29af4c13 | 1 | policy_module(hal, 1.13.0) |
fdae8e75 CP |
2 | |
3 | ######################################## | |
4 | # | |
5 | # Declarations | |
6 | # | |
7 | ||
8 | type hald_t; | |
9 | type hald_exec_t; | |
0bfccda4 | 10 | init_daemon_domain(hald_t, hald_exec_t) |
fdae8e75 | 11 | |
12217cc2 CP |
12 | type hald_acl_t; |
13 | type hald_acl_exec_t; | |
14 | domain_type(hald_acl_t) | |
0bfccda4 | 15 | domain_entry_file(hald_acl_t, hald_acl_exec_t) |
12217cc2 CP |
16 | role system_r types hald_acl_t; |
17 | ||
18 | type hald_cache_t; | |
19 | files_pid_file(hald_cache_t) | |
20 | ||
9de7c170 CP |
21 | type hald_dccm_t; |
22 | type hald_dccm_exec_t; | |
23 | domain_type(hald_dccm_t) | |
24 | domain_entry_file(hald_dccm_t, hald_dccm_exec_t) | |
25 | role system_r types hald_dccm_t; | |
26 | ||
016e5c5c CP |
27 | type hald_keymap_t; |
28 | type hald_keymap_exec_t; | |
29 | domain_type(hald_keymap_t) | |
0bfccda4 | 30 | domain_entry_file(hald_keymap_t, hald_keymap_exec_t) |
016e5c5c CP |
31 | role system_r types hald_keymap_t; |
32 | ||
12217cc2 | 33 | type hald_log_t; |
7e11b740 | 34 | logging_log_file(hald_log_t) |
12217cc2 CP |
35 | |
36 | type hald_mac_t; | |
37 | type hald_mac_exec_t; | |
38 | domain_type(hald_mac_t) | |
0bfccda4 | 39 | domain_entry_file(hald_mac_t, hald_mac_exec_t) |
12217cc2 CP |
40 | role system_r types hald_mac_t; |
41 | ||
42 | type hald_sonypic_t; | |
43 | type hald_sonypic_exec_t; | |
44 | domain_type(hald_sonypic_t) | |
0bfccda4 | 45 | domain_entry_file(hald_sonypic_t, hald_sonypic_exec_t) |
12217cc2 CP |
46 | role system_r types hald_sonypic_t; |
47 | ||
fdae8e75 CP |
48 | type hald_tmp_t; |
49 | files_tmp_file(hald_tmp_t) | |
50 | ||
51 | type hald_var_run_t; | |
52 | files_pid_file(hald_var_run_t) | |
53 | ||
d6d16b97 CP |
54 | type hald_var_lib_t; |
55 | files_type(hald_var_lib_t) | |
56 | ||
3eaa9939 DW |
57 | typealias hald_log_t alias pmtools_log_t; |
58 | typealias hald_var_run_t alias pmtools_var_run_t; | |
59 | ||
a1fcff33 CP |
60 | ######################################## |
61 | # | |
62 | # Local policy | |
63 | # | |
64 | ||
9cca1cd5 | 65 | # hald executes openvt, which needs setuid |
c0868a7a | 66 | allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config }; |
995bdbb1 | 67 | dontaudit hald_t self:capability sys_tty_config; |
b0c2cae1 | 68 | allow hald_t self:process { getsched getattr signal_perms }; |
c0868a7a | 69 | allow hald_t self:fifo_file rw_fifo_file_perms; |
0907bda1 | 70 | allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto }; |
fdae8e75 | 71 | allow hald_t self:unix_dgram_socket create_socket_perms; |
0907bda1 | 72 | allow hald_t self:netlink_kobject_uevent_socket create_socket_perms; |
fdae8e75 | 73 | allow hald_t self:tcp_socket create_stream_socket_perms; |
162dfc33 | 74 | allow hald_t self:udp_socket create_socket_perms; |
