#DESC Devfsd - Control daemon for devfs device file system
#
# Author:  Russell Coker <russell@coker.com.au>
# X-Debian-Packages: devfsd
#

#################################
#
# Rules for the devfsd_t domain.
#
etcdir_domain(devfsd)
typealias devfsd_etc_t alias etc_devfsd_t;

allow kernel_t { device_t root_t }:dir mounton;

daemon_domain(devfsd, `, privmodule')

allow devfsd_t urandom_device_t:chr_file read;

# for startup scripts
can_exec(devfsd_t, bin_t)
allow devfsd_t self:fifo_file rw_file_perms;
allow devfsd_t proc_t:dir r_dir_perms;
allow devfsd_t { etc_t etc_runtime_t proc_t }:file r_file_perms;
allow devfsd_t devtty_t:chr_file rw_file_perms;

# for alsa
allow devfsd_t proc_t:file setattr;

# for /sbin/modprobe
allow devfsd_t { bin_t sbin_t }:dir r_dir_perms;

ifdef(`distro_debian', `
# for the makedev script - this may be a bad idea
domain_auto_trans(dpkg_t, devfsd_exec_t, devfsd_t)

# for package upgrade
allow devfsd_t lib_t:file execute;
')

# mknod capability is for the startup scripts
allow devfsd_t self:capability { chown dac_override fowner fsetid sys_tty_config mknod };

# allow devfsd to change any object from type devfsd_t to any other type
# also allow to unlink
allow devfsd_t device_t:dir_file_class_set { create getattr setattr relabelfrom unlink };
# allow devfsd to get and set attributes of any device node and to change the
# type to any device type
allow devfsd_t { device_type ttyfile ptyfile }:{ lnk_file sock_file fifo_file chr_file blk_file } { getattr setattr relabelto };
allow devfsd_t mtrr_device_t:file { getattr setattr relabelto };
allow devfsd_t initctl_t:fifo_file getattr;
allow devfsd_t device_t:{ dir lnk_file sock_file fifo_file chr_file blk_file } setattr;
allow devfsd_t device_t:dir { r_dir_perms setattr };

allow devfsd_t devpts_t:dir { r_dir_perms relabelto };
allow devfsd_t devpts_t:chr_file { getattr setattr };
allow devpts_t device_t:filesystem associate;
allow initctl_t device_t:filesystem associate;
allow device_t device_t:filesystem associate;
allow devlog_t device_t:filesystem associate;

# allow all devices to be under device_t
allow { device_type ttyfile ptyfile } device_t:filesystem associate;

allow domain device_t:lnk_file r_file_perms;

# read the config files
allow devfsd_t etc_t:dir r_dir_perms;

# allow the permissions and symlinks to be done
allow devfsd_t device_t:lnk_file create_file_perms;
allow devfsd_t device_t:dir rw_dir_perms;
allow devfsd_t { file_type ttyfile ptyfile }:{ chr_file blk_file } getattr;
allow devfsd_t file_type:lnk_file r_file_perms;

allow devfsd_t self:unix_dgram_socket create_socket_perms;
allow devfsd_t self:unix_stream_socket create_stream_socket_perms;
allow devfsd_t self:unix_dgram_socket sendto;
allow devfsd_t self:unix_stream_socket connect;

allow devfsd_t devfs_control_t:chr_file { getattr read ioctl };
dontaudit userdomain devfs_control_t:chr_file getattr;

# allow resolv.conf and UDP access for LDAP or other NSS data source
allow devfsd_t self:udp_socket create_socket_perms;

allow devfsd_t privfd:fd use;

allow kernel_t device_t:filesystem mount;

# for nss-ldap etc
can_network_client_tcp(devfsd_t)
can_ypbind(devfsd_t)