163 lines
4.9 KiB
Plaintext
163 lines
4.9 KiB
Plaintext
#DESC Hotplug - Hardware event manager
|
|
#
|
|
# Author: Russell Coker <russell@coker.com.au>
|
|
# X-Debian-Packages: hotplug
|
|
#
|
|
|
|
#################################
|
|
#
|
|
# Rules for the hotplug_t domain.
|
|
#
|
|
# hotplug_exec_t is the type of the hotplug executable.
|
|
#
|
|
ifdef(`unlimitedUtils', `
|
|
daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer')
|
|
', `
|
|
daemon_domain(hotplug, `, privmodule')
|
|
')
|
|
|
|
etcdir_domain(hotplug)
|
|
|
|
allow hotplug_t self:fifo_file { read write getattr ioctl };
|
|
allow hotplug_t self:unix_dgram_socket create_socket_perms;
|
|
allow hotplug_t self:unix_stream_socket create_socket_perms;
|
|
allow hotplug_t self:udp_socket create_socket_perms;
|
|
|
|
read_sysctl(hotplug_t)
|
|
allow hotplug_t sysctl_net_t:dir r_dir_perms;
|
|
allow hotplug_t sysctl_net_t:file { getattr read };
|
|
|
|
# get info from /proc
|
|
r_dir_file(hotplug_t, proc_t)
|
|
allow hotplug_t self:file { getattr read ioctl };
|
|
|
|
allow hotplug_t devtty_t:chr_file rw_file_perms;
|
|
|
|
allow hotplug_t device_t:dir r_dir_perms;
|
|
|
|
# for SSP
|
|
allow hotplug_t urandom_device_t:chr_file read;
|
|
|
|
allow hotplug_t { bin_t sbin_t }:dir search;
|
|
allow hotplug_t { bin_t sbin_t }:lnk_file read;
|
|
can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t })
|
|
ifdef(`hostname.te', `
|
|
can_exec(hotplug_t, hostname_exec_t)
|
|
dontaudit hostname_t hotplug_t:fd use;
|
|
')
|
|
ifdef(`netutils.te', `
|
|
ifdef(`distro_redhat', `
|
|
# for arping used for static IP addresses on PCMCIA ethernet
|
|
domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t)
|
|
|
|
allow hotplug_t tmpfs_t:dir search;
|
|
allow hotplug_t tmpfs_t:chr_file rw_file_perms;
|
|
')dnl end if distro_redhat
|
|
')dnl end if netutils.te
|
|
|
|
allow initrc_t usbdevfs_t:file { getattr read ioctl };
|
|
allow initrc_t modules_dep_t:file { getattr read ioctl };
|
|
r_dir_file(hotplug_t, usbdevfs_t)
|
|
allow hotplug_t usbfs_t:dir r_dir_perms;
|
|
allow hotplug_t usbfs_t:file { getattr read };
|
|
|
|
# read config files
|
|
allow hotplug_t etc_t:dir r_dir_perms;
|
|
allow hotplug_t etc_t:{ file lnk_file } r_file_perms;
|
|
|
|
allow hotplug_t kernel_t:process { sigchld setpgid };
|
|
|
|
ifdef(`distro_redhat', `
|
|
allow hotplug_t var_lock_t:dir search;
|
|
allow hotplug_t var_lock_t:file getattr;
|
|
')
|
|
|
|
ifdef(`hald.te', `
|
|
allow hotplug_t hald_t:unix_dgram_socket sendto;
|
|
allow hald_t hotplug_etc_t:dir search;
|
|
allow hald_t hotplug_etc_t:file { getattr read };
|
|
')
|
|
|
|
# for killall
|
|
allow hotplug_t self:process { getsession getattr };
|
|
allow hotplug_t self:file getattr;
|
|
|
|
domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t)
|
|
ifdef(`mount.te', `
|
|
domain_auto_trans(hotplug_t, mount_exec_t, mount_t)
|
|
')
|
|
domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t)
|
|
ifdef(`updfstab.te', `
|
|
domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t)
|
|
')
|
|
|
|
# init scripts run /etc/hotplug/usb.rc
|
|
domain_auto_trans(initrc_t, hotplug_etc_t, hotplug_t)
|
|
allow initrc_t hotplug_etc_t:dir r_dir_perms;
|
|
|
|
ifdef(`iptables.te', `domain_auto_trans(hotplug_t, iptables_exec_t, iptables_t)')
|
|
|
|
r_dir_file(hotplug_t, modules_object_t)
|
|
allow hotplug_t modules_dep_t:file { getattr read ioctl };
|
|
|
|
# for lsmod
|
|
dontaudit hotplug_t self:capability { sys_module sys_admin };
|
|
|
|
# for access("/etc/bashrc", X_OK) on Red Hat
|
|
dontaudit hotplug_t self:capability { dac_override dac_read_search };
|
|
|
|
ifdef(`fsadm.te', `
|
|
domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
|
|
')
|
|
|
|
allow hotplug_t var_log_t:dir search;
|
|
|
|
# for ps
|
|
dontaudit hotplug_t domain:dir { getattr search };
|
|
dontaudit hotplug_t { init_t kernel_t }:file read;
|
|
ifdef(`initrc.te', `
|
|
can_ps(hotplug_t, initrc_t)
|
|
')
|
|
|
|
# for when filesystems are not mounted early in the boot
|
|
dontaudit hotplug_t file_t:dir { search getattr };
|
|
|
|
# kernel threads inherit from shared descriptor table used by init
|
|
dontaudit hotplug_t initctl_t:fifo_file { read write };
|
|
|
|
# Read /usr/lib/gconv/.*
|
|
allow hotplug_t lib_t:file { getattr read };
|
|
|
|
allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
|
|
allow hotplug_t sysfs_t:dir { getattr read search write };
|
|
allow hotplug_t sysfs_t:file rw_file_perms;
|
|
allow hotplug_t sysfs_t:lnk_file { getattr read };
|
|
allow hotplug_t udev_runtime_t:file rw_file_perms;
|
|
ifdef(`lpd.te', `
|
|
allow hotplug_t printer_device_t:chr_file setattr;
|
|
')
|
|
allow hotplug_t fixed_disk_device_t:blk_file setattr;
|
|
allow hotplug_t removable_device_t:blk_file setattr;
|
|
allow hotplug_t sound_device_t:chr_file setattr;
|
|
|
|
ifdef(`udev.te', `
|
|
domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t)
|
|
')
|
|
|
|
file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
|
|
|
|
can_network_server(hotplug_t)
|
|
can_ypbind(hotplug_t)
|
|
dbusd_client(system, hotplug)
|
|
|
|
# Allow hotplug (including /sbin/ifup-local) to start/stop services and # run sendmail -q
|
|
domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
|
|
ifdef(`mta.te', `
|
|
domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t)
|
|
')
|
|
|
|
allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr };
|
|
allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
|
|
|
|
dontaudit hotplug_t selinux_config_t:dir search;
|