Module version bump for c17ad38 5271920 2a2b6a7 01c4413 c4fbfae a831710
# SELinux policy module for the consoletype helper; declares module name and version.
1 policy_module(consoletype, 1.9.1)
2
3 ########################################
4 #
5 # Declarations
6 #
7
# consoletype_t is the process domain, consoletype_exec_t labels the executable file.
8 type consoletype_t;
9 type consoletype_exec_t;
# Marks the exec type as an application executable and sets up the domain as one
# started from init / init scripts (entry point is consoletype_exec_t).
# NOTE(review): init_domain and init_system_domain are both called with the same
# type pair, and the role statement below may repeat what init_system_domain
# already grants. Confirm against the init interface definitions before trimming.
10 application_executable_file(consoletype_exec_t)
11 init_domain(consoletype_t, consoletype_exec_t)
12 init_system_domain(consoletype_t, consoletype_exec_t)
# Authorizes consoletype_t to run under the system_r role.
13 role system_r types consoletype_t;
14
15 ########################################
16 #
17 # Local declarations
18 #
19
# Permissions the domain holds on itself (every target below is self, so none of
# these rules grants access to another domain).
#
# sys_tty_config covers privileged tty configuration; sys_admin is a very broad
# capability (CAP_SYS_ADMIN).
# NOTE(review): nothing on this page shows which operation needs sys_admin.
# Confirm it is required, otherwise drop it and keep only sys_tty_config.
20 allow consoletype_t self:capability { sys_admin sys_tty_config };
# The ~{ } form grants every process-class permission EXCEPT the listed ones.
# Excluded: ptrace, setting contexts (setcurrent setexec setfscreate), setrlimit
# and executable memory (execmem execstack execheap).
# Because this is a complement set, any permission later added to the process
# class is granted implicitly. An explicit allow list is easier to audit.
21 allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
# Self-directed descriptors and IPC: fds, FIFOs, unix sockets and SysV IPC
# (shm, sem, msgq, msg).
# NOTE(review): this looks like a generic self-permission set. The page does not
# show that consoletype uses sockets or SysV IPC - confirm before keeping.
22 allow consoletype_t self:fd use;
23 allow consoletype_t self:fifo_file rw_fifo_file_perms;
24 allow consoletype_t self:sock_file read_sock_file_perms;
25 allow consoletype_t self:unix_dgram_socket create_socket_perms;
26 allow consoletype_t self:unix_stream_socket create_stream_socket_perms;
27 allow consoletype_t self:unix_dgram_socket sendto;
28 allow consoletype_t self:unix_stream_socket connectto;
29 allow consoletype_t self:shm create_shm_perms;
30 allow consoletype_t self:sem create_sem_perms;
31 allow consoletype_t self:msgq create_msgq_perms;
32 allow consoletype_t self:msg { send receive };
33
# Unconditional interface calls granting consoletype_t access outside its own domain.
#
# Use descriptors inherited from the kernel. The dontaudit call grants nothing:
# reads of kernel system state stay denied, the denial is just not logged.
34 kernel_use_fds(consoletype_t)
35 kernel_dontaudit_read_system_state(consoletype_t)
36
# Filesystem access.
# NOTE(review): write access to NFS files is unusual for a console probe.
# Presumably it covers output redirected to a file on NFS - confirm.
37 fs_getattr_all_fs(consoletype_t)
38 fs_search_auto_mountpoints(consoletype_t)
39 fs_write_nfs_files(consoletype_t)
40 fs_list_inotifyfs(consoletype_t)
41
# MLS overrides: by interface name these exempt the domain from MLS level checks
# on file read and file write, i.e. it is trusted across sensitivity levels.
# NOTE(review): together with term_use_all_terms below this deserves an explicit
# justification on MLS systems.
42 mls_file_read_all_levels(consoletype_t)
43 mls_file_write_all_levels(consoletype_t)
44
# Use all terminal devices (by interface name, every tty and pty type).
45 term_use_all_terms(consoletype_t)
