#DESC hald - server for device info
#
# Author: Russell Coker
# X-Debian-Packages:
#
#################################
#
# Rules for the hald_t domain.
#
# hald_exec_t is the type of the hald executable.
#
# Layout note: this file is written in the legacy m4-style policy language.
# Each ifdef block below is pulled in only when the named policy file is part
# of the build, so the rules inside it presumably refer to types that exist
# only in that case (e.g. system_dbusd_t from dbusd.te).
#
# Declares hald_t / hald_exec_t as a daemon domain; the quoted second argument
# adds the fs_domain and nscd_client_domain attributes to hald_t.
daemon_domain(hald, `, fs_domain, nscd_client_domain')
# NOTE(review): can_exec_any is a wide grant -- it is expected to let hald_t
# execute any executable type rather than a named set of helpers. Worth
# confirming it is still required; a narrower can_exec on specific helper
# types would shrink what a compromised hald could run.
can_exec_any(hald_t)
# Read-only access to static and runtime /etc content. A later rule widens
# etc_runtime_t to rw_file_perms; allow rules merge, so that one wins.
allow hald_t { etc_t etc_runtime_t }:file { getattr read };
allow hald_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow hald_t self:unix_dgram_socket create_socket_perms;
# D-Bus integration, only when the system bus policy is present: hald_t may
# acquire a service name on the system bus and exchange messages with it.
ifdef(`dbusd.te', `
allow hald_t system_dbusd_t:dbus { acquire_svc send_msg };
dbusd_client(system, hald)
allow hald_t self:dbus send_msg;
')
allow hald_t { self proc_t }:file { getattr read };
allow hald_t { bin_t sbin_t }:dir search;
allow hald_t self:fifo_file rw_file_perms;
allow hald_t usr_t:file { getattr read };
allow hald_t bin_t:file getattr;
# For backwards compatibility with older kernels
# (the generic netlink_socket class; newer kernels presumably report uevents
# through the dedicated netlink_kobject_uevent_socket class granted next).
allow hald_t self:netlink_socket create_socket_perms;
allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
allow hald_t self:netlink_route_socket r_netlink_socket_perms;
# Broad capability set. dac_override and dac_read_search bypass discretionary
# file permission checks; sys_admin and sys_rawio are among the most powerful
# capabilities Linux has; mknod is what makes the device_t node creation
# rules further down possible. Every entry here widens the blast radius of a
# hald compromise, so this list should be kept to what hald demonstrably
# needs.
allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
# NOTE(review): a device-info daemon listening as a network server is
# unusual; confirm which port or protocol actually requires this.
can_network_server(hald_t)
can_ypbind(hald_t)
allow hald_t device_t:lnk_file read;
# Block devices: fixed and removable disks are readable (getattr/read/ioctl);
# only removable media additionally gets raw write access.
allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
allow hald_t removable_device_t:blk_file write;
allow hald_t event_device_t:chr_file { getattr read ioctl };
allow hald_t printer_device_t:chr_file rw_file_perms;
allow hald_t urandom_device_t:chr_file read;
allow hald_t mouse_device_t:chr_file r_file_perms;
# presumably device_type is the attribute shared by all device node types --
# confirm; this grants getattr only, no read or write.
allow hald_t device_type:chr_file getattr;
# presumably lets hald_t query SELinux security information (e.g. via
# selinuxfs) -- confirm against the macro definition.
can_getsecurity(hald_t)
# Optional integration with updfstab: running updfstab_exec_t from hald_t
# transitions into updfstab_t, and the two domains may message each other
# over D-Bus.
ifdef(`updfstab.te', `
domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
allow updfstab_t hald_t:dbus send_msg;
allow hald_t updfstab_t:dbus send_msg;
')
# Optional integration with udev: running udev_exec_t from hald_t transitions
# into udev_t; udev_t may send datagrams to hald_t; hald_t reads udev tables.
ifdef(`udev.te', `
domain_auto_trans(hald_t, udev_exec_t, udev_t)
allow udev_t hald_t:unix_dgram_socket sendto;
allow hald_t udev_tbl_t:file { getattr read };
')
# Optional: read access to the hotplug configuration directory.
ifdef(`hotplug.te', `
r_dir_file(hald_t, hotplug_etc_t)
')
# USB device enumeration through both the legacy usbdevfs and usbfs types.
allow hald_t usbdevfs_t:dir search;
allow hald_t usbdevfs_t:file { getattr read };
allow hald_t usbfs_t:dir search;
allow hald_t usbfs_t:file { getattr read };
allow hald_t bin_t:lnk_file read;
# Read access to the SELinux configuration and default context files.
r_dir_file(hald_t, { selinux_config_t default_context_t } )
# Two-way D-Bus messaging with the init script domain.
allow hald_t initrc_t:dbus send_msg;
allow initrc_t hald_t:dbus send_msg;
# Widens the earlier read-only grant on etc_runtime_t to read-write.
allow hald_t etc_runtime_t:file rw_file_perms;
allow hald_t var_lib_t:dir search;
# hald_t may create directories and character device nodes under device_t.
# Combined with the mknod capability above this is effectively the ability
# to populate /dev, so these two rules deserve the same scrutiny as the
# capability list.
allow hald_t device_t:dir create_dir_perms;
allow hald_t device_t:chr_file create_file_perms;
# presumably gives hald_t a private tmp type -- confirm against the macro.
tmp_domain(hald)
allow hald_t mnt_t:dir search;
# Read access to the /proc/net tree.
r_dir_file(hald_t, proc_net_t)