0907bda1 CP |
75 | # For backwards compatibility with older kernels |
76 | allow hald_t self:netlink_socket create_socket_perms; | |
fdae8e75 | 77 | |
0bfccda4 | 78 | manage_files_pattern(hald_t, hald_cache_t, hald_cache_t) |
12217cc2 CP |
79 | |
80 | # log files for hald | |
131634a5 | 81 | manage_files_pattern(hald_t, hald_log_t, hald_log_t) |
0bfccda4 | 82 | logging_log_filetrans(hald_t, hald_log_t, file) |
12217cc2 | 83 | |
0bfccda4 CP |
84 | manage_dirs_pattern(hald_t, hald_tmp_t, hald_tmp_t) |
85 | manage_files_pattern(hald_t, hald_tmp_t, hald_tmp_t) | |
103fe280 | 86 | files_tmp_filetrans(hald_t, hald_tmp_t, { file dir }) |
fdae8e75 | 87 | |
d6d16b97 | 88 | # var/lib files for hald |
0bfccda4 CP |
89 | manage_dirs_pattern(hald_t, hald_var_lib_t, hald_var_lib_t) |
90 | manage_files_pattern(hald_t, hald_var_lib_t, hald_var_lib_t) | |
91 | manage_sock_files_pattern(hald_t, hald_var_lib_t, hald_var_lib_t) | |
d6d16b97 | 92 | |
131634a5 | 93 | manage_dirs_pattern(hald_t, hald_var_run_t, hald_var_run_t) |
0bfccda4 | 94 | manage_files_pattern(hald_t, hald_var_run_t, hald_var_run_t) |
131634a5 | 95 | files_pid_filetrans(hald_t, hald_var_run_t, { dir file }) |
fdae8e75 CP |
96 | |
97 | kernel_read_system_state(hald_t) | |
98 | kernel_read_network_state(hald_t) | |
016e5c5c | 99 | kernel_read_software_raid_state(hald_t) |
12217cc2 | 100 | kernel_rw_kernel_sysctl(hald_t) |
445522dc | 101 | kernel_read_fs_sysctls(hald_t) |
12217cc2 | 102 | kernel_rw_irq_sysctls(hald_t) |
a3cf80d8 | 103 | kernel_rw_vm_sysctls(hald_t) |
445522dc | 104 | kernel_write_proc_files(hald_t) |
3eaa9939 | 105 | kernel_rw_net_sysctls(hald_t) |
131634a5 | 106 | kernel_setsched(hald_t) |
21673b23 | 107 | kernel_request_load_module(hald_t) |
fdae8e75 | 108 | |
8cfa5a00 | 109 | auth_read_pam_console_data(hald_t) |
93727e3f | 110 | |
fb63d0b5 | 111 | corecmd_exec_all_executables(hald_t) |
049e11af | 112 | |
19006686 CP |
113 | corenet_all_recvfrom_unlabeled(hald_t) |
114 | corenet_all_recvfrom_netlabel(hald_t) | |
668b3093 CP |
115 | corenet_tcp_sendrecv_generic_if(hald_t) |
116 | corenet_udp_sendrecv_generic_if(hald_t) | |
c1262146 CP |
117 | corenet_tcp_sendrecv_generic_node(hald_t) |
118 | corenet_udp_sendrecv_generic_node(hald_t) | |
fdae8e75 | 119 | corenet_tcp_sendrecv_all_ports(hald_t) |
162dfc33 | 120 | corenet_udp_sendrecv_all_ports(hald_t) |
fdae8e75 | 121 | |
a1fcff33 | 122 | dev_rw_usbfs(hald_t) |
b0c2cae1 | 123 | dev_read_rand(hald_t) |
fdae8e75 CP |
124 | dev_read_urand(hald_t) |
125 | dev_read_input(hald_t) | |
a0824843 | 126 | dev_read_mouse(hald_t) |
fdae8e75 | 127 | dev_rw_printer(hald_t) |
a1fcff33 | 128 | dev_read_lvm_control(hald_t) |
a0824843 | 129 | dev_getattr_all_chr_files(hald_t) |
207c4763 | 130 | dev_manage_generic_chr_files(hald_t) |
3eaa9939 | 131 | dev_manage_generic_blk_files(hald_t) |
