1 ## <summary>Policy for udev.</summary>
3 ########################################
5 ## Execute udev in the udev domain.
7 ## <param name="domain">
9 ## The type of the process performing this action.
13 interface(`udev_domtrans',`
# Types pulled into scope for the caller: udev_t is the running daemon's
# domain, udev_exec_t the udev binary (presumably declared in the udev
# module's .te file; the gen_require wrapper is not shown in this listing).
15 type udev_t, udev_exec_t;
# domtrans_pattern: when $1 executes a udev_exec_t file the new process
# runs as udev_t instead of inheriting $1's domain. NOTE(review): this is
# an entry point into the device-management domain, so the set of
# callers granted it should stay small.
18 domtrans_pattern($1, udev_exec_t, udev_t)
21 ########################################
23 ## Execute a udev helper in the udev domain.
25 ## <param name="domain">
27 ## The type of the process performing this action.
31 interface(`udev_helper_domtrans',`
# Same shape as udev_domtrans but keyed on udev_helper_exec_t, the label
# for udev helper programs (gen_require wrapper not shown in this listing).
33 type udev_t, udev_helper_exec_t;
# Executing a udev_helper_exec_t file from $1 lands the helper in udev_t,
# i.e. helpers run with the full daemon domain rather than a reduced one.
36 domtrans_pattern($1, udev_helper_exec_t, udev_t)
39 ########################################
41 ## Allow process to read udev process state.
43 ## <param name="domain">
45 ## Domain allowed access.
49 interface(`udev_read_state',`
# udev_t is a process domain, so its file/lnk_file objects are the
# daemon's procfs entries. kernel_search_proc lets $1 traverse /proc
# to reach them.
54 kernel_search_proc($1)
# Read-only: only file and lnk_file read permissions are granted, no
# ptrace and no write. NOTE(review): procfs state of a root daemon can
# still expose e.g. cmdline, environ and memory maps, so callers should
# be tooling that genuinely needs daemon state.
55 allow $1 udev_t:file read_file_perms;
56 allow $1 udev_t:lnk_file read_lnk_file_perms;
59 ########################################
61 ## Do not audit attempts to inherit a
62 ## udev file descriptor.
64 ## <param name="domain">
66 ## Domain to not audit.
70 interface(`udev_dontaudit_use_fds',`
# dontaudit suppresses the AVC denial record but does not grant the
# access: $1 still cannot use udev_t's inherited file descriptors, the
# attempt is simply not logged. Since it also removes the event from
# the audit trail, use it only for known-benign noise.
75 dontaudit $1 udev_t:fd use;
78 ########################################
80 ## Do not audit attempts to read or write
81 ## to a udev unix datagram socket.
83 ## <param name="domain">
85 ## Domain to not audit.
89 interface(`udev_dontaudit_rw_dgram_sockets',`
# Denied but unlogged: read/write on unix datagram sockets labeled
# udev_t. Intended for domains that end up holding such a socket and
# would otherwise fill the log; it grants nothing, and the denial will
# not appear in audit-based detection.
94 dontaudit $1 udev_t:unix_dgram_socket { read write };
97 ########################################
99 ## Do not audit search of udev database directories.
101 ## <param name="domain">
103 ## Domain to not audit.
107 interface(`udev_dontaudit_search_db',`
# udev_tbl_t labels the udev database directories. Search denials from
# $1 on them are suppressed, not allowed; a caller that actually needs
# the database should use udev_read_db instead.
112 dontaudit $1 udev_tbl_t:dir search_dir_perms;
115 ########################################
117 ## Allow process to read list of devices.
119 ## <param name="domain">
121 ## The type of the process performing this action.
125 interface(`udev_read_db',`
# Read-only view of the udev device database: enumerate device nodes
# under /dev, list udev_tbl_t directories, and read the files and
# symlinks inside them. The *_pattern macros also grant search on the
# udev_tbl_t directories they traverse. No write permission is granted;
# modification is a separate interface (udev_rw_db).
130 dev_list_all_dev_nodes($1)
131 allow $1 udev_tbl_t:dir list_dir_perms;
132 read_files_pattern($1, udev_tbl_t, udev_tbl_t)
133 read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
136 ########################################
138 ## Allow process to modify list of devices.
140 ## <param name="domain">
142 ## The type of the process performing this action.
146 interface(`udev_rw_db',`
151 dev_list_all_dev_nodes($1)
152 allow $1 udev_tbl_t:file rw_file_perms;