]>
Commit | Line | Data |
---|---|---|
162a57e5 | 1 | ## <summary>Policy for kernel module utilities</summary> |
e181fe05 | 2 | |
b4cd1533 | 3 | ######################################## |
f7ebea06 | 4 | ## <summary> |
414e4151 | 5 | ## Read the dependencies of kernel modules. |
f7ebea06 | 6 | ## </summary> |
414e4151 | 7 | ## <param name="domain"> |
885b83ec | 8 | ## <summary> |
ac9db9b5 | 9 | ## Domain allowed access. |
885b83ec | 10 | ## </summary> |
414e4151 | 11 | ## </param> |
b4cd1533 | 12 | # |
1815bad1 | 13 | interface(`modutils_read_module_deps',` |
139520a2 CP |
14 | gen_require(` |
15 | type modules_dep_t; | |
139520a2 | 16 | ') |
0c73cd25 | 17 | |
1c1ac67f | 18 | files_list_kernel_modules($1) |
80048ca5 | 19 | allow $1 modules_dep_t:file r_file_perms; |
b4cd1533 CP |
20 | ') |
21 | ||
b4cd1533 | 22 | ######################################## |
f7ebea06 | 23 | ## <summary> |
414e4151 CP |
24 | ## Read the configuration options used when |
25 | ## loading modules. | |
f7ebea06 | 26 | ## </summary> |
414e4151 | 27 | ## <param name="domain"> |
885b83ec | 28 | ## <summary> |
ac9db9b5 | 29 | ## Domain allowed access. |
885b83ec | 30 | ## </summary> |
414e4151 | 31 | ## </param> |
bbcd3c97 | 32 | ## <rolecap/> |
b4cd1533 | 33 | # |
1815bad1 | 34 | interface(`modutils_read_module_config',` |
139520a2 CP |
35 | gen_require(` |
36 | type modules_conf_t; | |
139520a2 | 37 | ') |
b4cd1533 | 38 | |
139520a2 CP |
39 | # This file type can be in /etc or |
40 | # /lib(64)?/modules | |
41 | files_search_etc($1) | |
1c1ac67f | 42 | files_search_boot($1) |
0c73cd25 | 43 | |
725926c5 | 44 | allow $1 modules_conf_t:{ file lnk_file } r_file_perms; |
b4cd1533 CP |
45 | ') |
46 | ||
fe9d17fe CP |
47 | ######################################## |
48 | ## <summary> | |
49 | ## Rename a file with the configuration options used when | |
50 | ## loading modules. | |
51 | ## </summary> | |
52 | ## <param name="domain"> | |
885b83ec | 53 | ## <summary> |
ac9db9b5 | 54 | ## Domain allowed access. |
885b83ec | 55 | ## </summary> |
fe9d17fe CP |
56 | ## </param> |
57 | # | |
1815bad1 | 58 | interface(`modutils_rename_module_config',` |
fe9d17fe CP |
59 | gen_require(` |
60 | type modules_conf_t; | |
61 | ') | |
62 | ||
63 | allow $1 modules_conf_t:file rename; | |
64 | ') | |
65 | ||
b4cd1533 | 66 | ######################################## |
f7ebea06 | 67 | ## <summary> |
8967bf8b | 68 | ## Unconditionally execute insmod in the insmod domain. |
f7ebea06 | 69 | ## </summary> |
414e4151 | 70 | ## <param name="domain"> |
885b83ec | 71 | ## <summary> |
ac9db9b5 | 72 | ## Domain allowed access. |
885b83ec | 73 | ## </summary> |
414e4151 | 74 | ## </param> |
b4cd1533 | 75 | # |
8967bf8b CP |
76 | # cjp: this is added for pppd, due to nested |
77 | # conditionals not working. | |
78 | interface(`modutils_domtrans_insmod_uncond',` | |
139520a2 CP |
79 | gen_require(` |
80 | type insmod_t, insmod_exec_t; | |
139520a2 CP |
81 | ') |
82 | ||
83 | corecmd_search_sbin($1) | |
80048ca5 | 84 | domain_auto_trans($1, insmod_exec_t, insmod_t) |
0c73cd25 CP |
85 | |
86 | allow $1 insmod_t:fd use; | |
87 | allow insmod_t $1:fd use; | |
88 | allow insmod_t $1:fifo_file rw_file_perms; | |
89 | allow insmod_t $1:process sigchld; | |
b4cd1533 CP |
90 | ') |
91 | ||
8967bf8b CP |
92 | ######################################## |
93 | ## <summary> | |
94 | ## Execute insmod in the insmod domain. | |
95 | ## </summary> | |
96 | ## <param name="domain"> | |
885b83ec | 97 | ## <summary> |
ac9db9b5 | 98 | ## Domain allowed access. |
885b83ec | 99 | ## </summary> |
8967bf8b CP |
100 | ## </param> |
101 | # | |
102 | interface(`modutils_domtrans_insmod',` | |
103 | gen_require(` | |
104 | bool secure_mode_insmod; | |
105 | ') | |
106 | ||
107 | if (!secure_mode_insmod) { | |