a3cf80d8 | 132 | dev_rw_generic_usb_dev(hald_t) |
c655ec47 CP |
133 | dev_setattr_generic_usb_dev(hald_t) |
134 | dev_setattr_usbfs_files(hald_t) | |
d9845ae9 | 135 | dev_rw_power_management(hald_t) |
131634a5 | 136 | dev_read_raw_memory(hald_t) |
049e11af CP |
137 | # hal now execs pm-suspend |
138 | dev_rw_sysfs(hald_t) | |
131634a5 | 139 | dev_read_video_dev(hald_t) |
049e11af | 140 | |
15722ec9 | 141 | domain_use_interactive_fds(hald_t) |
5dbda555 | 142 | domain_read_all_domains_state(hald_t) |
12217cc2 | 143 | domain_dontaudit_ptrace_all_domains(hald_t) |
049e11af CP |
144 | |
145 | files_exec_etc_files(hald_t) | |
146 | files_read_etc_files(hald_t) | |
5b0ba2e1 | 147 | files_read_etc_runtime_files(hald_t) |
049e11af | 148 | files_rw_etc_runtime_files(hald_t) |
a77e6524 | 149 | files_manage_mnt_dirs(hald_t) |
93727e3f | 150 | files_manage_mnt_files(hald_t) |
d9845ae9 | 151 | files_manage_mnt_symlinks(hald_t) |
049e11af CP |
152 | files_search_var_lib(hald_t) |
153 | files_read_usr_files(hald_t) | |
154 | # hal now execs pm-suspend | |
155 | files_create_boot_flag(hald_t) | |
165b42d2 | 156 | files_getattr_all_dirs(hald_t) |
9de7c170 | 157 | files_getattr_all_files(hald_t) |
87eb5c84 | 158 | files_read_kernel_img(hald_t) |
016e5c5c | 159 | files_rw_lock_dirs(hald_t) |
9de7c170 | 160 | files_read_generic_pids(hald_t) |
fdae8e75 CP |
161 | |
162 | fs_getattr_all_fs(hald_t) | |
a1fcff33 | 163 | fs_search_all(hald_t) |
12217cc2 | 164 | fs_list_inotifyfs(hald_t) |
0f27d98d | 165 | fs_list_auto_mountpoints(hald_t) |
21673b23 CP |
166 | fs_mount_dos_fs(hald_t) |
167 | fs_unmount_dos_fs(hald_t) | |
168 | fs_manage_dos_files(hald_t) | |
169 | fs_manage_fusefs_dirs(hald_t) | |
b0c2cae1 | 170 | fs_rw_removable_blk_files(hald_t) |
21673b23 | 171 | |
cdc86ee5 | 172 | files_getattr_all_mountpoints(hald_t) |
f44f7566 | 173 | files_read_kernel_modules(hald_t) |
fdae8e75 | 174 | |
f8233ab7 | 175 | mls_file_read_all_levels(hald_t) |
a77e6524 | 176 | |
a0824843 CP |
177 | selinux_get_fs_mount(hald_t) |
178 | selinux_validate_context(hald_t) | |
179 | selinux_compute_access_vector(hald_t) | |
180 | selinux_compute_create_context(hald_t) | |
181 | selinux_compute_relabel_context(hald_t) | |
182 | selinux_compute_user_contexts(hald_t) | |
183 | ||
fdae8e75 | 184 | storage_raw_read_removable_device(hald_t) |
af23450c | 185 | storage_raw_write_removable_device(hald_t) |
fdae8e75 CP |
186 | storage_raw_read_fixed_disk(hald_t) |
187 | storage_raw_write_fixed_disk(hald_t) | |
188 | ||
693d4aed CP |
189 | # hal_probe_serial causes these |
190 | term_setattr_unallocated_ttys(hald_t) | |
b0c2cae1 | 191 | term_use_unallocated_ttys(hald_t) |
693d4aed | 192 | |
2dbd3824 CP |
193 | auth_use_nsswitch(hald_t) |
194 | ||
9cca1cd5 | 195 | init_domtrans_script(hald_t) |
