#DESC Hotplug - Hardware event manager
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: hotplug
#
#################################
#
# Rules for the hotplug_t domain.
#
# hotplug_exec_t is the type of the hotplug executable.
#
ifdef(`unlimitedUtils', `
# NOTE(review): the unlimitedUtils branch attaches admin, etc_writer, fs_domain,
# privmem, auth_write, privowner and sysctl_kernel_writer to hotplug_t, far
# beyond the default branch below (privmodule, privmail, nscd_client_domain).
# Confirm each of these is still needed before building with unlimitedUtils.
daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, privmail, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, nscd_client_domain')
', `
daemon_domain(hotplug, `, privmodule, privmail, nscd_client_domain')
')
etcdir_domain(hotplug)
allow hotplug_t self:fifo_file { read write getattr ioctl };
allow hotplug_t self:unix_dgram_socket create_socket_perms;
allow hotplug_t self:unix_stream_socket create_socket_perms;
allow hotplug_t self:udp_socket create_socket_perms;
read_sysctl(hotplug_t)
allow hotplug_t sysctl_net_t:dir r_dir_perms;
allow hotplug_t sysctl_net_t:file { getattr read };
# get info from /proc
r_dir_file(hotplug_t, proc_t)
allow hotplug_t self:file { getattr read ioctl };
allow hotplug_t devtty_t:chr_file rw_file_perms;
allow hotplug_t device_t:dir r_dir_perms;
# for SSP (stack-smashing protector)
allow hotplug_t urandom_device_t:chr_file read;
allow hotplug_t { bin_t sbin_t }:dir search;
allow hotplug_t { bin_t sbin_t }:lnk_file read;
# NOTE(review): besides the hotplug binary and its own hotplug_etc_t scripts,
# this lets hotplug_t execute any file labelled etc_t. Confirm which /etc
# scripts hotplug actually runs before keeping etc_t in the list.
can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t })
ifdef(`hostname.te', `
can_exec(hotplug_t, hostname_exec_t)
dontaudit hostname_t hotplug_t:fd use;
')
ifdef(`netutils.te', `
ifdef(`distro_redhat', `
# for arping used for static IP addresses on PCMCIA ethernet
domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t)
allow hotplug_t tmpfs_t:dir search;
allow hotplug_t tmpfs_t:chr_file rw_file_perms;
')dnl end if distro_redhat
')dnl end if netutils.te
# This rule and the modules_dep_t one after it grant initrc_t, not hotplug_t;
# presumably they are here because the init scripts run /etc/hotplug/usb.rc
# (see the initrc_t transition further down) - verify before moving them.
allow initrc_t usbdevfs_t:file { getattr read ioctl };
allow initrc_t modules_dep_t:file { getattr read ioctl };
r_dir_file(hotplug_t, usbdevfs_t)
allow hotplug_t usbfs_t:dir r_dir_perms;
allow hotplug_t usbfs_t:file { getattr read };
# read config files
allow hotplug_t etc_t:dir r_dir_perms;
allow hotplug_t etc_t:{ file lnk_file } r_file_perms;
allow hotplug_t kernel_t:process { sigchld setpgid };
ifdef(`distro_redhat', `
allow hotplug_t var_lock_t:dir search;
allow hotplug_t var_lock_t:file getattr;
')
ifdef(`hald.te', `
allow hotplug_t hald_t:unix_dgram_socket sendto;
allow hald_t hotplug_etc_t:dir search;
allow hald_t hotplug_etc_t:file { getattr read };
')
# for killall
allow hotplug_t self:process { getsession getattr };
# getattr on self:file is already granted above together with read and ioctl;
# this duplicate is harmless but could be dropped.
allow hotplug_t self:file getattr;
# Main entry point for the domain: when kernel_t executes hotplug_exec_t the
# resulting process runs as hotplug_t.
domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t)
ifdef(`mount.te', `
domain_auto_trans(hotplug_t, mount_exec_t, mount_t)
')
domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t)
ifdef(`updfstab.te', `
domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t)
')
# init scripts run /etc/hotplug/usb.rc
domain_auto_trans(initrc_t, hotplug_etc_t, hotplug_t)
allow initrc_t hotplug_etc_t:dir r_dir_perms;
ifdef(`iptables.te', `domain_auto_trans(hotplug_t, iptables_exec_t, iptables_t)')
r_dir_file(hotplug_t, modules_object_t)
allow hotplug_t modules_dep_t:file { getattr read ioctl };
# for lsmod
dontaudit hotplug_t self:capability { sys_module sys_admin };
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit hotplug_t self:capability { dac_override dac_read_search };
ifdef(`fsadm.te', `
domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
')
allow hotplug_t var_log_t:dir search;
# for ps
dontaudit hotplug_t domain:dir { getattr search };
dontaudit hotplug_t { init_t kernel_t }:file read;
ifdef(`initrc.te', `
can_ps(hotplug_t, initrc_t)
')
# for when filesystems are not mounted early in the boot
dontaudit hotplug_t file_t:dir { search getattr };
# kernel threads inherit from shared descriptor table used by init
dontaudit hotplug_t initctl_t:fifo_file { read write };
# Read /usr/lib/gconv/.*
allow hotplug_t lib_t:file { getattr read };
# mknod and sys_rawio are broad capabilities; TODO confirm which device setup
# paths hotplug needs them for and drop any that turn out to be unused.
allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
allow hotplug_t sysfs_t:dir { getattr read search write };
allow hotplug_t sysfs_t:file rw_file_perms;
allow hotplug_t sysfs_t:lnk_file { getattr read };
r_dir_file(hotplug_t, hwdata_t)
allow hotplug_t udev_runtime_t:file rw_file_perms;
ifdef(`lpd.te', `
allow hotplug_t printer_device_t:chr_file setattr;
')
allow hotplug_t fixed_disk_device_t:blk_file setattr;
allow hotplug_t removable_device_t:blk_file setattr;
allow hotplug_t sound_device_t:chr_file setattr;
ifdef(`udev.te', `
domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t)
')
# New files hotplug_t creates inside etc_t directories are labelled
# etc_runtime_t rather than etc_t, keeping runtime state apart from the
# static configuration label.
file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
can_network_server(hotplug_t)
can_ypbind(hotplug_t)
dbusd_client(system, hotplug)
# Allow hotplug (including /sbin/ifup-local) to start/stop services
domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr };
allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
dontaudit hotplug_t selinux_config_t:dir search;