[people/stevee/selinux-policy.git] / policy / modules / system / modutils.if

## <summary>Policy for kernel module utilities</summary>

######################################
## <summary>
##	Getattr the dependencies of kernel modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_getattr_module_deps',`
	gen_require(`
		type modules_dep_t, modules_object_t;
	')

	getattr_files_pattern($1, modules_object_t, modules_dep_t)
')

########################################
## <summary>
##	Read the dependencies of kernel modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_read_module_deps',`
	gen_require(`
		type modules_dep_t;
	')

	files_list_kernel_modules($1)
	allow $1 modules_dep_t:file read_file_perms;
')

########################################
## <summary>
##	list the configuration options used when
##	loading modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`modutils_list_module_config',`
	gen_require(`
		type modules_conf_t;
	')

	list_dirs_pattern($1, modules_conf_t, modules_conf_t)
')

########################################
## <summary>
##	Read the configuration options used when
##	loading modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`modutils_read_module_config',`
	gen_require(`
		type modules_conf_t;
	')

	# This file type can be in /etc or
	# /lib(64)?/modules
	files_search_etc($1)
	files_search_boot($1)

	read_files_pattern($1, modules_conf_t, modules_conf_t)
	read_lnk_files_pattern($1, modules_conf_t, modules_conf_t)
')

########################################
## <summary>
##	Rename a file with the configuration options used when
##	loading modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_rename_module_config',`
	gen_require(`
		type modules_conf_t;
	')

	rename_files_pattern($1, modules_conf_t, modules_conf_t)
')

########################################
## <summary>
##	Unlink a file with the configuration options used when
##	loading modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_delete_module_config',`
	gen_require(`
		type modules_conf_t;
	')

	delete_files_pattern($1, modules_conf_t, modules_conf_t)
')

########################################
## <summary>
##	Manage files with the configuration options used when
##	loading modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_manage_module_config',`
	gen_require(`
		type modules_conf_t;
	')

	manage_files_pattern($1, modules_conf_t, modules_conf_t)
')

########################################
## <summary>
##	Unconditionally execute insmod in the insmod domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
# cjp: this is added for pppd, due to nested
# conditionals not working.
interface(`modutils_domtrans_insmod_uncond',`
	gen_require(`
		type insmod_t, insmod_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, insmod_exec_t, insmod_t)
')

########################################
## <summary>
##	Execute insmod in the insmod domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`modutils_domtrans_insmod',`
	gen_require(`
		bool secure_mode_insmod;
	')

	if (!secure_mode_insmod) {
		modutils_domtrans_insmod_uncond($1)
	}
')

########################################
## <summary>
##	Execute insmod in the insmod domain, and
##	allow the specified role the insmod domain,
##	and use the caller's terminal.  Has a sigchld
##	backchannel.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`modutils_run_insmod',`
	gen_require(`
		type insmod_t;
	')

	modutils_domtrans_insmod($1)
	role $2 types insmod_t;
')

########################################
## <summary>
##	Execute insmod in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_exec_insmod',`
	gen_require(`
		type insmod_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, insmod_exec_t)
')

########################################
## <summary>
##	Execute depmod in the depmod domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`modutils_domtrans_depmod',`
	gen_require(`
		type depmod_t, depmod_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, depmod_exec_t, depmod_t)
')

########################################
## <summary>
##	Execute depmod in the depmod domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`modutils_run_depmod',`
	gen_require(`
		type depmod_t, insmod_t;
	')

	modutils_domtrans_depmod($1)
	role $2 types depmod_t;
')

########################################
## <summary>
##	Execute depmod in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_exec_depmod',`
	gen_require(`
		type depmod_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, depmod_exec_t)
')

########################################
## <summary>
##	Execute depmod in the depmod domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`modutils_domtrans_update_mods',`
	gen_require(`
		type update_modules_t, update_modules_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, update_modules_exec_t, update_modules_t)
')

########################################
## <summary>
##	Execute update_modules in the update_modules domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`modutils_run_update_mods',`
	gen_require(`
		type update_modules_t;
	')

	modutils_domtrans_update_mods($1)
	role $2 types update_modules_t;

	modutils_run_insmod(update_modules_t, $2)
')

