## Hardware abstraction layer ######################################## ## ## Execute hal in the hal domain. ## ## ## ## Domain allowed access. ## ## # interface(`hal_domtrans',` gen_require(` type hald_t, hald_exec_t; ') domtrans_pattern($1,hald_exec_t,hald_t) ') ######################################## ## ## Allow ptrace of hal domain ## ## ## ## Domain allowed access. ## ## # interface(`hal_ptrace',` gen_require(` type hald_t; ') allow $1 hald_t:process ptrace; ') ######################################## ## ## Allow domain to use file descriptors from hal. ## ## ## ## Domain to not audit. ## ## # interface(`hal_use_fds',` gen_require(` type hald_t; ') allow $1 hald_t:fd use; ') ######################################## ## ## Do not audit attempts to use file descriptors from hal. ## ## ## ## Domain to not audit. ## ## # interface(`hal_dontaudit_use_fds',` gen_require(` type hald_t; ') dontaudit $1 hald_t:fd use; ') ######################################## ## ## Allow attempts to read and write to ## hald unnamed pipes. ## ## ## ## Domain to not audit. ## ## # interface(`hal_rw_pipes',` gen_require(` type hald_t; ') allow $1 hald_t:fifo_file rw_fifo_file_perms; ') ######################################## ## ## Do not audit attempts to read and write to ## hald unnamed pipes. ## ## ## ## Domain to not audit. ## ## # interface(`hal_dontaudit_rw_pipes',` gen_require(` type hald_t; ') dontaudit $1 hald_t:fifo_file rw_fifo_file_perms; ') ######################################## ## ## Send to hal over a unix domain ## datagram socket. ## ## ## ## Domain allowed access. ## ## # interface(`hal_dgram_send',` gen_require(` type hald_t; ') allow $1 hald_t:unix_dgram_socket sendto; ') ######################################## ## ## Send to hal over a unix domain ## stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`hal_stream_connect',` gen_require(` type hald_t; ') allow $1 hald_t:unix_stream_socket connectto; ') ######################################## ## ## Send a dbus message to hal. ## ## ## ## Domain allowed access. ## ## # interface(`hal_dbus_send',` gen_require(` type hald_t; class dbus send_msg; ') allow $1 hald_t:dbus send_msg; ') ######################################## ## ## Send and receive messages from ## hal over dbus. ## ## ## ## Domain allowed access. ## ## # interface(`hal_dbus_chat',` gen_require(` type hald_t; class dbus send_msg; ') allow $1 hald_t:dbus send_msg; allow hald_t $1:dbus send_msg; ') ######################################## ## ## Allow attempts to write the hal ## log files. ## ## ## ## Domain allowed access. ## ## # interface(`hal_write_log',` gen_require(` type hald_log_t; ') logging_search_logs($1) allow $1 hald_log_t:file write_file_perms; ') ######################################## ## ## Do not audit attempts to write the hal ## log files. ## ## ## ## Domain to not audit ## ## # interface(`hal_dontaudit_write_log',` gen_require(` type hald_log_t; ') dontaudit $1 hald_log_t:file { append write }; ') ######################################## ## ## Read hald tmp files. ## ## ## ## Domain allowed access. ## ## # interface(`hal_read_tmp_files',` gen_require(` type hald_tmp_t; ') allow $1 hald_tmp_t:file read_file_perms; ') ######################################## ## ## Do not audit attempts to read or write ## HAL libraries files ## ## ## ## Domain allowed access. ## ## # interface(`hal_dontaudit_append_lib_files',` gen_require(` type hald_var_lib_t; ') dontaudit $1 hald_var_lib_t:file { read_file_perms append_file_perms }; ') ######################################## ## ## Read hald PID files. ## ## ## ## Domain allowed access. ## ## # interface(`hal_read_pid_files',` gen_require(` type hald_var_run_t; ') files_search_pids($1) allow $1 hald_var_run_t:file read_file_perms; ') ######################################## ## ## Read/Write hald PID files. ## ## ## ## Domain allowed access. ## ## # interface(`hal_rw_pid_files',` gen_require(` type hald_var_run_t; ') files_search_pids($1) allow $1 hald_var_run_t:file rw_file_perms; ')