allow systemd_passwd_agent_t systemd_$1_device_t:sock_file write;
allow systemd_passwd_agent_t systemd_$1_device_t:file read_file_perms;
')
+
+########################################
+## <summary>
+## Allow the specified domain to connect to
+## systemd_logger with a unix socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_logger_stream_connect',`
+ gen_require(`
+ type systemd_logger_t;
+ ')
+
+ allow $1 systemd_logger_t:unix_stream_socket connectto;
+')
attribute systemd_unit_file_type;
# New in f16
+permissive systemd_logger_t;
+
+type systemd_logger_t;
+type systemd_logger_exec_t;
+init_systemd_domain(systemd_logger_t, systemd_logger_exec_t)
+
permissive systemd_logind_t;
type systemd_logind_t;
dev_read_sysfs(systemd_logind_t)
-dev_getattr_dri_dev(systemd_logind_t)
+dev_getattr_all_chr_files(systemd_logind_t)
+dev_getattr_all_blk_files(systemd_logind_t)
dev_setattr_dri_dev(systemd_logind_t)
-dev_getattr_sound_dev(systemd_logind_t)
dev_setattr_sound_dev(systemd_logind_t)
-dev_getattr_video_dev(systemd_logind_t)
dev_setattr_video_dev(systemd_logind_t)
+dev_setattr_kvm_dev(systemd_logind_t)
# /etc/udev/udev.conf should probably have a private type if only for confined administration
# /etc/nsswitch.conf
# write getattr open setattr
fs_manage_cgroup_files(systemd_logind_t)
+storage_setattr_removable_dev(systemd_logind_t)
+storage_setattr_scsi_generic_dev(systemd_logind_t)
+
term_use_unallocated_ttys(systemd_logind_t)
# /run/user/.*
optional_policy(`
readahead_manage_pid_files(systemd_notify_t)
')
+
+########################################
+#
+# systemd_logger local policy
+#
+allow systemd_logger_t self:capability { sys_admin chown kill };
+allow systemd_logger_t self:process { fork setfscreate setsockcreate };
+
+allow systemd_logger_t self:fifo_file rw_fifo_file_perms;
+allow systemd_logger_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(systemd_logger_t)
+
+files_read_etc_files(systemd_logger_t)
+
+auth_use_nsswitch(systemd_logger_t)
+
+logging_send_syslog_msg(systemd_logger_t)
+
+miscfiles_read_localization(systemd_logger_t)
+
+#============= abrt_helper_t ==============
+kernel_read_kernel_sysctls(abrt_helper_t)
+kernel_read_system_state(abrt_helper_t)
+
+#============= init_t ==============
+allow init_t systemd_logger_t:unix_stream_socket connectto;
+
+#============= initrc_t ==============
+allow initrc_t wdmd_var_run_t:dir add_name;
+allow initrc_t wdmd_var_run_t:file create;
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t systemd_logind_sessions_t:fifo_file write;
+domain_type(system_dbusd_t)
+
+#============= systemd_logger_t ==============
+
+#============= virtd_t ==============
+allow virtd_t dnsmasq_var_run_t:dir create;
+
+#============= xdm_t ==============
+allow xdm_t systemd_logind_sessions_t:fifo_file write;
+domain_type(xdm_t)
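Review bot: The trailing block (the `#============= abrt_helper_t` through `#============= xdm_t` sections) reads as an unedited audit2allow dump placed into systemd.te, and it writes raw `allow` rules on types owned by other modules (abrt_helper_t, initrc_t/wdmd_var_run_t, system_dbusd_t, virtd_t/dnsmasq_var_run_t, xdm_t) with no `gen_require` for them in view; unless those types are required somewhere above this chunk the module will not link, and by refpolicy convention such cross-module access belongs in the owning module's .te behind `optional_policy` or in an interface rather than here. `allow init_t systemd_logger_t:unix_stream_socket connectto;` duplicates the `systemd_logger_stream_connect` interface the same change adds to the .if file, so the raw rule should become `systemd_logger_stream_connect(init_t)` in init.te, and the `domain_type(system_dbusd_t)` / `domain_type(xdm_t)` lines plus the empty `systemd_logger_t` header look like dump residue that should be dropped. In the local-policy block, `allow systemd_logger_t self:capability { sys_admin chown kill };` grants sys_admin with no comment on which operation needs it; because the domain is also declared `permissive`, over-grants here will not show up as denials, so a why-comment such as `# sys_admin: TODO name the operation that requires it, then narrow` should accompany the rule until it is confirmed. The `@@` headers are not visible in this chunk, so the enclosing hunk may begin before the logger local-policy block or run past its last line.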