[people/stevee/selinux-policy.git] / policy / modules / system / udev.te

policy_module(udev, 1.12.2)

########################################
#
# Declarations
#

type udev_t;
type udev_exec_t;
type udev_helper_exec_t;
kernel_domtrans_to(udev_t, udev_exec_t)
domain_obj_id_change_exemption(udev_t)
domain_entry_file(udev_t, udev_helper_exec_t)
domain_interactive_fd(udev_t)
init_daemon_domain(udev_t, udev_exec_t)

type udev_etc_t alias etc_udev_t;
files_config_file(udev_etc_t)

type udev_rules_t;
files_type(udev_rules_t)

type udev_var_run_t;
files_pid_file(udev_var_run_t)
typealias udev_var_run_t alias udev_tbl_t;

ifdef(`enable_mcs',`
	kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
	init_ranged_daemon_domain(udev_t, udev_exec_t, s0 - mcs_systemhigh)
')

########################################
#
# Local policy
#

allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
dontaudit udev_t self:capability sys_tty_config;

ifdef(`hide_broken_symptoms',`
	# caused by some bogus kernel code
	dontaudit udev_t self:capability sys_module;
')

allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
tunable_policy(`deny_ptrace',`',`
	allow udev_t self:process ptrace;
')

allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
allow udev_t self:fifo_file rw_fifo_file_perms;
allow udev_t self:sock_file read_sock_file_perms;
allow udev_t self:shm create_shm_perms;
allow udev_t self:sem create_sem_perms;
allow udev_t self:msgq create_msgq_perms;
allow udev_t self:msg { send receive };
allow udev_t self:unix_stream_socket { listen accept };
allow udev_t self:unix_dgram_socket sendto;
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
allow udev_t self:rawip_socket create_socket_perms;
allow udev_t self:netlink_socket create_socket_perms;

allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)

allow udev_t udev_helper_exec_t:dir list_dir_perms;
can_exec(udev_t, udev_helper_exec_t)

# read udev config
allow udev_t udev_etc_t:file read_file_perms;

list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
manage_files_pattern(udev_t, udev_rules_t, udev_rules_t)
manage_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t)

manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
files_pid_filetrans(udev_t, udev_var_run_t, { file dir })
allow udev_t udev_var_run_t:file mounton;
dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } )

kernel_read_system_state(udev_t)
kernel_request_load_module(udev_t)
kernel_getattr_core_if(udev_t)
kernel_use_fds(udev_t)
kernel_read_device_sysctls(udev_t)
kernel_read_hotplug_sysctls(udev_t)
kernel_read_modprobe_sysctls(udev_t)
kernel_read_kernel_sysctls(udev_t)
kernel_rw_hotplug_sysctls(udev_t)
kernel_rw_unix_dgram_sockets(udev_t)
kernel_dgram_send(udev_t)
kernel_signal(udev_t)
kernel_search_debugfs(udev_t)
kernel_stream_connect(udev_t)

#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
kernel_rw_net_sysctls(udev_t)
kernel_read_network_state(udev_t)
kernel_read_software_raid_state(udev_t)

corecmd_exec_all_executables(udev_t)

dev_rw_sysfs(udev_t)
dev_manage_all_dev_nodes(udev_t)
dev_rw_generic_usb_dev(udev_t)
dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t)
dev_search_usbfs(udev_t)
dev_relabel_all_dev_nodes(udev_t)
# udev_node.c/node_symlink() symlink labels are explicitly
# preserved, instead of short circuiting the relabel
dev_relabel_generic_symlinks(udev_t)
dev_manage_generic_symlinks(udev_t)
dev_filetrans_all_named_dev(udev_t)

domain_read_all_domains_state(udev_t)
domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these

files_read_usr_files(udev_t)
files_read_etc_runtime_files(udev_t)
files_read_kernel_modules(udev_t)
files_read_system_conf_files(udev_t)

