Devicekit patch from Dan Walsh.
This commit is contained in:
parent
857d37e84a
commit
61738f11ec
|
@ -1,8 +1,14 @@
|
|||
/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
|
||||
/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
|
||||
/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
|
||||
/usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
|
||||
/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
|
||||
|
||||
/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
|
||||
/var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
|
||||
/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
|
||||
|
||||
/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
|
||||
/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
|
||||
/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
|
||||
/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
|
||||
/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
|
||||
|
|
|
@ -139,7 +139,7 @@ interface(`devicekit_read_pid_files',`
|
|||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## All of the rules required to administrate
|
||||
## an devicekit environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
|
@ -162,7 +162,7 @@ interface(`devicekit_read_pid_files',`
|
|||
interface(`devicekit_admin',`
|
||||
gen_require(`
|
||||
type devicekit_t, devicekit_disk_t, devicekit_power_t;
|
||||
type devicekit_var_run_t;
|
||||
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
|
||||
')
|
||||
|
||||
allow $1 devicekit_t:process { ptrace signal_perms getattr };
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
policy_module(devicekit, 1.0.0)
|
||||
policy_module(devicekit, 1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -37,6 +37,8 @@ manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
|
|||
manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
|
||||
files_pid_filetrans(devicekit_t, devicekit_var_run_t, { file dir })
|
||||
|
||||
kernel_read_system_state(devicekit_t)
|
||||
|
||||
dev_read_sysfs(devicekit_t)
|
||||
dev_read_urand(devicekit_t)
|
||||
|
||||
|
@ -60,8 +62,10 @@ optional_policy(`
|
|||
# DeviceKit disk local policy
|
||||
#
|
||||
|
||||
allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio };
|
||||
allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
|
||||
allow devicekit_disk_t self:process { getsched signal_perms };
|
||||
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
|
||||
allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
|
||||
manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
|
||||
manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
|
||||
|
@ -71,29 +75,60 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
|
|||
manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
|
||||
files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
|
||||
|
||||
manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
|
||||
manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
|
||||
files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir })
|
||||
|
||||
kernel_getattr_message_if(devicekit_disk_t)
|
||||
kernel_read_fs_sysctls(devicekit_disk_t)
|
||||
kernel_read_network_state(devicekit_disk_t)
|
||||
kernel_read_software_raid_state(devicekit_disk_t)
|
||||
kernel_read_system_state(devicekit_disk_t)
|
||||
kernel_request_load_module(devicekit_disk_t)
|
||||
kernel_setsched(devicekit_disk_t)
|
||||
|
||||
corecmd_exec_bin(devicekit_disk_t)
|
||||
corecmd_exec_shell(devicekit_disk_t)
|
||||
corecmd_getattr_all_executables(devicekit_disk_t)
|
||||
|
||||
dev_rw_sysfs(devicekit_disk_t)
|
||||
dev_read_urand(devicekit_disk_t)
|
||||
dev_getattr_usbfs_dirs(devicekit_disk_t)
|
||||
dev_manage_generic_files(devicekit_disk_t)
|
||||
dev_getattr_all_chr_files(devicekit_disk_t)
|
||||
dev_getattr_mtrr_dev(devicekit_disk_t)
|
||||
|
||||
domain_getattr_all_pipes(devicekit_disk_t)
|
||||
domain_getattr_all_sockets(devicekit_disk_t)
|
||||
domain_getattr_all_stream_sockets(devicekit_disk_t)
|
||||
domain_read_all_domains_state(devicekit_disk_t)
|
||||
|
||||
files_dontaudit_read_all_symlinks(devicekit_disk_t)
|
||||
files_getattr_all_sockets(devicekit_disk_t)
|
||||
files_getattr_all_mountpoints(devicekit_disk_t)
|
||||
files_getattr_all_files(devicekit_disk_t)
|
||||
files_manage_isid_type_dirs(devicekit_disk_t)
|
||||
files_manage_mnt_dirs(devicekit_disk_t)
|
||||
files_read_etc_files(devicekit_disk_t)
|
||||
files_read_etc_runtime_files(devicekit_disk_t)
|
||||
files_read_usr_files(devicekit_disk_t)
|
||||
|
||||
fs_list_inotifyfs(devicekit_disk_t)
|
||||
fs_manage_fusefs_dirs(devicekit_disk_t)
|
||||
fs_mount_all_fs(devicekit_disk_t)
|
||||
fs_unmount_all_fs(devicekit_disk_t)
|
||||
fs_manage_fusefs_dirs(devicekit_disk_t)
|
||||
fs_search_all(devicekit_disk_t)
|
||||
|
||||
mls_file_read_all_levels(devicekit_disk_t)
|
||||
