[people/stevee/selinux-policy.git] / policy / modules / system / modutils.if

## <summary>Policy for kernel module utilities</summary>

######################################
## <summary>
##	Getattr the dependencies of kernel modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_getattr_module_deps',`
	gen_require(`
		type modules_dep_t, modules_object_t;
	')

	getattr_files_pattern($1, modules_object_t, modules_dep_t)
')

########################################
## <summary>
##	Read the dependencies of kernel modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_read_module_deps',`
	gen_require(`
		type modules_dep_t;
	')

	files_list_kernel_modules($1)
	allow $1 modules_dep_t:file read_file_perms;
')

########################################
## <summary>
##	Read the dependencies of kernel modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_delete_module_deps',`
	gen_require(`
		type modules_dep_t;
	')

	delete_files_pattern($1, modules_dep_t, modules_dep_t)
')

########################################
## <summary>
##	list the configuration options used when
##	loading modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`modutils_list_module_config',`
	gen_require(`
		type modules_conf_t;
	')

	list_dirs_pattern($1, modules_conf_t, modules_conf_t)
')

########################################
## <summary>
##	Read the configuration options used when
##	loading modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`modutils_read_module_config',`
	gen_require(`
		type modules_conf_t;
	')

	# This file type can be in /etc or
	# /lib(64)?/modules
	files_search_etc($1)
	files_search_boot($1)

	read_files_pattern($1, modules_conf_t, modules_conf_t)
	read_lnk_files_pattern($1, modules_conf_t, modules_conf_t)
')

########################################
## <summary>
##	Rename a file with the configuration options used when
##	loading modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_rename_module_config',`
	gen_require(`
		type modules_conf_t;
	')

	rename_files_pattern($1, modules_conf_t, modules_conf_t)
')

########################################
## <summary>
##	Unlink a file with the configuration options used when
##	loading modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_delete_module_config',`
	gen_require(`
		type modules_conf_t;
	')

	delete_files_pattern($1, modules_conf_t, modules_conf_t)
')

########################################
## <summary>
##	Manage files with the configuration options used when
##	loading modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_manage_module_config',`
	gen_require(`
		type modules_conf_t;
	')

	manage_files_pattern($1, modules_conf_t, modules_conf_t)
')

########################################
## <summary>
##	Unconditionally execute insmod in the insmod domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
# cjp: this is added for pppd, due to nested
# conditionals not working.
interface(`modutils_domtrans_insmod_uncond',`
	gen_require(`
		type insmod_t, insmod_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, insmod_exec_t, insmod_t)
')

########################################
## <summary>
##	Execute insmod in the insmod domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`modutils_domtrans_insmod',`
	modutils_domtrans_insmod_uncond($1)
')

########################################
## <summary>
##	Execute insmod in the insmod domain, and
##	allow the specified role the insmod domain,
##	and use the caller's terminal.  Has a sigchld
##	backchannel.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`modutils_run_insmod',`
	gen_require(`
		type insmod_t;
	')

	modutils_domtrans_insmod($1)
	role $2 types insmod_t;
')

########################################
## <summary>
##	Execute insmod in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_exec_insmod',`
	gen_require(`
		type insmod_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, insmod_exec_t)
')

########################################
## <summary>
##	Execute depmod in the depmod domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`modutils_domtrans_depmod',`
	gen_require(`
		type depmod_t, depmod_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, depmod_exec_t, depmod_t)
')

########################################
## <summary>
##	Execute depmod in the depmod domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`modutils_run_depmod',`
	gen_require(`
		type depmod_t, insmod_t;
	')

	modutils_domtrans_depmod($1)
	role $2 types depmod_t;
')

########################################
## <summary>
##	Execute depmod in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_exec_depmod',`
	gen_require(`
		type depmod_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, depmod_exec_t)
')