########################################
## <summary>
##	Execute update_modules in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_exec_update_mods',`
	gen_require(`
		type update_modules_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, update_modules_exec_t)
')
Commit	Line	Data
162a57e5	1	## <summary>Policy for kernel module utilities</summary>
e181fe05	2
7491a9ed CP	3	######################################
	4	## <summary>
	5	## Getattr the dependencies of kernel modules.
	6	## </summary>
	7	## <param name="domain">
	8	## <summary>
	9	## Domain allowed access.
	10	## </summary>
	11	## </param>
	12	#
	13	interface(`modutils_getattr_module_deps',`
	14	gen_require(`
5c339835	15	type modules_dep_t, modules_object_t;
7491a9ed CP	16	')
	17
	18	getattr_files_pattern($1, modules_object_t, modules_dep_t)
	19	')
	20
b4cd1533	21	########################################
f7ebea06	22	## <summary>
414e4151	23	## Read the dependencies of kernel modules.
f7ebea06	24	## </summary>
414e4151	25	## <param name="domain">
885b83ec	26	## <summary>
ac9db9b5	27	## Domain allowed access.
885b83ec	28	## </summary>
414e4151	29	## </param>
b4cd1533	30	#
1815bad1	31	interface(`modutils_read_module_deps',`
139520a2 CP	32	gen_require(`
139520a2 CP	33	type modules_dep_t;
139520a2	34	')
0c73cd25	35
1c1ac67f	36	files_list_kernel_modules($1)
c0868a7a	37	allow $1 modules_dep_t:file read_file_perms;
b4cd1533 CP	38	')
b4cd1533 CP	39
3eaa9939 DW	40	########################################
	41	## <summary>
	42	## list the configuration options used when
	43	## loading modules.
	44	## </summary>
	45	## <param name="domain">
	46	## <summary>
	47	## Domain allowed access.
	48	## </summary>
	49	## </param>
	50	## <rolecap/>
	51	#
	52	interface(`modutils_list_module_config',`
	53	gen_require(`
	54	type modules_conf_t;
	55	')
	56
	57	list_dirs_pattern($1, modules_conf_t, modules_conf_t)
	58	')
	59
b4cd1533	60	########################################
f7ebea06	61	## <summary>
414e4151 CP	62	## Read the configuration options used when
414e4151 CP	63	## loading modules.
f7ebea06	64	## </summary>
414e4151	65	## <param name="domain">
885b83ec	66	## <summary>
ac9db9b5	67	## Domain allowed access.
885b83ec	68	## </summary>
414e4151	69	## </param>
bbcd3c97	70	## <rolecap/>
b4cd1533	71	#
1815bad1	72	interface(`modutils_read_module_config',`
139520a2 CP	73	gen_require(`
139520a2 CP	74	type modules_conf_t;
139520a2	75	')
b4cd1533	76
139520a2 CP	77	# This file type can be in /etc or
	78	# /lib(64)?/modules
	79	files_search_etc($1)
1c1ac67f	80	files_search_boot($1)
0c73cd25	81
7491a9ed CP	82	read_files_pattern($1, modules_conf_t, modules_conf_t)
7491a9ed CP	83	read_lnk_files_pattern($1, modules_conf_t, modules_conf_t)
b4cd1533 CP	84	')
b4cd1533 CP	85
fe9d17fe CP	86	########################################
	87	## <summary>
	88	## Rename a file with the configuration options used when
	89	## loading modules.
	90	## </summary>
	91	## <param name="domain">
885b83ec	92	## <summary>
ac9db9b5	93	## Domain allowed access.
885b83ec	94	## </summary>
fe9d17fe CP	95	## </param>
fe9d17fe CP	96	#
1815bad1	97	interface(`modutils_rename_module_config',`
fe9d17fe CP	98	gen_require(`
	99	type modules_conf_t;
	100	')
	101
7491a9ed	102	rename_files_pattern($1, modules_conf_t, modules_conf_t)
fe9d17fe CP	103	')
fe9d17fe CP	104
36095d11 CP	105	########################################
	106	## <summary>
	107	## Unlink a file with the configuration options used when
	108	## loading modules.
	109	## </summary>
	110	## <param name="domain">
	111	## <summary>
	112	## Domain allowed access.
	113	## </summary>
	114	## </param>
	115	#
	116	interface(`modutils_delete_module_config',`
