policy/modules/services/hal.if

   1 ## <summary>Hardware abstraction layer</summary>
   2
   3 ########################################
   4 ## <summary>
   5 ##      Execute hal in the hal domain.
   6 ## </summary>
   7 ## <param name="domain">
   8 ##      <summary>
   9 ##      Domain allowed to transition.
  10 ##      </summary>
  11 ## </param>
  12 #
  13 interface(`hal_domtrans',`
  14         gen_require(`
  15                 type hald_t, hald_exec_t;
  16         ')
  17
  18         domtrans_pattern($1, hald_exec_t, hald_t)
  19 ')
  20
  21 ########################################
  22 ## <summary>
  23 ##      Get the attributes of a hal process.
  24 ## </summary>
  25 ## <param name="domain">
  26 ##      <summary>
  27 ##      Domain allowed access.
  28 ##      </summary>
  29 ## </param>
  30 #
  31 interface(`hal_getattr',`
  32         gen_require(`
  33                 type hald_t;
  34         ')
  35
  36         allow $1 hald_t:process getattr;
  37 ')
  38
  39 ########################################
  40 ## <summary>
  41 ##      Read hal system state
  42 ## </summary>
  43 ## <param name="domain">
  44 ##      <summary>
  45 ##      Domain allowed access.
  46 ##      </summary>
  47 ## </param>
  48 #
  49 interface(`hal_read_state',`
  50         gen_require(`
  51                 type hald_t;
  52         ')
  53
  54         ps_process_pattern($1, hald_t)
  55 ')
  56
  57 ########################################
  58 ## <summary>
  59 ##      Allow ptrace of hal domain
  60 ## </summary>
  61 ## <param name="domain">
  62 ##      <summary>
  63 ##      Domain allowed access.
  64 ##      </summary>
  65 ## </param>
  66 #
  67 interface(`hal_ptrace',`
  68         gen_require(`
  69                 type hald_t;
  70         ')
  71
  72         allow $1 hald_t:process ptrace;
  73 ')
  74
  75 ########################################
  76 ## <summary>
  77 ##      Allow domain to use file descriptors from hal.
  78 ## </summary>
  79 ## <param name="domain">
  80 ##      <summary>
  81 ##      Domain allowed access.
  82 ##      </summary>
  83 ## </param>
  84 #
  85 interface(`hal_use_fds',`
  86         gen_require(`
  87                 type hald_t;
  88         ')
  89
  90         allow $1 hald_t:fd use;
  91 ')
  92
  93 ########################################
  94 ## <summary>
  95 ##      Do not audit attempts to use file descriptors from hal.
  96 ## </summary>
  97 ## <param name="domain">
  98 ##      <summary>
  99 ##      Domain to not audit.
 100 ##      </summary>
 101 ## </param>
 102 #
 103 interface(`hal_dontaudit_use_fds',`
 104         gen_require(`
 105                 type hald_t;
 106         ')
 107
 108         dontaudit $1 hald_t:fd use;
 109 ')
 110
 111 ########################################
 112 ## <summary>
 113 ##      Allow attempts to read and write to
 114 ##      hald unnamed pipes.
 115 ## </summary>
 116 ## <param name="domain">
 117 ##      <summary>
 118 ##      Domain allowed access.
 119 ##      </summary>
 120 ## </param>
 121 #
 122 interface(`hal_rw_pipes',`
 123         gen_require(`
 124                 type hald_t;
 125         ')
 126
 127         allow $1 hald_t:fifo_file rw_fifo_file_perms;
 128 ')
 129
 130 ########################################
 131 ## <summary>
 132 ##      Do not audit attempts to read and write to
 133 ##      hald unnamed pipes.
 134 ## </summary>
 135 ## <param name="domain">
 136 ##      <summary>
 137 ##      Domain to not audit.
 138 ##      </summary>
 139 ## </param>
 140 #
 141 interface(`hal_dontaudit_rw_pipes',`
 142         gen_require(`
 143                 type hald_t;
 144         ')
 145
 146         dontaudit $1 hald_t:fifo_file rw_fifo_file_perms;
 147 ')
 148
 149 ########################################
 150 ## <summary>
 151 ##      Send to hal over a unix domain
 152 ##      datagram socket.
