selinux-policy/strict/domains/program/unused/devfsd.te
2005-04-29 17:45:15 +00:00

94 lines
3.1 KiB
Plaintext

#DESC Devfsd - Control daemon for devfs device file system
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: devfsd
#
#################################
#
# Rules for the devfsd_t domain.
#
etcdir_domain(devfsd)
typealias devfsd_etc_t alias etc_devfsd_t;
allow kernel_t { device_t root_t }:dir mounton;
daemon_domain(devfsd, `, privmodule')
allow devfsd_t urandom_device_t:chr_file read;
# for startup scripts
can_exec(devfsd_t, bin_t)
allow devfsd_t self:fifo_file rw_file_perms;
allow devfsd_t proc_t:dir r_dir_perms;
allow devfsd_t { etc_t etc_runtime_t proc_t }:file r_file_perms;
allow devfsd_t devtty_t:chr_file rw_file_perms;
# for alsa
allow devfsd_t proc_t:file setattr;
# for /sbin/modprobe
allow devfsd_t { bin_t sbin_t }:dir r_dir_perms;
ifdef(`distro_debian', `
# for the makedev script - this may be a bad idea
domain_auto_trans(dpkg_t, devfsd_exec_t, devfsd_t)
# for package upgrade
allow devfsd_t lib_t:file execute;
')
# mknod capability is for the startup scripts
allow devfsd_t self:capability { chown dac_override fowner fsetid sys_tty_config mknod };
# allow devfsd to change any object from type devfsd_t to any other type
# also allow to unlink
allow devfsd_t device_t:dir_file_class_set { create getattr setattr relabelfrom unlink };
# allow devfsd to get and set attributes of any device node and to change the
# type to any device type
allow devfsd_t { device_type ttyfile ptyfile }:{ lnk_file sock_file fifo_file chr_file blk_file } { getattr setattr relabelto };
allow devfsd_t mtrr_device_t:file { getattr setattr relabelto };
allow devfsd_t initctl_t:fifo_file getattr;
allow devfsd_t device_t:{ dir lnk_file sock_file fifo_file chr_file blk_file } setattr;
allow devfsd_t device_t:dir { r_dir_perms setattr };
allow devfsd_t devpts_t:dir { r_dir_perms relabelto };
allow devfsd_t devpts_t:chr_file { getattr setattr };
allow devpts_t device_t:filesystem associate;
allow initctl_t device_t:filesystem associate;
allow device_t device_t:filesystem associate;
allow devlog_t device_t:filesystem associate;
# allow all devices to be under device_t
allow { device_type ttyfile ptyfile } device_t:filesystem associate;
allow domain device_t:lnk_file r_file_perms;
# read the config files
allow devfsd_t etc_t:dir r_dir_perms;
# allow the permissions and symlinks to be done
allow devfsd_t device_t:lnk_file create_file_perms;
allow devfsd_t device_t:dir rw_dir_perms;
allow devfsd_t { file_type ttyfile ptyfile }:{ chr_file blk_file } getattr;
allow devfsd_t file_type:lnk_file r_file_perms;
allow devfsd_t self:unix_dgram_socket create_socket_perms;
allow devfsd_t self:unix_stream_socket create_stream_socket_perms;
allow devfsd_t self:unix_dgram_socket sendto;
allow devfsd_t self:unix_stream_socket connect;
allow devfsd_t devfs_control_t:chr_file { getattr read ioctl };
dontaudit userdomain devfs_control_t:chr_file getattr;
# allow resolv.conf and UDP access for LDAP or other NSS data source
allow devfsd_t self:udp_socket create_socket_perms;
allow devfsd_t privfd:fd use;
allow kernel_t device_t:filesystem mount;
# for nss-ldap etc
can_network_client_tcp(devfsd_t)
can_ypbind(devfsd_t)