selinux-policy/strict/domains/program/hotplug.te

163 lines
4.9 KiB
Plaintext
Raw Normal View History

2005-04-29 17:45:15 +00:00
#DESC Hotplug - Hardware event manager
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: hotplug
#
#################################
#
# Rules for the hotplug_t domain.
#
# hotplug_exec_t is the type of the hotplug executable.
#
ifdef(`unlimitedUtils', `
daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer')
', `
daemon_domain(hotplug, `, privmodule')
')
etcdir_domain(hotplug)
allow hotplug_t self:fifo_file { read write getattr ioctl };
allow hotplug_t self:unix_dgram_socket create_socket_perms;
allow hotplug_t self:unix_stream_socket create_socket_perms;
allow hotplug_t self:udp_socket create_socket_perms;
read_sysctl(hotplug_t)
allow hotplug_t sysctl_net_t:dir r_dir_perms;
allow hotplug_t sysctl_net_t:file { getattr read };
# get info from /proc
r_dir_file(hotplug_t, proc_t)
allow hotplug_t self:file { getattr read ioctl };
2005-04-29 17:45:15 +00:00
allow hotplug_t devtty_t:chr_file rw_file_perms;
allow hotplug_t device_t:dir r_dir_perms;
# for SSP
allow hotplug_t urandom_device_t:chr_file read;
allow hotplug_t { bin_t sbin_t }:dir search;
allow hotplug_t { bin_t sbin_t }:lnk_file read;
can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t })
ifdef(`hostname.te', `
can_exec(hotplug_t, hostname_exec_t)
dontaudit hostname_t hotplug_t:fd use;
')
ifdef(`netutils.te', `
ifdef(`distro_redhat', `
# for arping used for static IP addresses on PCMCIA ethernet
domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t)
allow hotplug_t tmpfs_t:dir search;
allow hotplug_t tmpfs_t:chr_file rw_file_perms;
')dnl end if distro_redhat
')dnl end if netutils.te
allow initrc_t usbdevfs_t:file { getattr read ioctl };
allow initrc_t modules_dep_t:file { getattr read ioctl };
r_dir_file(hotplug_t, usbdevfs_t)
allow hotplug_t usbfs_t:dir r_dir_perms;
allow hotplug_t usbfs_t:file { getattr read };
# read config files
allow hotplug_t etc_t:dir r_dir_perms;
allow hotplug_t etc_t:{ file lnk_file } r_file_perms;
2005-09-15 21:03:45 +00:00
allow hotplug_t kernel_t:process { sigchld setpgid };
2005-04-29 17:45:15 +00:00
ifdef(`distro_redhat', `
allow hotplug_t var_lock_t:dir search;
allow hotplug_t var_lock_t:file getattr;
')
ifdef(`hald.te', `
allow hotplug_t hald_t:unix_dgram_socket sendto;
allow hald_t hotplug_etc_t:dir search;
allow hald_t hotplug_etc_t:file { getattr read };
')
# for killall
allow hotplug_t self:process { getsession getattr };
allow hotplug_t self:file getattr;
domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t)
ifdef(`mount.te', `
2005-04-29 17:45:15 +00:00
domain_auto_trans(hotplug_t, mount_exec_t, mount_t)
')
2005-04-29 17:45:15 +00:00
domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t)
ifdef(`updfstab.te', `
domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t)
')
# init scripts run /etc/hotplug/usb.rc
domain_auto_trans(initrc_t, hotplug_etc_t, hotplug_t)
allow initrc_t hotplug_etc_t:dir r_dir_perms;
ifdef(`iptables.te', `domain_auto_trans(hotplug_t, iptables_exec_t, iptables_t)')
r_dir_file(hotplug_t, modules_object_t)
allow hotplug_t modules_dep_t:file { getattr read ioctl };
# for lsmod
dontaudit hotplug_t self:capability { sys_module sys_admin };
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit hotplug_t self:capability { dac_override dac_read_search };
ifdef(`fsadm.te', `
domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
')
allow hotplug_t var_log_t:dir search;
# for ps
dontaudit hotplug_t domain:dir { getattr search };
dontaudit hotplug_t { init_t kernel_t }:file read;
ifdef(`initrc.te', `
can_ps(hotplug_t, initrc_t)
')
# for when filesystems are not mounted early in the boot
dontaudit hotplug_t file_t:dir { search getattr };
# kernel threads inherit from shared descriptor table used by init
dontaudit hotplug_t initctl_t:fifo_file { read write };
# Read /usr/lib/gconv/.*
allow hotplug_t lib_t:file { getattr read };
2005-09-15 21:03:45 +00:00
allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
allow hotplug_t sysfs_t:dir { getattr read search write };
allow hotplug_t sysfs_t:file rw_file_perms;
2005-04-29 17:45:15 +00:00
allow hotplug_t sysfs_t:lnk_file { getattr read };
allow hotplug_t udev_runtime_t:file rw_file_perms;
ifdef(`lpd.te', `
allow hotplug_t printer_device_t:chr_file setattr;
')
allow hotplug_t fixed_disk_device_t:blk_file setattr;
allow hotplug_t removable_device_t:blk_file setattr;
allow hotplug_t sound_device_t:chr_file setattr;
ifdef(`udev.te', `
domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t)
')
file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
can_network_server(hotplug_t)
can_ypbind(hotplug_t)
dbusd_client(system, hotplug)
# Allow hotplug (including /sbin/ifup-local) to start/stop services and # run sendmail -q
domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
ifdef(`mta.te', `
domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t)
')
2005-09-15 21:03:45 +00:00
allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr };
allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
2005-04-29 17:45:15 +00:00
2005-09-15 21:03:45 +00:00
dontaudit hotplug_t selinux_config_t:dir search;