Blob Blame History Raw
## <summary>Policy for udev.</summary>

########################################
## <summary>
##	Execute udev in the udev domain.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`udev_domtrans',`
	gen_require(`
		type udev_t, udev_exec_t;
	')

	domain_auto_trans($1, udev_exec_t, udev_t)

	allow $1 udev_t:fd use;
	allow udev_t $1:fd use;
	allow udev_t $1:fifo_file rw_file_perms;
	allow udev_t $1:process sigchld;
')

########################################
## <summary>
##	Execute a udev helper in the udev domain.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`udev_helper_domtrans',`
	gen_require(`
		type udev_t, udev_helper_exec_t;
	')

	domain_auto_trans($1, udev_helper_exec_t, udev_t)

	allow $1 udev_t:fd use;
	allow udev_t $1:fd use;
	allow udev_t $1:fifo_file rw_file_perms;
	allow udev_t $1:process sigchld;
')

########################################
## <summary>
##	Allow process to read udev process state.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`udev_read_state',`
	gen_require(`
		type udev_t;
	')

	kernel_search_proc($1)
	allow $1 udev_t:file r_file_perms;
	allow $1 udev_t:lnk_file r_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to inherit a
##	udev file descriptor.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`udev_dontaudit_use_fds',`
	gen_require(`
		type udev_t;
	')

	dontaudit $1 udev_t:fd use;
')

########################################
## <summary>
##	Do not audit attempts to read or write
##	to a udev unix datagram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`udev_dontaudit_rw_dgram_sockets',`
	gen_require(`
		type udev_t;
	')

	dontaudit $1 udev_t:unix_dgram_socket { read write };
')

########################################
## <summary>
##	Allow process to read list of devices.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`udev_read_db',`
	gen_require(`
		type udev_tdb_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 udev_tdb_t:file r_file_perms;
')

########################################
## <summary>
##	Allow process to modify list of devices.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`udev_rw_db',`
	gen_require(`
		type udev_tdb_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 udev_tdb_t:file rw_file_perms;
')