########################################
## <summary>
##	Execute depmod in the depmod domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`modutils_domtrans_update_mods',`
	gen_require(`
		type update_modules_t, update_modules_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, update_modules_exec_t, update_modules_t)
')

########################################
## <summary>
##	Execute update_modules in the update_modules domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`modutils_run_update_mods',`
	gen_require(`
		type update_modules_t;
	')

	modutils_domtrans_update_mods($1)
	role $2 types update_modules_t;

	modutils_run_insmod(update_modules_t, $2)
')

########################################
## <summary>
##	Execute update_modules in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_exec_update_mods',`
	gen_require(`
		type update_modules_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, update_modules_exec_t)
')

########################################
## <summary>
##	Transition to modutils named content
## </summary>
## <param name="domain">
##	<summary>
##      Domain allowed access.
##	</summary>
## </param>
#
interface(`modules_filetrans_named_content',`
	gen_require(`
		type modules_dep_t;
		type modules_conf_t;
	')

	files_etc_filetrans($1, modules_conf_t, file, "modprobe.conf")
	files_etc_filetrans($1, modules_conf_t, file, "modules.conf")
	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep")
	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
')
Commit	Line	Data
162a57e5	1	## <summary>Policy for kernel module utilities</summary>
e181fe05	2
7491a9ed CP	3	######################################
	4	## <summary>
	5	## Getattr the dependencies of kernel modules.
	6	## </summary>
	7	## <param name="domain">
	8	## <summary>
	9	## Domain allowed access.
	10	## </summary>
	11	## </param>
	12	#
	13	interface(`modutils_getattr_module_deps',`
	14	gen_require(`
5c339835	15	type modules_dep_t, modules_object_t;
7491a9ed CP	16	')
	17
	18	getattr_files_pattern($1, modules_object_t, modules_dep_t)
	19	')
	20
b4cd1533	21	########################################
f7ebea06	22	## <summary>
414e4151	23	## Read the dependencies of kernel modules.
f7ebea06	24	## </summary>
414e4151	25	## <param name="domain">
885b83ec	26	## <summary>
ac9db9b5	27	## Domain allowed access.
885b83ec	28	## </summary>
414e4151	29	## </param>
b4cd1533	30	#
1815bad1	31	interface(`modutils_read_module_deps',`
139520a2 CP	32	gen_require(`
139520a2 CP	33	type modules_dep_t;
139520a2	34	')
0c73cd25	35
1c1ac67f	36	files_list_kernel_modules($1)
c0868a7a	37	allow $1 modules_dep_t:file read_file_perms;
b4cd1533 CP	38	')
b4cd1533 CP	39
3eaa9939	40	########################################
ab14a8f6 DW	41	## <summary>
	42	## Read the dependencies of kernel modules.
	43	## </summary>
	44	## <param name="domain">
	45	## <summary>
	46	## Domain allowed access.
	47	## </summary>
	48	## </param>
	49	#
	50	interface(`modutils_delete_module_deps',`
	51	gen_require(`
	52	type modules_dep_t;
	53	')
	54
	55	delete_files_pattern($1, modules_dep_t, modules_dep_t)
	56	')
	57
	58	########################################
3eaa9939 DW	59	## <summary>
	60	## list the configuration options used when
	61	## loading modules.
	62	## </summary>
	63	## <param name="domain">
	64	## <summary>
