Commit | Line | Data |
---|---|---|
162a57e5 | 1 | ## <summary>Policy for kernel module utilities</summary> |
e181fe05 | 2 | |
7491a9ed CP |
######################################
## <summary>
##	Get the attributes of the kernel
##	module dependency files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Attribute-only access. The one pattern call below passes
# modules_object_t as the directory type and modules_dep_t
# as the file type; nothing here requests read or write
# access to the dependency files themselves.
#
interface(`modutils_getattr_module_deps',`
	gen_require(`
		type modules_dep_t;
		type modules_object_t;
	')

	getattr_files_pattern($1, modules_object_t, modules_dep_t)
')
20 | ||
########################################
## <summary>
##	Read the kernel module dependency files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Two grants are made: the ability to list the kernel
# modules directory (through files_list_kernel_modules)
# and read_file_perms on files typed modules_dep_t.
# No write access is included.
#
interface(`modutils_read_module_deps',`
	gen_require(`
		type modules_dep_t;
	')

	files_list_kernel_modules($1)

	allow $1 modules_dep_t:file read_file_perms;
')
39 | ||
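########################################
## <summary>
##	Delete the dependencies of kernel modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# The summary previously said "Read", copied from
# modutils_read_module_deps; the body grants deletion.
#
# NOTE(review): modules_dep_t is passed as both the
# directory type and the file type, whereas
# modutils_getattr_module_deps in this file uses
# modules_object_t for the directory. Confirm which
# directory type actually contains these files.
#
interface(`modutils_delete_module_deps',`
	gen_require(`
		type modules_dep_t;
	')

	delete_files_pattern($1, modules_dep_t, modules_dep_t)
')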
57 | ||
########################################
## <summary>
##	List the directories holding the
##	configuration options used when
##	loading modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
# Directory listing only: the body is a single
# list_dirs_pattern call on modules_conf_t. Reading the
# configuration files is a separate interface
# (modutils_read_module_config).
#
interface(`modutils_list_module_config',`
	gen_require(`
		type modules_conf_t;
	')

	list_dirs_pattern($1, modules_conf_t, modules_conf_t)
')
77 | ||
########################################
## <summary>
##	Read the configuration options used
##	when loading modules, including
##	symbolic links of the same type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`modutils_read_module_config',`
	gen_require(`
		type modules_conf_t;
	')

	# Files of this type can live in /etc or
	# /lib(64)?/modules, so the caller needs to be
	# able to reach them through a parent directory.
	# NOTE(review): the second search below is
	# files_search_boot, which does not match the
	# kernel modules path named above - confirm
	# which directory is intended.
	files_search_etc($1)
	files_search_boot($1)

	# Regular files and symlinks are both readable.
	read_files_pattern($1, modules_conf_t, modules_conf_t)
	read_lnk_files_pattern($1, modules_conf_t, modules_conf_t)
')
103 | ||
fe9d17fe CP |
########################################
## <summary>
##	Rename a file holding the configuration
##	options used when loading modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Renaming changes which file the module tools find under
# a given name, so treat this as a write-class permission
# on module loading configuration and grant it only to
# domains that administer that configuration.
#
interface(`modutils_rename_module_config',`
	gen_require(`
		type modules_conf_t;
	')

	rename_files_pattern($1, modules_conf_t, modules_conf_t)
')
122 | ||
36095d11 CP |
########################################
## <summary>
##	Unlink a file holding the configuration
##	options used when loading modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Deletion only; the body is a single delete_files_pattern
# call on modules_conf_t. Removing a configuration file
# can change module loading behaviour, so callers should
# be administrative domains.
#
interface(`modutils_delete_module_config',`
	gen_require(`
		type modules_conf_t;
	')

	delete_files_pattern($1, modules_conf_t, modules_conf_t)
')
141 | ||
########################################
## <summary>
##	Manage the files holding the configuration
##	options used when loading modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# This is the broadest of the modules_conf_t file
# interfaces in this file. A domain that can write module
# loading configuration can influence what the module
# tools do on the next load, so prefer the read, rename or
# delete interfaces when the caller needs less.
#
interface(`modutils_manage_module_config',`
	gen_require(`
		type modules_conf_t;
	')

	manage_files_pattern($1, modules_conf_t, modules_conf_t)
')
160 | ||
########################################
## <summary>
##	Unconditionally execute insmod in
##	the insmod domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
# cjp: this exists for pppd, because nested
# conditionals do not work.
#
# The caller gains a domain transition into insmod_t when
# it executes a file typed insmod_exec_t, plus search
# access to the bin directories via corecmd_search_bin.
# Presumably insmod_t is the domain permitted to load
# kernel modules (verify in the matching .te file), so
# each caller of this interface deserves review.
#
interface(`modutils_domtrans_insmod_uncond',`
	gen_require(`
		type insmod_t;
		type insmod_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, insmod_exec_t, insmod_t)
')
181 | ||
8967bf8b CP |
########################################
## <summary>
##	Execute insmod in the insmod domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
# As written here this is a plain wrapper: it forwards
# its argument to modutils_domtrans_insmod_uncond and adds
# no condition of its own.
#
interface(`modutils_domtrans_insmod',`
	modutils_domtrans_insmod_uncond($1)
')
195 | ||
########################################
## <summary>
##	Execute insmod in the insmod domain, and
##	allow the specified role the insmod domain,
##	and use the terminal of the caller. Has a
##	sigchld backchannel.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
# Visible effects: the domain transition (delegated to
# modutils_domtrans_insmod) and the role statement that
# authorises the given role for insmod_t.
# NOTE(review): no statement in this interface grants
# terminal access directly; confirm whether the summary
# is still accurate or whether that access comes from
# elsewhere.
#
interface(`modutils_run_insmod',`
	gen_require(`
		type insmod_t;
	')

	role $2 types insmod_t;
	modutils_domtrans_insmod($1)
')
223 | ||
########################################
## <summary>
##	Execute insmod in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# No domain transition is set up here: the body only
# grants bin directory search and can_exec on
# insmod_exec_t, so the program runs with whatever the
# calling domain is already allowed to do.
#
interface(`modutils_exec_insmod',`
	gen_require(`
		type insmod_exec_t;
	')

	corecmd_search_bin($1)

	can_exec($1, insmod_exec_t)
')
242 | ||
########################################
## <summary>
##	Execute depmod in the depmod domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
# Grants bin directory search and a domain transition
# into depmod_t on executing a depmod_exec_t file.
# No role statement is made; modutils_run_depmod adds it.
#
interface(`modutils_domtrans_depmod',`
	gen_require(`
		type depmod_t;
		type depmod_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, depmod_exec_t, depmod_t)
')
261 | ||
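########################################
## <summary>
##	Execute depmod in the depmod domain, and
##	allow the specified role the depmod domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
# Only depmod_t is referenced by the statements below, so
# it is the only type required. The earlier require list
# also named insmod_t, which nothing in this interface
# uses; requiring only what is used keeps the interface
# from depending on a more privileged type.
#
interface(`modutils_run_depmod',`
	gen_require(`
		type depmod_t;
	')

	modutils_domtrans_depmod($1)
	role $2 types depmod_t;
')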
286 | ||
########################################
## <summary>
##	Execute depmod in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# No transition: only bin directory search and can_exec
# on depmod_exec_t are granted, so depmod runs with the
# permissions of the calling domain.
#
interface(`modutils_exec_depmod',`
	gen_require(`
		type depmod_exec_t;
	')

	corecmd_search_bin($1)

	can_exec($1, depmod_exec_t)
')
305 | ||
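########################################
## <summary>
##	Execute update_modules in the
##	update_modules domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
# The summary previously described depmod, copied from
# modutils_domtrans_depmod; the body transitions into
# update_modules_t on executing update_modules_exec_t.
#
interface(`modutils_domtrans_update_mods',`
	gen_require(`
		type update_modules_t, update_modules_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, update_modules_exec_t, update_modules_t)
')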
324 | ||
########################################
## <summary>
##	Execute update_modules in the
##	update_modules domain, and allow the
##	specified role the update_modules domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
# Wider than the summary suggests: the last call passes
# update_modules_t and the same role to
# modutils_run_insmod, which in this file lets
# update_modules_t transition to insmod_t and authorises
# the role for insmod_t as well. Review callers with that
# in mind.
#
interface(`modutils_run_update_mods',`
	gen_require(`
		type update_modules_t;
	')

	role $2 types update_modules_t;
	modutils_domtrans_update_mods($1)

	modutils_run_insmod(update_modules_t, $2)
')
351 | ||
########################################
## <summary>
##	Execute update_modules in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# No transition: only bin directory search and can_exec
# on update_modules_exec_t are granted, so the program
# runs with the permissions of the calling domain.
#
interface(`modutils_exec_update_mods',`
	gen_require(`
		type update_modules_exec_t;
	')

	corecmd_search_bin($1)

	can_exec($1, update_modules_exec_t)
')
c66c51f7 DW |
370 | |
########################################
## <summary>
##	Transition to modutils named content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Sets up name-based type transitions so that files the
# caller creates under these exact names receive the
# modutils types: modules_conf_t for the two
# configuration names, modules_dep_t for the two
# dependency names.
# NOTE(review): this interface is prefixed modules_ while
# every other interface in this file is prefixed
# modutils_. The name is part of the public interface, so
# it is left as is here.
#
interface(`modules_filetrans_named_content',`
	gen_require(`
		type modules_conf_t, modules_dep_t;
	')

	# Module loading configuration.
	files_etc_filetrans($1, modules_conf_t, file, "modprobe.conf")
	files_etc_filetrans($1, modules_conf_t, file, "modules.conf")

	# Module dependency data.
	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep")
	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
')