selinux-policy/policy/modules/services/hal.if

## <summary>Hardware abstraction layer</summary>

########################################
## <summary>
##	Execute hal in the hal domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_domtrans',`
	gen_require(`
		type hald_t, hald_exec_t;
	')

	domtrans_pattern($1, hald_exec_t, hald_t)
')

########################################
## <summary>
##	Get the attributes of a hal process.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_getattr',`
	gen_require(`
		type hald_t;
	')

	allow $1 hald_t:process getattr;
')

########################################
## <summary>
##	Read hal system state
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`hal_read_state',`
	gen_require(`
		type hald_t;
	')

	ps_process_pattern($1, hald_t)
')

########################################
## <summary>
##	Allow ptrace of hal domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_ptrace',`
	gen_require(`
		type hald_t;
	')

	allow $1 hald_t:process ptrace;
')

########################################
## <summary>
##	Allow domain to use file descriptors from hal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`hal_use_fds',`
	gen_require(`
		type hald_t;
	')

	allow $1 hald_t:fd use; 
')

########################################
## <summary>
##	Do not audit attempts to use file descriptors from hal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`hal_dontaudit_use_fds',`
	gen_require(`
		type hald_t;
	')

	dontaudit $1 hald_t:fd use; 
')

########################################
## <summary>
##	Allow attempts to read and write to
##	hald unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`hal_rw_pipes',`
	gen_require(`
		type hald_t;
	')

	allow $1 hald_t:fifo_file rw_fifo_file_perms; 
')

########################################
## <summary>
##	Do not audit attempts to read and write to
##	hald unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`hal_dontaudit_rw_pipes',`
	gen_require(`
		type hald_t;
	')

	dontaudit $1 hald_t:fifo_file rw_fifo_file_perms; 
')

########################################
## <summary>
##	Send to hal over a unix domain
##	datagram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_dgram_send',`
	gen_require(`
		type hald_t;
	')

	allow $1 hald_t:unix_dgram_socket sendto;
')

########################################
## <summary>
##	Send to hal over a unix domain
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_stream_connect',`
	gen_require(`
		type hald_t;
	')

	allow $1 hald_t:unix_stream_socket connectto;
')

########################################
## <summary>
##	Send a dbus message to hal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_dbus_send',`
	gen_require(`
		type hald_t;
		class dbus send_msg;
	')

	allow $1 hald_t:dbus send_msg;
')

########################################
## <summary>
##	Send and receive messages from
##	hal over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_dbus_chat',`
	gen_require(`
		type hald_t;
		class dbus send_msg;
	')

	allow $1 hald_t:dbus send_msg;
	allow hald_t $1:dbus send_msg;
')

########################################
## <summary>
##	Execute hal mac in the hal mac domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_domtrans_mac',`
	gen_require(`
		type hald_mac_t, hald_mac_exec_t;
	')

	domtrans_pattern($1, hald_mac_exec_t, hald_mac_t)
')

########################################
## <summary>
##	Allow attempts to write the hal
##	log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_write_log',`
	gen_require(`
		type hald_log_t;
	')

	logging_search_logs($1)
	allow $1 hald_log_t:file write_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to write the hal
##	log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit
##	</summary>
## </param>
#
interface(`hal_dontaudit_write_log',`
	gen_require(`
		type hald_log_t;
	')

	dontaudit $1 hald_log_t:file { append write };
')

########################################
## <summary>
##	Manage hald log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_manage_log',`
	gen_require(`
		type hald_log_t;
	')

	# log files for hald
	manage_files_pattern($1, hald_log_t, hald_log_t)
	logging_log_filetrans($1, hald_log_t, file)
')

########################################
## <summary>
##	Read hald tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_read_tmp_files',`
	gen_require(`
		type hald_tmp_t;
	')

	allow $1 hald_tmp_t:file read_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to read or write
##	HAL libraries files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_dontaudit_append_lib_files',`
	gen_require(`
		type hald_var_lib_t;
	')

	dontaudit $1 hald_var_lib_t:file { read_file_perms append_file_perms };
')