mls_file_write_to_clearance(devicekit_disk_t)
|
||||
|
||||
storage_raw_read_fixed_disk(devicekit_disk_t)
|
||||
storage_raw_write_fixed_disk(devicekit_disk_t)
|
||||
storage_raw_read_removable_device(devicekit_disk_t)
|
||||
storage_raw_write_removable_device(devicekit_disk_t)
|
||||
|
||||
term_use_all_terms(devicekit_disk_t)
|
||||
|
||||
auth_use_nsswitch(devicekit_disk_t)
|
||||
|
||||
miscfiles_read_localization(devicekit_disk_t)
|
||||
|
@ -101,24 +136,6 @@ miscfiles_read_localization(devicekit_disk_t)
|
|||
userdom_read_all_users_state(devicekit_disk_t)
|
||||
userdom_search_user_home_dirs(devicekit_disk_t)
|
||||
|
||||
optional_policy(`
|
||||
fstools_domtrans(devicekit_disk_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
lvm_domtrans(devicekit_disk_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
policykit_domtrans_auth(devicekit_disk_t)
|
||||
policykit_read_lib(devicekit_disk_t)
|
||||
policykit_read_reload(devicekit_disk_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mount_domtrans(devicekit_disk_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(devicekit_disk_t)
|
||||
|
||||
|
@ -129,19 +146,48 @@ optional_policy(`
|
|||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
fstools_domtrans(devicekit_disk_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
lvm_domtrans(devicekit_disk_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mount_domtrans(devicekit_disk_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
policykit_dbus_chat(devicekit_disk_t)
|
||||
policykit_domtrans_auth(devicekit_disk_t)
|
||||
policykit_read_lib(devicekit_disk_t)
|
||||
policykit_read_reload(devicekit_disk_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
raid_domtrans_mdadm(devicekit_disk_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_domtrans(devicekit_disk_t)
|
||||
udev_read_db(devicekit_disk_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
virt_manage_images(devicekit_disk_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# DeviceKit-Power local policy
|
||||
#
|
||||
|
||||
allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice sys_ptrace };
|
||||
allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
|
||||
allow devicekit_power_t self:process getsched;
|
||||
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
|
||||
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
|
||||
allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
|
||||
manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
|
||||
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
|
||||
|
@ -151,6 +197,8 @@ kernel_read_network_state(devicekit_power_t)
|
|||
kernel_read_system_state(devicekit_power_t)
|
||||
kernel_rw_hotplug_sysctls(devicekit_power_t)
|
||||
kernel_rw_kernel_sysctl(devicekit_power_t)
|
||||
kernel_search_debugfs(devicekit_power_t)
|
||||
kernel_write_proc_files(devicekit_power_t)
|
||||
|
||||
corecmd_exec_bin(devicekit_power_t)
|
||||
corecmd_exec_shell(devicekit_power_t)
|
||||
|
@ -159,7 +207,9 @@ consoletype_exec(devicekit_power_t)
|
|||
|
||||
domain_read_all_domains_state(devicekit_power_t)
|
||||
|
||||
dev_read_input(devicekit_power_t)
|
||||
dev_rw_generic_usb_dev(devicekit_power_t)
|
||||
dev_rw_generic_chr_files(devicekit_power_t)
|
||||
dev_rw_netcontrol(devicekit_power_t)
|
||||
dev_rw_sysfs(devicekit_power_t)
|
||||
|
||||
|
@ -167,18 +217,27 @@ files_read_kernel_img(devicekit_power_t)
|
|||
files_read_etc_files(devicekit_power_t)
|
||||
files_read_usr_files(devicekit_power_t)
|
||||
|
||||
fs_list_inotifyfs(devicekit_power_t)
|
||||
|
||||
term_use_all_terms(devicekit_power_t)
|
||||
|
||||
auth_use_nsswitch(devicekit_power_t)
|
||||
|
||||
miscfiles_read_localization(devicekit_power_t)
|
||||
|
||||
sysnet_read_config(devicekit_power_t)
|
||||
sysnet_domtrans_ifconfig(devicekit_power_t)
|
||||
|
||||
userdom_read_all_users_state(devicekit_power_t)
|
||||
|
||||
optional_policy(`
|
||||
bootloader_domtrans(devicekit_power_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
cron_initrc_domtrans(devicekit_power_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(devicekit_power_t)
|
||||
|
||||
|
@ -203,17 +262,23 @@ optional_policy(`
|
|||
|
||||
optional_policy(`
|
||||
hal_domtrans_mac(devicekit_power_t)
|
||||
hal_manage_log(devicekit_power_t)
|
||||
hal_manage_pid_dirs(devicekit_power_t)
|
||||
hal_manage_pid_files(devicekit_power_t)
|
||||
hal_dbus_chat(devicekit_power_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
policykit_dbus_chat(devicekit_power_t)
|
||||
policykit_domtrans_auth(devicekit_power_t)
|
||||
policykit_read_lib(devicekit_power_t)
|
||||
policykit_read_reload(devicekit_power_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_read_db(devicekit_power_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
vbetool_domtrans(devicekit_power_t)
|
||||
')
|
||||
|
|
Loading…
Reference in New Issue