add devicekit module from dan.
This commit is contained in:
parent
4e7c0a93a6
commit
677c4c2fea
@ -22,6 +22,7 @@
|
||||
- Added modules:
|
||||
certmaster (Dan Walsh)
|
||||
cpufreqselector (Dan Walsh)
|
||||
devicekit (Dan Walsh)
|
||||
git (Dan Walsh)
|
||||
gpsd (Miroslav Grepl)
|
||||
guest (Dan Walsh)
|
||||
|
8
policy/modules/services/devicekit.fc
Normal file
8
policy/modules/services/devicekit.fc
Normal file
@ -0,0 +1,8 @@
|
||||
/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
|
||||
/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
|
||||
/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
|
||||
|
||||
/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
|
||||
|
||||
/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
|
||||
/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
|
185
policy/modules/services/devicekit.if
Normal file
185
policy/modules/services/devicekit.if
Normal file
@ -0,0 +1,185 @@
|
||||
## <summary>Devicekit modular hardware abstraction layer</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run devicekit.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`devicekit_domtrans',`
|
||||
gen_require(`
|
||||
type devicekit_t, devicekit_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1, devicekit_exec_t, devicekit_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send to devicekit over a unix domain
|
||||
## datagram socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`devicekit_dgram_send',`
|
||||
gen_require(`
|
||||
type devicekit_t;
|
||||
')
|
||||
|
||||
allow $1 devicekit_t:unix_dgram_socket sendto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages from
|
||||
## devicekit over dbus.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`devicekit_dbus_chat',`
|
||||
gen_require(`
|
||||
type devicekit_t;
|
||||
class dbus send_msg;
|
||||
')
|
||||
|
||||
allow $1 devicekit_t:dbus send_msg;
|
||||
allow devicekit_t $1:dbus send_msg;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages from
|
||||
## devicekit disk over dbus.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`devicekit_dbus_chat_disk',`
|
||||
gen_require(`
|
||||
type devicekit_disk_t;
|
||||
class dbus send_msg;
|
||||
')
|
||||
|
||||
allow $1 devicekit_disk_t:dbus send_msg;
|
||||
allow devicekit_disk_t $1:dbus send_msg;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send signal devicekit power
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`devicekit_signal_power',`
|
||||
gen_require(`
|
||||
type devicekit_power_t;
|
||||
')
|
||||
|
||||
allow $1 devicekit_power_t:process signal;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages from
|
||||
## devicekit power over dbus.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`devicekit_dbus_chat_power',`
|
||||
gen_require(`
|
||||
type devicekit_power_t;
|
||||
class dbus send_msg;
|
||||
')
|
||||
|
||||
allow $1 devicekit_power_t:dbus send_msg;
|
||||
allow devicekit_power_t $1:dbus send_msg;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read devicekit PID files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`devicekit_read_pid_files',`
|
||||
gen_require(`
|
||||
type devicekit_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an devicekit environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the devicekit domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`devicekit_admin',`
|
||||
gen_require(`
|
||||
type devicekit_t, devicekit_disk_t, devicekit_power_t;
|
||||
type devicekit_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 devicekit_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, devicekit_t)
|
||||
|
||||
allow $1 devicekit_disk_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, devicekit_disk_t)
|
||||
|
||||
allow $1 devicekit_power_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, devicekit_power_t)
|
||||
|
||||
admin_pattern($1, devicekit_tmp_t)
|
||||
files_search_tmp($1)
|
||||
|
||||
admin_pattern($1, devicekit_var_lib_t)
|
||||
files_search_var_lib($1)
|
||||
|
||||
admin_pattern($1, devicekit_var_run_t)
|
||||
files_search_pids($1)
|
||||
')
|
219
policy/modules/services/devicekit.te
Normal file
219
policy/modules/services/devicekit.te
Normal file
@ -0,0 +1,219 @@
|
||||
policy_module(devicekit, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type devicekit_t;
|
||||
type devicekit_exec_t;
|
||||
dbus_system_domain(devicekit_t, devicekit_exec_t)
|
||||
|
||||
type devicekit_power_t;
|
||||
type devicekit_power_exec_t;
|
||||
dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
|
||||
|
||||
type devicekit_disk_t;
|
||||
type devicekit_disk_exec_t;
|
||||
dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
|
||||
|
||||
type devicekit_tmp_t;
|
||||
files_tmp_file(devicekit_tmp_t)
|
||||
|
||||
type devicekit_var_run_t;
|
||||
files_pid_file(devicekit_var_run_t)
|
||||
|
||||
type devicekit_var_lib_t;
|
||||
files_type(devicekit_var_lib_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# DeviceKit local policy
|
||||
#
|
||||
|
||||
allow devicekit_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
|
||||
manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
|
||||
files_pid_filetrans(devicekit_t, devicekit_var_run_t, { file dir })
|
||||
|
||||
dev_read_sysfs(devicekit_t)
