author | Chris PeBenito <cpebenito@tresys.com> | 2009-09-15 09:53:24 -0400 |
---|---|---|
committer | Chris PeBenito <cpebenito@tresys.com> | 2009-09-15 09:53:24 -0400 |
commit | ed70158a3936aa04b225d824f863f90ced3b7414 (patch) | |
tree | ae77472d054682c409f0f55a9f5d6b650424f0c6 | |
parent | 1d3b9e384c06cc2e57579b61c968bd75a411baeb (diff) |
add rtkit from dan.
-rw-r--r-- | Changelog | 1 | ||||
-rw-r--r-- | policy/modules/services/rtkit.fc | 1 | ||||
-rw-r--r-- | policy/modules/services/rtkit.if | 40 | ||||
-rw-r--r-- | policy/modules/services/rtkit.te | 35 |
4 files changed, 77 insertions, 0 deletions
@@ -15,6 +15,7 @@
 kdump (Dan Walsh)
 modemmanager(Dan Walsh)
 nslcd (Dan Walsh)
+ rtkit (Dan Walsh)
 shorewall (Dan Walsh)
 xscreensaver (Corentin Labbe)
diff --git a/policy/modules/services/rtkit.fc b/policy/modules/services/rtkit.fc
new file mode 100644
index 00000000..52c441e1
--- /dev/null
+++ b/policy/modules/services/rtkit.fc
@@ -0,0 +1 @@
+/usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
diff --git a/policy/modules/services/rtkit.if b/policy/modules/services/rtkit.if
new file mode 100644
index 00000000..d536c01a
--- /dev/null
+++ b/policy/modules/services/rtkit.if
@@ -0,0 +1,40 @@
+## <summary>Realtime scheduling for user processes.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run rtkit_daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rtkit_daemon_domtrans',`
+ gen_require(`
+ type rtkit_daemon_t, rtkit_daemon_exec_t;
+ ')
+
+ domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## rtkit_daemon over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rtkit_daemon_dbus_chat',`
+ gen_require(`
+ type rtkit_daemon_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 rtkit_daemon_t:dbus send_msg;
+ allow rtkit_daemon_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/rtkit.te b/policy/modules/services/rtkit.te
new file mode 100644
index 00000000..37cd1269
--- /dev/null
+++ b/policy/modules/services/rtkit.te
@@ -0,0 +1,35 @@
+
+policy_module(rtkit, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rtkit_daemon_t;
+type rtkit_daemon_exec_t;
+dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
+
+########################################
+#
+# rtkit_daemon local policy
+#
+
+allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
+allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
+
+kernel_read_system_state(rtkit_daemon_t)
+
+domain_read_all_domains_state(rtkit_daemon_t)
+
+fs_rw_anon_inodefs_files(rtkit_daemon_t)
+
+auth_use_nsswitch(rtkit_daemon_t)
+
+logging_send_syslog_msg(rtkit_daemon_t)
+
+miscfiles_read_localization(locale_t)
+
+optional_policy(`
+ policykit_dbus_chat(rtkit_daemon_t)
+') |
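Review bot: `miscfiles_read_localization(locale_t)` near the end of rtkit.te passes the locale file type where the calling domain belongs, so rtkit_daemon_t does not receive the localization read access this line appears intended to grant; it should read `miscfiles_read_localization(rtkit_daemon_t)`. Every other interface call in the file takes rtkit_daemon_t as its argument, which suggests a copy-paste slip rather than intent. Separately, the `self:capability` line grants `sys_ptrace` and `dac_read_search` alongside `domain_read_all_domains_state`, which gives a system D-Bus service a wide view into other processes. A one-line comment above that rule stating why each capability is needed would let later reviewers judge whether the set can be narrowed.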