path: root/policy/modules/system/udev.if
authorChris PeBenito <cpebenito@tresys.com>2006-07-12 20:32:27 +0000
committerChris PeBenito <cpebenito@tresys.com>2006-07-12 20:32:27 +0000
commit17de1b790b30095d8dc26ef720d3cc6d0fbdceb5 (patch)
tree89e24b9b7407840b4b6b56d58c908f1df022f712 /policy/modules/system/udev.if
parentb6a9bc355553f05e84f937005f53d39cdad70e27 (diff)
remove extra level of directory
Diffstat (limited to 'policy/modules/system/udev.if')
-rw-r--r--policy/modules/system/udev.if143
1 files changed, 143 insertions, 0 deletions
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
new file mode 100644
index 00000000..6aa57cef
--- /dev/null
+++ b/policy/modules/system/udev.if
@@ -0,0 +1,143 @@
+## <summary>Policy for udev.</summary>
+
+########################################
+## <summary>
+## Execute udev in the udev domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`udev_domtrans',`
+ gen_require(`
+ type udev_t, udev_exec_t;
+ ')
+
+ domain_auto_trans($1, udev_exec_t, udev_t)
+
+ allow $1 udev_t:fd use;
+ allow udev_t $1:fd use;
+ allow udev_t $1:fifo_file rw_file_perms;
+ allow udev_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute a udev helper in the udev domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`udev_helper_domtrans',`
+ gen_require(`
+ type udev_t, udev_helper_exec_t;
+ ')
+
+ domain_auto_trans($1, udev_helper_exec_t, udev_t)
+
+ allow $1 udev_t:fd use;
+ allow udev_t $1:fd use;
+ allow udev_t $1:fifo_file rw_file_perms;
+ allow udev_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Allow process to read udev process state.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_read_state',`
+ gen_require(`
+ type udev_t;
+ ')
+
+ kernel_search_proc($1)
+ allow $1 udev_t:file r_file_perms;
+ allow $1 udev_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherit a
+## udev file descriptor.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`udev_dontaudit_use_fds',`
+ gen_require(`
+ type udev_t;
+ ')
+
+ dontaudit $1 udev_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## to a udev unix datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`udev_dontaudit_rw_dgram_sockets',`
+ gen_require(`
+ type udev_t;
+ ')
+
+ dontaudit $1 udev_t:unix_dgram_socket { read write };
+')
+
+########################################
+## <summary>
+## Allow process to read list of devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`udev_read_db',`
+ gen_require(`
+ type udev_tdb_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 udev_tdb_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Allow process to modify list of devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`udev_rw_db',`
+ gen_require(`
+ type udev_tdb_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 udev_tdb_t:file rw_file_perms;
+')
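Review bot: `udev_read_state` grants `file` and `lnk_file` read on `udev_t` after `kernel_search_proc($1)`, but no `dir` permission on `udev_t` itself; since a process's `/proc/<pid>` directory carries the process type, the file rules look unreachable unless the caller already has directory search on `udev_t` from elsewhere. Consider adding `allow $1 udev_t:dir search;` (or `r_dir_perms` if listing is intended) between the `kernel_search_proc` call and the file rules. Separately, `udev_domtrans` and `udev_helper_domtrans` repeat the same four fd/fifo_file/sigchld rules verbatim; if the policy's support macros offer a shared transition pattern, both interfaces could use it so the two stay in sync.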