|
||||
dev_read_urand(devicekit_t)
|
||||
|
||||
files_read_etc_files(devicekit_t)
|
||||
|
||||
miscfiles_read_localization(devicekit_t)
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(devicekit_t)
|
||||
|
||||
allow devicekit_t devicekit_disk_t:dbus send_msg;
|
||||
allow devicekit_t devicekit_power_t:dbus send_msg;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_read_db(devicekit_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# DeviceKit disk local policy
|
||||
#
|
||||
|
||||
allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio };
|
||||
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
|
||||
manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
|
||||
files_tmp_filetrans(devicekit_disk_t, devicekit_tmp_t, { file dir })
|
||||
|
||||
manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
|
||||
manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
|
||||
files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
|
||||
|
||||
kernel_read_software_raid_state(devicekit_disk_t)
|
||||
kernel_setsched(devicekit_disk_t)
|
||||
|
||||
corecmd_exec_bin(devicekit_disk_t)
|
||||
|
||||
dev_rw_sysfs(devicekit_disk_t)
|
||||
dev_read_urand(devicekit_disk_t)
|
||||
dev_getattr_usbfs_dirs(devicekit_disk_t)
|
||||
|
||||
files_manage_mnt_dirs(devicekit_disk_t)
|
||||
files_read_etc_files(devicekit_disk_t)
|
||||
files_read_etc_runtime_files(devicekit_disk_t)
|
||||
files_read_usr_files(devicekit_disk_t)
|
||||
|
||||
fs_mount_all_fs(devicekit_disk_t)
|
||||
fs_unmount_all_fs(devicekit_disk_t)
|
||||
fs_manage_fusefs_dirs(devicekit_disk_t)
|
||||
|
||||
storage_raw_read_fixed_disk(devicekit_disk_t)
|
||||
storage_raw_write_fixed_disk(devicekit_disk_t)
|
||||
storage_raw_read_removable_device(devicekit_disk_t)
|
||||
storage_raw_write_removable_device(devicekit_disk_t)
|
||||
|
||||
auth_use_nsswitch(devicekit_disk_t)
|
||||
|
||||
miscfiles_read_localization(devicekit_disk_t)
|
||||
|
||||
userdom_read_all_users_state(devicekit_disk_t)
|
||||
userdom_search_user_home_dirs(devicekit_disk_t)
|
||||
|
||||
optional_policy(`
|
||||
fstools_domtrans(devicekit_disk_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
lvm_domtrans(devicekit_disk_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
policykit_domtrans_auth(devicekit_disk_t)
|
||||
policykit_read_lib(devicekit_disk_t)
|
||||
policykit_read_reload(devicekit_disk_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mount_domtrans(devicekit_disk_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(devicekit_disk_t)
|
||||
|
||||
allow devicekit_disk_t devicekit_t:dbus send_msg;
|
||||
|
||||
optional_policy(`
|
||||
consolekit_dbus_chat(devicekit_disk_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_domtrans(devicekit_disk_t)
|
||||
udev_read_db(devicekit_disk_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# DeviceKit-Power local policy
|
||||
#
|
||||
|
||||
allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice sys_ptrace };
|
||||
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
|
||||
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
|
||||
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
|
||||
files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
|
||||
|
||||
kernel_read_network_state(devicekit_power_t)
|
||||
kernel_read_system_state(devicekit_power_t)
|
||||
kernel_rw_hotplug_sysctls(devicekit_power_t)
|
||||
kernel_rw_kernel_sysctl(devicekit_power_t)
|
||||
|
||||
corecmd_exec_bin(devicekit_power_t)
|
||||
corecmd_exec_shell(devicekit_power_t)
|
||||
|
||||
consoletype_exec(devicekit_power_t)
|
||||
|
||||
domain_read_all_domains_state(devicekit_power_t)
|
||||
|
||||
dev_rw_generic_usb_dev(devicekit_power_t)
|
||||
dev_rw_netcontrol(devicekit_power_t)
|
||||
dev_rw_sysfs(devicekit_power_t)
|
||||
|
||||
files_read_kernel_img(devicekit_power_t)
|
||||
files_read_etc_files(devicekit_power_t)
|
||||
files_read_usr_files(devicekit_power_t)
|
||||
|
||||
term_use_all_terms(devicekit_power_t)
|
||||
|
||||
auth_use_nsswitch(devicekit_power_t)
|
||||
|
||||
miscfiles_read_localization(devicekit_power_t)
|
||||
|
||||
userdom_read_all_users_state(devicekit_power_t)
|
||||
|
||||
optional_policy(`
|
||||
bootloader_domtrans(devicekit_power_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(devicekit_power_t)
|
||||
|
||||
allow devicekit_power_t devicekit_t:dbus send_msg;
|
||||
|
||||
optional_policy(`
|
||||
consolekit_dbus_chat(devicekit_power_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
networkmanager_dbus_chat(devicekit_power_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
rpm_dbus_chat(devicekit_power_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
fstools_domtrans(devicekit_power_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
hal_domtrans_mac(devicekit_power_t)
|
||||
hal_manage_pid_dirs(devicekit_power_t)
|
||||
hal_manage_pid_files(devicekit_power_t)
|
||||
hal_dbus_chat(devicekit_power_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
policykit_domtrans_auth(devicekit_power_t)
|
||||
policykit_read_lib(devicekit_power_t)
|
||||
policykit_read_reload(devicekit_power_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
vbetool_domtrans(devicekit_power_t)
|
||||
')
|
Loading…
Reference in New Issue
Block a user