[people/stevee/selinux-policy.git] / policy / modules / services / hal.te

policy_module(hal, 1.13.0)

########################################
#
# Declarations
#

type hald_t;
type hald_exec_t;
init_daemon_domain(hald_t, hald_exec_t)

type hald_acl_t;
type hald_acl_exec_t;
domain_type(hald_acl_t)
domain_entry_file(hald_acl_t, hald_acl_exec_t)
role system_r types hald_acl_t;

type hald_cache_t;
files_pid_file(hald_cache_t)

type hald_dccm_t;
type hald_dccm_exec_t;
domain_type(hald_dccm_t)
domain_entry_file(hald_dccm_t, hald_dccm_exec_t)
role system_r types hald_dccm_t;

type hald_keymap_t;
type hald_keymap_exec_t;
domain_type(hald_keymap_t)
domain_entry_file(hald_keymap_t, hald_keymap_exec_t)
role system_r types hald_keymap_t;

type hald_log_t;
logging_log_file(hald_log_t)

type hald_mac_t;
type hald_mac_exec_t;
domain_type(hald_mac_t)
domain_entry_file(hald_mac_t, hald_mac_exec_t)
role system_r types hald_mac_t;

type hald_sonypic_t;
type hald_sonypic_exec_t;
domain_type(hald_sonypic_t)
domain_entry_file(hald_sonypic_t, hald_sonypic_exec_t)
role system_r types hald_sonypic_t;

type hald_tmp_t;
files_tmp_file(hald_tmp_t)

type hald_var_run_t;
files_pid_file(hald_var_run_t)

type hald_var_lib_t;
files_type(hald_var_lib_t)

typealias hald_log_t alias pmtools_log_t;
typealias hald_var_run_t alias pmtools_var_run_t;

########################################
#
# Local policy
#

# execute openvt which needs setuid
allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
dontaudit hald_t self:capability sys_tty_config;
allow hald_t self:process { getsched getattr signal_perms };
allow hald_t self:fifo_file rw_fifo_file_perms;
allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow hald_t self:unix_dgram_socket create_socket_perms;
allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
allow hald_t self:tcp_socket create_stream_socket_perms;
allow hald_t self:udp_socket create_socket_perms;
# For backwards compatibility with older kernels
allow hald_t self:netlink_socket create_socket_perms;

manage_files_pattern(hald_t, hald_cache_t, hald_cache_t)

# log files for hald
manage_files_pattern(hald_t, hald_log_t, hald_log_t)
logging_log_filetrans(hald_t, hald_log_t, file)

manage_dirs_pattern(hald_t, hald_tmp_t, hald_tmp_t)
manage_files_pattern(hald_t, hald_tmp_t, hald_tmp_t)
files_tmp_filetrans(hald_t, hald_tmp_t, { file dir })

# var/lib files for hald
manage_dirs_pattern(hald_t, hald_var_lib_t, hald_var_lib_t)
manage_files_pattern(hald_t, hald_var_lib_t, hald_var_lib_t)
manage_sock_files_pattern(hald_t, hald_var_lib_t, hald_var_lib_t)

manage_dirs_pattern(hald_t, hald_var_run_t, hald_var_run_t)
manage_files_pattern(hald_t, hald_var_run_t, hald_var_run_t)
files_pid_filetrans(hald_t, hald_var_run_t, { dir file })

kernel_read_system_state(hald_t)
kernel_read_network_state(hald_t)
kernel_read_software_raid_state(hald_t)
kernel_rw_kernel_sysctl(hald_t)
kernel_read_fs_sysctls(hald_t)
kernel_rw_irq_sysctls(hald_t)
kernel_rw_vm_sysctls(hald_t)
kernel_write_proc_files(hald_t)
kernel_rw_net_sysctls(hald_t)
kernel_setsched(hald_t)
kernel_request_load_module(hald_t)

auth_read_pam_console_data(hald_t)

corecmd_exec_all_executables(hald_t)

corenet_all_recvfrom_unlabeled(hald_t)
corenet_all_recvfrom_netlabel(hald_t)
corenet_tcp_sendrecv_generic_if(hald_t)
corenet_udp_sendrecv_generic_if(hald_t)
corenet_tcp_sendrecv_generic_node(hald_t)
corenet_udp_sendrecv_generic_node(hald_t)
corenet_tcp_sendrecv_all_ports(hald_t)
corenet_udp_sendrecv_all_ports(hald_t)

dev_rw_usbfs(hald_t)
dev_read_rand(hald_t)
dev_read_urand(hald_t)
dev_read_input(hald_t)
dev_read_mouse(hald_t)
dev_rw_printer(hald_t)
dev_read_lvm_control(hald_t)
dev_getattr_all_chr_files(hald_t)
dev_manage_generic_chr_files(hald_t)
dev_manage_generic_blk_files(hald_t)
dev_rw_generic_usb_dev(hald_t)
dev_setattr_generic_usb_dev(hald_t)
dev_setattr_usbfs_files(hald_t)
dev_rw_power_management(hald_t)
dev_read_raw_memory(hald_t)
# hal is now execing pm-suspend
dev_rw_sysfs(hald_t)
dev_read_video_dev(hald_t)

domain_use_interactive_fds(hald_t)
domain_read_all_domains_state(hald_t)
domain_dontaudit_ptrace_all_domains(hald_t)

