## <summary>Hardware abstraction layer</summary>
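########################################
## <summary>
##	Execute hal in the hal domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`hal_domtrans',`
	gen_require(`
		type hald_t, hald_exec_t;
	')

	# Executing a file labeled hald_exec_t moves the calling domain
	# into hald_t, so the caller can then act with every permission
	# hald_t holds. Hand this out only to domains that are meant to
	# start the daemon.
	domtrans_pattern($1, hald_exec_t, hald_t)
')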
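########################################
## <summary>
##	Get the attributes of a hal process.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_getattr',`
	gen_require(`
		type hald_t;
	')

	# Attribute query only: no signal, ptrace or other process
	# permission on hald_t is granted by this interface.
	allow $1 hald_t:process getattr;
')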
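########################################
## <summary>
##	Read hal system state
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_read_state',`
	gen_require(`
		type hald_t;
	')

	# ps_process_pattern is defined outside this file; it is presumed
	# to cover the per-process state entries labeled hald_t (confirm
	# against its definition). Process state can expose command lines
	# and environment, so treat this as an information-disclosure grant.
	ps_process_pattern($1, hald_t)
')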
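########################################
## <summary>
##	Allow ptrace of hal domain
## </summary>
## <desc>
##	<p>
##	A domain that can ptrace hald_t can read and modify the memory
##	of the hal daemon and therefore act with the access of hald_t.
##	Grant this only to debugging or administrative domains.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_ptrace',`
	gen_require(`
		type hald_t;
	')

	# High-impact permission: the caller effectively inherits hald_t.
	allow $1 hald_t:process ptrace;
')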
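########################################
## <summary>
##	Allow domain to use file descriptors from hal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_use_fds',`
	gen_require(`
		type hald_t;
	')

	# Covers only the fd class check for descriptors owned by hald_t.
	# Access to the object behind a descriptor is still checked
	# against the type of that object.
	allow $1 hald_t:fd use;
')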
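########################################
## <summary>
##	Do not audit attempts to use file descriptors from hal.
## </summary>
## <desc>
##	<p>
##	This grants nothing. The access stays denied and the denial is
##	no longer logged. When investigating a problem, rebuild the
##	policy with dontaudit rules disabled (semodule -DB) to see the
##	suppressed denials.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`hal_dontaudit_use_fds',`
	gen_require(`
		type hald_t;
	')

	# Silences the AVC message for a leaked or inherited hald_t
	# descriptor; the use itself remains blocked.
	dontaudit $1 hald_t:fd use;
')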
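########################################
## <summary>
##	Allow attempts to read and write to
##	hald unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_rw_pipes',`
	gen_require(`
		type hald_t;
	')

	# Unnamed pipes carry the type of the creating process, which is
	# why the target type here is hald_t rather than a file type.
	allow $1 hald_t:fifo_file rw_fifo_file_perms;
')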
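########################################
## <summary>
##	Do not audit attempts to read and write to
##	hald unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`hal_dontaudit_rw_pipes',`
	gen_require(`
		type hald_t;
	')

	# No access is granted. Denied reads and writes on hald_t pipes
	# simply stop appearing in the audit log, so use this only for
	# denials that are understood to be harmless noise.
	dontaudit $1 hald_t:fifo_file rw_fifo_file_perms;
')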
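########################################
## <summary>
##	Send to hal over a unix domain
##	datagram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_dgram_send',`
	gen_require(`
		type hald_t;
	')

	# Only the peer check (sendto against hald_t) is granted here.
	# Permissions on the socket file itself, if the socket is bound
	# to a path, are not part of this interface.
	allow $1 hald_t:unix_dgram_socket sendto;
')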
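########################################
## <summary>
##	Send to hal over a unix domain
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_stream_connect',`
	gen_require(`
		type hald_t;
	')

	# Only the peer check (connectto against hald_t) is granted here.
	# Permissions on the socket file itself, if the socket is bound
	# to a path, are not part of this interface.
	allow $1 hald_t:unix_stream_socket connectto;
')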
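########################################
## <summary>
##	Dontaudit read/write to a hal unix datagram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`hal_dontaudit_rw_dgram_sockets',`
	gen_require(`
		type hald_t;
	')

	# Suppresses the log entry only; read and write on a hald_t
	# datagram socket (for example an inherited one) stay denied.
	dontaudit $1 hald_t:unix_dgram_socket { read write };
')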
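########################################
## <summary>
##	Send a dbus message to hal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_dbus_send',`
	gen_require(`
		type hald_t;
		class dbus send_msg;
	')

	# One direction only: the caller may send to hald_t. No rule in
	# this interface lets hald_t send a message back to the caller.
	allow $1 hald_t:dbus send_msg;
')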
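########################################
## <summary>
##	Send and receive messages from
##	hal over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_dbus_chat',`
	gen_require(`
		type hald_t;
		class dbus send_msg;
	')

	# Both directions are opened: caller to hald_t, and hald_t back
	# to the caller. The second rule widens what hald_t may reach,
	# so every caller of this interface becomes a dbus peer of hal.
	allow $1 hald_t:dbus send_msg;
	allow hald_t $1:dbus send_msg;
')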
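########################################
## <summary>
##	Execute hal mac in the hal mac domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`hal_domtrans_mac',`
	gen_require(`
		type hald_mac_t, hald_mac_exec_t;
	')

	# Executing a file labeled hald_mac_exec_t moves the calling
	# domain into hald_mac_t, so the caller gains whatever access
	# hald_mac_t holds.
	domtrans_pattern($1, hald_mac_exec_t, hald_mac_t)
')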
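########################################
## <summary>
##	Allow attempts to write the hal
##	log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_write_log',`
	gen_require(`
		type hald_log_t;
	')

	# Directory traversal to reach the log files, then write access
	# to existing hald_log_t files. A domain that can write a log
	# can also alter what the log records, which matters when the
	# log is used as evidence.
	logging_search_logs($1)
	allow $1 hald_log_t:file write_file_perms;
')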
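########################################
## <summary>
##	Do not audit attempts to write the hal
##	log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`hal_dontaudit_write_log',`
	gen_require(`
		type hald_log_t;
	')

	# Nothing is granted. Denied append and write attempts on
	# hald_log_t files are dropped from the audit log, so a domain
	# probing the hal logs would no longer be visible there.
	dontaudit $1 hald_log_t:file { append write };
')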
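########################################
## <summary>
##	Manage hald log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_manage_log',`
	gen_require(`
		type hald_log_t;
	')

	# Full management of hald_log_t files, which by the usual meaning
	# of manage includes creating and deleting them (confirm against
	# the definition of manage_files_pattern). The filetrans call
	# names hald_log_t as the type for files the caller creates in
	# the log directory. A caller can therefore remove or replace
	# hal logs, not just add to them.
	manage_files_pattern($1, hald_log_t, hald_log_t)
	logging_log_filetrans($1, hald_log_t, file)
')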
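########################################
## <summary>
##	Read hald tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_read_tmp_files',`
	gen_require(`
		type hald_tmp_t;
	')

	# File read only. No directory search rule is included, so the
	# caller needs separate access to reach the containing directory.
	allow $1 hald_tmp_t:file read_file_perms;
')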
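########################################
## <summary>
##	Do not audit attempts to read or append to
##	HAL library files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`hal_dontaudit_append_lib_files',`
	gen_require(`
		type hald_var_lib_t;
	')

	# Despite the interface name, the rule covers read as well as
	# append. Neither is granted; the denials are just not logged.
	dontaudit $1 hald_var_lib_t:file { read_file_perms append_file_perms };
')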
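########################################
## <summary>
##	Read hald PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_read_pid_files',`
	gen_require(`
		type hald_var_run_t;
	')

	# Directory search to reach the PID files, then read-only access
	# to files labeled hald_var_run_t.
	files_search_pids($1)
	allow $1 hald_var_run_t:file read_file_perms;
')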
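########################################
## <summary>
##	Read/Write hald PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_rw_pid_files',`
	gen_require(`
		type hald_var_run_t;
	')

	# Write access lets the caller change the recorded PID. Anything
	# that trusts the PID file to identify the daemon (for example a
	# script that signals it) is then relying on this caller too.
	files_search_pids($1)
	allow $1 hald_var_run_t:file rw_file_perms;
')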
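########################################
## <summary>
##	Manage hald PID dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_manage_pid_dirs',`
	gen_require(`
		type hald_var_run_t;
	')

	# Directory objects only; files inside hald_var_run_t directories
	# are not covered by this interface.
	files_search_pids($1)
	manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t)
')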
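########################################
## <summary>
##	Manage hald PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_manage_pid_files',`
	gen_require(`
		type hald_var_run_t;
	')

	# Full management of hald_var_run_t files, which by the usual
	# meaning of manage includes creating and deleting them (confirm
	# against the definition of manage_files_pattern). The caller can
	# then replace the PID file outright, so grant this only to
	# domains trusted to speak for the daemon.
	files_search_pids($1)
	manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
')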