########################################
## <summary>
##	Read hald PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_read_pid_files',`
	gen_require(`
		type hald_var_run_t;
	')

	files_search_pids($1)
	allow $1 hald_var_run_t:file read_file_perms;
')

########################################
## <summary>
##	Read/Write hald PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_rw_pid_files',`
	gen_require(`
		type hald_var_run_t;
	')

	files_search_pids($1)
	allow $1 hald_var_run_t:file rw_file_perms;
')

########################################
## <summary>
##	Manage hald PID dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_manage_pid_dirs',`
	gen_require(`
		type hald_var_run_t;
	')

	files_search_pids($1)
	manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t)
')

########################################
## <summary>
##	Manage hald PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hal_manage_pid_files',`
	gen_require(`
		type hald_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
')
add hal 2005-09-02 20:29:52 +00:00			`## <summary>Hardware abstraction layer</summary>`
more fixing 2005-10-26 21:03:19 +00:00
			`########################################`
			`## <summary>`
			`## Execute hal in the hal domain.`
			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
more fixing 2005-10-26 21:03:19 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
more fixing 2005-10-26 21:03:19 +00:00			`## </param>`
			`#`
			interface(`hal_domtrans',`
			gen_require(`
			`type hald_t, hald_exec_t;`
			`')`

trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00			`domtrans_pattern($1, hald_exec_t, hald_t)`
more fixing 2005-10-26 21:03:19 +00:00			`')`
pile of sediff fixes 2005-11-08 22:00:30 +00:00
trunk: 5 patches from dan. 2008-11-19 15:24:10 +00:00			`########################################`
			`## <summary>`
			`## Get the attributes of a hal process.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`hal_getattr',`
			gen_require(`
			`type hald_t;`
			`')`

			`allow $1 hald_t:process getattr;`
			`')`

			`########################################`
			`## <summary>`
			`## Read hal system state`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain to not audit.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`hal_read_state',`
			gen_require(`
			`type hald_t;`
			`')`

hal patch from dan. 2009-07-27 14:18:50 +00:00			`ps_process_pattern($1, hald_t)`
trunk: 5 patches from dan. 2008-11-19 15:24:10 +00:00			`')`

trunk: 4 patches from dan. 2007-09-05 14:48:21 +00:00			`########################################`
			`## <summary>`
			`## Allow ptrace of hal domain`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`hal_ptrace',`
			gen_require(`
			`type hald_t;`
			`')`

			`allow $1 hald_t:process ptrace;`
			`')`

			`########################################`
			`## <summary>`
			`## Allow domain to use file descriptors from hal.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain to not audit.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`hal_use_fds',`
			gen_require(`
			`type hald_t;`
			`')`

			`allow $1 hald_t:fd use;`
			`')`

patch from dan, Thu, 2007-01-25 at 08:12 -0500 2007-02-16 23:01:42 +00:00			`########################################`
			`## <summary>`
			`## Do not audit attempts to use file descriptors from hal.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain to not audit.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`hal_dontaudit_use_fds',`
			gen_require(`
			`type hald_t;`
			`')`

			`dontaudit $1 hald_t:fd use;`
			`')`

trunk: 4 patches from dan. 2007-09-05 14:48:21 +00:00			`########################################`
			`## <summary>`
			`## Allow attempts to read and write to`
			`## hald unnamed pipes.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain to not audit.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`hal_rw_pipes',`
			gen_require(`
			`type hald_t;`
			`')`

			`allow $1 hald_t:fifo_file rw_fifo_file_perms;`
			`')`

patch from dan, Thu, 2007-01-25 at 08:12 -0500 2007-02-16 23:01:42 +00:00			`########################################`
			`## <summary>`
			`## Do not audit attempts to read and write to`
			`## hald unnamed pipes.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain to not audit.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`hal_dontaudit_rw_pipes',`
			gen_require(`
			`type hald_t;`
			`')`