files_exec_etc_files(hald_t)
files_read_etc_files(hald_t)
files_read_etc_runtime_files(hald_t)
files_rw_etc_runtime_files(hald_t)
files_manage_mnt_dirs(hald_t)
files_manage_mnt_files(hald_t)
files_manage_mnt_symlinks(hald_t)
files_search_var_lib(hald_t)
files_read_usr_files(hald_t)
# hal is now execing pm-suspend
files_create_boot_flag(hald_t)
files_getattr_all_dirs(hald_t)
files_getattr_all_files(hald_t)
files_read_kernel_img(hald_t)
files_rw_lock_dirs(hald_t)
files_read_generic_pids(hald_t)

fs_getattr_all_fs(hald_t)
fs_search_all(hald_t)
fs_list_inotifyfs(hald_t)
fs_list_auto_mountpoints(hald_t)
fs_mount_dos_fs(hald_t)
fs_unmount_dos_fs(hald_t)
fs_manage_dos_files(hald_t)
fs_manage_fusefs_dirs(hald_t)
fs_rw_removable_blk_files(hald_t)

files_getattr_all_mountpoints(hald_t)
files_read_kernel_modules(hald_t)

mls_file_read_all_levels(hald_t)

selinux_get_fs_mount(hald_t)
selinux_validate_context(hald_t)
selinux_compute_access_vector(hald_t)
selinux_compute_create_context(hald_t)
selinux_compute_relabel_context(hald_t)
selinux_compute_user_contexts(hald_t)

storage_raw_read_removable_device(hald_t)
storage_raw_write_removable_device(hald_t)
storage_raw_read_fixed_disk(hald_t)
storage_raw_write_fixed_disk(hald_t)

# hal_probe_serial causes these
term_setattr_unallocated_ttys(hald_t)
term_use_unallocated_ttys(hald_t)

auth_use_nsswitch(hald_t)

init_domtrans_script(hald_t)
init_read_utmp(hald_t)
#hal runs shutdown, probably need a shutdown domain
init_rw_utmp(hald_t)
init_telinit(hald_t)

libs_exec_ld_so(hald_t)
libs_exec_lib_files(hald_t)

logging_send_audit_msgs(hald_t)
logging_send_syslog_msg(hald_t)
logging_search_logs(hald_t)

miscfiles_read_localization(hald_t)
miscfiles_read_hwdata(hald_t)

seutil_read_config(hald_t)
seutil_read_default_contexts(hald_t)
seutil_read_file_contexts(hald_t)

sysnet_delete_dhcpc_pid(hald_t)
sysnet_domtrans_dhcpc(hald_t)
sysnet_domtrans_ifconfig(hald_t)
sysnet_read_config(hald_t)
sysnet_read_dhcp_config(hald_t)
sysnet_read_dhcpc_pid(hald_t)
sysnet_signal_dhcpc(hald_t)

userdom_dontaudit_use_unpriv_user_fds(hald_t)
userdom_dontaudit_search_user_home_dirs(hald_t)
userdom_stream_connect(hald_t)

optional_policy(`
	netutils_domtrans(hald_t)
')

optional_policy(`
	alsa_domtrans(hald_t)
	alsa_read_rw_config(hald_t)
')

optional_policy(`
	bootloader_domtrans(hald_t)
')

optional_policy(`
	# For /usr/libexec/hald-addon-acpi
	# writes to /var/run/acpid.socket
	apm_stream_connect(hald_t)
')

optional_policy(`
	bind_search_cache(hald_t)
')

optional_policy(`
	bluetooth_domtrans(hald_t)
')

optional_policy(`
	clock_domtrans(hald_t)
')

optional_policy(`
	cups_domtrans_config(hald_t)
	cups_signal_config(hald_t)
')

optional_policy(`
	dbus_system_domain(hald_t, hald_exec_t)

	init_dbus_chat_script(hald_t)

	optional_policy(`
		networkmanager_dbus_chat(hald_t)
	')
')

optional_policy(`
	# for pm-suspend.lock in /var/run/pm-utils/
	devicekit_manage_pid_files(hald_t)
')

optional_policy(`
	# For /usr/libexec/hald-probe-smbios
	dmidecode_domtrans(hald_t)
')

optional_policy(`
	gnome_read_config(hald_t)
')

optional_policy(`
	gpm_dontaudit_getattr_gpmctl(hald_t)
')

optional_policy(`
	fstools_getattr_swap_files(hald_t)
')

optional_policy(`
	hotplug_read_config(hald_t)
')

optional_policy(`
	lvm_domtrans(hald_t)
')

optional_policy(`
	modutils_domtrans_insmod(hald_t)
	modutils_read_module_deps(hald_t)
')

optional_policy(`
	mount_domtrans(hald_t)
')

optional_policy(`
	ntp_domtrans(hald_t)
')

optional_policy(`
	pcmcia_manage_pid(hald_t)
	pcmcia_manage_pid_chr_files(hald_t)
')

optional_policy(`
	podsleuth_domtrans(hald_t)
')

optional_policy(`
	ppp_domtrans(hald_t)
	ppp_read_rw_config(hald_t)
')

optional_policy(`
	policykit_dbus_chat(hald_t)
	policykit_domtrans_auth(hald_t)
	policykit_domtrans_resolve(hald_t)
	policykit_read_lib(hald_t)
	policykit_read_reload(hald_t)
')

optional_policy(`
	rpc_search_nfs_state_data(hald_t)
')

optional_policy(`
	seutil_sigchld_newrole(hald_t)
')

optional_policy(`
	shutdown_domtrans(hald_t)
')

optional_policy(`
	udev_domtrans(hald_t)
	udev_read_db(hald_t)
')

optional_policy(`
	usbmuxd_stream_connect(hald_t)
')

optional_policy(`
	updfstab_domtrans(hald_t)
')

optional_policy(`
	vbetool_domtrans(hald_t)
')

optional_policy(`
	virt_manage_images(hald_t)
')

optional_policy(`
	xserver_read_pid(hald_t)
')

