rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
76bff31d96
selinux-policy/refpolicy/policy/modules/system/hotplug.te
Chris PeBenito dd14d0d892 change read_shared_libraries to use_shared_libraries, since the execute 
permission is checked when using shared libs to execute code in them, which
is not the same as just reading the shared libs.
2005-05-17 15:32:52 +00:00

201 lines
5.5 KiB
Plaintext
Raw Blame History

# Copyright (C) 2005 Tresys Technology, LLC
policy_module(hotplug, 1.0)
########################################
#
# Declarations
#
type hotplug_t;
type hotplug_exec_t;
kernel_make_userland_entrypoint(hotplug_t,hotplug_exec_t)
init_make_system_domain(hotplug_t,hotplug_exec_t)
type hotplug_etc_t; #, usercanread;
files_make_file(hotplug_etc_t)
type hotplug_var_run_t;
files_make_daemon_runtime_file(hotplug_var_run_t)
########################################
#
# Local policy
#
allow hotplug_t self:capability { net_admin sys_tty_config mknod };
dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit hotplug_t self:capability { dac_override dac_read_search };
allow hotplug_t self:process { getsession getattr };
allow hotplug_t self:fifo_file { read write getattr ioctl };
allow hotplug_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow hotplug_t hotplug_etc_t:file { read getattr lock ioctl };
allow hotplug_t hotplug_etc_t:dir { read getattr lock search ioctl };
allow hotplug_t hotplug_etc_t:lnk_file { getattr read };
allow hotplug_t { hotplug_exec_t hotplug_etc_t }:file { getattr read execute execute_no_trans };
allow hotplug_t hotplug_var_run_t:file { getattr create read write append setattr unlink };
files_create_daemon_runtime_data(hotplug_t,hotplug_var_run_t)
kernel_read_system_state(hotplug_t)
kernel_read_kernel_sysctl(hotplug_t)
kernel_read_hardware_state(hotplug_t)
kernel_read_network_sysctl(hotplug_t)
kernel_read_usb_hardware_state(hotplug_t)
bootloader_read_kernel_modules(hotplug_t)
# for SSP
devices_get_pseudorandom_data(hotplug_t)
filesystem_get_all_filesystems_attributes(hotplug_t)
storage_set_fixed_disk_attributes(hotplug_t)
storage_set_removable_device_attributes(hotplug_t)
terminal_ignore_use_console(hotplug_t)
init_use_file_descriptors(hotplug_t)
init_script_use_pseudoterminal(hotplug_t)
# Allow hotplug (including /sbin/ifup-local) to start/stop services and
# run sendmail -q
init_script_transition(hotplug_t)
# kernel threads inherit from shared descriptor table used by init
init_ignore_use_control_channel(hotplug_t)
domain_use_widely_inheritable_file_descriptors(hotplug_t)
files_read_general_system_config(hotplug_t)
files_create_runtime_system_config(hotplug_t)
files_execute_system_config_script(hotplug_t)
corecommands_execute_general_programs(hotplug_t)
corecommands_execute_shell(hotplug_t)
corecommands_execute_system_programs(hotplug_t)
logging_send_system_log_message(hotplug_t)
libraries_use_dynamic_loader(hotplug_t)
libraries_use_shared_libraries(hotplug_t)
# Read /usr/lib/gconv/.*
libraries_read_library_resources(hotplug_t)
modutils_insmod_transition(hotplug_t)
modutils_read_kernel_module_dependencies(hotplug_t)
miscfiles_read_localization(hotplug_t)
mount_transition(hotplug_t)
tunable_policy(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(hotplug_t)
terminal_ignore_use_general_pseudoterminal(hotplug_t)
files_ignore_read_rootfs_file(hotplug_t)
')
optional_policy(`consoletype.te',`
consoletype_transition(hotplug_t)
')
optional_policy(`hostname.te',`
hostname_execute(hotplug_t)
')
optional_policy(`iptables.te',`
iptables_transition(hotplug_t)
')
optional_policy(`selinux.te',`
selinux_newrole_sigchld(hotplug_t)
')
optional_policy(`sysnetwork.te',`
sysnetwork_ifconfig_transition(hotplug_t)
')
optional_policy(`udev.te', `
udev_transition(hotplug_t)
udev_read_database(hotplug_t)
')
optional_policy(`updfstab.te', `
updfstab_transition(hotplug_t)
')
ifdef(`TODO',`
dontaudit hotplug_t unpriv_userdomain:fd use;
allow hotplug_t autofs_t:dir { search getattr };
dontaudit hotplug_t sysadm_home_dir_t:dir search;
optional_policy(`rhgb.te', `
allow hotplug_t rhgb_t:process sigchld;
allow hotplug_t rhgb_t:fd use;
allow hotplug_t rhgb_t:fifo_file { read write };
')
can_exec(hotplug_t, { ls_exec_t })
allow kernel_t hotplug_etc_t:dir search;
allow hotplug_t sound_device_t:chr_file setattr;
can_network_server(hotplug_t)
can_ypbind(hotplug_t)
dbusd_client(system, hotplug)
allow initrc_t usbdevfs_t:file { getattr read ioctl };
allow initrc_t modules_dep_t:file { getattr read ioctl };
# init scripts run /etc/hotplug/usb.rc
allow initrc_t hotplug_etc_t:dir r_dir_perms;
allow hotplug_t kernel_t:process sigchld;
# for when filesystems are not mounted early in the boot
dontaudit hotplug_t file_t:dir { search getattr };
allow hotplug_t udev_runtime_t:file rw_file_perms;
allow hotplug_t var_log_t:dir search;
# for ps
dontaudit hotplug_t domain:dir { getattr search };
dontaudit hotplug_t { init_t kernel_t }:file read;
tunable_policy(`distro_redhat', `
optional_policy(`netutils.te', `
# for arping used for static IP addresses on PCMCIA ethernet
netutils_transition(hotplug_t)
allow hotplug_t tmpfs_t:dir search;
allow hotplug_t tmpfs_t:chr_file rw_file_perms;
') dnl endif netutils optional
allow hotplug_t var_lock_t:dir search;
allow hotplug_t var_lock_t:file getattr;
')dnl end distro_redhat tunable
optional_policy(`hald.te', `
allow hotplug_t hald_t:unix_dgram_socket sendto;
allow hald_t hotplug_etc_t:dir search;
allow hald_t hotplug_etc_t:file { getattr read };
')
optional_policy(`fsadm.te', `
domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
')
optional_policy(`initrc.te', `
can_ps(hotplug_t, initrc_t)
')
optional_policy(`lpd.te', `
allow hotplug_t printer_device_t:chr_file setattr;
')
optional_policy(`mta.te', `
domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t)
')
') dnl end TODO
Reference in New Issue View Git Blame Copy Permalink