[people/stevee/selinux-policy.git] / policy / modules / services / plymouthd.te

policy_module(plymouthd, 1.0.1)

########################################
#
# Declarations
#

type plymouth_t;
type plymouth_exec_t;
application_domain(plymouth_t, plymouth_exec_t)
role system_r types plymouth_t;

type plymouthd_t;
type plymouthd_exec_t;
init_daemon_domain(plymouthd_t, plymouthd_exec_t)

type plymouthd_spool_t;
files_spool_file(plymouthd_spool_t)

type plymouthd_var_lib_t;
files_type(plymouthd_var_lib_t)

type plymouthd_var_log_t;
logging_log_file(plymouthd_var_log_t)

type plymouthd_var_run_t;
files_pid_file(plymouthd_var_run_t)

########################################
#
# Plymouthd private policy
#

allow plymouthd_t self:capability { sys_admin sys_tty_config };
dontaudit plymouthd_t self:capability dac_override;
allow plymouthd_t self:process { signal getsched };
allow plymouthd_t self:fifo_file rw_fifo_file_perms;
allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;

manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
files_spool_filetrans(plymouthd_t, plymouthd_spool_t, { file dir sock_file })

manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })

manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
manage_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })

manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })

kernel_read_system_state(plymouthd_t)
kernel_request_load_module(plymouthd_t)
kernel_change_ring_buffer_level(plymouthd_t)

dev_rw_dri(plymouthd_t)
dev_read_sysfs(plymouthd_t)
dev_read_framebuffer(plymouthd_t)
dev_write_framebuffer(plymouthd_t)

domain_use_interactive_fds(plymouthd_t)

files_read_etc_files(plymouthd_t)
files_read_usr_files(plymouthd_t)

term_use_unallocated_ttys(plymouthd_t)

init_signal(plymouthd_t)

logging_link_generic_logs(plymouthd_t)
logging_delete_generic_logs(plymouthd_t)

auth_read_passwd(plymouthd_t)

miscfiles_read_localization(plymouthd_t)
miscfiles_read_fonts(plymouthd_t)
miscfiles_manage_fonts_cache(plymouthd_t)

userdom_read_admin_home_files(plymouthd_t)

optional_policy(`
	sssd_stream_connect(plymouthd_t)
')

optional_policy(`
	xserver_xdm_manage_spool(plymouthd_t)
	xserver_read_state_xdm(plymouthd_t)
')

term_use_unallocated_ttys(plymouthd_t)

########################################
#
# Plymouth private policy
#

allow plymouth_t self:process signal;
allow plymouth_t self:fifo_file rw_file_perms;
allow plymouth_t self:unix_stream_socket create_stream_socket_perms;

kernel_read_system_state(plymouth_t)
kernel_stream_connect(plymouth_t)

domain_use_interactive_fds(plymouth_t)

files_read_etc_files(plymouth_t)

term_use_ptmx(plymouth_t)

miscfiles_read_localization(plymouth_t)

sysnet_read_config(plymouth_t)

plymouthd_stream_connect(plymouth_t)

ifdef(`hide_broken_symptoms',`
	optional_policy(`
		hal_dontaudit_write_log(plymouth_t)
		hal_dontaudit_rw_pipes(plymouth_t)
	')
')