########################################
#
# Hal acl local policy
#

allow hald_acl_t self:capability { dac_override fowner sys_resource };
allow hald_acl_t self:process { getattr signal };
allow hald_acl_t self:fifo_file rw_fifo_file_perms;

domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
allow hald_t hald_acl_t:process signal;
allow hald_acl_t hald_t:unix_stream_socket connectto;

manage_dirs_pattern(hald_acl_t, hald_var_lib_t, hald_var_lib_t)
manage_files_pattern(hald_acl_t, hald_var_lib_t, hald_var_lib_t)
files_search_var_lib(hald_acl_t)

manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
allow hald_t hald_var_run_t:dir mounton;

corecmd_exec_bin(hald_acl_t)

dev_getattr_all_chr_files(hald_acl_t)
dev_setattr_all_chr_files(hald_acl_t)
dev_getattr_generic_usb_dev(hald_acl_t)
dev_getattr_video_dev(hald_acl_t)
dev_setattr_video_dev(hald_acl_t)
dev_getattr_sound_dev(hald_acl_t)
dev_setattr_sound_dev(hald_acl_t)
dev_setattr_generic_usb_dev(hald_acl_t)
dev_setattr_usbfs_files(hald_acl_t)

files_read_usr_files(hald_acl_t)
files_read_etc_files(hald_acl_t)

fs_getattr_all_fs(hald_acl_t)

storage_getattr_removable_dev(hald_acl_t)
storage_setattr_removable_dev(hald_acl_t)
storage_getattr_fixed_disk_dev(hald_acl_t)
storage_setattr_fixed_disk_dev(hald_acl_t)

auth_use_nsswitch(hald_acl_t)

logging_send_syslog_msg(hald_acl_t)

miscfiles_read_localization(hald_acl_t)

optional_policy(`
	policykit_dbus_chat(hald_acl_t)
	policykit_domtrans_auth(hald_acl_t)
	policykit_read_lib(hald_acl_t)
	policykit_read_reload(hald_acl_t)
')

########################################
#
# Local hald mac policy
#

allow hald_mac_t self:capability { setgid setuid sys_admin };

domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
allow hald_t hald_mac_t:process signal;
allow hald_mac_t hald_t:unix_stream_socket connectto;

manage_dirs_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t)
manage_files_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t)
files_search_var_lib(hald_mac_t)

write_files_pattern(hald_mac_t, hald_log_t, hald_log_t)

kernel_read_system_state(hald_mac_t)

dev_read_raw_memory(hald_mac_t)
dev_write_raw_memory(hald_mac_t)
dev_read_sysfs(hald_mac_t)

files_read_usr_files(hald_mac_t)
files_read_etc_files(hald_mac_t)

auth_use_nsswitch(hald_mac_t)

logging_send_syslog_msg(hald_mac_t)

miscfiles_read_localization(hald_mac_t)

########################################
#
# Local hald sonypic policy
#

domtrans_pattern(hald_t, hald_sonypic_exec_t, hald_sonypic_t)
allow hald_t hald_sonypic_t:process signal;
allow hald_sonypic_t hald_t:unix_stream_socket connectto;

dev_read_video_dev(hald_sonypic_t)
dev_write_video_dev(hald_sonypic_t)

manage_dirs_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t)
manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t)
files_search_var_lib(hald_sonypic_t)

write_files_pattern(hald_sonypic_t, hald_log_t, hald_log_t)

files_read_usr_files(hald_sonypic_t)

miscfiles_read_localization(hald_sonypic_t)

########################################
#
# Hal keymap local policy
#

domtrans_pattern(hald_t, hald_keymap_exec_t, hald_keymap_t)
allow hald_t hald_keymap_t:process signal;
allow hald_keymap_t hald_t:unix_stream_socket connectto;

manage_dirs_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t)
manage_files_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t)
files_search_var_lib(hald_keymap_t)

write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)

dev_rw_input_dev(hald_keymap_t)

files_read_etc_files(hald_keymap_t)
files_read_usr_files(hald_keymap_t)

miscfiles_read_localization(hald_keymap_t)

optional_policy(`
	# This is caused by a bug in hald and PolicyKit.
	# Should be removed when this is fixed
	cron_read_system_job_lib_files(hald_t)
')

########################################
#
# Local hald dccm policy
#

allow hald_dccm_t self:capability { chown net_bind_service };
allow hald_dccm_t self:process getsched;
allow hald_dccm_t self:fifo_file rw_fifo_file_perms;
allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
allow hald_dccm_t self:udp_socket create_socket_perms;
allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms;

domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t)
allow hald_t hald_dccm_t:process signal;
allow hald_dccm_t hald_t:unix_stream_socket connectto;

manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
files_search_var_lib(hald_dccm_t)

manage_dirs_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
manage_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
manage_sock_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
files_pid_filetrans(hald_dccm_t, hald_var_run_t, { dir file sock_file })

manage_sock_files_pattern(hald_dccm_t, hald_tmp_t, hald_tmp_t)
files_tmp_filetrans(hald_dccm_t, hald_tmp_t, sock_file)

write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t)

kernel_search_network_sysctl(hald_dccm_t)

dev_read_urand(hald_dccm_t)