	65	## Domain allowed access.
	66	## </summary>
	67	## </param>
	68	## <rolecap/>
	69	#
	70	interface(`modutils_list_module_config',`
	71	gen_require(`
	72	type modules_conf_t;
	73	')
	74
	75	list_dirs_pattern($1, modules_conf_t, modules_conf_t)
	76	')
	77
b4cd1533	78	########################################
f7ebea06	79	## <summary>
414e4151 CP	80	## Read the configuration options used when
414e4151 CP	81	## loading modules.
f7ebea06	82	## </summary>
414e4151	83	## <param name="domain">
885b83ec	84	## <summary>
ac9db9b5	85	## Domain allowed access.
885b83ec	86	## </summary>
414e4151	87	## </param>
bbcd3c97	88	## <rolecap/>
b4cd1533	89	#
1815bad1	90	interface(`modutils_read_module_config',`
139520a2 CP	91	gen_require(`
139520a2 CP	92	type modules_conf_t;
139520a2	93	')
b4cd1533	94
139520a2 CP	95	# This file type can be in /etc or
	96	# /lib(64)?/modules
	97	files_search_etc($1)
1c1ac67f	98	files_search_boot($1)
0c73cd25	99
7491a9ed CP	100	read_files_pattern($1, modules_conf_t, modules_conf_t)
7491a9ed CP	101	read_lnk_files_pattern($1, modules_conf_t, modules_conf_t)
b4cd1533 CP	102	')
b4cd1533 CP	103
fe9d17fe CP	104	########################################
	105	## <summary>
	106	## Rename a file with the configuration options used when
	107	## loading modules.
	108	## </summary>
	109	## <param name="domain">
885b83ec	110	## <summary>
ac9db9b5	111	## Domain allowed access.
885b83ec	112	## </summary>
fe9d17fe CP	113	## </param>
fe9d17fe CP	114	#
1815bad1	115	interface(`modutils_rename_module_config',`
fe9d17fe CP	116	gen_require(`
	117	type modules_conf_t;
	118	')
	119
7491a9ed	120	rename_files_pattern($1, modules_conf_t, modules_conf_t)
fe9d17fe CP	121	')
fe9d17fe CP	122
36095d11 CP	123	########################################
	124	## <summary>
	125	## Unlink a file with the configuration options used when
	126	## loading modules.
	127	## </summary>
	128	## <param name="domain">
	129	## <summary>
	130	## Domain allowed access.
	131	## </summary>
	132	## </param>
	133	#
	134	interface(`modutils_delete_module_config',`
	135	gen_require(`
	136	type modules_conf_t;
	137	')
	138
7491a9ed CP	139	delete_files_pattern($1, modules_conf_t, modules_conf_t)
	140	')
	141
	142	########################################
	143	## <summary>
	144	## Manage files with the configuration options used when
	145	## loading modules.
	146	## </summary>
	147	## <param name="domain">
	148	## <summary>
	149	## Domain allowed access.
	150	## </summary>
	151	## </param>
	152	#
	153	interface(`modutils_manage_module_config',`
	154	gen_require(`
	155	type modules_conf_t;
	156	')
	157
	158	manage_files_pattern($1, modules_conf_t, modules_conf_t)
36095d11 CP	159	')
36095d11 CP	160
b4cd1533	161	########################################
f7ebea06	162	## <summary>
8967bf8b	163	## Unconditionally execute insmod in the insmod domain.
f7ebea06	164	## </summary>
414e4151	165	## <param name="domain">
885b83ec	166	## <summary>
a0546c9d	167	## Domain allowed to transition.
885b83ec	168	## </summary>
414e4151	169	## </param>
b4cd1533	170	#
8967bf8b CP	171	# cjp: this is added for pppd, due to nested
	172	# conditionals not working.
	173	interface(`modutils_domtrans_insmod_uncond',`
139520a2 CP	174	gen_require(`
139520a2 CP	175	type insmod_t, insmod_exec_t;
139520a2 CP	176	')
139520a2 CP	177
8021cb4f	178	corecmd_search_bin($1)