# console_init manages files in /etc/sysconfig
files_manage_etc_files(udev_t)
files_exec_etc_files(udev_t)
files_exec_usr_files(udev_t)
files_dontaudit_search_isid_type_dirs(udev_t)
files_getattr_generic_locks(udev_t)
files_search_mnt(udev_t)
files_list_tmp(udev_t)

fs_getattr_all_fs(udev_t)
fs_list_inotifyfs(udev_t)
fs_rw_anon_inodefs_files(udev_t)
fs_list_auto_mountpoints(udev_t)
fs_list_hugetlbfs(udev_t)

mcs_ptrace_all(udev_t)

mls_file_read_all_levels(udev_t)
mls_file_write_all_levels(udev_t)
mls_file_upgrade(udev_t)
mls_file_downgrade(udev_t)
mls_process_write_down(udev_t)

selinux_get_fs_mount(udev_t)
selinux_validate_context(udev_t)
selinux_compute_access_vector(udev_t)
selinux_compute_create_context(udev_t)
selinux_compute_relabel_context(udev_t)
selinux_compute_user_contexts(udev_t)

auth_read_pam_console_data(udev_t)
auth_domtrans_pam_console(udev_t)
auth_use_nsswitch(udev_t)

init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
init_stream_connect(udev_t)

logging_search_logs(udev_t)
logging_send_syslog_msg(udev_t)
logging_send_audit_msgs(udev_t)

miscfiles_read_localization(udev_t)
miscfiles_read_hwdata(udev_t)

modutils_domtrans_insmod(udev_t)
# read modules.inputmap:
modutils_read_module_deps(udev_t)

seutil_read_config(udev_t)
seutil_read_default_contexts(udev_t)
seutil_read_file_contexts(udev_t)
seutil_domtrans_setfiles(udev_t)

sysnet_domtrans_ifconfig(udev_t)
sysnet_domtrans_dhcpc(udev_t)
sysnet_rw_dhcp_config(udev_t)
sysnet_read_dhcpc_pid(udev_t)
sysnet_delete_dhcpc_pid(udev_t)
sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
sysnet_etc_filetrans_config(udev_t)

systemd_login_read_pid_files(udev_t)

userdom_dontaudit_search_user_home_content(udev_t)

ifdef(`distro_gentoo',`
	# during boot, init scripts use /dev/.rcsysinit
	# existance to determine if we are in early booting
	init_getattr_script_status_files(udev_t)
')

ifdef(`distro_redhat',`
	fs_manage_tmpfs_dirs(udev_t)
	fs_manage_tmpfs_files(udev_t)
	fs_manage_tmpfs_symlinks(udev_t)
	fs_manage_tmpfs_sockets(udev_t)
	fs_manage_tmpfs_blk_files(udev_t)
	fs_manage_tmpfs_chr_files(udev_t)
	fs_relabel_tmpfs_blk_file(udev_t)
	fs_relabel_tmpfs_chr_file(udev_t)
	fs_manage_hugetlbfs_dirs(udev_t)

	term_use_generic_ptys(udev_t)

	# for arping used for static IP addresses on PCMCIA ethernet
	netutils_domtrans(udev_t)

	optional_policy(`
		unconfined_domain(udev_t)
	')
')

optional_policy(`
	alsa_domtrans(udev_t)
	alsa_read_lib(udev_t)
	alsa_read_rw_config(udev_t)
')

optional_policy(`
	bluetooth_domtrans(udev_t)
')

optional_policy(`
	brctl_domtrans(udev_t)
')

optional_policy(`
	clock_domtrans(udev_t)
')

optional_policy(`
	consolekit_read_pid_files(udev_t)
')

optional_policy(`
	consoletype_exec(udev_t)
')

optional_policy(`
	cups_domtrans_config(udev_t)
	cups_read_config(udev_t)
')

optional_policy(`
	dbus_system_bus_client(udev_t)
')

optional_policy(`
	devicekit_read_pid_files(udev_t)
	devicekit_dgram_send(udev_t)
	devicekit_domtrans_disk(udev_t)
')

optional_policy(`
	gpsd_domtrans(udev_t)
')

optional_policy(`
	lvm_domtrans(udev_t)
	lvm_dgram_send(udev_t)
')

optional_policy(`
	fstools_domtrans(udev_t)
')

optional_policy(`
	hal_dgram_send(udev_t)

	ifdef(`hide_broken_symptoms',`
		hal_dontaudit_rw_dgram_sockets(udev_t)
	')
')

optional_policy(`
	hotplug_read_config(udev_t)
	# usb.agent searches /var/run/usb
	hotplug_search_pids(udev_t)
')

