1 ## <summary>Policy for udev.</summary>
3 ########################################
5 ## Send generic signals to udev.
7 ## <param name="domain">
9 ## Domain allowed access.
13 interface(`udev_signal',`
18 allow $1 udev_t:process signal;
21 ########################################
23 ## Execute udev in the udev domain.
25 ## <param name="domain">
27 ## Domain allowed to transition.
31 interface(`udev_domtrans',`
33 type udev_t, udev_exec_t;
36 domtrans_pattern($1, udev_exec_t, udev_t)
37 allow $1 udev_t:process noatsecure;
40 ########################################
42 ## Execute udev in the caller domain.
44 ## <param name="domain">
46 ## Domain allowed access.
50 interface(`udev_exec',`
55 can_exec($1, udev_exec_t)
58 ########################################
60 ## Execute a udev helper in the udev domain.
62 ## <param name="domain">
64 ## Domain allowed to transition.
68 interface(`udev_helper_domtrans',`
70 type udev_t, udev_helper_exec_t;
73 domtrans_pattern($1, udev_helper_exec_t, udev_t)
76 ########################################
78 ## Allow process to read udev process state.
80 ## <param name="domain">
82 ## Domain allowed access.
86 interface(`udev_read_state',`
91 kernel_search_proc($1)
92 ps_process_pattern($1, udev_t)
95 ########################################
97 ## Do not audit attempts to inherit a
98 ## udev file descriptor.
100 ## <param name="domain">
102 ## Domain to not audit.
106 interface(`udev_dontaudit_use_fds',`
111 dontaudit $1 udev_t:fd use;
114 ########################################
116 ## Do not audit attempts to read or write
117 ## to a udev unix datagram socket.
119 ## <param name="domain">
121 ## Domain to not audit.
125 interface(`udev_dontaudit_rw_dgram_sockets',`
130 dontaudit $1 udev_t:unix_dgram_socket { read write };
133 ########################################
135 ## Manage udev rules files
137 ## <param name="domain">
139 ## Domain allowed access.
143 interface(`udev_manage_rules_files',`
148 manage_files_pattern($1, udev_rules_t, udev_rules_t)
151 ########################################
153 ## Do not audit search of udev database directories.
155 ## <param name="domain">
157 ## Domain to not audit.
161 interface(`udev_dontaudit_search_db',`
166 dontaudit $1 udev_var_run_t:dir search_dir_perms;
169 ########################################
171 ## Read the udev device table.
175 ## Allow the specified domain to read the udev device table.
178 ## <param name="domain">
180 ## Domain allowed access.
183 ## <infoflow type="read" weight="10"/>
185 interface(`udev_read_db',`
186 udev_read_pid_files($1)
189 ########################################
191 ## Allow process to modify list of devices.
193 ## <param name="domain">
195 ## Domain allowed access.
199 interface(`udev_rw_db',`
204 files_search_pids($1)
205 dev_list_all_dev_nodes($1)
206 rw_files_pattern($1, udev_var_run_t, udev_var_run_t)
209 ########################################
211 ## Allow process to modify relabelto udev database
213 ## <param name="domain">
215 ## Domain allowed access.
219 interface(`udev_relabelto_db',`
224 files_search_pids($1)
225 allow $1 udev_var_run_t:file relabelto_file_perms;
228 ########################################
230 ## Create, read, write, and delete
233 ## <param name="domain">
235 ## Domain allowed access.
239 interface(`udev_read_pid_files',`
244 dev_list_all_dev_nodes($1)
245 files_search_pids($1)
246 allow $1 udev_var_run_t:dir list_dir_perms;
247 read_files_pattern($1, udev_var_run_t, udev_var_run_t)
248 read_lnk_files_pattern($1, udev_var_run_t, udev_var_run_t)
251 ########################################
253 ## Create, read, write, and delete
256 ## <param name="domain">
258 ## Domain allowed access.
262 interface(`udev_manage_pid_files',`
267 files_search_pids($1)
268 manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
271 #######################################
273 ## Execute udev in the udev domain, and
274 ## allow the specified role the udev domain.
276 ## <param name="domain">
278 ## Domain allowed access.
281 ## <param name="role">
283 ## The role to be allowed the iptables domain.
288 interface(`udev_run',`
294 role $2 types udev_t;
297 #######################################
299 ## Allow caller to create kobject uevent socket for udev
301 ## <param name="domain">
303 ## Domain allowed access.
307 interface(`udev_create_kobject_uevent_socket',`
313 allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
316 ########################################
318 ## Create a domain for processes
319 ## which can be started by udev.
321 ## <param name="domain">
323 ## Type to be used as a domain.
326 ## <param name="entry_point">
328 ## Type of the program to be used as an entry point to this domain.
332 interface(`udev_system_domain',`
339 domain_entry_file($1, $2)
341 role system_r types $1;
343 domtrans_pattern(udev_t, $2, $1)
345 dontaudit $1 udev_t:unix_dgram_socket { read write };