corenet_all_recvfrom_unlabeled(hald_dccm_t)
corenet_all_recvfrom_netlabel(hald_dccm_t)
corenet_tcp_sendrecv_generic_if(hald_dccm_t)
corenet_udp_sendrecv_generic_if(hald_dccm_t)
corenet_tcp_sendrecv_generic_node(hald_dccm_t)
corenet_udp_sendrecv_generic_node(hald_dccm_t)
corenet_tcp_sendrecv_all_ports(hald_dccm_t)
corenet_udp_sendrecv_all_ports(hald_dccm_t)
corenet_tcp_bind_generic_node(hald_dccm_t)
corenet_udp_bind_generic_node(hald_dccm_t)
corenet_udp_bind_dhcpc_port(hald_dccm_t)
corenet_tcp_bind_ftp_port(hald_dccm_t)
corenet_tcp_bind_dccm_port(hald_dccm_t)

logging_send_syslog_msg(hald_dccm_t)

files_read_usr_files(hald_dccm_t)

miscfiles_read_localization(hald_dccm_t)

optional_policy(`
	hal_dontaudit_rw_dgram_sockets(hald_dccm_t)
')

optional_policy(`
	dbus_system_bus_client(hald_dccm_t)
')
Commit	Line	Data
29af4c13	1	policy_module(hal, 1.13.0)
fdae8e75 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
	8	type hald_t;
	9	type hald_exec_t;
0bfccda4	10	init_daemon_domain(hald_t, hald_exec_t)
fdae8e75	11
12217cc2 CP	12	type hald_acl_t;
	13	type hald_acl_exec_t;
	14	domain_type(hald_acl_t)
0bfccda4	15	domain_entry_file(hald_acl_t, hald_acl_exec_t)
12217cc2 CP	16	role system_r types hald_acl_t;
	17
	18	type hald_cache_t;
	19	files_pid_file(hald_cache_t)
	20
9de7c170 CP	21	type hald_dccm_t;
	22	type hald_dccm_exec_t;
	23	domain_type(hald_dccm_t)
	24	domain_entry_file(hald_dccm_t, hald_dccm_exec_t)
	25	role system_r types hald_dccm_t;
	26
016e5c5c CP	27	type hald_keymap_t;
	28	type hald_keymap_exec_t;
	29	domain_type(hald_keymap_t)
0bfccda4	30	domain_entry_file(hald_keymap_t, hald_keymap_exec_t)
016e5c5c CP	31	role system_r types hald_keymap_t;
016e5c5c CP	32
12217cc2	33	type hald_log_t;
7e11b740	34	logging_log_file(hald_log_t)
12217cc2 CP	35
	36	type hald_mac_t;
	37	type hald_mac_exec_t;
	38	domain_type(hald_mac_t)
0bfccda4	39	domain_entry_file(hald_mac_t, hald_mac_exec_t)
12217cc2 CP	40	role system_r types hald_mac_t;
	41
	42	type hald_sonypic_t;
	43	type hald_sonypic_exec_t;
	44	domain_type(hald_sonypic_t)
0bfccda4	45	domain_entry_file(hald_sonypic_t, hald_sonypic_exec_t)
12217cc2 CP	46	role system_r types hald_sonypic_t;
12217cc2 CP	47
fdae8e75 CP	48	type hald_tmp_t;
	49	files_tmp_file(hald_tmp_t)
	50
	51	type hald_var_run_t;
	52	files_pid_file(hald_var_run_t)
	53
d6d16b97 CP	54	type hald_var_lib_t;
	55	files_type(hald_var_lib_t)
	56
3eaa9939 DW	57	typealias hald_log_t alias pmtools_log_t;
	58	typealias hald_var_run_t alias pmtools_var_run_t;
	59
a1fcff33 CP	60	########################################
	61	#
	62	# Local policy
	63	#
	64
9cca1cd5	65	# execute openvt which needs setuid
c0868a7a	66	allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
995bdbb1	67	dontaudit hald_t self:capability sys_tty_config;
b0c2cae1	68	allow hald_t self:process { getsched getattr signal_perms };
c0868a7a	69	allow hald_t self:fifo_file rw_fifo_file_perms;
0907bda1	70	allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
fdae8e75	71	allow hald_t self:unix_dgram_socket create_socket_perms;
0907bda1	72	allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
fdae8e75	73	allow hald_t self:tcp_socket create_stream_socket_perms;
162dfc33	74	allow hald_t self:udp_socket create_socket_perms;
0907bda1 CP	75	# For backwards compatibility with older kernels
0907bda1 CP	76	allow hald_t self:netlink_socket create_socket_perms;
fdae8e75	77
0bfccda4	78	manage_files_pattern(hald_t, hald_cache_t, hald_cache_t)
12217cc2 CP	79
12217cc2 CP	80	# log files for hald
131634a5	81	manage_files_pattern(hald_t, hald_log_t, hald_log_t)
0bfccda4	82	logging_log_filetrans(hald_t, hald_log_t, file)
12217cc2	83
0bfccda4 CP	84	manage_dirs_pattern(hald_t, hald_tmp_t, hald_tmp_t)
0bfccda4 CP	85	manage_files_pattern(hald_t, hald_tmp_t, hald_tmp_t)
103fe280	86	files_tmp_filetrans(hald_t, hald_tmp_t, { file dir })
fdae8e75	87
d6d16b97	88	# var/lib files for hald
0bfccda4 CP	89	manage_dirs_pattern(hald_t, hald_var_lib_t, hald_var_lib_t)
	90	manage_files_pattern(hald_t, hald_var_lib_t, hald_var_lib_t)
	91	manage_sock_files_pattern(hald_t, hald_var_lib_t, hald_var_lib_t)
d6d16b97	92
131634a5	93	manage_dirs_pattern(hald_t, hald_var_run_t, hald_var_run_t)
