#DESC Hotplug - Hardware event manager
#
# Author:  Russell Coker <russell@coker.com.au>
# X-Debian-Packages: hotplug
#
#################################
#
# Rules for the hotplug_t domain. Note that when unlimitedUtils is defined
# (see the ifdef blocks below) the domain is additionally made unconfined,
# so the rules in this file only constrain hotplug_t in the default build.
#
# hotplug_exec_t is the type of the hotplug executable.
#
ifdef(`unlimitedUtils', `
daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer')
', `
daemon_domain(hotplug, `, privmodule')
')
etcdir_domain(hotplug)
allow hotplug_t self:fifo_file { read write getattr ioctl };
allow hotplug_t self:unix_dgram_socket create_socket_perms;
allow hotplug_t self:unix_stream_socket create_socket_perms;
allow hotplug_t self:udp_socket create_socket_perms;
read_sysctl(hotplug_t)
allow hotplug_t sysctl_net_t:dir r_dir_perms;
allow hotplug_t sysctl_net_t:file { getattr read };
# get info from /proc
r_dir_file(hotplug_t, proc_t)
allow hotplug_t self:file { getattr read };
allow hotplug_t devtty_t:chr_file rw_file_perms;
allow hotplug_t device_t:dir r_dir_perms;
# for SSP (stack-smashing protector), which seeds its stack canary from /dev/urandom
allow hotplug_t urandom_device_t:chr_file read;
allow hotplug_t { bin_t sbin_t }:dir search;
allow hotplug_t { bin_t sbin_t }:lnk_file read;
can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t })
ifdef(`hostname.te', `
can_exec(hotplug_t, hostname_exec_t)
dontaudit hostname_t hotplug_t:fd use;
')
ifdef(`netutils.te', `
ifdef(`distro_redhat', `
# for arping used for static IP addresses on PCMCIA ethernet
domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t)
allow hotplug_t tmpfs_t:dir search;
allow hotplug_t tmpfs_t:chr_file rw_file_perms;
')dnl end if distro_redhat
')dnl end if netutils.te
allow initrc_t usbdevfs_t:file { getattr read ioctl };
allow initrc_t modules_dep_t:file { getattr read ioctl };
r_dir_file(hotplug_t, usbdevfs_t)
allow hotplug_t usbfs_t:dir r_dir_perms;
allow hotplug_t usbfs_t:file { getattr read };
# read config files
allow hotplug_t etc_t:dir r_dir_perms;
allow hotplug_t etc_t:{ file lnk_file } r_file_perms;
allow hotplug_t kernel_t:process sigchld;
ifdef(`distro_redhat', `
allow hotplug_t var_lock_t:dir search;
allow hotplug_t var_lock_t:file getattr;
')
ifdef(`hald.te', `
allow hotplug_t hald_t:unix_dgram_socket sendto;
allow hald_t hotplug_etc_t:dir search;
allow hald_t hotplug_etc_t:file { getattr read };
')
# for killall
allow hotplug_t self:process { getsession getattr };
allow hotplug_t self:file getattr;
domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t)
domain_auto_trans(hotplug_t, mount_exec_t, mount_t)
domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t)
ifdef(`updfstab.te', `
domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t)
')
# init scripts run /etc/hotplug/usb.rc
domain_auto_trans(initrc_t, hotplug_etc_t, hotplug_t)
allow initrc_t hotplug_etc_t:dir r_dir_perms;
ifdef(`iptables.te', `domain_auto_trans(hotplug_t, iptables_exec_t, iptables_t)')
r_dir_file(hotplug_t, modules_object_t)
allow hotplug_t modules_dep_t:file { getattr read ioctl };
# for lsmod
dontaudit hotplug_t self:capability { sys_module sys_admin };
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit hotplug_t self:capability { dac_override dac_read_search };
ifdef(`fsadm.te', `
domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
')
allow hotplug_t var_log_t:dir search;
# for ps
dontaudit hotplug_t domain:dir { getattr search };
dontaudit hotplug_t { init_t kernel_t }:file read;
ifdef(`initrc.te', `
can_ps(hotplug_t, initrc_t)
')
# for when filesystems are not mounted early in the boot
dontaudit hotplug_t file_t:dir { search getattr };
# kernel threads inherit from shared descriptor table used by init
dontaudit hotplug_t initctl_t:fifo_file { read write };
# Read /usr/lib/gconv/.*
allow hotplug_t lib_t:file { getattr read };
allow hotplug_t self:capability { net_admin sys_tty_config mknod };
allow hotplug_t sysfs_t:dir { getattr read search };
allow hotplug_t sysfs_t:file { getattr read };
allow hotplug_t sysfs_t:lnk_file { getattr read };
allow hotplug_t udev_runtime_t:file rw_file_perms;
ifdef(`lpd.te', `
allow hotplug_t printer_device_t:chr_file setattr;
')
allow hotplug_t fixed_disk_device_t:blk_file setattr;
allow hotplug_t removable_device_t:blk_file setattr;
allow hotplug_t sound_device_t:chr_file setattr;
ifdef(`udev.te', `
domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t)
')
file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
can_network_server(hotplug_t)
can_ypbind(hotplug_t)
dbusd_client(system, hotplug)
# Allow hotplug (including /sbin/ifup-local) to start/stop services and
# run sendmail -q
domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
ifdef(`mta.te', `
domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t) 
')
allow restorecon_t hotplug_t:fd use;
ifdef(`unlimitedUtils', `
unconfined_domain(hotplug_t) 
')
allow kernel_t hotplug_etc_t:dir search;