#DESC Hotplug - Hardware event manager
#
# Author: Russell Coker
# X-Debian-Packages: hotplug
#

#################################
#
# Rules for the hotplug_t domain.
#
# hotplug_exec_t is the type of the hotplug executable.
#
# hotplug_t is entered from kernel_t via hotplug_exec_t (see the
# domain_auto_trans below) and from initrc_t via hotplug_etc_t scripts,
# so everything granted here is reachable from a kernel hotplug event.
#
# The unlimitedUtils build gives the daemon a much wider attribute set
# (admin, etc_writer, fs_domain, privmem, auth_write, privowner, domain,
# privlog, sysctl_kernel_writer) than the default branch, which only adds
# privmodule, privmail and nscd_client_domain.
# NOTE(review): confirm unlimitedUtils is not defined on production builds;
# the narrow branch is the one the rest of this file is written against.
ifdef(`unlimitedUtils', `
daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, privmail, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, nscd_client_domain')
', `
daemon_domain(hotplug, `, privmodule, privmail, nscd_client_domain')
')
# gives the domain its own /etc subtree type, hotplug_etc_t
etcdir_domain(hotplug)

# IPC and sockets owned by the domain itself
allow hotplug_t self:fifo_file { read write getattr ioctl };
allow hotplug_t self:unix_dgram_socket create_socket_perms;
allow hotplug_t self:unix_stream_socket create_socket_perms;
allow hotplug_t self:udp_socket create_socket_perms;
# sysctl access is read-only here; the net subtree is listed explicitly
read_sysctl(hotplug_t)
allow hotplug_t sysctl_net_t:dir r_dir_perms;
allow hotplug_t sysctl_net_t:file { getattr read };

# get info from /proc
r_dir_file(hotplug_t, proc_t)
allow hotplug_t self:file { getattr read ioctl };
allow hotplug_t devtty_t:chr_file rw_file_perms;
allow hotplug_t device_t:dir r_dir_perms;
# for SSP
allow hotplug_t urandom_device_t:chr_file read;

# Executable set for the domain.  Note that this includes etc_t and
# hotplug_etc_t, i.e. scripts under /etc are run in the hotplug_t domain
# rather than transitioning to a separate one; shell_exec_t and ls_exec_t
# likewise stay in hotplug_t.
allow hotplug_t { bin_t sbin_t }:dir search;
allow hotplug_t { bin_t sbin_t }:lnk_file read;
can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t })
ifdef(`hostname.te', `
can_exec(hotplug_t, hostname_exec_t)
dontaudit hostname_t hotplug_t:fd use;
')
ifdef(`netutils.te', `
ifdef(`distro_redhat', `
# for arping used for static IP addresses on PCMCIA ethernet
domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t)
allow hotplug_t tmpfs_t:dir search;
allow hotplug_t tmpfs_t:chr_file rw_file_perms;
')dnl end if distro_redhat
')dnl end if netutils.te
# The next two rules grant initrc_t, not hotplug_t; they live in this file
# presumably because the init scripts drive hotplug during boot.
allow initrc_t usbdevfs_t:file { getattr read ioctl };
allow initrc_t modules_dep_t:file { getattr read ioctl };
r_dir_file(hotplug_t, usbdevfs_t)
allow hotplug_t usbfs_t:dir r_dir_perms;
allow hotplug_t usbfs_t:file { getattr read };

# read config files
allow hotplug_t etc_t:dir r_dir_perms;
allow hotplug_t etc_t:{ file lnk_file } r_file_perms;
# the parent process is kernel_t (see the transition from kernel_t below)
allow hotplug_t kernel_t:process { sigchld setpgid };
ifdef(`distro_redhat', `
allow hotplug_t var_lock_t:dir search;
allow hotplug_t var_lock_t:file getattr;
')
ifdef(`hald.te', `
allow hotplug_t hald_t:unix_dgram_socket sendto;
allow hald_t hotplug_etc_t:dir search;
allow hald_t hotplug_etc_t:file { getattr read };
')

# for killall
allow hotplug_t self:process { getsession getattr };
# self:file getattr is already covered by the self:file rule above
allow hotplug_t self:file getattr;

# Entry point: the kernel runs the hotplug executable directly.
domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t)
# Helpers that get their own domain instead of running as hotplug_t.
ifdef(`mount.te', `
domain_auto_trans(hotplug_t, mount_exec_t, mount_t)
')
domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t)
ifdef(`updfstab.te', `
domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t)
')
# init scripts run /etc/hotplug/usb.rc
domain_auto_trans(initrc_t, hotplug_etc_t, hotplug_t)
allow initrc_t hotplug_etc_t:dir r_dir_perms;
ifdef(`iptables.te', `domain_auto_trans(hotplug_t, iptables_exec_t, iptables_t)')
r_dir_file(hotplug_t, modules_object_t)
allow hotplug_t modules_dep_t:file { getattr read ioctl };
# for lsmod
# dontaudit only silences the denial; module-related capabilities are not
# granted by this rule (module loading comes via the privmodule attribute
# in daemon_domain above, presumably).
dontaudit hotplug_t self:capability { sys_module sys_admin };
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit hotplug_t self:capability { dac_override dac_read_search };
ifdef(`fsadm.te', `
domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
')
allow hotplug_t var_log_t:dir search;

# for ps
dontaudit hotplug_t domain:dir { getattr search };
dontaudit hotplug_t { init_t kernel_t }:file read;
ifdef(`initrc.te', `
can_ps(hotplug_t, initrc_t)
')

# for when filesystems are not mounted early in the boot
dontaudit hotplug_t file_t:dir { search getattr };

# kernel threads inherit from shared descriptor table used by init
dontaudit hotplug_t initctl_t:fifo_file { read write };

# Read /usr/lib/gconv/.*
allow hotplug_t lib_t:file { getattr read };

# Capabilities actually granted (contrast with the dontaudit rules above).
# NOTE(review): sys_rawio is the broadest of these (raw device and port
# access); confirm which helper still needs it, since the author already
# keeps sys_admin and sys_module out of this set.
allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
# sysfs is writable (dir write plus rw_file_perms on files), which the
# hotplug scripts presumably use to configure newly attached devices.
allow hotplug_t sysfs_t:dir { getattr read search write };
allow hotplug_t sysfs_t:file rw_file_perms;
allow hotplug_t sysfs_t:lnk_file { getattr read };
r_dir_file(hotplug_t, hwdata_t)
allow hotplug_t udev_runtime_t:file rw_file_perms;
ifdef(`lpd.te', `
allow hotplug_t printer_device_t:chr_file setattr;
')
# setattr on device nodes (ownership/mode changes), not read/write
allow hotplug_t fixed_disk_device_t:blk_file setattr;
allow hotplug_t removable_device_t:blk_file setattr;
allow hotplug_t sound_device_t:chr_file setattr;
ifdef(`udev.te', `
domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t)
')
# Files the domain creates in etc_t directories are labelled etc_runtime_t,
# so the writable type is distinct from the etc_t files it can execute.
file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
can_network_server(hotplug_t)
can_ypbind(hotplug_t)
dbusd_client(system, hotplug)

# Allow hotplug (including /sbin/ifup-local) to start/stop services
# This is a transition into the init-script domain, so a hotplug event can
# reach everything initrc_t is allowed to do.
domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)

allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr };
allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
dontaudit hotplug_t selinux_config_t:dir search;