0bfccda4	94	manage_files_pattern(hald_t, hald_var_run_t, hald_var_run_t)
131634a5	95	files_pid_filetrans(hald_t, hald_var_run_t, { dir file })
fdae8e75 CP	96
	97	kernel_read_system_state(hald_t)
	98	kernel_read_network_state(hald_t)
016e5c5c	99	kernel_read_software_raid_state(hald_t)
12217cc2	100	kernel_rw_kernel_sysctl(hald_t)
445522dc	101	kernel_read_fs_sysctls(hald_t)
12217cc2	102	kernel_rw_irq_sysctls(hald_t)
a3cf80d8	103	kernel_rw_vm_sysctls(hald_t)
445522dc	104	kernel_write_proc_files(hald_t)
3eaa9939	105	kernel_rw_net_sysctls(hald_t)
131634a5	106	kernel_setsched(hald_t)
21673b23	107	kernel_request_load_module(hald_t)
fdae8e75	108
8cfa5a00	109	auth_read_pam_console_data(hald_t)
93727e3f	110
fb63d0b5	111	corecmd_exec_all_executables(hald_t)
049e11af	112
19006686 CP	113	corenet_all_recvfrom_unlabeled(hald_t)
19006686 CP	114	corenet_all_recvfrom_netlabel(hald_t)
668b3093 CP	115	corenet_tcp_sendrecv_generic_if(hald_t)
668b3093 CP	116	corenet_udp_sendrecv_generic_if(hald_t)
c1262146 CP	117	corenet_tcp_sendrecv_generic_node(hald_t)
c1262146 CP	118	corenet_udp_sendrecv_generic_node(hald_t)
fdae8e75	119	corenet_tcp_sendrecv_all_ports(hald_t)
162dfc33	120	corenet_udp_sendrecv_all_ports(hald_t)
fdae8e75	121
a1fcff33	122	dev_rw_usbfs(hald_t)
b0c2cae1	123	dev_read_rand(hald_t)
fdae8e75 CP	124	dev_read_urand(hald_t)
fdae8e75 CP	125	dev_read_input(hald_t)
a0824843	126	dev_read_mouse(hald_t)
fdae8e75	127	dev_rw_printer(hald_t)
a1fcff33	128	dev_read_lvm_control(hald_t)
a0824843	129	dev_getattr_all_chr_files(hald_t)
207c4763	130	dev_manage_generic_chr_files(hald_t)
3eaa9939	131	dev_manage_generic_blk_files(hald_t)
a3cf80d8	132	dev_rw_generic_usb_dev(hald_t)
c655ec47 CP	133	dev_setattr_generic_usb_dev(hald_t)
c655ec47 CP	134	dev_setattr_usbfs_files(hald_t)
d9845ae9	135	dev_rw_power_management(hald_t)
131634a5	136	dev_read_raw_memory(hald_t)
049e11af CP	137	# hal is now execing pm-suspend
049e11af CP	138	dev_rw_sysfs(hald_t)
131634a5	139	dev_read_video_dev(hald_t)
049e11af	140
15722ec9	141	domain_use_interactive_fds(hald_t)
5dbda555	142	domain_read_all_domains_state(hald_t)
12217cc2	143	domain_dontaudit_ptrace_all_domains(hald_t)
049e11af CP	144
	145	files_exec_etc_files(hald_t)
	146	files_read_etc_files(hald_t)
5b0ba2e1	147	files_read_etc_runtime_files(hald_t)
049e11af	148	files_rw_etc_runtime_files(hald_t)
a77e6524	149	files_manage_mnt_dirs(hald_t)
93727e3f	150	files_manage_mnt_files(hald_t)
d9845ae9	151	files_manage_mnt_symlinks(hald_t)
049e11af CP	152	files_search_var_lib(hald_t)
	153	files_read_usr_files(hald_t)
	154	# hal is now execing pm-suspend
	155	files_create_boot_flag(hald_t)
165b42d2	156	files_getattr_all_dirs(hald_t)
9de7c170	157	files_getattr_all_files(hald_t)
87eb5c84	158	files_read_kernel_img(hald_t)
016e5c5c	159	files_rw_lock_dirs(hald_t)
9de7c170	160	files_read_generic_pids(hald_t)
fdae8e75 CP	161
fdae8e75 CP	162	fs_getattr_all_fs(hald_t)
a1fcff33	163	fs_search_all(hald_t)
12217cc2	164	fs_list_inotifyfs(hald_t)
0f27d98d	165	fs_list_auto_mountpoints(hald_t)
21673b23 CP	166	fs_mount_dos_fs(hald_t)
	167	fs_unmount_dos_fs(hald_t)
	168	fs_manage_dos_files(hald_t)
	169	fs_manage_fusefs_dirs(hald_t)
b0c2cae1	170	fs_rw_removable_blk_files(hald_t)
21673b23	171
cdc86ee5	172	files_getattr_all_mountpoints(hald_t)
f44f7566	173	files_read_kernel_modules(hald_t)
fdae8e75	174
f8233ab7	175	mls_file_read_all_levels(hald_t)
a77e6524	176
a0824843 CP	177	selinux_get_fs_mount(hald_t)
	178	selinux_validate_context(hald_t)
	179	selinux_compute_access_vector(hald_t)
	180	selinux_compute_create_context(hald_t)
	181	selinux_compute_relabel_context(hald_t)
	182	selinux_compute_user_contexts(hald_t)
	183
fdae8e75	184	storage_raw_read_removable_device(hald_t)
af23450c	185	storage_raw_write_removable_device(hald_t)
fdae8e75 CP	186	storage_raw_read_fixed_disk(hald_t)
	187	storage_raw_write_fixed_disk(hald_t)
	188
693d4aed CP	189	# hal_probe_serial causes these
693d4aed CP	190	term_setattr_unallocated_ttys(hald_t)
b0c2cae1	191	term_use_unallocated_ttys(hald_t)
693d4aed	192
2dbd3824 CP	193	auth_use_nsswitch(hald_t)
2dbd3824 CP	194
9cca1cd5	195	init_domtrans_script(hald_t)
51a89cc5	196	init_read_utmp(hald_t)