c0868a7a	179	domtrans_pattern($1, insmod_exec_t, insmod_t)
b4cd1533 CP	180	')
b4cd1533 CP	181
8967bf8b CP	182	########################################
	183	## <summary>
	184	## Execute insmod in the insmod domain.
	185	## </summary>
	186	## <param name="domain">
885b83ec	187	## <summary>
a0546c9d	188	## Domain allowed to transition.
885b83ec	189	## </summary>
8967bf8b CP	190	## </param>
	191	#
	192	interface(`modutils_domtrans_insmod',`
995d6fea	193	modutils_domtrans_insmod_uncond($1)
8967bf8b CP	194	')
8967bf8b CP	195
daa0e0b0	196	########################################
f7ebea06	197	## <summary>
414e4151 CP	198	## Execute insmod in the insmod domain, and
	199	## allow the specified role the insmod domain,
	200	## and use the caller's terminal. Has a sigchld
	201	## backchannel.
f7ebea06	202	## </summary>
414e4151	203	## <param name="domain">
885b83ec	204	## <summary>
a0546c9d	205	## Domain allowed to transition.
885b83ec	206	## </summary>
414e4151 CP	207	## </param>
414e4151 CP	208	## <param name="role">
885b83ec	209	## <summary>
a7ee7f81	210	## Role allowed access.
885b83ec	211	## </summary>
414e4151	212	## </param>
bbcd3c97	213	## <rolecap/>
daa0e0b0	214	#
199895e2	215	interface(`modutils_run_insmod',`
139520a2 CP	216	gen_require(`
139520a2 CP	217	type insmod_t;
139520a2	218	')
0c73cd25	219
c9428d33	220	modutils_domtrans_insmod($1)
0c73cd25	221	role $2 types insmod_t;
daa0e0b0 CP	222	')
daa0e0b0 CP	223
b4cd1533	224	########################################
ac9db9b5 CP	225	## <summary>
	226	## Execute insmod in the caller domain.
	227	## </summary>
	228	## <param name="domain">
	229	## <summary>
	230	## Domain allowed access.
	231	## </summary>
	232	## </param>
b4cd1533	233	#
199895e2	234	interface(`modutils_exec_insmod',`
139520a2	235	gen_require(`
71fe0fa4	236	type insmod_exec_t;
139520a2	237	')
0c73cd25	238
8021cb4f	239	corecmd_search_bin($1)
80048ca5	240	can_exec($1, insmod_exec_t)
b4cd1533 CP	241	')
b4cd1533 CP	242
9eb5e812	243	########################################
f7ebea06	244	## <summary>
414e4151	245	## Execute depmod in the depmod domain.
f7ebea06	246	## </summary>
414e4151	247	## <param name="domain">
885b83ec	248	## <summary>
a0546c9d	249	## Domain allowed to transition.
885b83ec	250	## </summary>
414e4151	251	## </param>
9eb5e812	252	#
199895e2	253	interface(`modutils_domtrans_depmod',`
139520a2 CP	254	gen_require(`
139520a2 CP	255	type depmod_t, depmod_exec_t;
139520a2 CP	256	')
139520a2 CP	257
8021cb4f	258	corecmd_search_bin($1)
c0868a7a	259	domtrans_pattern($1, depmod_exec_t, depmod_t)
9eb5e812 CP	260	')
9eb5e812 CP	261
daa0e0b0	262	########################################
f7ebea06	263	## <summary>
414e4151	264	## Execute depmod in the depmod domain.
f7ebea06	265	## </summary>
414e4151	266	## <param name="domain">
885b83ec	267	## <summary>
a0546c9d	268	## Domain allowed to transition.
885b83ec	269	## </summary>
414e4151 CP	270	## </param>
414e4151 CP	271	## <param name="role">
885b83ec	272	## <summary>
a7ee7f81	273	## Role allowed access.
885b83ec	274	## </summary>
414e4151	275	## </param>
bbcd3c97	276	## <rolecap/>
daa0e0b0	277	#
199895e2	278	interface(`modutils_run_depmod',`
139520a2	279	gen_require(`
8f3a0a95	280	type depmod_t, insmod_t;
139520a2	281	')
0c73cd25	282
c9428d33	283	modutils_domtrans_depmod($1)
46c69cb2	284	role $2 types depmod_t;