108 | modutils_domtrans_insmod_uncond($1) | |
109 | } | |
110 | ') | |
111 | ||
daa0e0b0 | 112 | ######################################## |
f7ebea06 | 113 | ## <summary> |
414e4151 CP |
114 | ## Execute insmod in the insmod domain, and |
115 | ## allow the specified role the insmod domain, | |
116 | ## and use the caller's terminal. Has a sigchld | |
117 | ## backchannel. | |
f7ebea06 | 118 | ## </summary> |
414e4151 | 119 | ## <param name="domain"> |
885b83ec | 120 | ## <summary> |
ac9db9b5 | 121 | ## Domain allowed access. |
885b83ec | 122 | ## </summary> |
414e4151 CP |
123 | ## </param> |
124 | ## <param name="role"> | |
885b83ec | 125 | ## <summary> |
414e4151 | 126 | ## The role to be allowed the insmod domain. |
885b83ec | 127 | ## </summary> |
414e4151 CP |
128 | ## </param> |
129 | ## <param name="terminal"> | |
885b83ec | 130 | ## <summary> |
414e4151 | 131 | ## The type of the terminal allow the insmod domain to use. |
885b83ec | 132 | ## </summary> |
414e4151 | 133 | ## </param> |
bbcd3c97 | 134 | ## <rolecap/> |
daa0e0b0 | 135 | # |
199895e2 | 136 | interface(`modutils_run_insmod',` |
139520a2 CP |
137 | gen_require(` |
138 | type insmod_t; | |
139520a2 | 139 | ') |
0c73cd25 | 140 | |
c9428d33 | 141 | modutils_domtrans_insmod($1) |
0c73cd25 | 142 | role $2 types insmod_t; |
139520a2 | 143 | allow insmod_t $3:chr_file rw_term_perms; |
daa0e0b0 CP |
144 | ') |
145 | ||
b4cd1533 | 146 | ######################################## |
ac9db9b5 CP |
147 | ## <summary> |
148 | ## Execute insmod in the caller domain. | |
149 | ## </summary> | |
150 | ## <param name="domain"> | |
151 | ## <summary> | |
152 | ## Domain allowed access. | |
153 | ## </summary> | |
154 | ## </param> | |
b4cd1533 | 155 | # |
199895e2 | 156 | interface(`modutils_exec_insmod',` |
139520a2 | 157 | gen_require(` |
71fe0fa4 | 158 | type insmod_exec_t; |
139520a2 | 159 | ') |
0c73cd25 | 160 | |
139520a2 | 161 | corecmd_search_sbin($1) |
80048ca5 | 162 | can_exec($1, insmod_exec_t) |
b4cd1533 CP |
163 | ') |
164 | ||
9eb5e812 | 165 | ######################################## |
f7ebea06 | 166 | ## <summary> |
414e4151 | 167 | ## Execute depmod in the depmod domain. |
f7ebea06 | 168 | ## </summary> |
414e4151 | 169 | ## <param name="domain"> |
885b83ec | 170 | ## <summary> |
ac9db9b5 | 171 | ## Domain allowed access. |
885b83ec | 172 | ## </summary> |
414e4151 | 173 | ## </param> |
9eb5e812 | 174 | # |
199895e2 | 175 | interface(`modutils_domtrans_depmod',` |
139520a2 CP |
176 | gen_require(` |
177 | type depmod_t, depmod_exec_t; | |
139520a2 CP |
178 | ') |
179 | ||
180 | corecmd_search_sbin($1) | |
80048ca5 | 181 | domain_auto_trans($1, depmod_exec_t, depmod_t) |
0c73cd25 CP |
182 | |
183 | allow $1 depmod_t:fd use; | |
184 | allow depmod_t $1:fd use; | |
185 | allow depmod_t $1:fifo_file rw_file_perms; | |
186 | allow depmod_t $1:process sigchld; | |
9eb5e812 CP |
187 | ') |
188 | ||
daa0e0b0 | 189 | ######################################## |
f7ebea06 | 190 | ## <summary> |
414e4151 | 191 | ## Execute depmod in the depmod domain. |
f7ebea06 | 192 | ## </summary> |
414e4151 | 193 | ## <param name="domain"> |
885b83ec | 194 | ## <summary> |
ac9db9b5 | 195 | ## Domain allowed access. |
885b83ec | 196 | ## </summary> |
414e4151 CP |
197 | ## </param> |
198 | ## <param name="role"> | |
885b83ec | 199 | ## <summary> |
414e4151 | 200 | ## The role to be allowed the depmod domain. |
885b83ec | 201 | ## </summary> |
414e4151 CP |
202 | ## </param> |
203 | ## <param name="terminal"> | |
885b83ec | 204 | ## <summary> |
414e4151 | 205 | ## The type of the terminal allow the depmod domain to use. |
885b83ec | 206 | ## </summary> |
414e4151 | 207 | ## </param> |
bbcd3c97 | 208 | ## <rolecap/> |
daa0e0b0 | 209 | # |