51a89cc5 | 196 | init_read_utmp(hald_t) |
b0d2243c CP |
197 | # hal runs shutdown; it probably needs a dedicated shutdown domain |
198 | init_rw_utmp(hald_t) | |
12217cc2 | 199 | init_telinit(hald_t) |
fdae8e75 | 200 | |
fdae8e75 CP |
201 | libs_exec_ld_so(hald_t) |
202 | libs_exec_lib_files(hald_t) | |
203 | ||
d5b81a81 | 204 | logging_send_audit_msgs(hald_t) |
fdae8e75 | 205 | logging_send_syslog_msg(hald_t) |
8cf67141 | 206 | logging_search_logs(hald_t) |
fdae8e75 CP |
207 | |
208 | miscfiles_read_localization(hald_t) | |
77f6e2cd | 209 | miscfiles_read_hwdata(hald_t) |
fdae8e75 CP |
210 | |
211 | seutil_read_config(hald_t) | |
212 | seutil_read_default_contexts(hald_t) | |
016e5c5c | 213 | seutil_read_file_contexts(hald_t) |
fdae8e75 | 214 | |
3eaa9939 | 215 | sysnet_delete_dhcpc_pid(hald_t) |
9de7c170 | 216 | sysnet_domtrans_dhcpc(hald_t) |
21673b23 | 217 | sysnet_domtrans_ifconfig(hald_t) |
3eaa9939 | 218 | sysnet_read_config(hald_t) |
21673b23 | 219 | sysnet_read_dhcp_config(hald_t) |
3eaa9939 DW |
220 | sysnet_read_dhcpc_pid(hald_t) |
221 | sysnet_signal_dhcpc(hald_t) | |
fdae8e75 | 222 | |
15722ec9 | 223 | userdom_dontaudit_use_unpriv_user_fds(hald_t) |
296273a7 | 224 | userdom_dontaudit_search_user_home_dirs(hald_t) |
03527520 | 225 | userdom_stream_connect(hald_t) |
fdae8e75 | 226 | |
2371d8d8 MG |
227 | optional_policy(` |
228 | netutils_domtrans(hald_t) | |
229 | ') | |
079779a6 | 230 | |
12217cc2 | 231 | optional_policy(` |
016e5c5c | 232 | alsa_domtrans(hald_t) |
12217cc2 CP |
233 | alsa_read_rw_config(hald_t) |
234 | ') | |
235 | ||
46551033 CP |
236 | optional_policy(` |
237 | bootloader_domtrans(hald_t) | |
238 | ') | |
239 | ||
bb7170f6 | 240 | optional_policy(` |
725926c5 CP |
241 | # For /usr/libexec/hald-addon-acpi |
242 | # writes to /var/run/acpid.socket | |
243 | apm_stream_connect(hald_t) | |
244 | ') | |
245 | ||
bb7170f6 | 246 | optional_policy(` |
93727e3f CP |
247 | bind_search_cache(hald_t) |
248 | ') | |
249 | ||
46551033 CP |
250 | optional_policy(` |
251 | bluetooth_domtrans(hald_t) | |
252 | ') | |
253 | ||
bb7170f6 | 254 | optional_policy(` |
9cca1cd5 CP |
255 | clock_domtrans(hald_t) |
256 | ') | |
257 | ||
bb7170f6 | 258 | optional_policy(` |
725926c5 | 259 | cups_domtrans_config(hald_t) |
9fd4b818 | 260 | cups_signal_config(hald_t) |
725926c5 CP |
261 | ') |
262 | ||
bb7170f6 | 263 | optional_policy(` |
f4dc1988 | 264 | dbus_system_domain(hald_t, hald_exec_t) |
d828b5ca | 265 | |
f525b49e CP |
266 | init_dbus_chat_script(hald_t) |
267 | ||
bb7170f6 | 268 | optional_policy(` |
d828b5ca CP |
269 | networkmanager_dbus_chat(hald_t) |
270 | ') | |
fdae8e75 CP |
271 | ') |
272 | ||
e160b2c6 MG |
273 | optional_policy(` |
274 | # for pm-suspend.lock in /var/run/pm-utils/ | |
275 | devicekit_manage_pid_files(hald_t) | |
276 | ') | |
277 | ||
bb7170f6 | 278 | optional_policy(` |
