| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434 |
- ## <summary>Policy for udev.</summary>
- ########################################
- ## <summary>
- ## Send generic signals to udev.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`udev_signal',`
- gen_require(`
- type udev_t;
- ')
- allow $1 udev_t:process signal;
- ')
- ########################################
- ## <summary>
- ## Execute udev in the udev domain.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed to transition.
- ## </summary>
- ## </param>
- #
- interface(`udev_domtrans',`
- gen_require(`
- type udev_t, udev_exec_t;
- ')
- domtrans_pattern($1, udev_exec_t, udev_t)
- ')
- ########################################
- ## <summary>
- ## Execute udev in the caller domain.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`udev_exec',`
- gen_require(`
- type udev_exec_t;
- ')
- can_exec($1, udev_exec_t)
- ')
- ########################################
- ## <summary>
- ## Execute a udev helper in the udev domain.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed to transition.
- ## </summary>
- ## </param>
- #
- interface(`udev_helper_domtrans',`
- gen_require(`
- type udev_t, udev_helper_exec_t;
- ')
- domtrans_pattern($1, udev_helper_exec_t, udev_t)
- ')
- ########################################
- ## <summary>
- ## Allow process to read udev process state.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`udev_read_state',`
- gen_require(`
- type udev_t;
- ')
- kernel_search_proc($1)
- allow $1 udev_t:file read_file_perms;
- allow $1 udev_t:lnk_file read_lnk_file_perms;
- ')
- ########################################
- ## <summary>
- ## Do not audit attempts to inherit a
- ## udev file descriptor.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain to not audit.
- ## </summary>
- ## </param>
- #
- interface(`udev_dontaudit_use_fds',`
- gen_require(`
- type udev_t;
- ')
- dontaudit $1 udev_t:fd use;
- ')
- ########################################
- ## <summary>
- ## Do not audit attempts to read or write
- ## to a udev unix datagram socket.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain to not audit.
- ## </summary>
- ## </param>
- #
- interface(`udev_dontaudit_rw_dgram_sockets',`
- gen_require(`
- type udev_t;
- ')
- dontaudit $1 udev_t:unix_dgram_socket { read write };
- ')
- ########################################
- ## <summary>
- ## Manage udev rules files
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`udev_manage_rules_files',`
- gen_require(`
- type udev_rules_t;
- ')
- manage_files_pattern($1, udev_rules_t, udev_rules_t)
- files_search_etc($1)
- udev_search_pids($1)
- ')
- ########################################
- ## <summary>
- ## Do not audit search of udev database directories.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain to not audit.
- ## </summary>
- ## </param>
- #
- interface(`udev_dontaudit_search_db',`
- gen_require(`
- type udev_tbl_t;
- ')
- dontaudit $1 udev_tbl_t:dir search_dir_perms;
- ')
- ########################################
- ## <summary>
- ## Allow process to read the table dir
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## The type of the process performing this action.
- ## </summary>
- ## </param>
- #
- interface(`udev_list_table_dir',`
- gen_require(`
- type udev_tbl_t;
- ')
- allow $1 udev_tbl_t:dir list_dir_perms;
- ')
- ########################################
- ## <summary>
- ## Read the udev device table.
- ## </summary>
- ## <desc>
- ## <p>
- ## Allow the specified domain to read the udev device table.
- ## </p>
- ## </desc>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- ## <infoflow type="read" weight="10"/>
- #
- interface(`udev_read_db',`
- gen_require(`
- type udev_tbl_t;
- ')
- allow $1 udev_tbl_t:dir list_dir_perms;
- read_files_pattern($1, udev_tbl_t, udev_tbl_t)
- read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
- dev_list_all_dev_nodes($1)
- files_search_etc($1)
- udev_search_pids($1)
- ')
- ########################################
- ## <summary>
- ## Allow process to modify list of devices.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`udev_rw_db',`
- gen_require(`
- type udev_tbl_t;
- ')
- dev_list_all_dev_nodes($1)
- allow $1 udev_tbl_t:file rw_file_perms;
- ')
- ########################################
- ## <summary>
- ## Search through udev pid content
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`udev_search_pids',`
- gen_require(`
- type udev_var_run_t;
- ')
- files_search_pids($1)
- search_dirs_pattern($1, udev_var_run_t, udev_var_run_t)
- ')
- ########################################
- ## <summary>
- ## dontaudit attempts to read/write udev pidfiles
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`dontaudit_udev_pidfile_rw',`
- gen_require(`
- type udev_var_run_t;
- ')
- dontaudit $1 udev_var_run_t:file { read write };
- ')
- ########################################
- ## <summary>
- ## Create, read, write, and delete
- ## udev pid directories
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`udev_manage_pid_dirs',`
- gen_require(`
- type udev_var_run_t;
- ')
- files_search_var($1)
- manage_dirs_pattern($1, udev_var_run_t, udev_var_run_t)
- ')
- ########################################
- ## <summary>
- ## Allow process to modify relabelto udev database
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`udev_relabelto_db',`
- gen_require(`
- type udev_var_run_t;
- ')
- files_search_pids($1)
- allow $1 udev_var_run_t:file relabelto_file_perms;
- allow $1 udev_var_run_t:lnk_file relabelto_file_perms;
- ')
- ########################################
- ## <summary>
- ## Read udev pid files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`udev_read_pid_files',`
- gen_require(`
- type udev_var_run_t;
- ')
- files_search_pids($1)
- read_files_pattern($1, udev_var_run_t, udev_var_run_t)
- ')
- ########################################
- ## <summary>
- ## Create, read, write, and delete
- ## udev pid files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`udev_manage_pid_files',`
- gen_require(`
- type udev_var_run_t;
- ')
- files_search_pids($1)
- manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
- ')
- ########################################
- ## <summary>
- ## Create directories in the run location with udev_var_run_t type
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- ## <param name="name" optional="true">
- ## <summary>
- ## Name of the directory that is created
- ## </summary>
- ## </param>
- #
- interface(`udev_generic_pid_filetrans_run_dirs',`
- gen_require(`
- type udev_var_run_t;
- ')
- files_pid_filetrans($1, udev_var_run_t, dir, $2)
- ')
- #######################################
- ## <summary>
- ## Allow caller to create kobject uevent socket for udev
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`udev_create_kobject_uevent_socket',`
- gen_require(`
- type udev_t;
- role system_r;
- ')
- allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
- ')
- #######################################
- ## <summary>
- ## Allow udev_t to write to a unix_stream_socket
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## domain to connect to
- ## </summary>
- ## </param>
- #
- interface(`udev_write_socket',`
- gen_require(`
- type udev_t;
- ')
- allow udev_t $1:unix_stream_socket connectto;
- ')
- #######################################
- ## <summary>
- ## Allows process to write to a udp socket of type udev_t
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access
- ## </summary>
- ## </param>
- #
- interface(`connect_udev_udp_socket',`
- gen_require(`
- type udev_t;
- ')
- allow $1 udev_t:udp_socket { read write };
- ')
|