optional_policy(`
	lvm_domtrans(plymouth_t)
')
Commit	Line	Data
eaf051cb	1	policy_module(plymouthd, 1.0.1)
e9e43f04 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
	8	type plymouth_t;
	9	type plymouth_exec_t;
	10	application_domain(plymouth_t, plymouth_exec_t)
34fb7f99	11	role system_r types plymouth_t;
e9e43f04 CP	12
	13	type plymouthd_t;
	14	type plymouthd_exec_t;
	15	init_daemon_domain(plymouthd_t, plymouthd_exec_t)
	16
	17	type plymouthd_spool_t;
0059652b	18	files_spool_file(plymouthd_spool_t)
e9e43f04 CP	19
	20	type plymouthd_var_lib_t;
	21	files_type(plymouthd_var_lib_t)
	22
49a4c0bf DW	23	type plymouthd_var_log_t;
	24	logging_log_file(plymouthd_var_log_t)
	25
e9e43f04 CP	26	type plymouthd_var_run_t;
	27	files_pid_file(plymouthd_var_run_t)
	28
	29	########################################
	30	#
	31	# Plymouthd private policy
	32	#
	33
	34	allow plymouthd_t self:capability { sys_admin sys_tty_config };
	35	dontaudit plymouthd_t self:capability dac_override;
b083ce80	36	allow plymouthd_t self:process { signal getsched };
e9e43f04 CP	37	allow plymouthd_t self:fifo_file rw_fifo_file_perms;
	38	allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
	39
	40	manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
	41	manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
	42	manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
	43	files_spool_filetrans(plymouthd_t, plymouthd_spool_t, { file dir sock_file })
	44
	45	manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
	46	manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
	47	files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
	48
49a4c0bf DW	49	manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
	50	manage_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
	51	logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })
	52
e9e43f04 CP	53	manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
	54	manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
	55	files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
	56
	57	kernel_read_system_state(plymouthd_t)
	58	kernel_request_load_module(plymouthd_t)
	59	kernel_change_ring_buffer_level(plymouthd_t)
	60
	61	dev_rw_dri(plymouthd_t)
	62	dev_read_sysfs(plymouthd_t)
	63	dev_read_framebuffer(plymouthd_t)
	64	dev_write_framebuffer(plymouthd_t)
	65
	66	domain_use_interactive_fds(plymouthd_t)
	67
	68	files_read_etc_files(plymouthd_t)
	69	files_read_usr_files(plymouthd_t)
	70
3eaa9939 DW	71	term_use_unallocated_ttys(plymouthd_t)
3eaa9939 DW	72
d98b86a3 DW	73	init_signal(plymouthd_t)
d98b86a3 DW	74
fb5c4713	75	logging_link_generic_logs(plymouthd_t)
1c8f1ec0 DW	76	logging_delete_generic_logs(plymouthd_t)
1c8f1ec0 DW	77
9cb77bf5	78	auth_read_passwd(plymouthd_t)
9cb77bf5	79
e9e43f04 CP	80	miscfiles_read_localization(plymouthd_t)
	81	miscfiles_read_fonts(plymouthd_t)
	82	miscfiles_manage_fonts_cache(plymouthd_t)
	83
3eaa9939 DW	84	userdom_read_admin_home_files(plymouthd_t)
3eaa9939 DW	85
7ede9652 DW	86	optional_policy(`
	87	sssd_stream_connect(plymouthd_t)
	88	')
	89
6920ca91 MG	90	optional_policy(`
6920ca91 MG	91	xserver_xdm_manage_spool(plymouthd_t)
3c4ce924	92	xserver_read_state_xdm(plymouthd_t)
6920ca91 MG	93	')
6920ca91 MG	94
5bdf2458 DW	95	term_use_unallocated_ttys(plymouthd_t)
5bdf2458 DW	96
e9e43f04 CP	97	########################################
	98	#
	99	# Plymouth private policy
	100	#
	101
	102	allow plymouth_t self:process signal;
	103	allow plymouth_t self:fifo_file rw_file_perms;
	104	allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
	105
	106	kernel_read_system_state(plymouth_t)
3eaa9939	107	kernel_stream_connect(plymouth_t)
e9e43f04 CP	108
	109	domain_use_interactive_fds(plymouth_t)
	110
	111	files_read_etc_files(plymouth_t)
	112
	113	term_use_ptmx(plymouth_t)
	114
	115	miscfiles_read_localization(plymouth_t)
	116
	117	sysnet_read_config(plymouth_t)
	118
	119	plymouthd_stream_connect(plymouth_t)
	120
18f2a72d	121	ifdef(`hide_broken_symptoms',`
e9e43f04 CP	122	optional_policy(`
	123	hal_dontaudit_write_log(plymouth_t)
	124	hal_dontaudit_rw_pipes(plymouth_t)
	125	')
	126	')
	127
	128	optional_policy(`
	129	lvm_domtrans(plymouth_t)
	130	')