2018-06-23 13:00:56 +00:00
|
|
|
## <summary>Plymouth graphical boot.</summary>
|
|
|
|
|
|
|
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Execute a domain transition to run plymouthd.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## <summary>
|
|
|
|
|
## Domain allowed to transition.
|
|
|
|
|
## </summary>
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`plymouthd_domtrans',`
|
|
|
|
|
gen_require(`
|
|
|
|
|
type plymouthd_t, plymouthd_exec_t;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
corecmd_search_bin($1)
|
|
|
|
|
domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Execute plymouthd in the caller domain.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## <summary>
|
|
|
|
|
## Domain allowed access.
|
|
|
|
|
## </summary>
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`plymouthd_exec',`
|
|
|
|
|
gen_require(`
|
|
|
|
|
type plymouthd_exec_t;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
corecmd_search_bin($1)
|
|
|
|
|
can_exec($1, plymouthd_exec_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Connect to plymouthd using a unix
|
|
|
|
|
## domain stream socket.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## <summary>
|
|
|
|
|
## Domain allowed access.
|
|
|
|
|
## </summary>
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`plymouthd_stream_connect',`
|
|
|
|
|
gen_require(`
|
|
|
|
|
type plymouthd_t, plymouthd_spool_t;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
files_search_spool($1)
|
|
|
|
|
stream_connect_pattern($1, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Execute plymouth in the caller domain.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## <summary>
|
|
|
|
|
## Domain allowed access.
|
|
|
|
|
## </summary>
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`plymouthd_exec_plymouth',`
|
|
|
|
|
gen_require(`
|
|
|
|
|
type plymouth_exec_t;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
corecmd_search_bin($1)
|
|
|
|
|
can_exec($1, plymouth_exec_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Execute a domain transition to run plymouth.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## <summary>
|
|
|
|
|
## Domain allowed to transition.
|
|
|
|
|
## </summary>
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`plymouthd_domtrans_plymouth',`
|
|
|
|
|
gen_require(`
|
|
|
|
|
type plymouth_t, plymouth_exec_t;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
corecmd_search_bin($1)
|
|
|
|
|
domtrans_pattern($1, plymouth_exec_t, plymouth_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Search plymouthd spool directories.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## <summary>
|
|
|
|
|
## Domain allowed access.
|
|
|
|
|
## </summary>
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`plymouthd_search_spool',`
|
|
|
|
|
gen_require(`
|
|
|
|
|
type plymouthd_spool_t;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
files_search_spool($1)
|
|
|
|
|
allow $1 plymouthd_spool_t:dir search_dir_perms;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Read plymouthd spool files.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## <summary>
|
|
|
|
|
## Domain allowed access.
|
|
|
|
|
## </summary>
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`plymouthd_read_spool_files',`
|
|
|
|
|
gen_require(`
|
|
|
|
|
type plymouthd_spool_t;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
files_search_spool($1)
|
|
|
|
|
read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Create, read, write, and delete
|
|
|
|
|
## plymouthd spool files.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## <summary>
|
|
|
|
|
## Domain allowed access.
|
|
|
|
|
## </summary>
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`plymouthd_manage_spool_files',`
|
|
|
|
|
gen_require(`
|
|
|
|
|
type plymouthd_spool_t;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
files_search_spool($1)
|
|
|
|
|
manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Search plymouthd lib directories.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## <summary>
|
|
|
|
|
## Domain allowed access.
|
|
|
|
|
## </summary>
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`plymouthd_search_lib',`
|
|
|
|
|
gen_require(`
|
|
|
|
|
type plymouthd_var_lib_t;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
files_search_var_lib($1)
|
|
|
|
|
allow $1 plymouthd_var_lib_t:dir search_dir_perms;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Read plymouthd lib files.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## <summary>
|
|
|
|
|
## Domain allowed access.
|
|
|
|
|
## </summary>
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`plymouthd_read_lib_files',`
|
|
|
|
|
gen_require(`
|
|
|
|
|
type plymouthd_var_lib_t;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
files_search_var_lib($1)
|
|
|
|
|
read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
|
|
|
|
|
')
|
|
|
|
|
|
2019-04-11 12:56:12 +00:00
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Read and write plymouthd lib files.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## <summary>
|
|
|
|
|
## Domain allowed access.
|
|
|
|
|
## </summary>
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`plymouthd_rw_lib_files',`
|
|
|
|
|
gen_require(`
|
|
|
|
|
type plymouthd_var_lib_t;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
files_search_var_lib($1)
|
|
|
|
|
rw_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
|
|
|
|
|
')
|
|
|
|
|
|
2018-06-23 13:00:56 +00:00
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Create, read, write, and delete