46
# Descriptors, ptys and pipes inherited from init and from init scripts.
47 init_use_fds(consoletype_t)
48 init_use_script_ptys(consoletype_t)
49 init_use_script_fds(consoletype_t)
50 init_rw_script_pipes(consoletype_t)
51
# Descriptors inherited from interactive sessions.
52 domain_use_interactive_fds(consoletype_t)
53
# Reads of files in / stay denied and unlogged; listing /usr is allowed.
54 files_dontaudit_read_root_files(consoletype_t)
55 files_list_usr(consoletype_t)
56
# Use the terminals of user domains.
57 userdom_use_user_terminals(consoletype_t)
58
# Only compiled in when the policy is built with distro_redhat defined:
# read/write character device files on tmpfs.
59 ifdef(`distro_redhat',`
60 fs_rw_tmpfs_chr_files(consoletype_t)
61 ')
62
# Each optional_policy block below only takes effect when the module providing
# the called interfaces is part of the built policy.
#
# apm: inherited descriptors and writes to its pipes.
63 optional_policy(`
64 apm_use_fds(consoletype_t)
65 apm_write_pipes(consoletype_t)
66 ')
67
# auth: read the PAM pid file(s), by interface name.
68 optional_policy(`
69 auth_read_pam_pid(consoletype_t)
70 ')
71
# cron: read its pipes and use descriptors of system cron jobs.
72 optional_policy(`
73 cron_read_pipes(consoletype_t)
74 cron_use_system_job_fds(consoletype_t)
75 ')
76
# firstboot: inherited descriptors and read/write on its pipes.
# NOTE(review): files_read_etc_files is not a firstboot interface. Placed in this
# block it is only granted when the firstboot module is present. Presumably
# intentional - confirm, or move it out if /etc reads are always needed.
77 optional_policy(`
78 files_read_etc_files(consoletype_t)
79 firstboot_use_fds(consoletype_t)
80 firstboot_rw_pipes(consoletype_t)
81 ')
82
# dontaudit-only blocks for hal, hotplug and logrotate. Nothing is allowed here:
# the listed accesses (by interface name mostly inherited descriptors, pipes,
# sockets and a log file) remain denied and the denials are not logged.
# When debugging a failure in this domain, rebuild the policy with dontaudit
# rules disabled (semodule -DB) so these hidden denials reach the audit log.
83 optional_policy(`
84 hal_dontaudit_use_fds(consoletype_t)
85 hal_dontaudit_rw_pipes(consoletype_t)
86 hal_dontaudit_rw_dgram_sockets(consoletype_t)
87 hal_dontaudit_write_log(consoletype_t)
88 ')
89
90 optional_policy(`
91 hotplug_dontaudit_use_fds(consoletype_t)
92 ')
93
94 optional_policy(`
95 logrotate_dontaudit_use_fds(consoletype_t)
96 ')
97
# lpd: read the printer daemon configuration.
# NOTE(review): the page does not show why a console probe reads lpd config;
# presumably it is invoked from a printing init script - confirm.
98 optional_policy(`
99 lpd_read_config(consoletype_t)
100 ')
101
# nis: allow name service lookups through ypbind (by interface name this adds
# network access for the domain when NIS is in use).
102 optional_policy(`
103 nis_use_ypbind(consoletype_t)
104 ')
105
# rpm: read pipes owned by rpm, needed when package scripts call consoletype.
106 optional_policy(`
107 # Commonly used from postinst scripts
108 rpm_read_pipes(consoletype_t)
109 ')
110
# userdom: use descriptors inherited from unprivileged user domains.
111 optional_policy(`
112 userdom_use_unpriv_users_fds(consoletype_t)
113 ')
114
# xen: read and write kernel Xen state and append to the Xen log. The two
# dontaudit calls grant nothing, they only silence denials on Xen sockets and
# descriptors.
# NOTE(review): write access to kernel Xen state is a notable grant for this
# helper; the page gives no reason for it - confirm it is still needed.
115 optional_policy(`
116 kernel_read_xen_state(consoletype_t)
117 kernel_write_xen_state(consoletype_t)
118 xen_append_log(consoletype_t)
119 xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
120 xen_dontaudit_use_fds(consoletype_t)
121 ')
121 ')