## Policy for udev. ######################################## ## ## Send generic signals to udev. ## ## ## ## Domain allowed access. ## ## # interface(`udev_signal',` gen_require(` type udev_t; ') allow $1 udev_t:process signal; ') ######################################## ## ## Execute udev in the udev domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`udev_domtrans',` gen_require(` type udev_t, udev_exec_t; ') domtrans_pattern($1, udev_exec_t, udev_t) allow $1 udev_t:process noatsecure; ') ######################################## ## ## Execute udev in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`udev_exec',` gen_require(` type udev_exec_t; ') can_exec($1, udev_exec_t) ') ######################################## ## ## Execute a udev helper in the udev domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`udev_helper_domtrans',` gen_require(` type udev_t, udev_helper_exec_t; ') domtrans_pattern($1, udev_helper_exec_t, udev_t) ') ######################################## ## ## Allow process to read udev process state. ## ## ## ## Domain allowed access. ## ## # interface(`udev_read_state',` gen_require(` type udev_t; ') kernel_search_proc($1) ps_process_pattern($1, udev_t) ') ######################################## ## ## Do not audit attempts to inherit a ## udev file descriptor. ## ## ## ## Domain to not audit. ## ## # interface(`udev_dontaudit_use_fds',` gen_require(` type udev_t; ') dontaudit $1 udev_t:fd use; ') ######################################## ## ## Do not audit attempts to read or write ## to a udev unix datagram socket. ## ## ## ## Domain to not audit. ## ## # interface(`udev_dontaudit_rw_dgram_sockets',` gen_require(` type udev_t; ') dontaudit $1 udev_t:unix_dgram_socket { read write }; ') ######################################## ## ## Manage udev rules files ## ## ## ## Domain allowed access. ## ## # interface(`udev_manage_rules_files',` gen_require(` type udev_rules_t; ') manage_files_pattern($1, udev_rules_t, udev_rules_t) ') ######################################## ## ## Do not audit search of udev database directories. ## ## ## ## Domain to not audit. ## ## # interface(`udev_dontaudit_search_db',` gen_require(` type udev_tbl_t; ') dontaudit $1 udev_tbl_t:dir search_dir_perms; ') ######################################## ## ## Read the udev device table. ## ## ## ## Allow the specified domain to read the udev device table. ## ## ## ## ## Domain allowed access. ## ## ## # interface(`udev_read_db',` gen_require(` type udev_tbl_t; ') dev_list_all_dev_nodes($1) allow $1 udev_tbl_t:dir list_dir_perms; read_files_pattern($1, udev_tbl_t, udev_tbl_t) read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t) ') ######################################## ## ## Allow process to modify list of devices. ## ## ## ## Domain allowed access. ## ## # interface(`udev_rw_db',` gen_require(` type udev_tbl_t; ') dev_list_all_dev_nodes($1) allow $1 udev_tbl_t:file rw_file_perms; ') ######################################## ## ## Create, read, write, and delete ## udev pid files. ## ## ## ## Domain allowed access. ## ## # interface(`udev_manage_pid_files',` gen_require(` type udev_var_run_t; ') files_search_var_lib($1) manage_files_pattern($1, udev_var_run_t, udev_var_run_t) ')
## Allow the specified domain to read the udev device table. ##