20e306e2 CP |
279 | # For /usr/libexec/hald-probe-smbios |
280 | dmidecode_domtrans(hald_t) | |
281 | ') | |
282 | ||
3eaa9939 DW |
283 | optional_policy(` |
284 | gnome_read_config(hald_t) | |
285 | ') | |
286 | ||
131634a5 CP |
287 | optional_policy(` |
288 | gpm_dontaudit_getattr_gpmctl(hald_t) | |
289 | ') | |
290 | ||
e689c53a MG |
291 | optional_policy(` |
292 | fstools_getattr_swap_files(hald_t) | |
293 | ') | |
294 | ||
bb7170f6 | 295 | optional_policy(` |
fdae8e75 CP |
296 | hotplug_read_config(hald_t) |
297 | ') | |
298 | ||
bb7170f6 | 299 | optional_policy(` |
a3cf80d8 CP |
300 | lvm_domtrans(hald_t) |
301 | ') | |
302 | ||
2371d8d8 MG |
303 | optional_policy(` |
304 | modutils_domtrans_insmod(hald_t) | |
305 | modutils_read_module_deps(hald_t) | |
306 | ') | |
307 | ||
bb7170f6 | 308 | optional_policy(` |
a1fcff33 CP |
309 | mount_domtrans(hald_t) |
310 | ') | |
311 | ||
72492557 | 312 | optional_policy(` |
6073ea1e | 313 | ntp_domtrans(hald_t) |
72492557 CP |
314 | ') |
315 | ||
bb7170f6 | 316 | optional_policy(` |
603f90ab | 317 | pcmcia_manage_pid(hald_t) |
1815bad1 | 318 | pcmcia_manage_pid_chr_files(hald_t) |
603f90ab CP |
319 | ') |
320 | ||
131634a5 CP |
321 | optional_policy(` |
322 | podsleuth_domtrans(hald_t) | |
323 | ') | |
324 | ||
9de7c170 | 325 | optional_policy(` |
b0c2cae1 | 326 | ppp_domtrans(hald_t) |
9de7c170 CP |
327 | ppp_read_rw_config(hald_t) |
328 | ') | |
329 | ||
330 | optional_policy(` | |
68ac47d8 | 331 | policykit_dbus_chat(hald_t) |
9de7c170 CP |
332 | policykit_domtrans_auth(hald_t) |
333 | policykit_domtrans_resolve(hald_t) | |
334 | policykit_read_lib(hald_t) | |
335 | policykit_read_reload(hald_t) | |
336 | ') | |
337 | ||
bb7170f6 | 338 | optional_policy(` |
a77e6524 CP |
339 | rpc_search_nfs_state_data(hald_t) |
340 | ') | |
341 | ||
bb7170f6 | 342 | optional_policy(` |
fdae8e75 CP |
343 | seutil_sigchld_newrole(hald_t) |
344 | ') | |
345 | ||
3eaa9939 DW |
346 | optional_policy(` |
347 | shutdown_domtrans(hald_t) | |
68ac47d8 | 348 | ') |
3eaa9939 | 349 | |
bb7170f6 | 350 | optional_policy(` |
fdae8e75 CP |
351 | udev_domtrans(hald_t) |
352 | udev_read_db(hald_t) | |
353 | ') | |
354 | ||
b0c2cae1 CP |
355 | optional_policy(` |
356 | usbmuxd_stream_connect(hald_t) | |
357 | ') | |
358 | ||
bb7170f6 | 359 | optional_policy(` |
fdae8e75 CP |
360 | updfstab_domtrans(hald_t) |
361 | ') | |
362 | ||
bb7170f6 | 363 | optional_policy(` |
9cca1cd5 CP |
364 | vbetool_domtrans(hald_t) |
365 | ') | |
12217cc2 | 366 | |
fcee22ad CP |
367 | optional_policy(` |
368 | virt_manage_images(hald_t) | |
369 | ') | |
370 | ||
3eaa9939 DW |
371 | optional_policy(` |
372 | xserver_read_pid(hald_t) | |
373 | ') | |
374 | ||
12217cc2 CP |
375 | ######################################## |
376 | # | |
377 | # Hal acl local policy | |
