[people/stevee/selinux-policy.git] / policy / modules / system / modutils.if

## <summary>Policy for kernel module utilities</summary>

########################################
## <summary>
##	Read the dependencies of kernel modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_read_module_deps',`
	gen_require(`
		type modules_dep_t;
	')

	files_list_kernel_modules($1)
	allow $1 modules_dep_t:file r_file_perms;
')

########################################
## <summary>
##	Read the configuration options used when
##	loading modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`modutils_read_module_config',`
	gen_require(`
		type modules_conf_t;
	')

	# This file type can be in /etc or
	# /lib(64)?/modules
	files_search_etc($1)
	files_search_boot($1)

	allow $1 modules_conf_t:{ file lnk_file } r_file_perms;
')

########################################
## <summary>
##	Rename a file with the configuration options used when
##	loading modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_rename_module_config',`
	gen_require(`
		type modules_conf_t;
	')

	allow $1 modules_conf_t:file rename;
')

########################################
## <summary>
##	Unconditionally execute insmod in the insmod domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: this is added for pppd, due to nested
# conditionals not working.
interface(`modutils_domtrans_insmod_uncond',`
	gen_require(`
		type insmod_t, insmod_exec_t;
	')

	corecmd_search_sbin($1)
	domain_auto_trans($1, insmod_exec_t, insmod_t)

	allow $1 insmod_t:fd use;
	allow insmod_t $1:fd use;
	allow insmod_t $1:fifo_file rw_file_perms;
	allow insmod_t $1:process sigchld;
')

########################################
## <summary>
##	Execute insmod in the insmod domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_domtrans_insmod',`
	gen_require(`
		bool secure_mode_insmod;
	')

	if (!secure_mode_insmod) {
		modutils_domtrans_insmod_uncond($1)
	}
')

########################################
## <summary>
##	Execute insmod in the insmod domain, and
##	allow the specified role the insmod domain,
##	and use the caller's terminal.  Has a sigchld
##	backchannel.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the insmod domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the insmod domain to use.
##	</summary>
## </param>
## <rolecap/>
#
interface(`modutils_run_insmod',`
	gen_require(`
		type insmod_t;
	')

	modutils_domtrans_insmod($1)
	role $2 types insmod_t;
	allow insmod_t $3:chr_file rw_term_perms;
')

########################################
## <summary>
##	Execute insmod in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_exec_insmod',`
	gen_require(`
		type insmod_exec_t;
	')

	corecmd_search_sbin($1)
	can_exec($1, insmod_exec_t)
')

########################################
## <summary>
##	Execute depmod in the depmod domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_domtrans_depmod',`
	gen_require(`
		type depmod_t, depmod_exec_t;
	')

	corecmd_search_sbin($1)
	domain_auto_trans($1, depmod_exec_t, depmod_t)

	allow $1 depmod_t:fd use;
	allow depmod_t $1:fd use;
	allow depmod_t $1:fifo_file rw_file_perms;
	allow depmod_t $1:process sigchld;
')

########################################
## <summary>
##	Execute depmod in the depmod domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the depmod domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the depmod domain to use.
##	</summary>
## </param>
## <rolecap/>
#
interface(`modutils_run_depmod',`
	gen_require(`
		type depmod_t;
	')

	modutils_domtrans_depmod($1)
	role $2 types depmod_t;
	allow insmod_t $3:chr_file rw_term_perms;
')

########################################
## <summary>
##	Execute depmod in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_exec_depmod',`
	gen_require(`
		type depmod_exec_t;
	')

	corecmd_search_sbin($1)
	can_exec($1, depmod_exec_t)
')

########################################
## <summary>
##	Execute depmod in the depmod domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_domtrans_update_mods',`
	gen_require(`
		type update_modules_t, update_modules_exec_t;
	')

	corecmd_search_sbin($1)
	domain_auto_trans($1, update_modules_exec_t, update_modules_t)

	allow $1 update_modules_t:fd use;
	allow update_modules_t $1:fd use;
	allow update_modules_t $1:fifo_file rw_file_perms;
	allow update_modules_t $1:process sigchld;
')

########################################
## <summary>
##	Execute update_modules in the update_modules domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the update_modules domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the update_modules domain to use.
##	</summary>
## </param>
## <rolecap/>
#
interface(`modutils_run_update_mods',`
	gen_require(`
		type update_modules_t;
	')

	modutils_domtrans_update_mods($1)
	role $2 types update_modules_t;
	allow update_modules_t $3:chr_file rw_term_perms;
')

