policy_module(plymouthd, 1.0.1)

########################################
#
# Declarations
#

# plymouth client domain and the executable type that enters it.
type plymouth_t;
type plymouth_exec_t;
application_domain(plymouth_t, plymouth_exec_t)
role system_r types plymouth_t;

# plymouthd daemon domain; init_daemon_domain sets up the transition
# from init on execution of plymouthd_exec_t.
type plymouthd_t;
type plymouthd_exec_t;
init_daemon_domain(plymouthd_t, plymouthd_exec_t)

# Private file types, one per location the daemon writes to, so that
# its spool, state, log and pid files are not shared with other domains.
type plymouthd_spool_t;
files_spool_file(plymouthd_spool_t)

type plymouthd_var_lib_t;
files_type(plymouthd_var_lib_t)

type plymouthd_var_log_t;
logging_log_file(plymouthd_var_log_t)

type plymouthd_var_run_t;
files_pid_file(plymouthd_var_run_t)

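########################################
#
# Plymouthd private policy
#

# NOTE(review): sys_admin is a broad capability; confirm the daemon still
# needs it rather than a narrower one before extending this set.
allow plymouthd_t self:capability { sys_admin sys_tty_config };
dontaudit plymouthd_t self:capability dac_override;
allow plymouthd_t self:process { signal getsched };
allow plymouthd_t self:fifo_file rw_fifo_file_perms;
allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;

# Spool area: directories, files and the client socket are created here
# and labelled with the private spool type.
manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
files_spool_filetrans(plymouthd_t, plymouthd_spool_t, { file dir sock_file })

# Persistent state under /var/lib.
manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })

# Private log files.
manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
manage_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })

# Runtime/pid files.
manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })

# Kernel interaction: read /proc state, ask for module loads, and adjust
# the console log level of the kernel ring buffer.
kernel_read_system_state(plymouthd_t)
kernel_request_load_module(plymouthd_t)
kernel_change_ring_buffer_level(plymouthd_t)

# Graphics output: DRI devices, sysfs and the framebuffer.
dev_rw_dri(plymouthd_t)
dev_read_sysfs(plymouthd_t)
dev_read_framebuffer(plymouthd_t)
dev_write_framebuffer(plymouthd_t)

domain_use_interactive_fds(plymouthd_t)

files_read_etc_files(plymouthd_t)
files_read_usr_files(plymouthd_t)

# Single call is sufficient; a duplicate invocation that used to follow
# the xserver block has been folded into this one.
term_use_unallocated_ttys(plymouthd_t)

init_signal(plymouthd_t)

# Link and delete generic log files (not just the private log type).
logging_link_generic_logs(plymouthd_t)
logging_delete_generic_logs(plymouthd_t)

auth_read_passwd(plymouthd_t)

miscfiles_read_localization(plymouthd_t)
miscfiles_read_fonts(plymouthd_t)
miscfiles_manage_fonts_cache(plymouthd_t)

userdom_read_admin_home_files(plymouthd_t)

optional_policy(`
	sssd_stream_connect(plymouthd_t)
')

optional_policy(`
	xserver_xdm_manage_spool(plymouthd_t)
	xserver_read_state_xdm(plymouthd_t)
')
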
e9e43f04 CP |
97 | ######################################## |
98 | # | |
99 | # Plymouth private policy | |
100 | # | |
101 | ||
102 | allow plymouth_t self:process signal; | |
103 | allow plymouth_t self:fifo_file rw_file_perms; | |
104 | allow plymouth_t self:unix_stream_socket create_stream_socket_perms; | |
105 | ||
106 | kernel_read_system_state(plymouth_t) | |
3eaa9939 | 107 | kernel_stream_connect(plymouth_t) |
e9e43f04 CP |
108 | |
109 | domain_use_interactive_fds(plymouth_t) | |
110 | ||
111 | files_read_etc_files(plymouth_t) | |
112 | ||
113 | term_use_ptmx(plymouth_t) | |
114 | ||
115 | miscfiles_read_localization(plymouth_t) | |
116 | ||
117 | sysnet_read_config(plymouth_t) | |
118 | ||
119 | plymouthd_stream_connect(plymouth_t) | |
120 | ||
18f2a72d | 121 | ifdef(`hide_broken_symptoms',` |
e9e43f04 CP |
122 | optional_policy(` |
123 | hal_dontaudit_write_log(plymouth_t) | |
124 | hal_dontaudit_rw_pipes(plymouth_t) | |
125 | ') | |
126 | ') | |
127 | ||
128 | optional_policy(` | |
129 | lvm_domtrans(plymouth_t) | |
130 | ') |