378 | # | |
379 | ||
9de7c170 | 380 | allow hald_acl_t self:capability { dac_override fowner sys_resource }; |
131634a5 CP |
381 | allow hald_acl_t self:process { getattr signal }; |
382 | allow hald_acl_t self:fifo_file rw_fifo_file_perms; | |
12217cc2 CP |
383 | |
384 | domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t) | |
385 | allow hald_t hald_acl_t:process signal; | |
386 | allow hald_acl_t hald_t:unix_stream_socket connectto; | |
387 | ||
0bfccda4 CP |
388 | manage_dirs_pattern(hald_acl_t, hald_var_lib_t, hald_var_lib_t) |
389 | manage_files_pattern(hald_acl_t, hald_var_lib_t, hald_var_lib_t) | |
12217cc2 CP |
390 | files_search_var_lib(hald_acl_t) |
391 | ||
131634a5 CP |
392 | manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) |
393 | manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) | |
394 | files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) | |
3eaa9939 | 395 | allow hald_t hald_var_run_t:dir mounton; |
131634a5 | 396 | |
12217cc2 CP |
397 | corecmd_exec_bin(hald_acl_t) |
398 | ||
399 | dev_getattr_all_chr_files(hald_acl_t) | |
131634a5 | 400 | dev_setattr_all_chr_files(hald_acl_t) |
016e5c5c CP |
401 | dev_getattr_generic_usb_dev(hald_acl_t) |
402 | dev_getattr_video_dev(hald_acl_t) | |
12217cc2 | 403 | dev_setattr_video_dev(hald_acl_t) |
016e5c5c | 404 | dev_getattr_sound_dev(hald_acl_t) |
12217cc2 CP |
405 | dev_setattr_sound_dev(hald_acl_t) |
406 | dev_setattr_generic_usb_dev(hald_acl_t) | |
407 | dev_setattr_usbfs_files(hald_acl_t) | |
408 | ||
409 | files_read_usr_files(hald_acl_t) | |
410 | files_read_etc_files(hald_acl_t) | |
411 | ||
21673b23 CP |
412 | fs_getattr_all_fs(hald_acl_t) |
413 | ||
12217cc2 CP |
414 | storage_getattr_removable_dev(hald_acl_t) |
415 | storage_setattr_removable_dev(hald_acl_t) | |
9de7c170 CP |
416 | storage_getattr_fixed_disk_dev(hald_acl_t) |
417 | storage_setattr_fixed_disk_dev(hald_acl_t) | |
12217cc2 CP |
418 | |
419 | auth_use_nsswitch(hald_acl_t) | |
420 | ||
fcee22ad CP |
421 | logging_send_syslog_msg(hald_acl_t) |
422 | ||
12217cc2 CP |
423 | miscfiles_read_localization(hald_acl_t) |
424 | ||
9de7c170 | 425 | optional_policy(` |
68ac47d8 | 426 | policykit_dbus_chat(hald_acl_t) |
9de7c170 CP |
427 | policykit_domtrans_auth(hald_acl_t) |
428 | policykit_read_lib(hald_acl_t) | |
429 | policykit_read_reload(hald_acl_t) | |
430 | ') | |
431 | ||
12217cc2 CP |
432 | ######################################## |
433 | # | |
434 | # Local hald mac policy | |
435 | # | |
436 | ||
9de7c170 | 437 | allow hald_mac_t self:capability { setgid setuid sys_admin }; |
fcee22ad | 438 | |
12217cc2 CP |
439 | domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) |
440 | allow hald_t hald_mac_t:process signal; | |
441 | allow hald_mac_t hald_t:unix_stream_socket connectto; | |
442 | ||
0bfccda4 CP |