########################################
## <summary>
##	Execute update_modules in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_exec_update_mods',`
	gen_require(`
		type update_modules_exec_t;
	')

	corecmd_search_sbin($1)
	can_exec($1, update_modules_exec_t)
')
Commit	Line	Data
162a57e5	1	## <summary>Policy for kernel module utilities</summary>
e181fe05	2
b4cd1533	3	########################################
f7ebea06	4	## <summary>
414e4151	5	## Read the dependencies of kernel modules.
f7ebea06	6	## </summary>
414e4151	7	## <param name="domain">
885b83ec	8	## <summary>
ac9db9b5	9	## Domain allowed access.
885b83ec	10	## </summary>
414e4151	11	## </param>
b4cd1533	12	#
1815bad1	13	interface(`modutils_read_module_deps',`
139520a2 CP	14	gen_require(`
139520a2 CP	15	type modules_dep_t;
139520a2	16	')
0c73cd25	17
1c1ac67f	18	files_list_kernel_modules($1)
80048ca5	19	allow $1 modules_dep_t:file r_file_perms;
b4cd1533 CP	20	')
b4cd1533 CP	21
b4cd1533	22	########################################
f7ebea06	23	## <summary>
414e4151 CP	24	## Read the configuration options used when
414e4151 CP	25	## loading modules.
f7ebea06	26	## </summary>
414e4151	27	## <param name="domain">
885b83ec	28	## <summary>
ac9db9b5	29	## Domain allowed access.
885b83ec	30	## </summary>
414e4151	31	## </param>
bbcd3c97	32	## <rolecap/>
b4cd1533	33	#
1815bad1	34	interface(`modutils_read_module_config',`
139520a2 CP	35	gen_require(`
139520a2 CP	36	type modules_conf_t;
139520a2	37	')
b4cd1533	38
139520a2 CP	39	# This file type can be in /etc or
	40	# /lib(64)?/modules
	41	files_search_etc($1)
1c1ac67f	42	files_search_boot($1)
0c73cd25	43
725926c5	44	allow $1 modules_conf_t:{ file lnk_file } r_file_perms;
b4cd1533 CP	45	')
b4cd1533 CP	46
fe9d17fe CP	47	########################################
	48	## <summary>
	49	## Rename a file with the configuration options used when
	50	## loading modules.
	51	## </summary>
	52	## <param name="domain">
885b83ec	53	## <summary>
ac9db9b5	54	## Domain allowed access.
885b83ec	55	## </summary>
fe9d17fe CP	56	## </param>
fe9d17fe CP	57	#
1815bad1	58	interface(`modutils_rename_module_config',`
fe9d17fe CP	59	gen_require(`
	60	type modules_conf_t;
	61	')
	62
	63	allow $1 modules_conf_t:file rename;
	64	')
	65
b4cd1533	66	########################################
f7ebea06	67	## <summary>
8967bf8b	68	## Unconditionally execute insmod in the insmod domain.
f7ebea06	69	## </summary>
414e4151	70	## <param name="domain">
885b83ec	71	## <summary>
ac9db9b5	72	## Domain allowed access.
885b83ec	73	## </summary>
414e4151	74	## </param>
b4cd1533	75	#
8967bf8b CP	76	# cjp: this is added for pppd, due to nested
	77	# conditionals not working.
	78	interface(`modutils_domtrans_insmod_uncond',`
139520a2 CP	79	gen_require(`
139520a2 CP	80	type insmod_t, insmod_exec_t;
139520a2 CP	81	')
	82
	83	corecmd_search_sbin($1)
80048ca5	84	domain_auto_trans($1, insmod_exec_t, insmod_t)
0c73cd25 CP	85
	86	allow $1 insmod_t:fd use;
	87	allow insmod_t $1:fd use;
	88	allow insmod_t $1:fifo_file rw_file_perms;
	89	allow insmod_t $1:process sigchld;
b4cd1533 CP	90	')
b4cd1533 CP	91
8967bf8b CP	92	########################################
	93	## <summary>
	94	## Execute insmod in the insmod domain.
	95	## </summary>
	96	## <param name="domain">
885b83ec	97	## <summary>
ac9db9b5	98	## Domain allowed access.
885b83ec	99	## </summary>
