94 lines
3.1 KiB
Plaintext
94 lines
3.1 KiB
Plaintext
#DESC Devfsd - Control daemon for devfs device file system
|
|
#
|
|
# Author: Russell Coker <russell@coker.com.au>
|
|
# X-Debian-Packages: devfsd
|
|
#
|
|
|
|
#################################
|
|
#
|
|
# Rules for the devfsd_t domain.
|
|
#
|
|
etcdir_domain(devfsd)
|
|
typealias devfsd_etc_t alias etc_devfsd_t;
|
|
|
|
allow kernel_t { device_t root_t }:dir mounton;
|
|
|
|
daemon_domain(devfsd, `, privmodule')
|
|
|
|
allow devfsd_t urandom_device_t:chr_file read;
|
|
|
|
# for startup scripts
|
|
can_exec(devfsd_t, bin_t)
|
|
allow devfsd_t self:fifo_file rw_file_perms;
|
|
allow devfsd_t proc_t:dir r_dir_perms;
|
|
allow devfsd_t { etc_t etc_runtime_t proc_t }:file r_file_perms;
|
|
allow devfsd_t devtty_t:chr_file rw_file_perms;
|
|
|
|
# for alsa
|
|
allow devfsd_t proc_t:file setattr;
|
|
|
|
# for /sbin/modprobe
|
|
allow devfsd_t { bin_t sbin_t }:dir r_dir_perms;
|
|
|
|
ifdef(`distro_debian', `
|
|
# for the makedev script - this may be a bad idea
|
|
domain_auto_trans(dpkg_t, devfsd_exec_t, devfsd_t)
|
|
|
|
# for package upgrade
|
|
allow devfsd_t lib_t:file execute;
|
|
')
|
|
|
|
# mknod capability is for the startup scripts
|
|
allow devfsd_t self:capability { chown dac_override fowner fsetid sys_tty_config mknod };
|
|
|
|
# allow devfsd to change any object from type devfsd_t to any other type
|
|
# also allow to unlink
|
|
allow devfsd_t device_t:dir_file_class_set { create getattr setattr relabelfrom unlink };
|
|
# allow devfsd to get and set attributes of any device node and to change the
|
|
# type to any device type
|
|
allow devfsd_t { device_type ttyfile ptyfile }:{ lnk_file sock_file fifo_file chr_file blk_file } { getattr setattr relabelto };
|
|
allow devfsd_t mtrr_device_t:file { getattr setattr relabelto };
|
|
allow devfsd_t initctl_t:fifo_file getattr;
|
|
allow devfsd_t device_t:{ dir lnk_file sock_file fifo_file chr_file blk_file } setattr;
|
|
allow devfsd_t device_t:dir { r_dir_perms setattr };
|
|
|
|
allow devfsd_t devpts_t:dir { r_dir_perms relabelto };
|
|
allow devfsd_t devpts_t:chr_file { getattr setattr };
|
|
allow devpts_t device_t:filesystem associate;
|
|
allow initctl_t device_t:filesystem associate;
|
|
allow device_t device_t:filesystem associate;
|
|
allow devlog_t device_t:filesystem associate;
|
|
|
|
# allow all devices to be under device_t
|
|
allow { device_type ttyfile ptyfile } device_t:filesystem associate;
|
|
|
|
allow domain device_t:lnk_file r_file_perms;
|
|
|
|
# read the config files
|
|
allow devfsd_t etc_t:dir r_dir_perms;
|
|
|
|
# allow the permissions and symlinks to be done
|
|
allow devfsd_t device_t:lnk_file create_file_perms;
|
|
allow devfsd_t device_t:dir rw_dir_perms;
|
|
allow devfsd_t { file_type ttyfile ptyfile }:{ chr_file blk_file } getattr;
|
|
allow devfsd_t file_type:lnk_file r_file_perms;
|
|
|
|
allow devfsd_t self:unix_dgram_socket create_socket_perms;
|
|
allow devfsd_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow devfsd_t self:unix_dgram_socket sendto;
|
|
allow devfsd_t self:unix_stream_socket connect;
|
|
|
|
allow devfsd_t devfs_control_t:chr_file { getattr read ioctl };
|
|
dontaudit userdomain devfs_control_t:chr_file getattr;
|
|
|
|
# allow resolv.conf and UDP access for LDAP or other NSS data source
|
|
allow devfsd_t self:udp_socket create_socket_perms;
|
|
|
|
allow devfsd_t privfd:fd use;
|
|
|
|
allow kernel_t device_t:filesystem mount;
|
|
|
|
# for nss-ldap etc
|
|
can_network_client_tcp(devfsd_t)
|
|
can_ypbind(devfsd_t)
|