#DESC hald - server for device info
#
# Author:  Russell Coker <rcoker@redhat.com>
# X-Debian-Packages: 
#

#################################
#
# Rules for the hald_t domain.
#
# hald_exec_t is the type of the hald executable.
#
# Security note (review): taken together, the rules in this file give
# hald_t the sys_admin, sys_rawio, dac_override and mknod capabilities,
# raw read access to fixed disk block devices, the ability to create
# character device nodes under device_t, execution of any executable
# type, and domain transitions into mount_t and udev_t.  A compromise of
# hald is therefore close to root-equivalent under this policy.  Each
# rule should be tied to a specific hald helper or probe; the ones marked
# TODO below could not be tied to one from this file alone.
#
# The macro on the next line declares hald_t and hald_exec_t; the second
# argument is passed through as extra attributes (fs_domain,
# nscd_client_domain) for hald_t.
daemon_domain(hald, `, fs_domain, nscd_client_domain')

# hald runs its probes and add-ons out of /usr/libexec (see the comments
# further down).  This macro presumably lets hald_t execute any
# executable type rather than only those helpers.  TODO confirm that a
# narrower rule is not sufficient.
can_exec_any(hald_t)

# Read static and runtime-generated configuration under /etc.
allow hald_t { etc_t etc_runtime_t }:file { getattr read };
# Unix sockets owned by hald itself, including connecting back to its own
# stream sockets.
allow hald_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow hald_t self:unix_dgram_socket create_socket_perms;

# D-Bus: hald acquires a service name on the system bus and exchanges
# messages with the system bus daemon.  Only built when the D-Bus policy
# is part of the build.
ifdef(`dbusd.te', `
allow hald_t system_dbusd_t:dbus { acquire_svc send_msg };
dbusd_client(system, hald)
allow hald_t self:dbus send_msg;
')

# Read files under /proc, including its own /proc entries.
allow hald_t { self proc_t }:file { getattr read };

# Locate helper executables and read shared data under /usr.
allow hald_t { bin_t sbin_t }:dir search;
allow hald_t self:fifo_file rw_file_perms;
allow hald_t usr_t:file { getattr read };
allow hald_t bin_t:file getattr;

# For backwards compatibility with older kernels
allow hald_t self:netlink_socket create_socket_perms;

# Kernel uevent socket, presumably the channel on which hald receives
# device add/remove notifications.  The route socket is read-only.
allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
allow hald_t self:netlink_route_socket r_netlink_socket_perms;
# Capabilities.  sys_admin, sys_rawio, dac_override and mknod are each
# individually root-equivalent in most threat models; net_admin is
# presumably for the netlink sockets above.  TODO confirm which probe
# needs each one and whether sys_rawio is still required.
allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
# NOTE(review): a device-information daemon is not an obvious network
# server.  TODO confirm hald actually listens on a network socket in this
# build; if not, the network-server macro is surplus.  The NIS rule that
# follows is only needed if name lookups from hald can go through NIS.
can_network_server(hald_t)
can_ypbind(hald_t)

# Device access.  Raw read/ioctl on fixed disk block devices means hald_t
# can read any on-disk data regardless of file labels; block device
# writes are limited to removable media.
allow hald_t device_t:lnk_file read;
allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
allow hald_t removable_device_t:blk_file write;
allow hald_t event_device_t:chr_file { getattr read ioctl };
allow hald_t printer_device_t:chr_file rw_file_perms;
allow hald_t urandom_device_t:chr_file read;
allow hald_t mouse_device_t:chr_file r_file_perms;
# getattr only, on every character device type (presumably so hald can
# enumerate /dev).
allow hald_t device_type:chr_file getattr;

# Presumably lets hald_t read security contexts of objects.
can_getsecurity(hald_t)

# Run updfstab in its own domain and let the two talk over D-Bus.
ifdef(`updfstab.te', `
domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
allow updfstab_t hald_t:dbus send_msg;
allow hald_t updfstab_t:dbus send_msg;
')
# Run udev in its own domain; udev may send datagrams back to hald, and
# hald reads the udev device table.
ifdef(`udev.te', `
domain_auto_trans(hald_t, udev_exec_t, udev_t)
allow udev_t hald_t:unix_dgram_socket sendto;
allow hald_t udev_tbl_t:file { getattr read };
')

# Read hotplug configuration when the hotplug policy is built.
ifdef(`hotplug.te', `
r_dir_file(hald_t, hotplug_etc_t)
')
# Search and stat directories on every filesystem type, plus read/write
# access to USB device files under usbfs.
allow hald_t fs_type:dir { search getattr };
allow hald_t usbfs_t:dir r_dir_perms;
allow hald_t { usbdevfs_t usbfs_t }:file rw_file_perms;
allow hald_t bin_t:lnk_file read;
# Read the SELinux configuration and default contexts.
r_dir_file(hald_t, { selinux_config_t default_context_t } )
# D-Bus traffic with init scripts, in both directions.
allow hald_t initrc_t:dbus send_msg;
allow initrc_t hald_t:dbus send_msg;
# Write access to runtime-generated /etc files.  This is broader than the
# read rule near the top; TODO confirm which file hald writes (mtab is
# the likely candidate) and whether a dedicated type would be better.
allow hald_t etc_runtime_t:file rw_file_perms;
allow hald_t var_lib_t:dir search;
# Create and modify directories and character device nodes under /dev.
# Together with the mknod capability above this lets hald_t create
# arbitrary character devices.
allow hald_t device_t:dir create_dir_perms;
allow hald_t device_t:chr_file create_file_perms;
# Private temporary files for hald.
tmp_domain(hald)
allow hald_t mnt_t:dir search;
# Read network state from /proc/net.
r_dir_file(hald_t, proc_net_t)

# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
ifdef(`apmd.te', `
allow hald_t apmd_var_run_t:sock_file write;
allow hald_t apmd_t:unix_stream_socket connectto;
')

# For /usr/libexec/hald-probe-smbios
domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)

# NOTE(review): the original comment here was only a question mark.  This
# grants read access to the LVM control device; TODO identify which hald
# probe opens it and drop the rule if none does.
ifdef(`lvm.te', `
allow hald_t lvm_control_t:chr_file r_file_perms;
')
# In the targeted policy, unconfined processes (which presumably covers
# ordinary user sessions) may talk to hald over D-Bus in both directions.
# Whatever hald exposes on the bus is then reachable by any local user;
# the access control for those methods lives in the D-Bus and hald
# configuration, not in this policy.
ifdef(`targeted_policy', `
allow unconfined_t hald_t:dbus send_msg;
allow hald_t unconfined_t:dbus send_msg;
')
# hald may run mount in the mount_t domain.  Combined with the D-Bus rule
# above, a D-Bus caller may be able to trigger mounts via hald; confirm
# that hald itself restricts what callers can ask it to mount.
ifdef(`mount.te', `
domain_auto_trans(hald_t, mount_exec_t, mount_t)
')