8967bf8b CP	100	## </param>
	101	#
	102	interface(`modutils_domtrans_insmod',`
	103	gen_require(`
	104	bool secure_mode_insmod;
	105	')
	106
	107	if (!secure_mode_insmod) {
	108	modutils_domtrans_insmod_uncond($1)
	109	}
	110	')
	111
daa0e0b0	112	########################################
f7ebea06	113	## <summary>
414e4151 CP	114	## Execute insmod in the insmod domain, and
	115	## allow the specified role the insmod domain,
	116	## and use the caller's terminal. Has a sigchld
	117	## backchannel.
f7ebea06	118	## </summary>
414e4151	119	## <param name="domain">
885b83ec	120	## <summary>
ac9db9b5	121	## Domain allowed access.
885b83ec	122	## </summary>
414e4151 CP	123	## </param>
414e4151 CP	124	## <param name="role">
885b83ec	125	## <summary>
414e4151	126	## The role to be allowed the insmod domain.
885b83ec	127	## </summary>
414e4151 CP	128	## </param>
414e4151 CP	129	## <param name="terminal">
885b83ec	130	## <summary>
414e4151	131	## The type of the terminal allow the insmod domain to use.
885b83ec	132	## </summary>
414e4151	133	## </param>
bbcd3c97	134	## <rolecap/>
daa0e0b0	135	#
199895e2	136	interface(`modutils_run_insmod',`
139520a2 CP	137	gen_require(`
139520a2 CP	138	type insmod_t;
139520a2	139	')
0c73cd25	140
c9428d33	141	modutils_domtrans_insmod($1)
0c73cd25	142	role $2 types insmod_t;
139520a2	143	allow insmod_t $3:chr_file rw_term_perms;
daa0e0b0 CP	144	')
daa0e0b0 CP	145
b4cd1533	146	########################################
ac9db9b5 CP	147	## <summary>
	148	## Execute insmod in the caller domain.
	149	## </summary>
	150	## <param name="domain">
	151	## <summary>
	152	## Domain allowed access.
	153	## </summary>
	154	## </param>
b4cd1533	155	#
199895e2	156	interface(`modutils_exec_insmod',`
139520a2	157	gen_require(`
71fe0fa4	158	type insmod_exec_t;
139520a2	159	')
0c73cd25	160
139520a2	161	corecmd_search_sbin($1)
80048ca5	162	can_exec($1, insmod_exec_t)
b4cd1533 CP	163	')
b4cd1533 CP	164
9eb5e812	165	########################################
f7ebea06	166	## <summary>
414e4151	167	## Execute depmod in the depmod domain.
f7ebea06	168	## </summary>
414e4151	169	## <param name="domain">
885b83ec	170	## <summary>
ac9db9b5	171	## Domain allowed access.
885b83ec	172	## </summary>
414e4151	173	## </param>
9eb5e812	174	#
199895e2	175	interface(`modutils_domtrans_depmod',`
139520a2 CP	176	gen_require(`
139520a2 CP	177	type depmod_t, depmod_exec_t;
139520a2 CP	178	')
	179
	180	corecmd_search_sbin($1)
80048ca5	181	domain_auto_trans($1, depmod_exec_t, depmod_t)
0c73cd25 CP	182
	183	allow $1 depmod_t:fd use;
	184	allow depmod_t $1:fd use;
	185	allow depmod_t $1:fifo_file rw_file_perms;
	186	allow depmod_t $1:process sigchld;
9eb5e812 CP	187	')
9eb5e812 CP	188
daa0e0b0	189	########################################
f7ebea06	190	## <summary>
414e4151	191	## Execute depmod in the depmod domain.
f7ebea06	192	## </summary>
414e4151	193	## <param name="domain">
885b83ec	194	## <summary>
ac9db9b5	195	## Domain allowed access.
885b83ec	196	## </summary>
414e4151 CP	197	## </param>
414e4151 CP	198	## <param name="role">
885b83ec	199	## <summary>
414e4151	200	## The role to be allowed the depmod domain.
885b83ec	201	## </summary>
414e4151 CP	202	## </param>
414e4151 CP	203	## <param name="terminal">
885b83ec	204	## <summary>
414e4151	205	## The type of the terminal allow the depmod domain to use.
885b83ec	206	## </summary>