optional_policy(`
	mount_domtrans(udev_t)
')

optional_policy(`
	networkmanager_dbus_chat(udev_t)
')

optional_policy(`
	openct_read_pid_files(udev_t)
	openct_domtrans(udev_t)
')

optional_policy(`
	pcscd_read_pub_files(udev_t)
	pcscd_domtrans(udev_t)
')

optional_policy(`
	raid_domtrans_mdadm(udev_t)
')

optional_policy(`
	usbmuxd_domtrans(udev_t)
	usbmuxd_stream_connect(udev_t)
')

optional_policy(`
	unconfined_signal(udev_t)
')

optional_policy(`
	vbetool_domtrans(udev_t)
')

optional_policy(`
	kernel_write_xen_state(udev_t)
	kernel_read_xen_state(udev_t)
	xen_manage_log(udev_t)
	xen_read_image_files(udev_t)
')

optional_policy(`
	xserver_read_xdm_pid(udev_t)
')
Commit	Line	Data
63db3b7e	1	policy_module(udev, 1.12.2)
3a9aef92 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
f0574fa9	8	type udev_t;
e070dd2d	9	type udev_exec_t;
dfb86add	10	type udev_helper_exec_t;
3f67f722	11	kernel_domtrans_to(udev_t, udev_exec_t)
1815bad1	12	domain_obj_id_change_exemption(udev_t)
3f67f722	13	domain_entry_file(udev_t, udev_helper_exec_t)
15722ec9	14	domain_interactive_fd(udev_t)
3f67f722	15	init_daemon_domain(udev_t, udev_exec_t)
dfb86add CP	16
dfb86add CP	17	type udev_etc_t alias etc_udev_t;
9bbc757a	18	files_config_file(udev_etc_t)
dfb86add	19
d56b33a1 CR	20	type udev_rules_t;
	21	files_type(udev_rules_t)
	22
3a9aef92	23	type udev_var_run_t;
c9428d33	24	files_pid_file(udev_var_run_t)
49dc3648	25	typealias udev_var_run_t alias udev_tbl_t;
3a9aef92	26
e070dd2d	27	ifdef(`enable_mcs',`
3f67f722 CP	28	kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
3f67f722 CP	29	init_ranged_daemon_domain(udev_t, udev_exec_t, s0 - mcs_systemhigh)
e070dd2d CP	30	')
e070dd2d CP	31
3a9aef92 CP	32	########################################
	33	#
	34	# Local policy
	35	#
dfb86add	36
995bdbb1	37	allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
30910b37	38	dontaudit udev_t self:capability sys_tty_config;
d51f8cff DW	39
	40	ifdef(`hide_broken_symptoms',`
	41	# caused by some bogus kernel code
	42	dontaudit udev_t self:capability sys_module;
	43	')
	44
995bdbb1	45	allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
	46	tunable_policy(`deny_ptrace',`',`
	47	allow udev_t self:process ptrace;
	48	')
	49
dfb86add CP	50	allow udev_t self:process { execmem setfscreate };
dfb86add CP	51	allow udev_t self:fd use;
c0868a7a	52	allow udev_t self:fifo_file rw_fifo_file_perms;
0b36a214	53	allow udev_t self:sock_file read_sock_file_perms;
7edd02d4 CP	54	allow udev_t self:shm create_shm_perms;
	55	allow udev_t self:sem create_sem_perms;
	56	allow udev_t self:msgq create_msgq_perms;
dfb86add	57	allow udev_t self:msg { send receive };
77f6e2cd CP	58	allow udev_t self:unix_stream_socket { listen accept };
	59	allow udev_t self:unix_dgram_socket sendto;
	60	allow udev_t self:unix_stream_socket connectto;
	61	allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
7edd02d4	62	allow udev_t self:rawip_socket create_socket_perms;
3eaa9939	63	allow udev_t self:netlink_socket create_socket_perms;
dfb86add	64
