diff options
Diffstat (limited to 'policy/modules/services/hal.if')
| -rw-r--r-- | policy/modules/services/hal.if | 440 |
1 files changed, 440 insertions, 0 deletions
diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if new file mode 100644 index 000000000..98c4f127d --- /dev/null +++ b/policy/modules/services/hal.if @@ -0,0 +1,440 @@ +## <summary>Hardware abstraction layer.</summary> + +######################################## +## <summary> +## Execute hal in the hal domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`hal_domtrans',` + gen_require(` + type hald_t, hald_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, hald_exec_t, hald_t) +') + +######################################## +## <summary> +## Get attributes of hald processes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_getattr',` + gen_require(` + type hald_t; + ') + + allow $1 hald_t:process getattr; +') + +######################################## +## <summary> +## Read hal process state files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_read_state',` + gen_require(` + type hald_t; + ') + + ps_process_pattern($1, hald_t) +') + +######################################## +## <summary> +## Trace hald processes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_ptrace',` + gen_require(` + type hald_t; + ') + + allow $1 hald_t:process ptrace; +') + +######################################## +## <summary> +## Inherit and use hald file descriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_use_fds',` + gen_require(` + type hald_t; + ') + + allow $1 hald_t:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to inherited +## and use hald file descriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`hal_dontaudit_use_fds',` + gen_require(` + type hald_t; + ') + + dontaudit $1 hald_t:fd use; +') + +######################################## +## <summary> +## Read and write hald unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_rw_pipes',` + gen_require(` + type hald_t; + ') + + allow $1 hald_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read and +## write hald unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`hal_dontaudit_rw_pipes',` + gen_require(` + type hald_t; + ') + + dontaudit $1 hald_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## <summary> +## Send to hald over a unix domain +## datagram socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_dgram_send',` + gen_require(` + type hald_t, hald_var_lib_t; + ') + + files_search_var_lib($1) + dgram_send_pattern($1, hald_var_lib_t, hald_var_lib_t, hald_t) +') + +######################################## +## <summary> +## Send to hald over a unix domain +## stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_stream_connect',` + gen_require(` + type hald_t, hald_var_lib_t; + ') + + files_search_var_lib($1) + stream_connect_pattern($1, hald_var_lib_t, hald_var_lib_t, hald_t) +') + +######################################## +## <summary> +## Do not audit attempts to read and +## write hald unix datagram sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`hal_dontaudit_rw_dgram_sockets',` + gen_require(` + type hald_t; + ') + + dontaudit $1 hald_t:unix_dgram_socket { read write }; +') + +######################################## +## <summary> +## Send messages to hald over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_dbus_send',` + gen_require(` + type hald_t; + class dbus send_msg; + ') + + allow $1 hald_t:dbus send_msg; +') + +######################################## +## <summary> +## Send and receive messages from +## hald over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_dbus_chat',` + gen_require(` + type hald_t; + class dbus send_msg; + ') + + allow $1 hald_t:dbus send_msg; + allow hald_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Execute hal mac in the hal mac domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`hal_domtrans_mac',` + gen_require(` + type hald_mac_t, hald_mac_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, hald_mac_exec_t, hald_mac_t) +') + +######################################## +## <summary> +## Write hald log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_write_log',` + gen_require(` + type hald_log_t; + ') + + logging_search_logs($1) + write_files_pattern($1, hald_log_t, hald_log_t) +') + +######################################## +## <summary> +## Do not audit attempts to write hald +## log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`hal_dontaudit_write_log',` + gen_require(` + type hald_log_t; + ') + + dontaudit $1 hald_log_t:file { append write }; +') + +######################################## +## <summary> +## Create, read, write, and delete +## hald log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_manage_log',` + gen_require(` + type hald_log_t; + ') + + logging_search_logs($1) + manage_files_pattern($1, hald_log_t, hald_log_t) +') + +######################################## +## <summary> +## Read hald temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_read_tmp_files',` + gen_require(` + type hald_tmp_t; + ') + + files_search_tmp($1) + allow $1 hald_tmp_t:file read_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to append +## hald libraries files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`hal_dontaudit_append_lib_files',` + gen_require(` + type hald_var_lib_t; + ') + + dontaudit $1 hald_var_lib_t:file append_file_perms; +') + +######################################## +## <summary> +## Read hald pid files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_read_pid_files',` + gen_require(` + type hald_var_run_t; + ') + + files_search_pids($1) + allow $1 hald_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## Read and write hald pid files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_rw_pid_files',` + gen_require(` + type hald_var_run_t; + ') + + files_search_pids($1) + allow $1 hald_var_run_t:file rw_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete +## hald pid directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_manage_pid_dirs',` + gen_require(` + type hald_var_run_t; + ') + + files_search_pids($1) + manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## hald pid files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_manage_pid_files',` + gen_require(` + type hald_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, hald_var_run_t, hald_var_run_t) +') |