 153 ## </summary>
 154 ## <param name="domain">
 155 ##      <summary>
 156 ##      Domain allowed access.
 157 ##      </summary>
 158 ## </param>
 159 #
 160 interface(`hal_dgram_send',`
 161         gen_require(`
 162                 type hald_t;
 163         ')
 164
 165         allow $1 hald_t:unix_dgram_socket sendto;
 166 ')
 167
 168 ########################################
 169 ## <summary>
 170 ##      Send to hal over a unix domain
 171 ##      stream socket.
 172 ## </summary>
 173 ## <param name="domain">
 174 ##      <summary>
 175 ##      Domain allowed access.
 176 ##      </summary>
 177 ## </param>
 178 #
 179 interface(`hal_stream_connect',`
 180         gen_require(`
 181                 type hald_t;
 182         ')
 183
 184         allow $1 hald_t:unix_stream_socket connectto;
 185 ')
 186
 187 ########################################
 188 ## <summary>
 189 ##      Dontaudit read/write to a hal unix datagram socket.
 190 ## </summary>
 191 ## <param name="domain">
 192 ##      <summary>
 193 ##      Domain to not audit.
 194 ##      </summary>
 195 ## </param>
 196 #
 197 interface(`hal_dontaudit_rw_dgram_sockets',`
 198         gen_require(`
 199                 type hald_t;
 200         ')
 201
 202         dontaudit $1 hald_t:unix_dgram_socket { read write };
 203 ')
 204
 205 ########################################
 206 ## <summary>
 207 ##      Send a dbus message to hal.
 208 ## </summary>
 209 ## <param name="domain">
 210 ##      <summary>
 211 ##      Domain allowed access.
 212 ##      </summary>
 213 ## </param>
 214 #
 215 interface(`hal_dbus_send',`
 216         gen_require(`
 217                 type hald_t;
 218                 class dbus send_msg;
 219         ')
 220
 221         allow $1 hald_t:dbus send_msg;
 222 ')
 223
 224 ########################################
 225 ## <summary>
 226 ##      Send and receive messages from
 227 ##      hal over dbus.
 228 ## </summary>
 229 ## <param name="domain">
 230 ##      <summary>
 231 ##      Domain allowed access.
 232 ##      </summary>
 233 ## </param>
 234 #
 235 interface(`hal_dbus_chat',`
 236         gen_require(`
 237                 type hald_t;
 238                 class dbus send_msg;
 239         ')
 240
 241         allow $1 hald_t:dbus send_msg;
 242         allow hald_t $1:dbus send_msg;
 243 ')
 244
 245 ########################################
 246 ## <summary>
 247 ##      Execute hal mac in the hal mac domain.
 248 ## </summary>
 249 ## <param name="domain">
 250 ##      <summary>
 251 ##      Domain allowed to transition.
 252 ##      </summary>
 253 ## </param>
 254 #
 255 interface(`hal_domtrans_mac',`
 256         gen_require(`
 257                 type hald_mac_t, hald_mac_exec_t;
 258         ')
 259
 260         domtrans_pattern($1, hald_mac_exec_t, hald_mac_t)
 261 ')
 262
 263 ########################################
 264 ## <summary>
 265 ##      Allow attempts to write the hal
 266 ##      log files.
 267 ## </summary>
 268 ## <param name="domain">
 269 ##      <summary>
 270 ##      Domain allowed access.
 271 ##      </summary>
 272 ## </param>
 273 #
 274 interface(`hal_write_log',`
 275         gen_require(`
 276                 type hald_log_t;
 277         ')
 278
 279         logging_search_logs($1)
 280         allow $1 hald_log_t:file write_file_perms;
 281 ')
 282
 283 ########################################
 284 ## <summary>
 285 ##      Do not audit attempts to write the hal
 286 ##      log files.