daa0e0b0 CP	285	')
daa0e0b0 CP	286
9eb5e812	287	########################################
ac9db9b5 CP	288	## <summary>
	289	## Execute depmod in the caller domain.
	290	## </summary>
	291	## <param name="domain">
	292	## <summary>
	293	## Domain allowed access.
	294	## </summary>
	295	## </param>
9eb5e812	296	#
199895e2	297	interface(`modutils_exec_depmod',`
139520a2	298	gen_require(`
12ae7557	299	type depmod_exec_t;
139520a2	300	')
0c73cd25	301
8021cb4f	302	corecmd_search_bin($1)
80048ca5	303	can_exec($1, depmod_exec_t)
9eb5e812 CP	304	')
9eb5e812 CP	305
9eb5e812	306	########################################
f7ebea06	307	## <summary>
414e4151	308	## Execute depmod in the depmod domain.
f7ebea06	309	## </summary>
414e4151	310	## <param name="domain">
885b83ec	311	## <summary>
a0546c9d	312	## Domain allowed to transition.
885b83ec	313	## </summary>
414e4151	314	## </param>
9eb5e812	315	#
199895e2	316	interface(`modutils_domtrans_update_mods',`
139520a2 CP	317	gen_require(`
139520a2 CP	318	type update_modules_t, update_modules_exec_t;
139520a2 CP	319	')
139520a2 CP	320
8021cb4f	321	corecmd_search_bin($1)
c0868a7a	322	domtrans_pattern($1, update_modules_exec_t, update_modules_t)
9eb5e812 CP	323	')
9eb5e812 CP	324
daa0e0b0	325	########################################
f7ebea06	326	## <summary>
414e4151	327	## Execute update_modules in the update_modules domain.
f7ebea06	328	## </summary>
414e4151	329	## <param name="domain">
885b83ec	330	## <summary>
a0546c9d	331	## Domain allowed to transition.
885b83ec	332	## </summary>
414e4151 CP	333	## </param>
414e4151 CP	334	## <param name="role">
885b83ec	335	## <summary>
a7ee7f81	336	## Role allowed access.
885b83ec	337	## </summary>
414e4151	338	## </param>
bbcd3c97	339	## <rolecap/>
daa0e0b0	340	#
199895e2	341	interface(`modutils_run_update_mods',`
139520a2 CP	342	gen_require(`
139520a2 CP	343	type update_modules_t;
139520a2	344	')
0c73cd25	345
c9428d33	346	modutils_domtrans_update_mods($1)
0c73cd25	347	role $2 types update_modules_t;
36095d11	348
296273a7	349	modutils_run_insmod(update_modules_t, $2)
daa0e0b0 CP	350	')
daa0e0b0 CP	351
9eb5e812	352	########################################
ac9db9b5 CP	353	## <summary>
	354	## Execute update_modules in the caller domain.
	355	## </summary>
	356	## <param name="domain">
	357	## <summary>
	358	## Domain allowed access.
	359	## </summary>
	360	## </param>
9eb5e812	361	#
199895e2	362	interface(`modutils_exec_update_mods',`
139520a2	363	gen_require(`
12ae7557	364	type update_modules_exec_t;
139520a2	365	')
0c73cd25	366
8021cb4f	367	corecmd_search_bin($1)
80048ca5	368	can_exec($1, update_modules_exec_t)
9eb5e812	369	')
c66c51f7 DW	370
	371	########################################
	372	## <summary>
	373	## Transition to modutils named content
	374	## </summary>
	375	## <param name="domain">
	376	## <summary>
	377	## Domain allowed access.
	378	## </summary>
	379	## </param>
	380	#
	381	interface(`modules_filetrans_named_content',`
	382	gen_require(`
	383	type modules_dep_t;
	384	type modules_conf_t;
	385	')
	386
	387	files_etc_filetrans($1, modules_conf_t, file, "modprobe.conf")
	388	files_etc_filetrans($1, modules_conf_t, file, "modules.conf")
	389	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep")
	390	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
	391	')