## Hardware abstraction layer ######################################## ## ## Execute hal in the hal domain. ## ## ## ## Domain allowed access. ## ## # interface(`hal_domtrans',` gen_require(` type hald_t, hald_exec_t; ') domtrans_pattern($1,hald_exec_t,hald_t) ') ######################################## ## ## Send to hal over a unix domain ## datagram socket. ## ## ## ## Domain allowed access. ## ## # interface(`hal_dgram_send',` gen_require(` type hald_t; ') allow $1 hald_t:unix_dgram_socket sendto; ') ######################################## ## ## Send to hal over a unix domain ## stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`hal_stream_connect',` gen_require(` type hald_t; ') allow $1 hald_t:unix_stream_socket connectto; ') ######################################## ## ## Send a dbus message to hal. ## ## ## ## Domain allowed access. ## ## # interface(`hal_dbus_send',` gen_require(` type hald_t; class dbus send_msg; ') allow $1 hald_t:dbus send_msg; ') ######################################## ## ## Send and receive messages from ## hal over dbus. ## ## ## ## Domain allowed access. ## ## # interface(`hal_dbus_chat',` gen_require(` type hald_t; class dbus send_msg; ') allow $1 hald_t:dbus send_msg; allow hald_t $1:dbus send_msg; ') ######################################## ## ## Read hald tmp files. ## ## ## ## Domain allowed access. ## ## # interface(`hal_read_tmp_files',` gen_require(` type hald_tmp_t; ') allow $1 hald_tmp_t:file read_file_perms; ') ######################################## ## ## Do not audit attempts to read or write ## HAL libraries files ## ## ## ## Domain allowed access. ## ## # interface(`hal_dontaudit_append_lib_files',` gen_require(` type hald_var_lib_t; ') dontaudit $1 hald_var_lib_t:file { read_file_perms append_file_perms }; ') ######################################## ## ## Read hald PID files. ## ## ## ## Domain allowed access. ## ## # interface(`hal_read_pid_files',` gen_require(` type hald_var_run_t; ') files_search_pids($1) allow $1 hald_var_run_t:file read_file_perms; ') ######################################## ## ## Read/Write hald PID files. ## ## ## ## Domain allowed access. ## ## # interface(`hal_rw_pid_files',` gen_require(` type hald_var_run_t; ') files_search_pids($1) allow $1 hald_var_run_t:file rw_file_perms; ')