443 | manage_dirs_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t) |
444 | manage_files_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t) | |
12217cc2 CP |
445 | files_search_var_lib(hald_mac_t) |
446 | ||
fcee22ad CP |
447 | write_files_pattern(hald_mac_t, hald_log_t, hald_log_t) |
448 | ||
131634a5 CP |
449 | kernel_read_system_state(hald_mac_t) |
450 | ||
451 | dev_read_raw_memory(hald_mac_t) | |
12217cc2 | 452 | dev_write_raw_memory(hald_mac_t) |
131634a5 | 453 | dev_read_sysfs(hald_mac_t) |
12217cc2 CP |
454 | |
455 | files_read_usr_files(hald_mac_t) | |
fcee22ad CP |
456 | files_read_etc_files(hald_mac_t) |
457 | ||
458 | auth_use_nsswitch(hald_mac_t) | |
12217cc2 | 459 | |
9de7c170 CP |
460 | logging_send_syslog_msg(hald_mac_t) |
461 | ||
12217cc2 CP |
462 | miscfiles_read_localization(hald_mac_t) |
463 | ||
12217cc2 CP |
464 | ######################################## |
465 | # | |
466 | # Local hald sonypic policy | |
467 | # | |
468 | ||
469 | domtrans_pattern(hald_t, hald_sonypic_exec_t, hald_sonypic_t) | |
470 | allow hald_t hald_sonypic_t:process signal; | |
471 | allow hald_sonypic_t hald_t:unix_stream_socket connectto; | |
472 | ||
473 | dev_read_video_dev(hald_sonypic_t) | |
474 | dev_write_video_dev(hald_sonypic_t) | |
475 | ||
0bfccda4 CP |
476 | manage_dirs_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t) |
477 | manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t) | |
12217cc2 CP |
478 | files_search_var_lib(hald_sonypic_t) |
479 | ||
fcee22ad CP |
480 | write_files_pattern(hald_sonypic_t, hald_log_t, hald_log_t) |
481 | ||
12217cc2 CP |
482 | files_read_usr_files(hald_sonypic_t) |
483 | ||
12217cc2 CP |
484 | miscfiles_read_localization(hald_sonypic_t) |
485 | ||
016e5c5c CP |
486 | ######################################## |
487 | # | |
488 | # Hal keymap local policy | |
489 | # | |
490 | ||
491 | domtrans_pattern(hald_t, hald_keymap_exec_t, hald_keymap_t) | |
492 | allow hald_t hald_keymap_t:process signal; | |
493 | allow hald_keymap_t hald_t:unix_stream_socket connectto; | |
494 | ||
0bfccda4 CP |
495 | manage_dirs_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t) |
496 | manage_files_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t) | |
016e5c5c CP |
497 | files_search_var_lib(hald_keymap_t) |
498 | ||
fcee22ad CP |
499 | write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t) |
500 | ||
016e5c5c CP |
501 | dev_rw_input_dev(hald_keymap_t) |
502 | ||
9de7c170 | 503 | files_read_etc_files(hald_keymap_t) |
016e5c5c CP |
504 | files_read_usr_files(hald_keymap_t) |
505 | ||
016e5c5c | 506 | miscfiles_read_localization(hald_keymap_t) |
3eaa9939 | 507 | |
e689c53a MG |
508 | optional_policy(` |
509 | # This is caused by a bug in hald and PolicyKit; | |
510 | # remove it once that bug is fixed. | |
