#DESC Devfsd - Control daemon for devfs device file system
#
# Author:  Russell Coker <russell@coker.com.au>
# X-Debian-Packages: devfsd
#
#################################
#
# Rules for the devfsd_t domain.
#
etcdir_domain(devfsd)
typealias devfsd_etc_t alias etc_devfsd_t;
allow kernel_t { device_t root_t }:dir mounton;
daemon_domain(devfsd, `, privmodule')
allow devfsd_t urandom_device_t:chr_file read;
# for startup scripts: can_exec runs bin_t executables inside devfsd_t with no
# domain transition, so every script devfsd launches inherits the capabilities
# and relabel rights granted in this file
can_exec(devfsd_t, bin_t)
allow devfsd_t self:fifo_file rw_file_perms;
allow devfsd_t proc_t:dir r_dir_perms;
allow devfsd_t { etc_t etc_runtime_t proc_t }:file r_file_perms;
allow devfsd_t devtty_t:chr_file rw_file_perms;
# for alsa
allow devfsd_t proc_t:file setattr;
# for /sbin/modprobe
allow devfsd_t { bin_t sbin_t }:dir r_dir_perms;
ifdef(`distro_debian', `
# for the MAKEDEV script run from package maintainer scripts: dpkg_t executing
# devfsd_exec_t transitions into devfsd_t.  This lets package installation enter
# a domain holding mknod/dac_override and device relabel rights, which is why it
# is flagged as questionable - re-evaluate if MAKEDEV no longer needs devfsd
domain_auto_trans(dpkg_t, devfsd_exec_t, devfsd_t)
# for package upgrade: allows mapping lib_t files executable (libraries being
# replaced mid-upgrade); no execute_no_trans is granted, so lib_t files still
# cannot be exec()ed directly in devfsd_t
allow devfsd_t lib_t:file execute;
')
# mknod capability is for the startup scripts
allow devfsd_t self:capability { chown dac_override fowner fsetid sys_tty_config mknod };
# allow devfsd to create objects labelled device_t under /dev and to relabel
# them away from device_t (relabelfrom); the types it may relabel *to* are
# limited by the relabelto rules that follow, not "any other type"
# also allow those device_t objects to be unlinked
allow devfsd_t device_t:dir_file_class_set { create getattr setattr relabelfrom unlink };
# allow devfsd to get and set attributes of any device node and to change the
# type to any device type
allow devfsd_t { device_type ttyfile ptyfile }:{ lnk_file sock_file fifo_file chr_file blk_file } { getattr setattr relabelto };
allow devfsd_t mtrr_device_t:file { getattr setattr relabelto };
allow devfsd_t initctl_t:fifo_file getattr;
allow devfsd_t device_t:{ dir lnk_file sock_file fifo_file chr_file blk_file } setattr;
allow devfsd_t device_t:dir { r_dir_perms setattr };
allow devfsd_t devpts_t:dir { r_dir_perms relabelto };
allow devfsd_t devpts_t:chr_file { getattr setattr };
allow devpts_t device_t:filesystem associate;
allow initctl_t device_t:filesystem associate;
allow device_t device_t:filesystem associate;
allow devlog_t device_t:filesystem associate;
# allow any object whose type has the device_type attribute (plus tty/pty
# node types) to reside on the device_t filesystem
allow { device_type ttyfile ptyfile } device_t:filesystem associate;
allow domain device_t:lnk_file r_file_perms;
# read the config files
allow devfsd_t etc_t:dir r_dir_perms;
# allow devfsd to manage symlinks and directory entries under /dev (device_t),
# as driven by the permission and symlink actions in its configuration
allow devfsd_t device_t:lnk_file create_file_perms;
allow devfsd_t device_t:dir rw_dir_perms;
allow devfsd_t { file_type ttyfile ptyfile }:{ chr_file blk_file } getattr;
allow devfsd_t file_type:lnk_file r_file_perms;
allow devfsd_t self:unix_dgram_socket create_socket_perms;
allow devfsd_t self:unix_stream_socket create_stream_socket_perms;
allow devfsd_t self:unix_dgram_socket sendto;
allow devfsd_t self:unix_stream_socket connect;
allow devfsd_t devfs_control_t:chr_file { getattr read ioctl };
dontaudit userdomain devfs_control_t:chr_file getattr;
# UDP sockets for name lookups by an LDAP or other network NSS data source
# (resolv.conf itself is already readable through the etc_t file rule above)
allow devfsd_t self:udp_socket create_socket_perms;
allow devfsd_t privfd:fd use;
allow kernel_t device_t:filesystem mount;
# for NSS backends such as nss-ldap (TCP client) and NIS (ypbind).  This gives
# a device-management daemon outbound network access; keep it only on systems
# that actually use a network NSS source
can_network_client_tcp(devfsd_t)
can_ypbind(devfsd_t)