7edd02d4 CP	65	allow udev_t udev_exec_t:file write;
7edd02d4 CP	66	can_exec(udev_t, udev_exec_t)
f5c42bd8	67
c0868a7a	68	allow udev_t udev_helper_exec_t:dir list_dir_perms;
3c9b2e9b	69	can_exec(udev_t, udev_helper_exec_t)
dfb86add CP	70
dfb86add CP	71	# read udev config
c0868a7a	72	allow udev_t udev_etc_t:file read_file_perms;
dfb86add	73
d56b33a1	74	list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
3e3080f0 DW	75	manage_files_pattern(udev_t, udev_rules_t, udev_rules_t)
3e3080f0 DW	76	manage_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t)
d56b33a1	77
3f67f722	78	manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
12a9ca53	79	manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
3f67f722	80	manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
837163cf	81	manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
3eaa9939	82	files_pid_filetrans(udev_t, udev_var_run_t, { file dir })
66668399	83	allow udev_t udev_var_run_t:file mounton;
382acd84 DW	84	dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } )
382acd84 DW	85
dfb86add	86	kernel_read_system_state(udev_t)
837163cf	87	kernel_request_load_module(udev_t)
445522dc	88	kernel_getattr_core_if(udev_t)
1c1ac67f	89	kernel_use_fds(udev_t)
445522dc CP	90	kernel_read_device_sysctls(udev_t)
	91	kernel_read_hotplug_sysctls(udev_t)
	92	kernel_read_modprobe_sysctls(udev_t)
	93	kernel_read_kernel_sysctls(udev_t)
	94	kernel_rw_hotplug_sysctls(udev_t)
	95	kernel_rw_unix_dgram_sockets(udev_t)
37f15c52	96	kernel_dgram_send(udev_t)
0907bda1	97	kernel_signal(udev_t)
3c9b2e9b	98	kernel_search_debugfs(udev_t)
2082ce40	99	kernel_stream_connect(udev_t)
d35c621e	100
8241b538 CP	101	#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
	102	kernel_rw_net_sysctls(udev_t)
	103	kernel_read_network_state(udev_t)
3c9b2e9b	104	kernel_read_software_raid_state(udev_t)
8241b538	105
eac818f0 CP	106	corecmd_exec_all_executables(udev_t)
eac818f0 CP	107
98a8ead4	108	dev_rw_sysfs(udev_t)
25c043d1	109	dev_manage_all_dev_nodes(udev_t)
7e9cab9c	110	dev_rw_generic_usb_dev(udev_t)
207c4763 CP	111	dev_rw_generic_files(udev_t)
207c4763 CP	112	dev_delete_generic_files(udev_t)
8241b538 CP	113	dev_search_usbfs(udev_t)
8241b538 CP	114	dev_relabel_all_dev_nodes(udev_t)
08dccef2 CP	115	# udev_node.c/node_symlink() symlink labels are explicitly
	116	# preserved, instead of short circuiting the relabel
	117	dev_relabel_generic_symlinks(udev_t)
a124c0a8	118	dev_manage_generic_symlinks(udev_t)
f312c842	119	dev_filetrans_all_named_dev(udev_t)
d35c621e	120
eac818f0	121	domain_read_all_domains_state(udev_t)
837163cf	122	domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
eac818f0	123
8241b538	124	files_read_usr_files(udev_t)
eac818f0	125	files_read_etc_runtime_files(udev_t)
431a14d0	126	files_read_kernel_modules(udev_t)
795f6214	127	files_read_system_conf_files(udev_t)
dfe675b8 DW	128
	129	# console_init manages files in /etc/sysconfig
	130	files_manage_etc_files(udev_t)
eac818f0	131	files_exec_etc_files(udev_t)
7f4447f7	132	files_exec_usr_files(udev_t)