			`dontaudit $1 hald_t:fifo_file rw_fifo_file_perms;`
			`')`

pile of sediff fixes 2005-11-08 22:00:30 +00:00			`########################################`
			`## <summary>`
			`## Send to hal over a unix domain`
			`## datagram socket.`
			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
pile of sediff fixes 2005-11-08 22:00:30 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
pile of sediff fixes 2005-11-08 22:00:30 +00:00			`## </param>`
			`#`
make (almost) all interface parameters required. move boot_t, system_map_t, and modules_object_t to files module. fd use interface renames, udp sendto interface renames. 2006-03-02 23:41:11 +00:00			interface(`hal_dgram_send',`
pile of sediff fixes 2005-11-08 22:00:30 +00:00			gen_require(`
			`type hald_t;`
			`')`

			`allow $1 hald_t:unix_dgram_socket sendto;`
			`')`
fix transitions in and out of unconfined. fix bugs uncovered by rawhide testing 2005-11-16 21:08:52 +00:00
			`########################################`
			`## <summary>`
			`## Send to hal over a unix domain`
			`## stream socket.`
			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
fix transitions in and out of unconfined. fix bugs uncovered by rawhide testing 2005-11-16 21:08:52 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
fix transitions in and out of unconfined. fix bugs uncovered by rawhide testing 2005-11-16 21:08:52 +00:00			`## </param>`
			`#`
			interface(`hal_stream_connect',`
			gen_require(`
			`type hald_t;`
			`')`

			`allow $1 hald_t:unix_stream_socket connectto;`
			`')`
patch from dan 2005-11-23 19:02:40 +00:00
			`########################################`
			`## <summary>`
			`## Send a dbus message to hal.`
			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
patch from dan 2005-11-23 19:02:40 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
patch from dan 2005-11-23 19:02:40 +00:00			`## </param>`
			`#`
			interface(`hal_dbus_send',`
			gen_require(`
			`type hald_t;`
			`class dbus send_msg;`
			`')`

			`allow $1 hald_t:dbus send_msg;`
			`')`
work on users 2005-11-29 15:49:18 +00:00
			`########################################`
			`## <summary>`
			`## Send and receive messages from`
			`## hal over dbus.`
			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
work on users 2005-11-29 15:49:18 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
work on users 2005-11-29 15:49:18 +00:00			`## </param>`
			`#`
			interface(`hal_dbus_chat',`
			gen_require(`
			`type hald_t;`
			`class dbus send_msg;`
			`')`

			`allow $1 hald_t:dbus send_msg;`
			`allow hald_t $1:dbus send_msg;`
			`')`
patch from dan Fri, 17 Mar 2006 15:22:53 -0500 2006-03-23 19:19:38 +00:00
hal patch from dan. 2009-07-27 14:18:50 +00:00			`########################################`
			`## <summary>`
			`## Execute hal mac in the hal mac domain.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`hal_domtrans_mac',`
			gen_require(`
			`type hald_mac_t, hald_mac_exec_t;`
			`')`

			`domtrans_pattern($1, hald_mac_exec_t, hald_mac_t)`
			`')`

trunk: 4 patches from dan. 2007-09-05 14:48:21 +00:00			`########################################`
			`## <summary>`
			`## Allow attempts to write the hal`
			`## log files.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
trunk: hal xml doc fix pointed out by Rob Myers. 2008-04-18 15:55:03 +00:00			`## Domain allowed access.`
trunk: 4 patches from dan. 2007-09-05 14:48:21 +00:00			`## </summary>`
			`## </param>`
			`#`
			interface(`hal_write_log',`
			gen_require(`
			`type hald_log_t;`
			`')`

			`logging_search_logs($1)`
			`allow $1 hald_log_t:file write_file_perms;`
			`')`