199895e2 | 210 | interface(`modutils_run_depmod',` |
139520a2 CP |
211 | gen_require(` |
212 | type depmod_t; | |
139520a2 | 213 | ') |
0c73cd25 | 214 | |
c9428d33 | 215 | modutils_domtrans_depmod($1) |
46c69cb2 | 216 | role $2 types depmod_t; |
139520a2 | 217 | allow insmod_t $3:chr_file rw_term_perms; |
daa0e0b0 CP |
218 | ') |
219 | ||
9eb5e812 | 220 | ######################################## |
ac9db9b5 CP |
221 | ## <summary> |
222 | ## Execute depmod in the caller domain. | |
223 | ## </summary> | |
224 | ## <param name="domain"> | |
225 | ## <summary> | |
226 | ## Domain allowed access. | |
227 | ## </summary> | |
228 | ## </param> | |
9eb5e812 | 229 | # |
199895e2 | 230 | interface(`modutils_exec_depmod',` |
139520a2 | 231 | gen_require(` |
12ae7557 | 232 | type depmod_exec_t; |
139520a2 | 233 | ') |
0c73cd25 | 234 | |
139520a2 | 235 | corecmd_search_sbin($1) |
80048ca5 | 236 | can_exec($1, depmod_exec_t) |
9eb5e812 CP |
237 | ') |
238 | ||
9eb5e812 | 239 | ######################################## |
f7ebea06 | 240 | ## <summary> |
414e4151 | 241 | ## Execute depmod in the depmod domain. |
f7ebea06 | 242 | ## </summary> |
414e4151 | 243 | ## <param name="domain"> |
885b83ec | 244 | ## <summary> |
ac9db9b5 | 245 | ## Domain allowed access. |
885b83ec | 246 | ## </summary> |
414e4151 | 247 | ## </param> |
9eb5e812 | 248 | # |
199895e2 | 249 | interface(`modutils_domtrans_update_mods',` |
139520a2 CP |
250 | gen_require(` |
251 | type update_modules_t, update_modules_exec_t; | |
139520a2 CP |
252 | ') |
253 | ||
254 | corecmd_search_sbin($1) | |
80048ca5 | 255 | domain_auto_trans($1, update_modules_exec_t, update_modules_t) |
0c73cd25 CP |
256 | |
257 | allow $1 update_modules_t:fd use; | |
258 | allow update_modules_t $1:fd use; | |
259 | allow update_modules_t $1:fifo_file rw_file_perms; | |
260 | allow update_modules_t $1:process sigchld; | |
9eb5e812 CP |
261 | ') |
262 | ||
daa0e0b0 | 263 | ######################################## |
f7ebea06 | 264 | ## <summary> |
414e4151 | 265 | ## Execute update_modules in the update_modules domain. |
f7ebea06 | 266 | ## </summary> |
414e4151 | 267 | ## <param name="domain"> |
885b83ec | 268 | ## <summary> |
ac9db9b5 | 269 | ## Domain allowed access. |
885b83ec | 270 | ## </summary> |
414e4151 CP |
271 | ## </param> |
272 | ## <param name="role"> | |
885b83ec | 273 | ## <summary> |
414e4151 | 274 | ## The role to be allowed the update_modules domain. |
885b83ec | 275 | ## </summary> |
414e4151 CP |
276 | ## </param> |
277 | ## <param name="terminal"> | |
885b83ec | 278 | ## <summary> |
414e4151 | 279 | ## The type of the terminal allow the update_modules domain to use. |
885b83ec | 280 | ## </summary> |
414e4151 | 281 | ## </param> |
bbcd3c97 | 282 | ## <rolecap/> |
daa0e0b0 | 283 | # |
199895e2 | 284 | interface(`modutils_run_update_mods',` |
139520a2 CP |
285 | gen_require(` |
286 | type update_modules_t; | |
139520a2 | 287 | ') |
0c73cd25 | 288 | |
c9428d33 | 289 | modutils_domtrans_update_mods($1) |
0c73cd25 | 290 | role $2 types update_modules_t; |
139520a2 | 291 | allow update_modules_t $3:chr_file rw_term_perms; |
daa0e0b0 CP |
292 | ') |
293 | ||
9eb5e812 | 294 | ######################################## |
ac9db9b5 CP |
295 | ## <summary> |
296 | ## Execute update_modules in the caller domain. | |
297 | ## </summary> | |
298 | ## <param name="domain"> | |
299 | ## <summary> | |
300 | ## Domain allowed access. | |
301 | ## </summary> | |
302 | ## </param> | |
9eb5e812 | 303 | # |
199895e2 | 304 | interface(`modutils_exec_update_mods',` |
139520a2 | 305 | gen_require(` |
12ae7557 | 306 | type update_modules_exec_t; |
139520a2 | 307 | ') |
0c73cd25 | 308 | |
139520a2 | 309 | corecmd_search_sbin($1) |
80048ca5 | 310 | can_exec($1, update_modules_exec_t) |
9eb5e812 | 311 | ') |