## Hardware abstraction layer ######################################## ## ## Execute hal in the hal domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`hal_domtrans',` gen_require(` type hald_t, hald_exec_t; ') domtrans_pattern($1, hald_exec_t, hald_t) ') ######################################## ## ## Get the attributes of a hal process. ## ## ## ## Domain allowed access. ## ## # interface(`hal_getattr',` gen_require(` type hald_t; ') allow $1 hald_t:process getattr; ') ######################################## ## ## Read hal system state ## ## ## ## Domain allowed access. ## ## # interface(`hal_read_state',` gen_require(` type hald_t; ') kernel_search_proc($1) ps_process_pattern($1, hald_t) ') ######################################## ## ## Allow ptrace of hal domain ## ## ## ## Domain allowed access. ## ## # interface(`hal_ptrace',` gen_require(` type hald_t; ') allow $1 hald_t:process ptrace; ') ######################################## ## ## Allow domain to use file descriptors from hal. ## ## ## ## Domain allowed access. ## ## # interface(`hal_use_fds',` gen_require(` type hald_t; ') allow $1 hald_t:fd use; ') ######################################## ## ## Do not audit attempts to use file descriptors from hal. ## ## ## ## Domain to not audit. ## ## # interface(`hal_dontaudit_use_fds',` gen_require(` type hald_t; ') dontaudit $1 hald_t:fd use; ') ######################################## ## ## Allow attempts to read and write to ## hald unnamed pipes. ## ## ## ## Domain allowed access. ## ## # interface(`hal_rw_pipes',` gen_require(` type hald_t; ') allow $1 hald_t:fifo_file rw_fifo_file_perms; ') ######################################## ## ## Do not audit attempts to read and write to ## hald unnamed pipes. ## ## ## ## Domain to not audit. ## ## # interface(`hal_dontaudit_rw_pipes',` gen_require(` type hald_t; ') dontaudit $1 hald_t:fifo_file rw_fifo_file_perms; ') ######################################## ## ## Send to hal over a unix domain ## datagram socket. ## ## ## ## Domain allowed access. ## ## # interface(`hal_dgram_send',` gen_require(` type hald_t; ') allow $1 hald_t:unix_dgram_socket sendto; ') ######################################## ## ## Send to hal over a unix domain ## stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`hal_stream_connect',` gen_require(` type hald_t; ') allow $1 hald_t:unix_stream_socket connectto; ') ######################################## ## ## Dontaudit read/write to a hal unix datagram socket. ## ## ## ## Domain to not audit. ## ## # interface(`hal_dontaudit_rw_dgram_sockets',` gen_require(` type hald_t; ') dontaudit $1 hald_t:unix_dgram_socket { read write }; ') ######################################## ## ## Send a dbus message to hal. ## ## ## ## Domain allowed access. ## ## # interface(`hal_dbus_send',` gen_require(` type hald_t; class dbus send_msg; ') allow $1 hald_t:dbus send_msg; ') ######################################## ## ## Send and receive messages from ## hal over dbus. ## ## ## ## Domain allowed access. ## ## # interface(`hal_dbus_chat',` gen_require(` type hald_t; class dbus send_msg; ') allow $1 hald_t:dbus send_msg; allow hald_t $1:dbus send_msg; ') ######################################## ## ## Execute hal mac in the hal mac domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`hal_domtrans_mac',` gen_require(` type hald_mac_t, hald_mac_exec_t; ') domtrans_pattern($1, hald_mac_exec_t, hald_mac_t) ') ######################################## ## ## Allow attempts to write the hal ## log files. ## ## ## ## Domain allowed access. ## ## # interface(`hal_write_log',` gen_require(` type hald_log_t; ') logging_search_logs($1) allow $1 hald_log_t:file write_file_perms; ') ######################################## ## ## Do not audit attempts to write the hal ## log files. ## ## ## ## Domain to not audit. ## ## # interface(`hal_dontaudit_write_log',` gen_require(` type hald_log_t; ') dontaudit $1 hald_log_t:file { append write }; ') ######################################## ## ## Manage hald log files. ## ## ## ## Domain allowed access. ## ## # interface(`hal_manage_log',` gen_require(` type hald_log_t; ') # log files for hald manage_files_pattern($1, hald_log_t, hald_log_t) logging_log_filetrans($1, hald_log_t, file) ') ######################################## ## ## Read hald tmp files. ## ## ## ## Domain allowed access. ## ## # interface(`hal_read_tmp_files',` gen_require(` type hald_tmp_t; ') allow $1 hald_tmp_t:file read_file_perms; ') ######################################## ## ## Do not audit attempts to read or write ## HAL libraries files ## ## ## ## Domain to not audit. ## ## # interface(`hal_dontaudit_append_lib_files',` gen_require(` type hald_var_lib_t; ') dontaudit $1 hald_var_lib_t:file { read_file_perms append_file_perms }; ') ######################################## ## ## Read hald PID files. ## ## ## ## Domain allowed access. ## ## # interface(`hal_read_pid_files',` gen_require(` type hald_var_run_t; ') files_search_pids($1) allow $1 hald_var_run_t:file read_file_perms; ') ######################################## ## ## Do not audit attempts to read ## hald PID files. ## ## ## ## Domain allowed access. ## ## # interface(`hal_dontaudit_read_pid_files',` gen_require(` type hald_var_run_t; ') dontaudit $1 hald_var_run_t:file read_inherited_file_perms; ') ######################################## ## ## Read/Write hald PID files. ## ## ## ## Domain allowed access. ## ## # interface(`hal_rw_pid_files',` gen_require(` type hald_var_run_t; ') files_search_pids($1) allow $1 hald_var_run_t:file rw_file_perms; ') ######################################## ## ## Manage hald PID dirs. ## ## ## ## Domain allowed access. ## ## # interface(`hal_manage_pid_dirs',` gen_require(` type hald_var_run_t; ') files_search_pids($1) manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t) ') ######################################## ## ## Manage hald PID files. ## ## ## ## Domain allowed access. ## ## # interface(`hal_manage_pid_files',` gen_require(` type hald_var_run_t; ') files_search_pids($1) manage_files_pattern($1, hald_var_run_t, hald_var_run_t) ') ######################################## ## ## dontaudit read and write an leaked file descriptors ## ## ## ## Domain allowed access. ## ## # interface(`hal_dontaudit_leaks',` gen_require(` type hald_log_t; type hald_t; type hald_var_run_t; ') dontaudit $1 hald_t:fd use; dontaudit $1 hald_log_t:file rw_inherited_file_perms; dontaudit $1 hald_t:fifo_file rw_inherited_fifo_file_perms; dontaudit hald_t $1:socket_class_set { read write }; dontaudit $1 hald_var_run_t:file read_inherited_file_perms; ')