153 lines
4.9 KiB
Plaintext
153 lines
4.9 KiB
Plaintext
#DESC udev - Linux configurable dynamic device naming support
|
|
#
|
|
# Author: Dan Walsh dwalsh@redhat.com
|
|
#
|
|
|
|
#################################
|
|
#
|
|
# Rules for the udev_t domain.
|
|
#
|
|
# udev_exec_t is the type of the udev executable.
|
|
#
|
|
daemon_domain(udev, `, nscd_client_domain, privmodule, privmem, fs_domain, privfd, privowner, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocwrite')
|
|
|
|
general_domain_access(udev_t)
|
|
|
|
if (allow_execmem) {
|
|
# for alsactl
|
|
allow udev_t self:process execmem;
|
|
}
|
|
|
|
etc_domain(udev)
|
|
type udev_helper_exec_t, file_type, sysadmfile, exec_type;
|
|
can_exec_any(udev_t)
|
|
|
|
#
|
|
# Rules used for udev
|
|
#
|
|
type udev_tdb_t, file_type, sysadmfile, dev_fs;
|
|
typealias udev_tdb_t alias udev_tbl_t;
|
|
file_type_auto_trans(udev_t, device_t, udev_tdb_t, file)
|
|
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_nice mknod net_raw net_admin sys_rawio sys_nice };
|
|
allow udev_t self:file { getattr read };
|
|
allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
|
|
allow udev_t self:unix_dgram_socket create_socket_perms;
|
|
allow udev_t self:fifo_file rw_file_perms;
|
|
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
allow udev_t device_t:file { unlink rw_file_perms };
|
|
allow udev_t device_t:sock_file create_file_perms;
|
|
allow udev_t device_t:lnk_file create_lnk_perms;
|
|
allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
|
|
ifdef(`distro_redhat', `
|
|
allow udev_t tmpfs_t:dir create_dir_perms;
|
|
allow udev_t tmpfs_t:{ sock_file file } create_file_perms;
|
|
allow udev_t tmpfs_t:lnk_file create_lnk_perms;
|
|
allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
|
|
allow udev_t tmpfs_t:dir search;
|
|
|
|
# for arping used for static IP addresses on PCMCIA ethernet
|
|
domain_auto_trans(udev_t, netutils_exec_t, netutils_t)
|
|
')
|
|
allow udev_t etc_t:file { getattr read ioctl };
|
|
allow udev_t { bin_t sbin_t }:dir r_dir_perms;
|
|
allow udev_t { sbin_t bin_t }:lnk_file read;
|
|
allow udev_t bin_t:lnk_file read;
|
|
can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )
|
|
can_exec(udev_t, udev_exec_t)
|
|
rw_dir_file(udev_t, sysfs_t)
|
|
allow udev_t sysadm_tty_device_t:chr_file { read write };
|
|
|
|
# to read the file_contexts file
|
|
r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
|
|
|
|
allow udev_t policy_config_t:dir search;
|
|
allow udev_t proc_t:file { getattr read ioctl };
|
|
allow udev_t proc_kcore_t:file getattr;
|
|
|
|
# Get security policy decisions.
|
|
can_getsecurity(udev_t)
|
|
|
|
# set file system create context
|
|
can_setfscreate(udev_t)
|
|
|
|
allow udev_t kernel_t:fd use;
|
|
allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
|
|
allow udev_t kernel_t:process signal;
|
|
|
|
allow udev_t initrc_var_run_t:file r_file_perms;
|
|
dontaudit udev_t initrc_var_run_t:file write;
|
|
|
|
domain_auto_trans(kernel_t, udev_exec_t, udev_t)
|
|
domain_auto_trans(udev_t, restorecon_exec_t, restorecon_t)
|
|
ifdef(`hide_broken_symptoms', `
|
|
dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
|
|
')
|
|
allow udev_t devpts_t:dir { getattr search };
|
|
allow udev_t etc_runtime_t:file { getattr read };
|
|
ifdef(`xdm.te', `
|
|
allow udev_t xdm_var_run_t:file { getattr read };
|
|
')
|
|
|
|
ifdef(`hotplug.te', `
|
|
r_dir_file(udev_t, hotplug_etc_t)
|
|
')
|
|
allow udev_t var_log_t:dir search;
|
|
|
|
ifdef(`consoletype.te', `
|
|
can_exec(udev_t, consoletype_exec_t)
|
|
')
|
|
ifdef(`pamconsole.te', `
|
|
allow udev_t pam_var_console_t:dir search;
|
|
allow udev_t pam_var_console_t:file { getattr read };
|
|
domain_auto_trans(udev_t, pam_console_exec_t, pam_console_t)
|
|
')
|
|
allow udev_t var_lock_t:dir search;
|
|
allow udev_t var_lock_t:file getattr;
|
|
domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t)
|
|
ifdef(`hide_broken_symptoms', `
|
|
dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
|
|
')
|
|
|
|
dontaudit udev_t file_t:dir search;
|
|
ifdef(`dhcpc.te', `
|
|
domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t)
|
|
')
|
|
|
|
allow udev_t udev_helper_exec_t:dir r_dir_perms;
|
|
|
|
dbusd_client(system, udev)
|
|
|
|
allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };
|
|
allow udev_t sysctl_dev_t:dir search;
|
|
allow udev_t mnt_t:dir search;
|
|
allow udev_t { sysctl_dev_t sysctl_modprobe_t sysctl_kernel_t sysctl_hotplug_t }:file { getattr read };
|
|
allow udev_t self:rawip_socket create_socket_perms;
|
|
dontaudit udev_t domain:dir r_dir_perms;
|
|
dontaudit udev_t ttyfile:chr_file unlink;
|
|
ifdef(`hotplug.te', `
|
|
r_dir_file(udev_t, hotplug_var_run_t)
|
|
')
|
|
r_dir_file(udev_t, modules_object_t)
|
|
#
|
|
# Udev is now writing dhclient-eth*.conf* files.
|
|
#
|
|
ifdef(`dhcpd.te', `define(`use_dhcp')')
|
|
ifdef(`dhcpc.te', `define(`use_dhcp')')
|
|
ifdef(`use_dhcp', `
|
|
allow udev_t dhcp_etc_t:file rw_file_perms;
|
|
file_type_auto_trans(udev_t, etc_t, dhcp_etc_t, file)
|
|
')
|
|
r_dir_file(udev_t, domain)
|
|
allow udev_t modules_dep_t:file r_file_perms;
|
|
|
|
nsswitch_domain(udev_t)
|
|
|
|
ifdef(`unlimitedUtils', `
|
|
unconfined_domain(udev_t)
|
|
')
|
|
dontaudit hostname_t udev_t:fd use;
|
|
ifdef(`use_mcs', `
|
|
range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
|
|
range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
|
|
')
|