eac818f0 CP	133	files_dontaudit_search_isid_type_dirs(udev_t)
	134	files_getattr_generic_locks(udev_t)
	135	files_search_mnt(udev_t)
3eaa9939	136	files_list_tmp(udev_t)
eac818f0	137
d35c621e	138	fs_getattr_all_fs(udev_t)
b0d2243c	139	fs_list_inotifyfs(udev_t)
837163cf	140	fs_rw_anon_inodefs_files(udev_t)
3eaa9939 DW	141	fs_list_auto_mountpoints(udev_t)
3eaa9939 DW	142	fs_list_hugetlbfs(udev_t)
d35c621e	143
eac818f0 CP	144	mcs_ptrace_all(udev_t)
eac818f0 CP	145
f8233ab7 CP	146	mls_file_read_all_levels(udev_t)
f8233ab7 CP	147	mls_file_write_all_levels(udev_t)
eac818f0 CP	148	mls_file_upgrade(udev_t)
	149	mls_file_downgrade(udev_t)
	150	mls_process_write_down(udev_t)
	151
5e0da6a0 CP	152	selinux_get_fs_mount(udev_t)
	153	selinux_validate_context(udev_t)
	154	selinux_compute_access_vector(udev_t)
	155	selinux_compute_create_context(udev_t)
	156	selinux_compute_relabel_context(udev_t)
	157	selinux_compute_user_contexts(udev_t)
3a9aef92	158
3ef029db CP	159	auth_read_pam_console_data(udev_t)
3ef029db CP	160	auth_domtrans_pam_console(udev_t)
77f6e2cd CP	161	auth_use_nsswitch(udev_t)
77f6e2cd CP	162
68228b33 CP	163	init_read_utmp(udev_t)
68228b33 CP	164	init_dontaudit_write_utmp(udev_t)
6c911897	165	init_getattr_initctl(udev_t)
2082ce40	166	init_stream_connect(udev_t)
dfb86add	167
7a2f20a3	168	logging_search_logs(udev_t)
c9428d33	169	logging_send_syslog_msg(udev_t)
3c9b2e9b	170	logging_send_audit_msgs(udev_t)
dfb86add	171
f5c42bd8	172	miscfiles_read_localization(udev_t)
837163cf	173	miscfiles_read_hwdata(udev_t)
f5c42bd8	174
c9428d33	175	modutils_domtrans_insmod(udev_t)
ed38ca9f CP	176	# read modules.inputmap:
ed38ca9f CP	177	modutils_read_module_deps(udev_t)
f5c42bd8	178
5e0da6a0 CP	179	seutil_read_config(udev_t)
	180	seutil_read_default_contexts(udev_t)
	181	seutil_read_file_contexts(udev_t)
762d2cb9	182	seutil_domtrans_setfiles(udev_t)
f5c42bd8	183
c9428d33	184	sysnet_domtrans_ifconfig(udev_t)
3ef029db	185	sysnet_domtrans_dhcpc(udev_t)
8241b538 CP	186	sysnet_rw_dhcp_config(udev_t)
	187	sysnet_read_dhcpc_pid(udev_t)
	188	sysnet_delete_dhcpc_pid(udev_t)
	189	sysnet_signal_dhcpc(udev_t)
	190	sysnet_manage_config(udev_t)
	191	sysnet_etc_filetrans_config(udev_t)
1e5c2a41	192
56e0f315 DW	193	systemd_login_read_pid_files(udev_t)
56e0f315 DW	194
296273a7	195	userdom_dontaudit_search_user_home_content(udev_t)
fd89e19f	196
ed38ca9f CP	197	ifdef(`distro_gentoo',`
	198	# during boot, init scripts use /dev/.rcsysinit
	199	# existance to determine if we are in early booting
	200	init_getattr_script_status_files(udev_t)
	201	')
	202
254bbc7b	203	ifdef(`distro_redhat',`
98a8ead4 CP	204	fs_manage_tmpfs_dirs(udev_t)
98a8ead4 CP	205	fs_manage_tmpfs_files(udev_t)
ebdc3b79 CP	206	fs_manage_tmpfs_symlinks(udev_t)
ebdc3b79 CP	207	fs_manage_tmpfs_sockets(udev_t)
4d851fe9 CP	208	fs_manage_tmpfs_blk_files(udev_t)
	209	fs_manage_tmpfs_chr_files(udev_t)
	210	fs_relabel_tmpfs_blk_file(udev_t)
	211	fs_relabel_tmpfs_chr_file(udev_t)
ee4b1e0a	212	fs_manage_hugetlbfs_dirs(udev_t)
daa0e0b0	213
