add devicekit module from dan.

This commit is contained in:
Chris PeBenito 2009-07-29 10:02:06 -04:00
parent 4e7c0a93a6
commit 677c4c2fea
4 changed files with 413 additions and 0 deletions

View File

@ -22,6 +22,7 @@
- Added modules: - Added modules:
certmaster (Dan Walsh) certmaster (Dan Walsh)
cpufreqselector (Dan Walsh) cpufreqselector (Dan Walsh)
devicekit (Dan Walsh)
git (Dan Walsh) git (Dan Walsh)
gpsd (Miroslav Grepl) gpsd (Miroslav Grepl)
guest (Dan Walsh) guest (Dan Walsh)

View File

@ -0,0 +1,8 @@
/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)

View File

@ -0,0 +1,185 @@
## <summary>Devicekit modular hardware abstraction layer</summary>
########################################
## <summary>
## Execute a domain transition to run devicekit.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`devicekit_domtrans',`
gen_require(`
type devicekit_t, devicekit_exec_t;
')
domtrans_pattern($1, devicekit_exec_t, devicekit_t)
')
########################################
## <summary>
## Send to devicekit over a unix domain
## datagram socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`devicekit_dgram_send',`
gen_require(`
type devicekit_t;
')
allow $1 devicekit_t:unix_dgram_socket sendto;
')
########################################
## <summary>
## Send and receive messages from
## devicekit over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`devicekit_dbus_chat',`
gen_require(`
type devicekit_t;
class dbus send_msg;
')
allow $1 devicekit_t:dbus send_msg;
allow devicekit_t $1:dbus send_msg;
')
########################################
## <summary>
## Send and receive messages from
## devicekit disk over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`devicekit_dbus_chat_disk',`
gen_require(`
type devicekit_disk_t;
class dbus send_msg;
')
allow $1 devicekit_disk_t:dbus send_msg;
allow devicekit_disk_t $1:dbus send_msg;
')
########################################
## <summary>
## Send signal devicekit power
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`devicekit_signal_power',`
gen_require(`
type devicekit_power_t;
')
allow $1 devicekit_power_t:process signal;
')
########################################
## <summary>
## Send and receive messages from
## devicekit power over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`devicekit_dbus_chat_power',`
gen_require(`
type devicekit_power_t;
class dbus send_msg;
')
allow $1 devicekit_power_t:dbus send_msg;
allow devicekit_power_t $1:dbus send_msg;
')
########################################
## <summary>
## Read devicekit PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`devicekit_read_pid_files',`
gen_require(`
type devicekit_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
')
########################################
## <summary>
## All of the rules required to administrate
## an devicekit environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the devicekit domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the user terminal.
## </summary>
## </param>
## <rolecap/>
#
interface(`devicekit_admin',`
gen_require(`
type devicekit_t, devicekit_disk_t, devicekit_power_t;
type devicekit_var_run_t;
')
allow $1 devicekit_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, devicekit_t)
allow $1 devicekit_disk_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, devicekit_disk_t)
allow $1 devicekit_power_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, devicekit_power_t)
admin_pattern($1, devicekit_tmp_t)
files_search_tmp($1)
admin_pattern($1, devicekit_var_lib_t)
files_search_var_lib($1)
admin_pattern($1, devicekit_var_run_t)
files_search_pids($1)
')