414e4151	207	## </param>
bbcd3c97	208	## <rolecap/>
daa0e0b0	209	#
199895e2	210	interface(`modutils_run_depmod',`
139520a2 CP	211	gen_require(`
139520a2 CP	212	type depmod_t;
139520a2	213	')
0c73cd25	214
c9428d33	215	modutils_domtrans_depmod($1)
46c69cb2	216	role $2 types depmod_t;
139520a2	217	allow insmod_t $3:chr_file rw_term_perms;
daa0e0b0 CP	218	')
daa0e0b0 CP	219
9eb5e812	220	########################################
ac9db9b5 CP	221	## <summary>
	222	## Execute depmod in the caller domain.
	223	## </summary>
	224	## <param name="domain">
	225	## <summary>
	226	## Domain allowed access.
	227	## </summary>
	228	## </param>
9eb5e812	229	#
199895e2	230	interface(`modutils_exec_depmod',`
139520a2	231	gen_require(`
12ae7557	232	type depmod_exec_t;
139520a2	233	')
0c73cd25	234
139520a2	235	corecmd_search_sbin($1)
80048ca5	236	can_exec($1, depmod_exec_t)
9eb5e812 CP	237	')
9eb5e812 CP	238
9eb5e812	239	########################################
f7ebea06	240	## <summary>
414e4151	241	## Execute depmod in the depmod domain.
f7ebea06	242	## </summary>
414e4151	243	## <param name="domain">
885b83ec	244	## <summary>
ac9db9b5	245	## Domain allowed access.
885b83ec	246	## </summary>
414e4151	247	## </param>
9eb5e812	248	#
199895e2	249	interface(`modutils_domtrans_update_mods',`
139520a2 CP	250	gen_require(`
139520a2 CP	251	type update_modules_t, update_modules_exec_t;
139520a2 CP	252	')
	253
	254	corecmd_search_sbin($1)
80048ca5	255	domain_auto_trans($1, update_modules_exec_t, update_modules_t)
0c73cd25 CP	256
	257	allow $1 update_modules_t:fd use;
	258	allow update_modules_t $1:fd use;
	259	allow update_modules_t $1:fifo_file rw_file_perms;
	260	allow update_modules_t $1:process sigchld;
9eb5e812 CP	261	')
9eb5e812 CP	262
daa0e0b0	263	########################################
f7ebea06	264	## <summary>
414e4151	265	## Execute update_modules in the update_modules domain.
f7ebea06	266	## </summary>
414e4151	267	## <param name="domain">
885b83ec	268	## <summary>
ac9db9b5	269	## Domain allowed access.
885b83ec	270	## </summary>
414e4151 CP	271	## </param>
414e4151 CP	272	## <param name="role">
885b83ec	273	## <summary>
414e4151	274	## The role to be allowed the update_modules domain.
885b83ec	275	## </summary>
414e4151 CP	276	## </param>
414e4151 CP	277	## <param name="terminal">
885b83ec	278	## <summary>
414e4151	279	## The type of the terminal allow the update_modules domain to use.
885b83ec	280	## </summary>
414e4151	281	## </param>
bbcd3c97	282	## <rolecap/>
daa0e0b0	283	#
199895e2	284	interface(`modutils_run_update_mods',`
139520a2 CP	285	gen_require(`
139520a2 CP	286	type update_modules_t;
139520a2	287	')
0c73cd25	288
c9428d33	289	modutils_domtrans_update_mods($1)
0c73cd25	290	role $2 types update_modules_t;
139520a2	291	allow update_modules_t $3:chr_file rw_term_perms;
daa0e0b0 CP	292	')
daa0e0b0 CP	293
9eb5e812	294	########################################
ac9db9b5 CP	295	## <summary>
	296	## Execute update_modules in the caller domain.
	297	## </summary>
	298	## <param name="domain">
	299	## <summary>
	300	## Domain allowed access.
	301	## </summary>
	302	## </param>
9eb5e812	303	#
199895e2	304	interface(`modutils_exec_update_mods',`
139520a2	305	gen_require(`
12ae7557	306	type update_modules_exec_t;
139520a2	307	')
0c73cd25	308
139520a2	309	corecmd_search_sbin($1)
80048ca5	310	can_exec($1, update_modules_exec_t)
9eb5e812	311	')