			`########################################`
			`## <summary>`
			`## Do not audit attempts to write the hal`
			`## log files.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain to not audit`
			`## </summary>`
			`## </param>`
			`#`
			interface(`hal_dontaudit_write_log',`
			gen_require(`
			`type hald_log_t;`
			`')`

			`dontaudit $1 hald_log_t:file { append write };`
			`')`

hal patch from dan. 2009-07-27 14:18:50 +00:00			`########################################`
			`## <summary>`
			`## Manage hald log files.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`hal_manage_log',`
			gen_require(`
			`type hald_log_t;`
			`')`

			`# log files for hald`
			`manage_files_pattern($1, hald_log_t, hald_log_t)`
			`logging_log_filetrans($1, hald_log_t, file)`
			`')`

patch from Dan Tue, 20 Jun 2006 16:19:13 -0400 2006-06-21 18:25:06 +00:00			`########################################`
			`## <summary>`
			`## Read hald tmp files.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`hal_read_tmp_files',`
			gen_require(`
			`type hald_tmp_t;`
			`')`

merge policy patterns to trunk 2006-12-12 20:08:08 +00:00			`allow $1 hald_tmp_t:file read_file_perms;`
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400 2006-06-21 18:25:06 +00:00			`')`
patch from dan Fri, 17 Mar 2006 15:22:53 -0500 2006-03-23 19:19:38 +00:00
patch from dan Wed, 29 Nov 2006 17:06:40 -0500 2006-12-04 20:10:56 +00:00			`########################################`
			`## <summary>`
			`## Do not audit attempts to read or write`
			`## HAL libraries files`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`hal_dontaudit_append_lib_files',`
			gen_require(`
			`type hald_var_lib_t;`
			`')`

merge policy patterns to trunk 2006-12-12 20:08:08 +00:00			`dontaudit $1 hald_var_lib_t:file { read_file_perms append_file_perms };`
patch from dan Wed, 29 Nov 2006 17:06:40 -0500 2006-12-04 20:10:56 +00:00			`')`

patch from dan Fri, 17 Mar 2006 15:22:53 -0500 2006-03-23 19:19:38 +00:00			`########################################`
			`## <summary>`
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400 2006-06-21 18:25:06 +00:00			`## Read hald PID files.`
patch from dan Fri, 17 Mar 2006 15:22:53 -0500 2006-03-23 19:19:38 +00:00			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`hal_read_pid_files',`
			gen_require(`
			`type hald_var_run_t;`
			`')`

			`files_search_pids($1)`
merge policy patterns to trunk 2006-12-12 20:08:08 +00:00			`allow $1 hald_var_run_t:file read_file_perms;`
patch from dan Fri, 17 Mar 2006 15:22:53 -0500 2006-03-23 19:19:38 +00:00			`')`

			`########################################`
			`## <summary>`
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400 2006-06-21 18:25:06 +00:00			`## Read/Write hald PID files.`
patch from dan Fri, 17 Mar 2006 15:22:53 -0500 2006-03-23 19:19:38 +00:00			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`hal_rw_pid_files',`
			gen_require(`
			`type hald_var_run_t;`
			`')`

			`files_search_pids($1)`
			`allow $1 hald_var_run_t:file rw_file_perms;`
			`')`
hal patch from dan. 2009-07-27 14:18:50 +00:00
			`########################################`
			`## <summary>`
			`## Manage hald PID dirs.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`hal_manage_pid_dirs',`
			gen_require(`
			`type hald_var_run_t;`
			`')`

			`files_search_pids($1)`
			`manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t)`
			`')`

			`########################################`
			`## <summary>`
			`## Manage hald PID files.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`hal_manage_pid_files',`
			gen_require(`
			`type hald_var_run_t;`
			`')`

			`files_search_pids($1)`
			`manage_files_pattern($1, hald_var_run_t, hald_var_run_t)`
			`')`