## <summary>Policy for udev.</summary>
2
########################################
## <summary>
##	Execute udev in the udev domain.
## </summary>
## <desc>
##	<p>
##	Allow the caller to execute files labeled udev_exec_t and
##	have the resulting process transition into udev_t, the
##	domain of the udev daemon. Because udev_t is a privileged
##	system domain, this interface should only be called for
##	domains that genuinely need to start udev.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`udev_domtrans',`
	gen_require(`
		type udev_t, udev_exec_t;
	')

	# domtrans_pattern() grants execute on udev_exec_t plus the
	# automatic transition into udev_t (and the fd/fifo/sigchld
	# rules the pattern carries between the two domains).
	domtrans_pattern($1, udev_exec_t, udev_t)
')
20
########################################
## <summary>
##	Execute a udev helper in the udev domain.
## </summary>
## <desc>
##	<p>
##	Allow the caller to execute files labeled udev_helper_exec_t
##	and have the resulting process transition into udev_t.
##	Helpers run in the same privileged domain as udev itself,
##	not in a separate helper domain.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`udev_helper_domtrans',`
	gen_require(`
		type udev_t, udev_helper_exec_t;
	')

	# Same transition as udev_domtrans(), but keyed on the helper
	# executable type; the target domain is still udev_t.
	domtrans_pattern($1, udev_helper_exec_t, udev_t)
')
38
########################################
## <summary>
##	Allow process to read udev process state.
## </summary>
## <desc>
##	<p>
##	Grant read access to the udev_t entries under /proc
##	(files and symbolic links), which is what is needed to
##	inspect the udev process state. Search access on /proc
##	itself is granted so the entries are reachable.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`udev_read_state',`
	gen_require(`
		type udev_t;
	')

	# /proc must be searchable before the per-process directory of
	# udev_t can be reached.
	kernel_search_proc($1)
	# Read-only: no write, ptrace or signal permissions are granted here.
	allow $1 udev_t:file read_file_perms;
	allow $1 udev_t:lnk_file read_lnk_file_perms;
')
58
########################################
## <summary>
##	Do not audit attempts to inherit a
##	udev file descriptor.
## </summary>
## <desc>
##	<p>
##	Silence denials for using file descriptors inherited from
##	udev_t. No access is granted: the denial still occurs, it is
##	just not logged. Intended for domains spawned by udev that
##	receive its descriptors but do not need them.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`udev_dontaudit_use_fds',`
	gen_require(`
		type udev_t;
	')

	# dontaudit only suppresses the AVC message; the fd use is still denied.
	dontaudit $1 udev_t:fd use;
')
77
########################################
## <summary>
##	Do not audit attempts to read or write
##	to a udev unix datagram socket.
## </summary>
## <desc>
##	<p>
##	Silence denials for reading from or writing to a unix
##	datagram socket owned by udev_t. No access is granted;
##	the operations remain denied but are not logged.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`udev_dontaudit_rw_dgram_sockets',`
	gen_require(`
		type udev_t;
	')

	# Only read and write are silenced; other socket operations
	# (e.g. sendto, connect) are still audited if denied.
	dontaudit $1 udev_t:unix_dgram_socket { read write };
')
96
########################################
## <summary>
##	Do not audit search of udev database directories.
## </summary>
## <desc>
##	<p>
##	Silence denials for searching directories labeled
##	udev_tbl_t (the udev device database). No access is
##	granted; use udev_read_db() for domains that actually
##	need to read the database.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`udev_dontaudit_search_db',`
	gen_require(`
		type udev_tbl_t;
	')

	# Directory search only; file access on udev_tbl_t is not covered.
	dontaudit $1 udev_tbl_t:dir search_dir_perms;
')
114
########################################
## <summary>
##	Allow process to read the udev device database
##	(the list of devices).
## </summary>
## <desc>
##	<p>
##	Grant read-only access to the udev device database:
##	listing of device node directories, listing of the
##	udev_tbl_t directory, and reading of udev_tbl_t files
##	and symbolic links.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`udev_read_db',`
	gen_require(`
		type udev_tbl_t;
	')

	# The database describes device nodes, so readers also need to
	# list the device directories the entries refer to.
	dev_list_all_dev_nodes($1)
	# Read-only access to the database directory and its contents.
	allow $1 udev_tbl_t:dir list_dir_perms;
	read_files_pattern($1, udev_tbl_t, udev_tbl_t)
	read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
')
135
########################################
## <summary>
##	Allow process to modify the udev device database
##	(the list of devices).
## </summary>
## <desc>
##	<p>
##	Grant read and write access to files labeled udev_tbl_t,
##	together with listing of device node directories. This
##	interface grants no permissions on udev_tbl_t directories
##	themselves; unlike udev_read_db(), it does not include
##	directory listing or search on the database directory.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`udev_rw_db',`
	gen_require(`
		type udev_tbl_t;
	')

	dev_list_all_dev_nodes($1)
	# File-level read/write only. NOTE(review): no dir search on
	# udev_tbl_t is granted here, whereas udev_read_db() grants
	# list_dir_perms; callers presumably also call udev_read_db()
	# to reach the files — verify against the labeling in udev.fc.
	allow $1 udev_tbl_t:file rw_file_perms;
')
151 dev_list_all_dev_nodes($1)
152 allow $1 udev_tbl_t:file rw_file_perms;
153 ')