|
Chris PeBenito |
0fbfa5 |
#DESC kudzu - Red Hat utility to recognise new hardware
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Author: Russell Coker <russell@coker.com.au>
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
daemon_base_domain(kudzu, `, etc_writer, privmodule, sysctl_kernel_writer, fs_domain, privmem')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
read_locale(kudzu_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# for /etc/sysconfig/hwconf - probably need a new type
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t etc_runtime_t:file rw_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# for kmodule
|
|
Chris PeBenito |
0fbfa5 |
if (allow_execmem) {
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t self:process execmem;
|
|
Chris PeBenito |
0fbfa5 |
}
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t zero_device_t:chr_file rx_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t memory_device_t:chr_file { read write execute };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t ramfs_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t ramfs_t:sock_file write;
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
|
|
Chris PeBenito |
2705f9 |
allow kudzu_t modules_conf_t:file { getattr read unlink };
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t modules_object_t:dir r_dir_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t mouse_device_t:chr_file { read write };
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t proc_net_t:dir r_dir_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t { proc_net_t proc_t }:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t scsi_generic_device_t:chr_file r_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t { bin_t sbin_t }:dir { getattr search };
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t { bin_t sbin_t }:lnk_file read;
|
|
Chris PeBenito |
0fbfa5 |
read_sysctl(kudzu_t)
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t sysctl_dev_t:dir { getattr search read };
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t sysctl_dev_t:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t sysctl_kernel_t:file write;
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t usbdevfs_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t usbdevfs_t:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t usbfs_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t usbfs_t:file { getattr read };
|
|
Chris PeBenito |
2705f9 |
var_run_domain(kudzu)
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t kernel_t:system syslog_console;
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t self:udp_socket { create ioctl };
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t var_lock_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t devpts_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# so it can write messages to the console
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t { tty_device_t devtty_t admin_tty_type }:chr_file rw_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
role sysadm_r types kudzu_t;
|
|
Chris PeBenito |
a08248 |
ifdef(`targeted_policy', `', `
|
|
Chris PeBenito |
0fbfa5 |
domain_auto_trans(sysadm_t, kudzu_exec_t, kudzu_t)
|
|
Chris PeBenito |
a08248 |
')
|
|
Chris PeBenito |
0fbfa5 |
ifdef(`anaconda.te', `
|
|
Chris PeBenito |
0fbfa5 |
domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t)
|
|
Chris PeBenito |
0fbfa5 |
')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t sysadm_home_dir_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
rw_dir_create_file(kudzu_t, etc_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
rw_dir_create_file(kudzu_t, mnt_t)
|
|
Chris PeBenito |
0fbfa5 |
can_exec(kudzu_t, { bin_t sbin_t init_exec_t })
|
|
Chris PeBenito |
0fbfa5 |
# Read /usr/lib/gconv/gconv-modules.*
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t lib_t:file { read getattr };
|
|
Chris PeBenito |
0fbfa5 |
# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t usr_t:file { read getattr };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Communicate with rhgb-client.
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t self:unix_dgram_socket create_socket_perms;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
ifdef(`rhgb.te', `
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t rhgb_t:unix_stream_socket connectto;
|
|
Chris PeBenito |
0fbfa5 |
')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t self:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t self:fifo_file rw_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
ifdef(`gpm.te', `
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t gpmctl_t:sock_file getattr;
|
|
Chris PeBenito |
0fbfa5 |
')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
can_exec(kudzu_t, shell_exec_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Write to /proc/sys/kernel/hotplug. Why?
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t sysctl_hotplug_t:file { read write };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t sysfs_t:dir { getattr read search };
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t sysfs_t:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t sysfs_t:lnk_file read;
|
|
Chris PeBenito |
0fbfa5 |
file_type_auto_trans(kudzu_t, etc_t, etc_runtime_t, file)
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t tape_device_t:chr_file r_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
tmp_domain(kudzu, `', `{ file dir chr_file }')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# for file systems that are not yet mounted
|
|
Chris PeBenito |
0fbfa5 |
dontaudit kudzu_t file_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
ifdef(`lpd.te', `
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t printconf_t:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
')
|
|
Chris PeBenito |
2705f9 |
ifdef(`cups.te', `
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;
|
|
Chris PeBenito |
2705f9 |
')
|
|
Chris PeBenito |
0fbfa5 |
dontaudit kudzu_t src_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
ifdef(`xserver.te', `
|
|
Chris PeBenito |
0fbfa5 |
allow kudzu_t xserver_exec_t:file getattr;
|
|
Chris PeBenito |
0fbfa5 |
')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
2705f9 |
ifdef(`userhelper.te', `
|
|
Chris PeBenito |
2705f9 |
role system_r types sysadm_userhelper_t;
|
|
Chris PeBenito |
2705f9 |
domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
|
|
Chris PeBenito |
2705f9 |
')
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
allow kudzu_t initrc_t:unix_stream_socket connectto;
|
|
Chris PeBenito |
2705f9 |
allow kudzu_t net_conf_t:file { getattr read };
|
|
Chris PeBenito |
2705f9 |
|