View File

@ -0,0 +1,219 @@
policy_module(devicekit, 1.0.0)
########################################
#
# Declarations
#
type devicekit_t;
type devicekit_exec_t;
dbus_system_domain(devicekit_t, devicekit_exec_t)
type devicekit_power_t;
type devicekit_power_exec_t;
dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
type devicekit_disk_t;
type devicekit_disk_exec_t;
dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
type devicekit_tmp_t;
files_tmp_file(devicekit_tmp_t)
type devicekit_var_run_t;
files_pid_file(devicekit_var_run_t)
type devicekit_var_lib_t;
files_type(devicekit_var_lib_t)
########################################
#
# DeviceKit local policy
#
allow devicekit_t self:unix_dgram_socket create_socket_perms;
manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
files_pid_filetrans(devicekit_t, devicekit_var_run_t, { file dir })
dev_read_sysfs(devicekit_t)
dev_read_urand(devicekit_t)
files_read_etc_files(devicekit_t)
miscfiles_read_localization(devicekit_t)
optional_policy(`
dbus_system_bus_client(devicekit_t)
allow devicekit_t devicekit_disk_t:dbus send_msg;
allow devicekit_t devicekit_power_t:dbus send_msg;
')
optional_policy(`
udev_read_db(devicekit_t)
')
########################################
#
# DeviceKit disk local policy
#
allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
files_tmp_filetrans(devicekit_disk_t, devicekit_tmp_t, { file dir })
manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
kernel_read_software_raid_state(devicekit_disk_t)
kernel_setsched(devicekit_disk_t)
corecmd_exec_bin(devicekit_disk_t)
dev_rw_sysfs(devicekit_disk_t)
dev_read_urand(devicekit_disk_t)
dev_getattr_usbfs_dirs(devicekit_disk_t)
files_manage_mnt_dirs(devicekit_disk_t)
files_read_etc_files(devicekit_disk_t)
files_read_etc_runtime_files(devicekit_disk_t)
files_read_usr_files(devicekit_disk_t)
fs_mount_all_fs(devicekit_disk_t)
fs_unmount_all_fs(devicekit_disk_t)
fs_manage_fusefs_dirs(devicekit_disk_t)
storage_raw_read_fixed_disk(devicekit_disk_t)
storage_raw_write_fixed_disk(devicekit_disk_t)
storage_raw_read_removable_device(devicekit_disk_t)
storage_raw_write_removable_device(devicekit_disk_t)
auth_use_nsswitch(devicekit_disk_t)
miscfiles_read_localization(devicekit_disk_t)
userdom_read_all_users_state(devicekit_disk_t)
userdom_search_user_home_dirs(devicekit_disk_t)
optional_policy(`
fstools_domtrans(devicekit_disk_t)
')
optional_policy(`
lvm_domtrans(devicekit_disk_t)
')
optional_policy(`
policykit_domtrans_auth(devicekit_disk_t)
policykit_read_lib(devicekit_disk_t)
policykit_read_reload(devicekit_disk_t)
')
optional_policy(`
mount_domtrans(devicekit_disk_t)
')
optional_policy(`
dbus_system_bus_client(devicekit_disk_t)
allow devicekit_disk_t devicekit_t:dbus send_msg;
optional_policy(`
consolekit_dbus_chat(devicekit_disk_t)
')
')
optional_policy(`
udev_domtrans(devicekit_disk_t)
udev_read_db(devicekit_disk_t)
')
########################################
#
# DeviceKit-Power local policy
#
allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice sys_ptrace };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
kernel_read_network_state(devicekit_power_t)
kernel_read_system_state(devicekit_power_t)
kernel_rw_hotplug_sysctls(devicekit_power_t)
kernel_rw_kernel_sysctl(devicekit_power_t)
corecmd_exec_bin(devicekit_power_t)
corecmd_exec_shell(devicekit_power_t)
consoletype_exec(devicekit_power_t)
domain_read_all_domains_state(devicekit_power_t)
dev_rw_generic_usb_dev(devicekit_power_t)
dev_rw_netcontrol(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
files_read_kernel_img(devicekit_power_t)
files_read_etc_files(devicekit_power_t)
files_read_usr_files(devicekit_power_t)
term_use_all_terms(devicekit_power_t)
auth_use_nsswitch(devicekit_power_t)
miscfiles_read_localization(devicekit_power_t)
userdom_read_all_users_state(devicekit_power_t)
optional_policy(`
bootloader_domtrans(devicekit_power_t)
')
optional_policy(`
dbus_system_bus_client(devicekit_power_t)
allow devicekit_power_t devicekit_t:dbus send_msg;
optional_policy(`
consolekit_dbus_chat(devicekit_power_t)
')
optional_policy(`
networkmanager_dbus_chat(devicekit_power_t)
')
optional_policy(`
rpm_dbus_chat(devicekit_power_t)
')
')
optional_policy(`
fstools_domtrans(devicekit_power_t)
')
optional_policy(`
hal_domtrans_mac(devicekit_power_t)
hal_manage_pid_dirs(devicekit_power_t)
hal_manage_pid_files(devicekit_power_t)
hal_dbus_chat(devicekit_power_t)
')
optional_policy(`
policykit_domtrans_auth(devicekit_power_t)
policykit_read_lib(devicekit_power_t)
policykit_read_reload(devicekit_power_t)
')
optional_policy(`
vbetool_domtrans(devicekit_power_t)
')