9c306697	214	term_use_generic_ptys(udev_t)
69748904	215
0c73cd25	216	# for arping used for static IP addresses on PCMCIA ethernet
c9428d33	217	netutils_domtrans(udev_t)
153fe24b	218
594e29e6 DW	219	optional_policy(`
	220	unconfined_domain(udev_t)
	221	')
254bbc7b	222	')
daa0e0b0	223
6c911897 CP	224	optional_policy(`
6c911897 CP	225	alsa_domtrans(udev_t)
3c9b2e9b	226	alsa_read_lib(udev_t)
6c911897 CP	227	alsa_read_rw_config(udev_t)
	228	')
	229
837163cf CP	230	optional_policy(`
	231	bluetooth_domtrans(udev_t)
	232	')
	233
8241b538 CP	234	optional_policy(`
	235	brctl_domtrans(udev_t)
	236	')
	237
3c9b2e9b CP	238	optional_policy(`
	239	clock_domtrans(udev_t)
	240	')
	241
3eaa9939 DW	242	optional_policy(`
	243	consolekit_read_pid_files(udev_t)
	244	')
	245
bb7170f6	246	optional_policy(`
e200bcc0	247	consoletype_exec(udev_t)
dfb86add CP	248	')
dfb86add CP	249
837163cf CP	250	optional_policy(`
837163cf CP	251	cups_domtrans_config(udev_t)
c71f02c0	252	cups_read_config(udev_t)
837163cf CP	253	')
837163cf CP	254
bb7170f6	255	optional_policy(`
296273a7	256	dbus_system_bus_client(udev_t)
0c3d1705 CP	257	')
0c3d1705 CP	258
837163cf CP	259	optional_policy(`
	260	devicekit_read_pid_files(udev_t)
	261	devicekit_dgram_send(udev_t)
7e9cab9c	262	devicekit_domtrans_disk(udev_t)
837163cf CP	263	')
837163cf CP	264
7d58fe42 DW	265	optional_policy(`
	266	gpsd_domtrans(udev_t)
	267	')
	268
3c9b2e9b CP	269	optional_policy(`
3c9b2e9b CP	270	lvm_domtrans(udev_t)
93ff1436	271	lvm_dgram_send(udev_t)
3c9b2e9b CP	272	')
3c9b2e9b CP	273
8241b538 CP	274	optional_policy(`
	275	fstools_domtrans(udev_t)
	276	')
	277
bb7170f6	278	optional_policy(`
1c1ac67f	279	hal_dgram_send(udev_t)
a124c0a8 CP	280
	281	ifdef(`hide_broken_symptoms',`
	282	hal_dontaudit_rw_dgram_sockets(udev_t)
	283	')
9fd4b818 CP	284	')
9fd4b818 CP	285
bb7170f6	286	optional_policy(`
0c73cd25	287	hotplug_read_config(udev_t)
ed38ca9f CP	288	# usb.agent searches /var/run/usb
ed38ca9f CP	289	hotplug_search_pids(udev_t)
1e5c2a41 CP	290	')
1e5c2a41 CP	291
837163cf CP	292	optional_policy(`
	293	mount_domtrans(udev_t)
	294	')
	295
3eaa9939 DW	296	optional_policy(`
	297	networkmanager_dbus_chat(udev_t)
	298	')
	299
8241b538 CP	300	optional_policy(`
	301	openct_read_pid_files(udev_t)
	302	openct_domtrans(udev_t)
	303	')
	304
	305	optional_policy(`
	306	pcscd_read_pub_files(udev_t)
	307	pcscd_domtrans(udev_t)
	308	')
	309
6c911897 CP	310	optional_policy(`
	311	raid_domtrans_mdadm(udev_t)
	312	')
	313
3eaa9939 DW	314	optional_policy(`
3eaa9939 DW	315	usbmuxd_domtrans(udev_t)
4fccad90	316	usbmuxd_stream_connect(udev_t)
3eaa9939 DW	317	')
3eaa9939 DW	318
837163cf CP	319	optional_policy(`
	320	unconfined_signal(udev_t)
	321	')
	322
	323	optional_policy(`
	324	vbetool_domtrans(udev_t)
	325	')
	326
8241b538 CP	327	optional_policy(`
	328	kernel_write_xen_state(udev_t)
	329	kernel_read_xen_state(udev_t)
	330	xen_manage_log(udev_t)
	331	xen_read_image_files(udev_t)
	332	')
	333
3b914745 CP	334	optional_policy(`
	335	xserver_read_xdm_pid(udev_t)
	336	')