b0d2243c CP	197	#hal runs shutdown, probably need a shutdown domain
b0d2243c CP	198	init_rw_utmp(hald_t)
12217cc2	199	init_telinit(hald_t)
fdae8e75	200
fdae8e75 CP	201	libs_exec_ld_so(hald_t)
	202	libs_exec_lib_files(hald_t)
	203
d5b81a81	204	logging_send_audit_msgs(hald_t)
fdae8e75	205	logging_send_syslog_msg(hald_t)
8cf67141	206	logging_search_logs(hald_t)
fdae8e75 CP	207
fdae8e75 CP	208	miscfiles_read_localization(hald_t)
77f6e2cd	209	miscfiles_read_hwdata(hald_t)
fdae8e75 CP	210
	211	seutil_read_config(hald_t)
	212	seutil_read_default_contexts(hald_t)
016e5c5c	213	seutil_read_file_contexts(hald_t)
fdae8e75	214
3eaa9939	215	sysnet_delete_dhcpc_pid(hald_t)
9de7c170	216	sysnet_domtrans_dhcpc(hald_t)
21673b23	217	sysnet_domtrans_ifconfig(hald_t)
3eaa9939	218	sysnet_read_config(hald_t)
21673b23	219	sysnet_read_dhcp_config(hald_t)
3eaa9939 DW	220	sysnet_read_dhcpc_pid(hald_t)
3eaa9939 DW	221	sysnet_signal_dhcpc(hald_t)
fdae8e75	222
15722ec9	223	userdom_dontaudit_use_unpriv_user_fds(hald_t)
296273a7	224	userdom_dontaudit_search_user_home_dirs(hald_t)
03527520	225	userdom_stream_connect(hald_t)
fdae8e75	226
2371d8d8 MG	227	optional_policy(`
	228	netutils_domtrans(hald_t)
	229	')
079779a6	230
12217cc2	231	optional_policy(`
016e5c5c	232	alsa_domtrans(hald_t)
12217cc2 CP	233	alsa_read_rw_config(hald_t)
	234	')
	235
46551033 CP	236	optional_policy(`
	237	bootloader_domtrans(hald_t)
	238	')
	239
bb7170f6	240	optional_policy(`
725926c5 CP	241	# For /usr/libexec/hald-addon-acpi
	242	# writes to /var/run/acpid.socket
	243	apm_stream_connect(hald_t)
	244	')
	245
bb7170f6	246	optional_policy(`
93727e3f CP	247	bind_search_cache(hald_t)
	248	')
	249
46551033 CP	250	optional_policy(`
	251	bluetooth_domtrans(hald_t)
	252	')
	253
bb7170f6	254	optional_policy(`
9cca1cd5 CP	255	clock_domtrans(hald_t)
	256	')
	257
bb7170f6	258	optional_policy(`
725926c5	259	cups_domtrans_config(hald_t)
9fd4b818	260	cups_signal_config(hald_t)
725926c5 CP	261	')
725926c5 CP	262
bb7170f6	263	optional_policy(`
f4dc1988	264	dbus_system_domain(hald_t, hald_exec_t)
d828b5ca	265
f525b49e CP	266	init_dbus_chat_script(hald_t)
f525b49e CP	267
bb7170f6	268	optional_policy(`
d828b5ca CP	269	networkmanager_dbus_chat(hald_t)
d828b5ca CP	270	')
fdae8e75 CP	271	')
fdae8e75 CP	272
e160b2c6 MG	273	optional_policy(`
	274	# for pm-suspend.lock in /var/run/pm-utils/
	275	devicekit_manage_pid_files(hald_t)
	276	')
	277
bb7170f6	278	optional_policy(`
20e306e2 CP	279	# For /usr/libexec/hald-probe-smbios
	280	dmidecode_domtrans(hald_t)
	281	')
	282
3eaa9939 DW	283	optional_policy(`
	284	gnome_read_config(hald_t)
	285	')
	286
131634a5 CP	287	optional_policy(`
	288	gpm_dontaudit_getattr_gpmctl(hald_t)
	289	')
	290
e689c53a MG	291	optional_policy(`
	292	fstools_getattr_swap_files(hald_t)
	293	')
	294
bb7170f6	295	optional_policy(`
fdae8e75 CP	296	hotplug_read_config(hald_t)
	297	')
	298
bb7170f6	299	optional_policy(`
a3cf80d8 CP	300	lvm_domtrans(hald_t)
	301	')
	302
2371d8d8 MG	303	optional_policy(`
	304	modutils_domtrans_insmod(hald_t)
	305	modutils_read_module_deps(hald_t)
	306	')
	307
bb7170f6	308	optional_policy(`
a1fcff33 CP	309	mount_domtrans(hald_t)
	310	')
	311
72492557	312	optional_policy(`
6073ea1e	313	ntp_domtrans(hald_t)
72492557 CP	314	')
72492557 CP	315
bb7170f6	316	optional_policy(`
603f90ab	317	pcmcia_manage_pid(hald_t)
1815bad1	318	pcmcia_manage_pid_chr_files(hald_t)
603f90ab CP	319	')
603f90ab CP	320
131634a5 CP	321	optional_policy(`
	322	podsleuth_domtrans(hald_t)
	323	')
	324
9de7c170	325	optional_policy(`
b0c2cae1	326	ppp_domtrans(hald_t)
9de7c170 CP	327	ppp_read_rw_config(hald_t)
	328	')
	329
	330	optional_policy(`
68ac47d8	331	policykit_dbus_chat(hald_t)
9de7c170 CP	332	policykit_domtrans_auth(hald_t)
	333	policykit_domtrans_resolve(hald_t)
	334	policykit_read_lib(hald_t)
	335	policykit_read_reload(hald_t)
	336	')
	337
bb7170f6	338	optional_policy(`
a77e6524 CP	339	rpc_search_nfs_state_data(hald_t)
	340	')
	341
bb7170f6	342	optional_policy(`
fdae8e75 CP	343	seutil_sigchld_newrole(hald_t)
	344	')
	345
3eaa9939 DW	346	optional_policy(`
3eaa9939 DW	347	shutdown_domtrans(hald_t)
68ac47d8	348	')
3eaa9939	349
bb7170f6	350	optional_policy(`
