280	39	files_tmp_filetrans(gpm_t, gpm_tmp_t, { file dir })
f862c35c	40
c0868a7a	41	allow gpm_t gpm_var_run_t:file manage_file_perms;
1c1ac67f	42	files_pid_filetrans(gpm_t,gpm_var_run_t,file)
f862c35c	43
cbe82b17 CP	44	allow gpm_t gpmctl_t:sock_file manage_sock_file_perms;
cbe82b17 CP	45	allow gpm_t gpmctl_t:fifo_file manage_fifo_file_perms;
0bfccda4	46	dev_filetrans(gpm_t, gpmctl_t, { sock_file fifo_file })
f862c35c	47
445522dc	48	kernel_read_kernel_sysctls(gpm_t)
f862c35c CP	49	kernel_list_proc(gpm_t)
	50	kernel_read_proc_symlinks(gpm_t)
	51
	52	dev_read_sysfs(gpm_t)
	53	# Access the mouse.
8cfa5a00	54	dev_rw_input_dev(gpm_t)
4ac451f1	55	dev_rw_mouse(gpm_t)
f862c35c CP	56
	57	fs_getattr_all_fs(gpm_t)
	58	fs_search_auto_mountpoints(gpm_t)
	59
1815bad1	60	term_use_unallocated_ttys(gpm_t)
f862c35c	61
15722ec9	62	domain_use_interactive_fds(gpm_t)
f862c35c	63
f862c35c CP	64	logging_send_syslog_msg(gpm_t)
	65
	66	miscfiles_read_localization(gpm_t)
	67
15722ec9	68	userdom_dontaudit_use_unpriv_user_fds(gpm_t)
e9c6cda7 CP	69
e9c6cda7 CP	70	sysadm_dontaudit_search_home_dirs(gpm_t)
f862c35c	71
bb7170f6	72	optional_policy(`
f862c35c CP	73	seutil_sigchld_newrole(gpm_t)
	74	')
	75
bb7170f6	76	optional_policy(`
f862c35c CP	77	udev_read_db(gpm_t)
f862c35c CP	78	')