	117	gen_require(`
	118	type modules_conf_t;
	119	')
	120
7491a9ed CP	121	delete_files_pattern($1, modules_conf_t, modules_conf_t)
	122	')
	123
	124	########################################
	125	## <summary>
	126	## Manage files with the configuration options used when
	127	## loading modules.
	128	## </summary>
	129	## <param name="domain">
	130	## <summary>
	131	## Domain allowed access.
	132	## </summary>
	133	## </param>
	134	#
	135	interface(`modutils_manage_module_config',`
	136	gen_require(`
	137	type modules_conf_t;
	138	')
	139
	140	manage_files_pattern($1, modules_conf_t, modules_conf_t)
36095d11 CP	141	')
36095d11 CP	142
b4cd1533	143	########################################
f7ebea06	144	## <summary>
8967bf8b	145	## Unconditionally execute insmod in the insmod domain.
f7ebea06	146	## </summary>
414e4151	147	## <param name="domain">
885b83ec	148	## <summary>
a0546c9d	149	## Domain allowed to transition.
885b83ec	150	## </summary>
414e4151	151	## </param>
b4cd1533	152	#
8967bf8b CP	153	# cjp: this is added for pppd, due to nested
	154	# conditionals not working.
	155	interface(`modutils_domtrans_insmod_uncond',`
139520a2 CP	156	gen_require(`
139520a2 CP	157	type insmod_t, insmod_exec_t;
139520a2 CP	158	')
139520a2 CP	159
8021cb4f	160	corecmd_search_bin($1)
c0868a7a	161	domtrans_pattern($1, insmod_exec_t, insmod_t)
b4cd1533 CP	162	')
b4cd1533 CP	163
8967bf8b CP	164	########################################
	165	## <summary>
	166	## Execute insmod in the insmod domain.
	167	## </summary>
	168	## <param name="domain">
885b83ec	169	## <summary>
a0546c9d	170	## Domain allowed to transition.
885b83ec	171	## </summary>
8967bf8b CP	172	## </param>
	173	#
	174	interface(`modutils_domtrans_insmod',`
	175	gen_require(`
	176	bool secure_mode_insmod;
	177	')
	178
	179	if (!secure_mode_insmod) {
	180	modutils_domtrans_insmod_uncond($1)
	181	}
	182	')
	183
daa0e0b0	184	########################################
f7ebea06	185	## <summary>
414e4151 CP	186	## Execute insmod in the insmod domain, and
	187	## allow the specified role the insmod domain,
	188	## and use the caller's terminal. Has a sigchld
	189	## backchannel.
f7ebea06	190	## </summary>
414e4151	191	## <param name="domain">
885b83ec	192	## <summary>
a0546c9d	193	## Domain allowed to transition.
885b83ec	194	## </summary>
414e4151 CP	195	## </param>
414e4151 CP	196	## <param name="role">
885b83ec	197	## <summary>
a7ee7f81	198	## Role allowed access.
885b83ec	199	## </summary>
414e4151	200	## </param>
bbcd3c97	201	## <rolecap/>
daa0e0b0	202	#
199895e2	203	interface(`modutils_run_insmod',`
139520a2 CP	204	gen_require(`
139520a2 CP	205	type insmod_t;
139520a2	206	')
0c73cd25	207
c9428d33	208	modutils_domtrans_insmod($1)
0c73cd25	209	role $2 types insmod_t;
daa0e0b0 CP	210	')
daa0e0b0 CP	211
b4cd1533	212	########################################
ac9db9b5 CP	213	## <summary>
	214	## Execute insmod in the caller domain.
	215	## </summary>
	216	## <param name="domain">
	217	## <summary>
	218	## Domain allowed access.
	219	## </summary>
	220	## </param>
b4cd1533	221	#
199895e2	222	interface(`modutils_exec_insmod',`
139520a2	223	gen_require(`
71fe0fa4	224	type insmod_exec_t;
139520a2	225	')
0c73cd25	226
8021cb4f	227	corecmd_search_bin($1)
80048ca5	228	can_exec($1, insmod_exec_t)
b4cd1533 CP	229	')
b4cd1533 CP	230
9eb5e812	231	########################################
f7ebea06	232	## <summary>
414e4151	233	## Execute depmod in the depmod domain.
f7ebea06	234	## </summary>
414e4151	235	## <param name="domain">
885b83ec	236	## <summary>
a0546c9d	237	## Domain allowed to transition.
885b83ec	238	## </summary>
414e4151	239	## </param>
9eb5e812	240	#
