## <summary>Policy for udev.</summary>
########################################
## <summary>
##	Send generic signals to udev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`udev_signal',`
	gen_require(`
		type udev_t;
	')

	# Only the generic signal permission is granted; sigkill, sigstop,
	# sigchld and signull are separate process permissions and are
	# not covered by this rule.
	allow $1 udev_t:process signal;
')
########################################
## <summary>
##	Execute udev in the udev domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`udev_domtrans',`
	gen_require(`
		type udev_t, udev_exec_t;
	')

	# Run udev_exec_t entry points in udev_t when started by the caller.
	domtrans_pattern($1, udev_exec_t, udev_t)
	# noatsecure: AT_SECURE is not set across this transition, so the
	# C library secure-mode scrubbing of the environment (LD_* and
	# similar variables) is skipped and udev starts with the caller
	# environment unchanged. Grant this interface only to callers that
	# are trusted at least as much as udev_t.
	allow $1 udev_t:process noatsecure;
')
########################################
## <summary>
##	Execute udev in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`udev_exec',`
	gen_require(`
		type udev_exec_t;
	')

	# No domain transition: the udev binary runs in the caller domain
	# with the caller permissions, not those of udev_t.
	can_exec($1, udev_exec_t)
')
########################################
## <summary>
##	Execute a udev helper in the udev domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`udev_helper_domtrans',`
	gen_require(`
		type udev_t, udev_helper_exec_t;
	')

	# Entry is through udev_helper_exec_t, but the resulting process
	# still runs in udev_t. No noatsecure permission is granted here,
	# unlike the udev_exec_t transition interface in this file.
	domtrans_pattern($1, udev_helper_exec_t, udev_t)
')
########################################
## <summary>
##	Allow process to read udev process state.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`udev_read_state',`
	gen_require(`
		type udev_t;
	')

	# /proc must be searchable before the per-process entries
	# can be reached.
	kernel_search_proc($1)
	# Applies the process-state read pattern to udev_t; this exposes
	# the /proc entries of udev processes to the caller.
	ps_process_pattern($1, udev_t)
')
########################################
## <summary>
##	Do not audit attempts to inherit a
##	udev file descriptor.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`udev_dontaudit_use_fds',`
	gen_require(`
		type udev_t;
	')

	# dontaudit only silences the AVC denial record; the access itself
	# stays denied. When investigating a problem, hidden denials can be
	# made visible by rebuilding policy with dontaudit rules disabled
	# (semodule -DB) and restored afterwards (semodule -B).
	dontaudit $1 udev_t:fd use;
')
########################################
## <summary>
##	Do not audit attempts to read or write
##	to a udev unix datagram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`udev_dontaudit_rw_dgram_sockets',`
	gen_require(`
		type udev_t;
	')

	# Suppresses logging only: read and write on udev_t datagram
	# sockets remain denied. These denials will not appear in the
	# audit log unless dontaudit rules are disabled (semodule -DB).
	dontaudit $1 udev_t:unix_dgram_socket { read write };
')
########################################
## <summary>
##	Manage udev rules files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`udev_manage_rules_files',`
	gen_require(`
		type udev_rules_t;
	')

	# Create, modify and delete access to files labeled udev_rules_t.
	# udev rules can direct udev to run programs, so callers of this
	# interface should be limited to trusted administrative or
	# package-management domains.
	manage_files_pattern($1, udev_rules_t, udev_rules_t)
')
########################################
## <summary>
##	Do not audit search of udev database directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`udev_dontaudit_search_db',`
	gen_require(`
		type udev_var_run_t;
	')

	# Suppresses logging only: directory search on udev_var_run_t
	# remains denied. These denials will not appear in the audit log
	# unless dontaudit rules are disabled (semodule -DB).
	dontaudit $1 udev_var_run_t:dir search_dir_perms;
')
########################################
## <summary>
##	Read the udev device table.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to read the udev device table.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`udev_read_db',`
	# Delegates to the pid-file read interface defined in this file,
	# so the access granted is read-only access to udev_var_run_t
	# content and nothing beyond what that interface allows.
	udev_read_pid_files($1)
')
########################################
## <summary>
##	Allow process to modify list of devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`udev_rw_db',`
	gen_require(`
		type udev_var_run_t;
	')

	files_search_pids($1)
	dev_list_all_dev_nodes($1)
	# Read and write on existing udev_var_run_t files. This pattern is
	# narrower than the manage pattern used for pid files elsewhere in
	# this file, which also covers creating and deleting files.
	rw_files_pattern($1, udev_var_run_t, udev_var_run_t)
')
########################################
## <summary>
##	Allow process to relabel files to the udev database type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`udev_relabelto_db',`
	gen_require(`
		type udev_var_run_t;
	')

	files_search_pids($1)
	# Relabel-to side only: the caller may assign udev_var_run_t as the
	# new label of a file. Relabeling away from the original type is a
	# separate permission that this interface does not grant.
	allow $1 udev_var_run_t:file relabelto_file_perms;
')
########################################
## <summary>
##	List and read udev pid files
##	and symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`udev_read_pid_files',`
	gen_require(`
		type udev_var_run_t;
	')

	dev_list_all_dev_nodes($1)
	files_search_pids($1)
	# Read-only access: directory listing plus the read patterns for
	# regular files and symbolic links. No create, write or delete
	# permission on udev_var_run_t is granted by this interface.
	allow $1 udev_var_run_t:dir list_dir_perms;
	read_files_pattern($1, udev_var_run_t, udev_var_run_t)
	read_lnk_files_pattern($1, udev_var_run_t, udev_var_run_t)
')
########################################
## <summary>
##	Create, read, write, and delete
##	udev pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`udev_manage_pid_files',`
	gen_require(`
		type udev_var_run_t;
	')

	files_search_pids($1)
	# Widest udev_var_run_t file access offered by this file. The read
	# and read/write interfaces above are the narrower choices when a
	# caller does not need to create or delete these files.
	manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
')
#######################################
## <summary>
##	Execute udev in the udev domain, and
##	allow the specified role the udev domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the udev domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`udev_run',`
	gen_require(`
		type udev_t;
	')

	# Same transition as the udev domain transition interface in this
	# file, including the noatsecure permission it grants.
	udev_domtrans($1)
	# Authorize the given role for udev_t; without this the transition
	# is not valid for processes running under that role.
	role $2 types udev_t;
')
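#######################################
## <summary>
##	Allow caller to create kobject uevent socket for udev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`udev_create_kobject_uevent_socket',`
	# Only udev_t is required: the rule below references no role, so
	# callers are not made to depend on a role they do not use.
	gen_require(`
		type udev_t;
	')

	# NOTE(review): the target type is udev_t, not the caller type, so
	# this covers netlink kobject uevent sockets labeled udev_t rather
	# than sockets the caller creates under its own label. Confirm
	# that this is the intended scope before granting it widely.
	allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
')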
########################################
## <summary>
##	Create a domain for processes
##	which can be started by udev.
## </summary>
## <param name="domain">
##	<summary>
##	Type to be used as a domain.
##	</summary>
## </param>
## <param name="entry_point">
##	<summary>
##	Type of the program to be used as an entry point to this domain.
##	</summary>
## </param>
#
interface(`udev_system_domain',`
	gen_require(`
		type udev_t;
		role system_r;
	')

	# Mark the first argument as a process domain and the second as
	# the file type that may be used to enter it.
	domain_type($1)
	domain_entry_file($1, $2)

	# The new domain is authorized for the system role.
	role system_r types $1;

	# udev_t transitions into the new domain when it executes a file
	# labeled with the entry point type. No noatsecure permission is
	# granted for this transition.
	domtrans_pattern(udev_t, $2, $1)

	# Logging suppression only: read and write by the new domain on
	# udev_t datagram sockets stay denied but are not audited.
	dontaudit $1 udev_t:unix_dgram_socket { read write };
')