511 | cron_read_system_job_lib_files(hald_t) | |
512 | ') | |
9de7c170 CP |
513 | |
514 | ######################################## | |
515 | # | |
516 | # Local hald dccm policy | |
517 | # | |
518 | ||
21673b23 | 519 | allow hald_dccm_t self:capability { chown net_bind_service }; |
9de7c170 | 520 | allow hald_dccm_t self:process getsched; |
21673b23 | 521 | allow hald_dccm_t self:fifo_file rw_fifo_file_perms; |
9de7c170 CP |
522 | allow hald_dccm_t self:tcp_socket create_stream_socket_perms; |
523 | allow hald_dccm_t self:udp_socket create_socket_perms; | |
524 | allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms; | |
525 | ||
526 | domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t) | |
527 | allow hald_t hald_dccm_t:process signal; | |
528 | allow hald_dccm_t hald_t:unix_stream_socket connectto; | |
529 | ||
530 | manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) | |
531 | manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) | |
532 | files_search_var_lib(hald_dccm_t) | |
533 | ||
21673b23 CP |
534 | manage_dirs_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t) |
535 | manage_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t) | |
536 | manage_sock_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t) | |
537 | files_pid_filetrans(hald_dccm_t, hald_var_run_t, { dir file sock_file }) | |
538 | ||
539 | manage_sock_files_pattern(hald_dccm_t, hald_tmp_t, hald_tmp_t) | |
540 | files_tmp_filetrans(hald_dccm_t, hald_tmp_t, sock_file) | |
541 | ||
9de7c170 CP |
542 | write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t) |
543 | ||
544 | kernel_search_network_sysctl(hald_dccm_t) | |
545 | ||
21673b23 CP |
546 | dev_read_urand(hald_dccm_t) |
547 | ||
9de7c170 CP |
548 | corenet_all_recvfrom_unlabeled(hald_dccm_t) |
549 | corenet_all_recvfrom_netlabel(hald_dccm_t) | |
550 | corenet_tcp_sendrecv_generic_if(hald_dccm_t) | |
551 | corenet_udp_sendrecv_generic_if(hald_dccm_t) | |
552 | corenet_tcp_sendrecv_generic_node(hald_dccm_t) | |
553 | corenet_udp_sendrecv_generic_node(hald_dccm_t) | |
554 | corenet_tcp_sendrecv_all_ports(hald_dccm_t) | |
555 | corenet_udp_sendrecv_all_ports(hald_dccm_t) | |
556 | corenet_tcp_bind_generic_node(hald_dccm_t) | |
557 | corenet_udp_bind_generic_node(hald_dccm_t) | |
558 | corenet_udp_bind_dhcpc_port(hald_dccm_t) | |
21673b23 | 559 | corenet_tcp_bind_ftp_port(hald_dccm_t) |
9de7c170 CP |
560 | corenet_tcp_bind_dccm_port(hald_dccm_t) |
561 | ||
562 | logging_send_syslog_msg(hald_dccm_t) | |
563 | ||
564 | files_read_usr_files(hald_dccm_t) | |
565 | ||
566 | miscfiles_read_localization(hald_dccm_t) | |
21673b23 | 567 | |
e689c53a MG |
568 | optional_policy(` |
569 | hal_dontaudit_rw_dgram_sockets(hald_dccm_t) | |
570 | ') | |
21673b23 CP |
571 | |
572 | optional_policy(` | |
573 | dbus_system_bus_client(hald_dccm_t) | |
574 | ') |