fdae8e75 CP	351	udev_domtrans(hald_t)
	352	udev_read_db(hald_t)
	353	')
	354
b0c2cae1 CP	355	optional_policy(`
	356	usbmuxd_stream_connect(hald_t)
	357	')
	358
bb7170f6	359	optional_policy(`
fdae8e75 CP	360	updfstab_domtrans(hald_t)
	361	')
	362
bb7170f6	363	optional_policy(`
9cca1cd5 CP	364	vbetool_domtrans(hald_t)
9cca1cd5 CP	365	')
12217cc2	366
fcee22ad CP	367	optional_policy(`
	368	virt_manage_images(hald_t)
	369	')
	370
3eaa9939 DW	371	optional_policy(`
	372	xserver_read_pid(hald_t)
	373	')
	374
12217cc2 CP	375	########################################
	376	#
	377	# Hal acl local policy
	378	#
	379
9de7c170	380	allow hald_acl_t self:capability { dac_override fowner sys_resource };
131634a5 CP	381	allow hald_acl_t self:process { getattr signal };
131634a5 CP	382	allow hald_acl_t self:fifo_file rw_fifo_file_perms;
12217cc2 CP	383
	384	domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
	385	allow hald_t hald_acl_t:process signal;
	386	allow hald_acl_t hald_t:unix_stream_socket connectto;
	387
0bfccda4 CP	388	manage_dirs_pattern(hald_acl_t, hald_var_lib_t, hald_var_lib_t)
0bfccda4 CP	389	manage_files_pattern(hald_acl_t, hald_var_lib_t, hald_var_lib_t)
12217cc2 CP	390	files_search_var_lib(hald_acl_t)
12217cc2 CP	391
131634a5 CP	392	manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
	393	manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
	394	files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
3eaa9939	395	allow hald_t hald_var_run_t:dir mounton;
131634a5	396
12217cc2 CP	397	corecmd_exec_bin(hald_acl_t)
	398
	399	dev_getattr_all_chr_files(hald_acl_t)
131634a5	400	dev_setattr_all_chr_files(hald_acl_t)
016e5c5c CP	401	dev_getattr_generic_usb_dev(hald_acl_t)
016e5c5c CP	402	dev_getattr_video_dev(hald_acl_t)
12217cc2	403	dev_setattr_video_dev(hald_acl_t)
016e5c5c	404	dev_getattr_sound_dev(hald_acl_t)
12217cc2 CP	405	dev_setattr_sound_dev(hald_acl_t)
	406	dev_setattr_generic_usb_dev(hald_acl_t)
	407	dev_setattr_usbfs_files(hald_acl_t)
	408
	409	files_read_usr_files(hald_acl_t)
	410	files_read_etc_files(hald_acl_t)
	411
21673b23 CP	412	fs_getattr_all_fs(hald_acl_t)
21673b23 CP	413
12217cc2 CP	414	storage_getattr_removable_dev(hald_acl_t)
12217cc2 CP	415	storage_setattr_removable_dev(hald_acl_t)
9de7c170 CP	416	storage_getattr_fixed_disk_dev(hald_acl_t)
9de7c170 CP	417	storage_setattr_fixed_disk_dev(hald_acl_t)
12217cc2 CP	418
	419	auth_use_nsswitch(hald_acl_t)
	420
fcee22ad CP	421	logging_send_syslog_msg(hald_acl_t)
fcee22ad CP	422
12217cc2 CP	423	miscfiles_read_localization(hald_acl_t)
12217cc2 CP	424
9de7c170	425	optional_policy(`
68ac47d8	426	policykit_dbus_chat(hald_acl_t)
9de7c170 CP	427	policykit_domtrans_auth(hald_acl_t)
	428	policykit_read_lib(hald_acl_t)
	429	policykit_read_reload(hald_acl_t)
	430	')
	431
12217cc2 CP	432	########################################
	433	#
	434	# Local hald mac policy
	435	#
	436
9de7c170	437	allow hald_mac_t self:capability { setgid setuid sys_admin };
fcee22ad	438
12217cc2 CP	439	domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
	440	allow hald_t hald_mac_t:process signal;
	441	allow hald_mac_t hald_t:unix_stream_socket connectto;
	442
0bfccda4 CP	443	manage_dirs_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t)
0bfccda4 CP	444	manage_files_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t)
12217cc2 CP	445	files_search_var_lib(hald_mac_t)
12217cc2 CP	446
fcee22ad CP	447	write_files_pattern(hald_mac_t, hald_log_t, hald_log_t)
fcee22ad CP	448
131634a5 CP	449	kernel_read_system_state(hald_mac_t)
	450
	451	dev_read_raw_memory(hald_mac_t)
12217cc2	452	dev_write_raw_memory(hald_mac_t)
131634a5	453	dev_read_sysfs(hald_mac_t)
12217cc2 CP	454
12217cc2 CP	455	files_read_usr_files(hald_mac_t)
fcee22ad CP	456	files_read_etc_files(hald_mac_t)
	457
	458	auth_use_nsswitch(hald_mac_t)
12217cc2	459
9de7c170 CP	460	logging_send_syslog_msg(hald_mac_t)
9de7c170 CP	461
12217cc2 CP	462	miscfiles_read_localization(hald_mac_t)
12217cc2 CP	463
12217cc2 CP	464	########################################
	465	#
	466	# Local hald sonypic policy
	467	#
	468
	469	domtrans_pattern(hald_t, hald_sonypic_exec_t, hald_sonypic_t)