199895e2	241	interface(`modutils_domtrans_depmod',`
139520a2 CP	242	gen_require(`
139520a2 CP	243	type depmod_t, depmod_exec_t;
139520a2 CP	244	')
139520a2 CP	245
8021cb4f	246	corecmd_search_bin($1)
c0868a7a	247	domtrans_pattern($1, depmod_exec_t, depmod_t)
9eb5e812 CP	248	')
9eb5e812 CP	249
daa0e0b0	250	########################################
f7ebea06	251	## <summary>
414e4151	252	## Execute depmod in the depmod domain.
f7ebea06	253	## </summary>
414e4151	254	## <param name="domain">
885b83ec	255	## <summary>
a0546c9d	256	## Domain allowed to transition.
885b83ec	257	## </summary>
414e4151 CP	258	## </param>
414e4151 CP	259	## <param name="role">
885b83ec	260	## <summary>
a7ee7f81	261	## Role allowed access.
885b83ec	262	## </summary>
414e4151	263	## </param>
bbcd3c97	264	## <rolecap/>
daa0e0b0	265	#
199895e2	266	interface(`modutils_run_depmod',`
139520a2	267	gen_require(`
8f3a0a95	268	type depmod_t, insmod_t;
139520a2	269	')
0c73cd25	270
c9428d33	271	modutils_domtrans_depmod($1)
46c69cb2	272	role $2 types depmod_t;
daa0e0b0 CP	273	')
daa0e0b0 CP	274
9eb5e812	275	########################################
ac9db9b5 CP	276	## <summary>
	277	## Execute depmod in the caller domain.
	278	## </summary>
	279	## <param name="domain">
	280	## <summary>
	281	## Domain allowed access.
	282	## </summary>
	283	## </param>
9eb5e812	284	#
199895e2	285	interface(`modutils_exec_depmod',`
139520a2	286	gen_require(`
12ae7557	287	type depmod_exec_t;
139520a2	288	')
0c73cd25	289
8021cb4f	290	corecmd_search_bin($1)
80048ca5	291	can_exec($1, depmod_exec_t)
9eb5e812 CP	292	')
9eb5e812 CP	293
9eb5e812	294	########################################
f7ebea06	295	## <summary>
414e4151	296	## Execute depmod in the depmod domain.
f7ebea06	297	## </summary>
414e4151	298	## <param name="domain">
885b83ec	299	## <summary>
a0546c9d	300	## Domain allowed to transition.
885b83ec	301	## </summary>
414e4151	302	## </param>
9eb5e812	303	#
199895e2	304	interface(`modutils_domtrans_update_mods',`
139520a2 CP	305	gen_require(`
139520a2 CP	306	type update_modules_t, update_modules_exec_t;
139520a2 CP	307	')
139520a2 CP	308
8021cb4f	309	corecmd_search_bin($1)
c0868a7a	310	domtrans_pattern($1, update_modules_exec_t, update_modules_t)
9eb5e812 CP	311	')
9eb5e812 CP	312
daa0e0b0	313	########################################
f7ebea06	314	## <summary>
414e4151	315	## Execute update_modules in the update_modules domain.
f7ebea06	316	## </summary>
414e4151	317	## <param name="domain">
885b83ec	318	## <summary>
a0546c9d	319	## Domain allowed to transition.
885b83ec	320	## </summary>
414e4151 CP	321	## </param>
414e4151 CP	322	## <param name="role">
885b83ec	323	## <summary>
a7ee7f81	324	## Role allowed access.
885b83ec	325	## </summary>
414e4151	326	## </param>
bbcd3c97	327	## <rolecap/>
daa0e0b0	328	#
199895e2	329	interface(`modutils_run_update_mods',`
139520a2 CP	330	gen_require(`
139520a2 CP	331	type update_modules_t;
139520a2	332	')
0c73cd25	333
c9428d33	334	modutils_domtrans_update_mods($1)
0c73cd25	335	role $2 types update_modules_t;
36095d11	336
296273a7	337	modutils_run_insmod(update_modules_t, $2)
daa0e0b0 CP	338	')
daa0e0b0 CP	339
9eb5e812	340	########################################
ac9db9b5 CP	341	## <summary>
	342	## Execute update_modules in the caller domain.
	343	## </summary>
	344	## <param name="domain">
	345	## <summary>
	346	## Domain allowed access.
	347	## </summary>
	348	## </param>
9eb5e812	349	#
199895e2	350	interface(`modutils_exec_update_mods',`
139520a2	351	gen_require(`
12ae7557	352	type update_modules_exec_t;
139520a2	353	')
0c73cd25	354
8021cb4f	355	corecmd_search_bin($1)
80048ca5	356	can_exec($1, update_modules_exec_t)
9eb5e812	357	')