 287 ## </summary>
 288 ## <param name="domain">
 289 ##      <summary>
 290 ##      Domain to not audit.
 291 ##      </summary>
 292 ## </param>
 293 #
 294 interface(`hal_dontaudit_write_log',`
 295         gen_require(`
 296                 type hald_log_t;
 297         ')
 298
 299         dontaudit $1 hald_log_t:file { append write };
 300 ')
 301
 302 ########################################
 303 ## <summary>
 304 ##      Manage hald log files.
 305 ## </summary>
 306 ## <param name="domain">
 307 ##      <summary>
 308 ##      Domain allowed access.
 309 ##      </summary>
 310 ## </param>
 311 #
 312 interface(`hal_manage_log',`
 313         gen_require(`
 314                 type hald_log_t;
 315         ')
 316
 317         # log files for hald
 318         manage_files_pattern($1, hald_log_t, hald_log_t)
 319         logging_log_filetrans($1, hald_log_t, file)
 320 ')
 321
 322 ########################################
 323 ## <summary>
 324 ##      Read hald tmp files.
 325 ## </summary>
 326 ## <param name="domain">
 327 ##      <summary>
 328 ##      Domain allowed access.
 329 ##      </summary>
 330 ## </param>
 331 #
 332 interface(`hal_read_tmp_files',`
 333         gen_require(`
 334                 type hald_tmp_t;
 335         ')
 336
 337         allow $1 hald_tmp_t:file read_file_perms;
 338 ')
 339
 340 ########################################
 341 ## <summary>
 342 ##      Do not audit attempts to read or write
 343 ##      HAL libraries files
 344 ## </summary>
 345 ## <param name="domain">
 346 ##      <summary>
 347 ##      Domain to not audit.
 348 ##      </summary>
 349 ## </param>
 350 #
 351 interface(`hal_dontaudit_append_lib_files',`
 352         gen_require(`
 353                 type hald_var_lib_t;
 354         ')
 355
 356         dontaudit $1 hald_var_lib_t:file { read_file_perms append_file_perms };
 357 ')
 358
 359 ########################################
 360 ## <summary>
 361 ##      Read hald PID files.
 362 ## </summary>
 363 ## <param name="domain">
 364 ##      <summary>
 365 ##      Domain allowed access.
 366 ##      </summary>
 367 ## </param>
 368 #
 369 interface(`hal_read_pid_files',`
 370         gen_require(`
 371                 type hald_var_run_t;
 372         ')
 373
 374         files_search_pids($1)
 375         allow $1 hald_var_run_t:file read_file_perms;
 376 ')
 377
 378 ########################################
 379 ## <summary>
 380 ##      Read/Write hald PID files.
 381 ## </summary>
 382 ## <param name="domain">
 383 ##      <summary>
 384 ##      Domain allowed access.
 385 ##      </summary>
 386 ## </param>
 387 #
 388 interface(`hal_rw_pid_files',`
 389         gen_require(`
 390                 type hald_var_run_t;
 391         ')
 392
 393         files_search_pids($1)
 394         allow $1 hald_var_run_t:file rw_file_perms;
 395 ')
 396
 397 ########################################
 398 ## <summary>
 399 ##      Manage hald PID dirs.
 400 ## </summary>
 401 ## <param name="domain">
 402 ##      <summary>
 403 ##      Domain allowed access.
 404 ##      </summary>
 405 ## </param>
 406 #
 407 interface(`hal_manage_pid_dirs',`
 408         gen_require(`
 409                 type hald_var_run_t;
 410         ')
 411
 412         files_search_pids($1)
 413         manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t)
 414 ')
 415
 416 ########################################
 417 ## <summary>
 418 ##      Manage hald PID files.
 419 ## </summary>
 420 ## <param name="domain">
 421 ##      <summary>
 422 ##      Domain allowed access.
 423 ##      </summary>
 424 ## </param>
 425 #
 426 interface(`hal_manage_pid_files',`
 427         gen_require(`
 428                 type hald_var_run_t;
 429         ')
 430
 431         files_search_pids($1)
 432         manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
 433 ')