	470	allow hald_t hald_sonypic_t:process signal;
	471	allow hald_sonypic_t hald_t:unix_stream_socket connectto;
	472
	473	dev_read_video_dev(hald_sonypic_t)
	474	dev_write_video_dev(hald_sonypic_t)
	475
0bfccda4 CP	476	manage_dirs_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t)
0bfccda4 CP	477	manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t)
12217cc2 CP	478	files_search_var_lib(hald_sonypic_t)
12217cc2 CP	479
fcee22ad CP	480	write_files_pattern(hald_sonypic_t, hald_log_t, hald_log_t)
fcee22ad CP	481
12217cc2 CP	482	files_read_usr_files(hald_sonypic_t)
12217cc2 CP	483
12217cc2 CP	484	miscfiles_read_localization(hald_sonypic_t)
12217cc2 CP	485
016e5c5c CP	486	########################################
	487	#
	488	# Hal keymap local policy
	489	#
	490
	491	domtrans_pattern(hald_t, hald_keymap_exec_t, hald_keymap_t)
	492	allow hald_t hald_keymap_t:process signal;
	493	allow hald_keymap_t hald_t:unix_stream_socket connectto;
	494
0bfccda4 CP	495	manage_dirs_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t)
0bfccda4 CP	496	manage_files_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t)
016e5c5c CP	497	files_search_var_lib(hald_keymap_t)
016e5c5c CP	498
fcee22ad CP	499	write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
fcee22ad CP	500
016e5c5c CP	501	dev_rw_input_dev(hald_keymap_t)
016e5c5c CP	502
9de7c170	503	files_read_etc_files(hald_keymap_t)
016e5c5c CP	504	files_read_usr_files(hald_keymap_t)
016e5c5c CP	505
016e5c5c	506	miscfiles_read_localization(hald_keymap_t)
3eaa9939	507
e689c53a MG	508	optional_policy(`
	509	# This is caused by a bug in hald and PolicyKit.
	510	# Should be removed when this is fixed
	511	cron_read_system_job_lib_files(hald_t)
	512	')
9de7c170 CP	513
	514	########################################
	515	#
	516	# Local hald dccm policy
	517	#
	518
21673b23	519	allow hald_dccm_t self:capability { chown net_bind_service };
9de7c170	520	allow hald_dccm_t self:process getsched;
21673b23	521	allow hald_dccm_t self:fifo_file rw_fifo_file_perms;
9de7c170 CP	522	allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
	523	allow hald_dccm_t self:udp_socket create_socket_perms;
	524	allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms;
	525
	526	domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t)
	527	allow hald_t hald_dccm_t:process signal;
	528	allow hald_dccm_t hald_t:unix_stream_socket connectto;
	529
	530	manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
	531	manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
	532	files_search_var_lib(hald_dccm_t)
	533
21673b23 CP	534	manage_dirs_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
	535	manage_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
	536	manage_sock_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
	537	files_pid_filetrans(hald_dccm_t, hald_var_run_t, { dir file sock_file })
	538
	539	manage_sock_files_pattern(hald_dccm_t, hald_tmp_t, hald_tmp_t)
	540	files_tmp_filetrans(hald_dccm_t, hald_tmp_t, sock_file)
	541
9de7c170 CP	542	write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t)
	543
	544	kernel_search_network_sysctl(hald_dccm_t)
	545
21673b23 CP	546	dev_read_urand(hald_dccm_t)
21673b23 CP	547
9de7c170 CP	548	corenet_all_recvfrom_unlabeled(hald_dccm_t)
	549	corenet_all_recvfrom_netlabel(hald_dccm_t)
	550	corenet_tcp_sendrecv_generic_if(hald_dccm_t)
	551	corenet_udp_sendrecv_generic_if(hald_dccm_t)
	552	corenet_tcp_sendrecv_generic_node(hald_dccm_t)
	553	corenet_udp_sendrecv_generic_node(hald_dccm_t)
	554	corenet_tcp_sendrecv_all_ports(hald_dccm_t)
	555	corenet_udp_sendrecv_all_ports(hald_dccm_t)
	556	corenet_tcp_bind_generic_node(hald_dccm_t)
	557	corenet_udp_bind_generic_node(hald_dccm_t)
	558	corenet_udp_bind_dhcpc_port(hald_dccm_t)
21673b23	559	corenet_tcp_bind_ftp_port(hald_dccm_t)
9de7c170 CP	560	corenet_tcp_bind_dccm_port(hald_dccm_t)
	561
	562	logging_send_syslog_msg(hald_dccm_t)
	563
	564	files_read_usr_files(hald_dccm_t)
	565
	566	miscfiles_read_localization(hald_dccm_t)
21673b23	567
e689c53a MG	568	optional_policy(`
	569	hal_dontaudit_rw_dgram_sockets(hald_dccm_t)
	570	')
21673b23 CP	571
	572	optional_policy(`
	573	dbus_system_bus_client(hald_dccm_t)
	574	')