projects / people / stevee / selinux-policy.git / blame
| Commit | Line | Data |
|---|---|---|
| 4bf4ed9e | 1 | ## <summary> |
| 414e4151 CP |
2 | ## Policy for hotplug system, for supporting the |
| 3 | ## connection and disconnection of devices at runtime. | |
| 4bf4ed9e | 4 | ## </summary> |
| 6b93833b | 5 | |
| ac9db9b5 CP |
6 | ######################################## |
| 7 | ## <summary> | |
| 8 | ## Execute hotplug with a domain transition. | |
| 9 | ## </summary> | |
| 10 | ## <param name="domain"> | |
| 11 | ## <summary> | |
| a0546c9d | 12 | ## Domain allowed to transition. |
| ac9db9b5 CP |
13 | ## </summary> |
| 14 | ## </param> | |
| 6b93833b | 15 | # |
| 199895e2 | 16 | interface(`hotplug_domtrans',` |
| 139520a2 CP |
17 | gen_require(` |
| 18 | type hotplug_t, hotplug_exec_t; | |
| 139520a2 | 19 | ') |
| 0c73cd25 | 20 | |
| 8021cb4f | 21 | corecmd_search_bin($1) |
| 3f67f722 | 22 | domtrans_pattern($1, hotplug_exec_t, hotplug_t) |
| 6b93833b CP |
23 | ') |
| 24 | ||
| ac9db9b5 CP |
25 | ######################################## |
| 26 | ## <summary> | |
| 27 | ## Execute hotplug in the caller domain. | |
| 28 | ## </summary> | |
| 29 | ## <param name="domain"> | |
| 30 | ## <summary> | |
| 31 | ## Domain allowed access. | |
| 32 | ## </summary> | |
| 33 | ## </param> | |
| 6b93833b | 34 | # |
| 199895e2 | 35 | interface(`hotplug_exec',` |
| 139520a2 | 36 | gen_require(` |
| 5c339835 | 37 | type hotplug_exec_t; |
| 139520a2 | 38 | ') |
| 0c73cd25 | 39 | |
| 8021cb4f | 40 | corecmd_search_bin($1) |
| 3f67f722 | 41 | can_exec($1, hotplug_exec_t) |
| 6b93833b CP |
42 | ') |
| 43 | ||
| ac9db9b5 CP |
44 | ######################################## |
| 45 | ## <summary> | |
| 46 | ## Inherit and use hotplug file descriptors. | |
| 47 | ## </summary> | |
| 48 | ## <param name="domain"> | |
| 49 | ## <summary> | |
| 50 | ## Domain allowed access. | |
| 51 | ## </summary> | |
| 52 | ## </param> | |
| 6b93833b | 53 | # |
| 1c1ac67f | 54 | interface(`hotplug_use_fds',` |
| 139520a2 CP |
55 | gen_require(` |
| 56 | type hotplug_t; | |
| 139520a2 | 57 | ') |
| 0c73cd25 CP |
58 | |
| 59 | allow $1 hotplug_t:fd use; | |
| 6b93833b CP |
60 | ') |
| 61 | ||
| ac9db9b5 CP |
62 | ######################################## |
| 63 | ## <summary> | |
| 64 | ## Do not audit attempts to inherit | |
| 65 | ## hotplug file descriptors. | |
| 66 | ## </summary> | |
| 67 | ## <param name="domain"> | |
| 68 | ## <summary> | |
| 69 | ## Domain to not audit. | |
| 70 | ## </summary> | |
| 71 | ## </param> | |
| 13e94c09 | 72 | # |
| 1c1ac67f | 73 | interface(`hotplug_dontaudit_use_fds',` |
| 139520a2 CP |
74 | gen_require(` |
| 75 | type hotplug_t; | |
| 139520a2 | 76 | ') |
| 0c73cd25 CP |
77 | |
| 78 | dontaudit $1 hotplug_t:fd use; | |
| 13e94c09 CP |
79 | ') |
| 80 | ||
| 1e5c2a41 | 81 | ######################################## |
| ac9db9b5 CP |
82 | ## <summary> |
| 83 | ## Do not audit attempts to search the | |
| 84 | ## hotplug configuration directories. | |
| 85 | ## </summary> | |
| 86 | ## <param name="domain"> | |
| 87 | ## <summary> | |