|
|
|
|
|
## plymouthd lib files.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## <summary>
|
|
|
|
|
## Domain allowed access.
|
|
|
|
|
## </summary>
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`plymouthd_manage_lib_files',`
|
|
|
|
|
gen_require(`
|
|
|
|
|
type plymouthd_var_lib_t;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
files_search_var_lib($1)
|
|
|
|
|
manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
|
|
|
|
## <summary>
|
2020-06-27 20:49:41 +00:00
|
|
|
## Read plymouthd pid files. (Deprecated)
|
2018-06-23 13:00:56 +00:00
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## <summary>
|
|
|
|
|
## Domain allowed access.
|
|
|
|
|
## </summary>
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`plymouthd_read_pid_files',`
|
2020-06-27 20:49:41 +00:00
|
|
|
refpolicywarn(`$0($*) has been deprecated, please use plymouthd_read_runtime_files() instead.')
|
|
|
|
|
plymouthd_read_runtime_files($1)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Delete the plymouthd pid files. (Deprecated)
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## <summary>
|
|
|
|
|
## Domain allowed access.
|
|
|
|
|
## </summary>
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`plymouthd_delete_pid_files',`
|
|
|
|
|
refpolicywarn(`$0($*) has been deprecated, please use plymouthd_delete_runtime_files() instead.')
|
|
|
|
|
plymouthd_delete_runtime_files($1)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Read plymouthd runtime files.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## <summary>
|
|
|
|
|
## Domain allowed access.
|
|
|
|
|
## </summary>
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`plymouthd_read_runtime_files',`
|
2018-06-23 13:00:56 +00:00
|
|
|
gen_require(`
|
2019-09-08 20:55:02 +00:00
|
|
|
type plymouthd_runtime_t;
|
2018-06-23 13:00:56 +00:00
|
|
|
')
|
|
|
|
|
|
2020-06-27 21:11:48 +00:00
|
|
|
files_search_runtime($1)
|
2020-06-27 20:49:41 +00:00
|
|
|
read_files_pattern($1, plymouthd_runtime_t, plymouthd_runtime_t)
|
2018-06-23 13:00:56 +00:00
|
|
|
')
|
|
|
|
|
|
2019-04-11 12:56:12 +00:00
|
|
|
########################################
|
|
|
|
|
## <summary>
|
2020-06-27 20:49:41 +00:00
|
|
|
## Delete the plymouthd runtime files.
|
2019-04-11 12:56:12 +00:00
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## <summary>
|
|
|
|
|
## Domain allowed access.
|
|
|
|
|
## </summary>
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
2020-06-27 20:49:41 +00:00
|
|
|
interface(`plymouthd_delete_runtime_files',`
|
2019-04-11 12:56:12 +00:00
|
|
|
gen_require(`
|
2019-09-08 20:55:02 +00:00
|
|
|
type plymouthd_runtime_t;
|
2019-04-11 12:56:12 +00:00
|
|
|
')
|
|
|
|
|
|
2020-06-27 21:11:48 +00:00
|
|
|
files_search_runtime($1)
|
2019-09-08 20:55:02 +00:00
|
|
|
delete_files_pattern($1, plymouthd_runtime_t, plymouthd_runtime_t)
|
2019-04-11 12:56:12 +00:00
|
|
|
')
|
|
|
|
|
|
2018-06-23 13:00:56 +00:00
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## All of the rules required to
|
|
|
|
|
## administrate an plymouthd environment.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## <summary>
|
|
|
|
|
## Domain allowed access.
|
|
|
|
|
## </summary>
|
|
|
|
|
## </param>
|
|
|
|
|
## <param name="role" unused="true">
|
|
|
|
|
## <summary>
|
|
|
|
|
## Role allowed access.
|
|
|
|
|
## </summary>
|
|
|
|
|
## </param>
|
|
|
|
|
## <rolecap/>
|
|
|
|
|
#
|
|
|
|
|
interface(`plymouthd_admin',`
|
|
|
|
|
gen_require(`
|
|
|
|
|
type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
|
2019-09-08 20:55:02 +00:00
|
|
|
type plymouthd_runtime_t;
|
2018-06-23 13:00:56 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
|
|
allow $1 plymouthd_t:process { ptrace signal_perms };
|
|
|
|
|
read_files_pattern($1, plymouthd_t, plymouthd_t)
|
|
|
|
|
|
|
|
|
|
files_search_spool($1)
|
|
|
|
|
admin_pattern($1, plymouthd_spool_t)
|
|
|
|
|
|
|
|
|
|
files_search_var_lib($1)
|
|
|
|
|
admin_pattern($1, plymouthd_var_lib_t)
|
|
|
|
|
|
2020-06-27 21:11:48 +00:00
|
|
|
files_search_runtime($1)
|
2019-09-08 20:55:02 +00:00
|
|
|
admin_pattern($1, plymouthd_runtime_t)
|
2018-06-23 13:00:56 +00:00
|
|
|
')
|
