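#DESC udev - Linux configurable dynamic device naming support
#
# Author:  Dan Walsh dwalsh@redhat.com
#

#################################
#
# Rules for the udev_t domain.
#
# udev_exec_t is the type of the udev executable.
#
# Security summary: udev_t is among the most privileged daemon domains in
# this policy.  It is entered from kernel_t (see the domain_auto_trans
# below), carries the privmodule, privmem, fs_domain, privfd, privowner and
# MLS file/process override attributes, and holds sys_admin, sys_rawio,
# net_admin, mknod and dac_override capabilities.  Treat it as close to
# root-equivalent: every new allow rule added here should be tied to a
# concrete udev helper or rules-file action.
#
daemon_domain(udev, `, nscd_client_domain, privmodule, privmem, fs_domain, privfd, privowner, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocwrite')

general_domain_access(udev_t)

# Executable anonymous memory is a W^X relaxation.  It is gated behind the
# allow_execmem boolean rather than granted unconditionally.
if (allow_execmem) {
# for alsactl
allow udev_t self:process execmem;
}

etc_domain(udev)
# NOTE(review): udev_helper_exec_t is declared exec_type, but the only
# explicit rule on it in this file is dir r_dir_perms (further down).
# Execution of helpers presumably comes from can_exec_any() on the next
# line -- confirm against the expansion of that macro.
type udev_helper_exec_t, file_type, sysadmfile, exec_type;
# Broad: udev_t may presumably execute any exec_type file without a domain
# transition, so helpers launched from rules files run with the full
# privilege of udev_t unless a domain_auto_trans below redirects them.
can_exec_any(udev_t)

#
# Rules used for udev
#
# udev_tdb_t labels the database/table files udev creates under /dev
# (device_t).  The typealias keeps the older udev_tbl_t name working.
type udev_tdb_t, file_type, sysadmfile, dev_fs;
typealias udev_tdb_t alias udev_tbl_t;
file_type_auto_trans(udev_t, device_t, udev_tdb_t, file)
# Capabilities.  chown/fowner/fsetid/dac_* and mknod are what creating and
# re-owning device nodes requires.  sys_admin, sys_rawio and net_admin are
# far broader -- NOTE(review): nothing in this file ties them to a specific
# helper, so verify each is still needed before carrying them forward.
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_nice mknod net_raw net_admin sys_rawio };
allow udev_t self:file { getattr read };
allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
allow udev_t self:unix_dgram_socket create_socket_perms;
allow udev_t self:fifo_file rw_file_perms;
# Receive kernel uevents.  Deliberately read-only on the uevent socket
# (no write), so udev_t cannot inject synthetic uevents through this path.
allow udev_t self:netlink_kobject_uevent_socket { create bind read setopt };
# Full management of nodes under /dev, including relabeling any device_type
# chr/blk node in either direction.  Dynamic naming needs this, but it also
# means a compromised udev_t can relabel (and so re-expose) any device.
allow udev_t device_t:file { unlink rw_file_perms };
allow udev_t device_t:sock_file create_file_perms;
allow udev_t device_t:lnk_file create_lnk_perms;
allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
ifdef(`distro_redhat', `
# Mirror the device_t rules for tmpfs_t (presumably a tmpfs-backed /dev on
# this distro).  create_dir_perms already includes search, so the former
# separate dir search rule was redundant and has been dropped.
allow udev_t tmpfs_t:dir create_dir_perms;
allow udev_t tmpfs_t:{ sock_file file } create_file_perms;
allow udev_t tmpfs_t:lnk_file create_lnk_perms;
allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };

# for arping used for static IP addresses on PCMCIA ethernet
domain_auto_trans(udev_t, netutils_exec_t, netutils_t)
')
allow udev_t etc_t:file { getattr read ioctl };
allow udev_t { bin_t sbin_t }:dir r_dir_perms;
# Covers both bin_t and sbin_t symlinks; the former duplicate bin_t-only
# lnk_file rule was a strict subset and has been dropped.
allow udev_t { sbin_t bin_t }:lnk_file read;
# NOTE(review): executing etc_t files without a transition is unusual --
# presumably scripts under /etc invoked from udev rules.  Confirm, and
# prefer a dedicated exec type if the set of scripts is known.
can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )
# udev re-executing its own binary stays in udev_t (no transition).
can_exec(udev_t, udev_exec_t)
# Read and write sysfs (device attributes, uevent trigger files).
rw_dir_file(udev_t, sysfs_t)
# NOTE(review): write on the admin tty is presumably for console output;
# read access to it is not obviously required -- verify.
allow udev_t sysadm_tty_device_t:chr_file { read write };

# to read the file_contexts file
r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )

allow udev_t policy_config_t:dir search;
allow udev_t proc_t:file { getattr read ioctl };
# getattr only on /proc/kcore -- no read, so kernel memory stays out of reach.
allow udev_t proc_kcore_t:file getattr;

# Get security policy decisions.
can_getsecurity(udev_t)

# set file system create context
# (lets udev label newly created device nodes explicitly instead of relying
# on the default type transition)
can_setfscreate(udev_t)

# Interaction with the kernel, which spawns udev as a hotplug helper.
allow udev_t kernel_t:fd use;
allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
allow udev_t kernel_t:process signal;

allow udev_t initrc_var_run_t:file r_file_perms;
dontaudit udev_t initrc_var_run_t:file write;

# Entry point: the kernel executes udev_exec_t and lands in udev_t.
domain_auto_trans(kernel_t, udev_exec_t, udev_t)
# Helpers that get their own, narrower domain instead of inheriting udev_t.
domain_auto_trans(udev_t, restorecon_exec_t, restorecon_t)
ifdef(`hide_broken_symptoms', `
dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
')
allow udev_t devpts_t:dir { getattr search };
allow udev_t etc_runtime_t:file { getattr read };
ifdef(`xdm.te', `
allow udev_t xdm_var_run_t:file { getattr read };
')

ifdef(`hotplug.te', `
r_dir_file(udev_t, hotplug_etc_t)
')
allow udev_t var_log_t:dir search;

ifdef(`consoletype.te', `
can_exec(udev_t, consoletype_exec_t)
')
ifdef(`pamconsole.te', `
allow udev_t pam_var_console_t:dir search;
allow udev_t pam_var_console_t:file { getattr read };
domain_auto_trans(udev_t, pam_console_exec_t, pam_console_t)
')
allow udev_t var_lock_t:dir search;
allow udev_t var_lock_t:file getattr;
domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t)
ifdef(`hide_broken_symptoms', `
dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
')

# Unlabeled (file_t) directories: silence the denial, do not allow it.
dontaudit udev_t file_t:dir search;
ifdef(`dhcpc.te', `
domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t)
')

allow udev_t udev_helper_exec_t:dir r_dir_perms;

dbusd_client(system, udev)

allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };
allow udev_t sysctl_dev_t:dir search;
allow udev_t mnt_t:dir search;
allow udev_t { sysctl_dev_t sysctl_modprobe_t sysctl_kernel_t sysctl_hotplug_t }:file { getattr read };
# Raw IP sockets (paired with net_raw above); presumably for the arping case
# noted in the distro_redhat block.
allow udev_t self:rawip_socket create_socket_perms;
# NOTE(review): this dontaudit is moot -- r_dir_file(udev_t, domain) below
# allows exactly these dir permissions on every domain, so no denial can be
# generated here.  Retained for history; drop it deliberately if desired.
dontaudit udev_t domain:dir r_dir_perms;
dontaudit udev_t ttyfile:chr_file unlink;
ifdef(`hotplug.te', `
r_dir_file(udev_t, hotplug_var_run_t)
')
r_dir_file(udev_t, modules_object_t)
#
# Udev is now writing dhclient-eth*.conf* files.
#
# A privileged daemon writing configuration under /etc.  The write is
# limited to dhcp_etc_t, and files udev creates in etc_t are labeled
# dhcp_etc_t rather than etc_t.  use_dhcp is defined when either the
# dhcpd or dhcpc policy is present (presumably whichever declares
# dhcp_etc_t).
ifdef(`dhcpd.te', `define(`use_dhcp')')
ifdef(`dhcpc.te', `define(`use_dhcp')')
ifdef(`use_dhcp', `
allow udev_t dhcp_etc_t:file rw_file_perms;
file_type_auto_trans(udev_t, etc_t, dhcp_etc_t, file)
')
# Read the /proc entries of every process domain.
r_dir_file(udev_t, domain)
allow udev_t modules_dep_t:file r_file_perms;

# NOTE(review): unlimitedUtils makes udev_t fully unconfined, discarding
# every restriction above.  It should remain off in any hardened build.
ifdef(`unlimitedUtils', `
unconfined_domain(udev_t)
')
# Inherited udev_t fds in hostname_t (presumably when hostname is run from
# a udev rule): silence rather than allow.
dontaudit hostname_t udev_t:fd use;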