| 88 | ## Domain to not audit. | |
| 89 | ## </summary> | |
| 90 | ## </param> | |
| 1e5c2a41 | 91 | # |
| 199895e2 | 92 | interface(`hotplug_dontaudit_search_config',` |
| 139520a2 CP |
93 | gen_require(` |
| 94 | type hotplug_etc_t; | |
| 139520a2 | 95 | ') |
| 0c73cd25 CP |
96 | |
| 97 | dontaudit $1 hotplug_etc_t:dir search; | |
| 1e5c2a41 CP |
98 | ') |
| 99 | ||
| 1e5c2a41 | 100 | ######################################## |
| ae9e2716 CP |
101 | ## <summary> |
| 102 | ## Get the attributes of the hotplug configuration directory. | |
| 103 | ## </summary> | |
| 104 | ## <param name="domain"> | |
| 885b83ec | 105 | ## <summary> |
| ae9e2716 | 106 | ## Domain allowed access. |
| 885b83ec | 107 | ## </summary> |
| ae9e2716 CP |
108 | ## </param> |
| 109 | # | |
| 1815bad1 | 110 | interface(`hotplug_getattr_config_dirs',` |
| ae9e2716 CP |
111 | gen_require(` |
| 112 | type hotplug_etc_t; | |
| ae9e2716 CP |
113 | ') |
| 114 | ||
| 115 | allow $1 hotplug_etc_t:dir getattr; | |
| 116 | ') | |
| 117 | ||
| 118 | ######################################## | |
| 119 | ## <summary> | |
| 120 | ## Search the hotplug configuration directory. | |
| 121 | ## </summary> | |
| 122 | ## <param name="domain"> | |
| 885b83ec | 123 | ## <summary> |
| ae9e2716 | 124 | ## Domain allowed access. |
| 885b83ec | 125 | ## </summary> |
| ae9e2716 CP |
126 | ## </param> |
| 127 | # | |
| 128 | interface(`hotplug_search_config',` | |
| 129 | gen_require(` | |
| 130 | type hotplug_etc_t; | |
| ae9e2716 CP |
131 | ') |
| 132 | ||
| c0868a7a | 133 | allow $1 hotplug_etc_t:dir search_dir_perms; |
| ae9e2716 CP |
134 | ') |
| 135 | ||
| 136 | ######################################## | |
| 137 | ## <summary> | |
| 414e4151 | 138 | ## Read the configuration files for hotplug. |
| ae9e2716 | 139 | ## </summary> |
| 414e4151 | 140 | ## <param name="domain"> |
| 885b83ec | 141 | ## <summary> |
| a0546c9d | 142 | ## Domain allowed access. |
| 885b83ec | 143 | ## </summary> |
| 414e4151 | 144 | ## </param> |
| bbcd3c97 | 145 | ## <rolecap/> |
| 1e5c2a41 | 146 | # |
| 199895e2 | 147 | interface(`hotplug_read_config',` |
| 139520a2 CP |
148 | gen_require(` |
| 149 | type hotplug_etc_t; | |
| 139520a2 | 150 | ') |
| 0c73cd25 | 151 | |
| c9428d33 | 152 | files_search_etc($1) |
| c0868a7a | 153 | allow $1 hotplug_etc_t:dir list_dir_perms; |
| 3f67f722 CP |
154 | read_files_pattern($1, hotplug_etc_t, hotplug_etc_t) |
| 155 | read_lnk_files_pattern($1, hotplug_etc_t, hotplug_etc_t) | |
| 1e5c2a41 CP |
156 | ') |
| 157 | ||
| ed38ca9f CP |
158 | ######################################## |
| 159 | ## <summary> | |
| 160 | ## Search the hotplug PIDs. | |
| 161 | ## </summary> | |
| 162 | ## <param name="domain"> | |
| 163 | ## <summary> | |
| 164 | ## Domain allowed access. | |
| 165 | ## </summary> | |
| 166 | ## </param> | |
| 167 | # | |
| 168 | interface(`hotplug_search_pids',` | |
| 169 | gen_require(` | |
| 170 | type hotplug_var_run_t; | |
| 171 | ') | |
| 172 | ||
| 173 | allow $1 hotplug_var_run_t:dir search_dir_perms; | |
| 174 | files_search_pids($1) | |
| 175 | ') |