## Devicekit modular hardware abstraction layer. ######################################## ## ## Execute a domain transition to run devicekit. ## ## ## ## Domain allowed to transition. ## ## # interface(`devicekit_domtrans',` gen_require(` type devicekit_t, devicekit_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, devicekit_exec_t, devicekit_t) ') ######################################## ## ## Send to devicekit over a unix domain ## datagram socket. ## ## ## ## Domain allowed access. ## ## # interface(`devicekit_dgram_send',` gen_require(` type devicekit_t, devicekit_runtime_t; ') files_search_pids($1) dgram_send_pattern($1, devicekit_runtime_t, devicekit_runtime_t, devicekit_t) ') ######################################## ## ## Send and receive messages from ## devicekit over dbus. ## ## ## ## Domain allowed access. ## ## # interface(`devicekit_dbus_chat',` gen_require(` type devicekit_t; class dbus send_msg; ') allow $1 devicekit_t:dbus send_msg; allow devicekit_t $1:dbus send_msg; ') ######################################## ## ## Send and receive messages from ## devicekit disk over dbus. ## ## ## ## Domain allowed access. ## ## # interface(`devicekit_dbus_chat_disk',` gen_require(` type devicekit_disk_t; class dbus send_msg; ') allow $1 devicekit_disk_t:dbus send_msg; allow devicekit_disk_t $1:dbus send_msg; ') ######################################## ## ## Send generic signals to devicekit power. ## ## ## ## Domain allowed access. ## ## # interface(`devicekit_signal_power',` gen_require(` type devicekit_power_t; ') allow $1 devicekit_power_t:process signal; ') ######################################## ## ## Send and receive messages from ## devicekit power over dbus. ## ## ## ## Domain allowed access. ## ## # interface(`devicekit_dbus_chat_power',` gen_require(` type devicekit_power_t; class dbus send_msg; ') allow $1 devicekit_power_t:dbus send_msg; allow devicekit_power_t $1:dbus send_msg; ') ######################################## ## ## Use and inherit devicekit power ## file descriptors. ## ## ## ## Domain allowed access. ## ## # interface(`devicekit_use_fds_power',` gen_require(` type devicekit_power_t; ') allow $1 devicekit_power_t:fd use; ') ######################################## ## ## Append inherited devicekit log files. ## ## ## ## Domain allowed access. ## ## # interface(`devicekit_append_inherited_log_files',` gen_require(` type devicekit_var_log_t; ') logging_search_logs($1) allow $1 devicekit_var_log_t:file { getattr_file_perms append }; devicekit_use_fds_power($1) ') ######################################## ## ## Create, read, write, and delete ## devicekit log files. ## ## ## ## Domain allowed access. ## ## # interface(`devicekit_manage_log_files',` gen_require(` type devicekit_var_log_t; ') logging_search_logs($1) manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t) ') ######################################## ## ## Relabel devicekit log files. ## ## ## ## Domain allowed access. ## ## # interface(`devicekit_relabel_log_files',` gen_require(` type devicekit_var_log_t; ') logging_search_logs($1) relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t) ') ######################################## ## ## Read devicekit PID files. ## ## ## ## Domain allowed access. ## ## # interface(`devicekit_read_pid_files',` gen_require(` type devicekit_runtime_t; ') files_search_pids($1) read_files_pattern($1, devicekit_runtime_t, devicekit_runtime_t) ') ######################################## ## ## Create, read, write, and delete ## devicekit PID files. ## ## ## ## Domain allowed access. ## ## # interface(`devicekit_manage_pid_files',` gen_require(` type devicekit_runtime_t; ') files_search_pids($1) manage_files_pattern($1, devicekit_runtime_t, devicekit_runtime_t) ') ######################################## ## ## All of the rules required to ## administrate an devicekit environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## ## # interface(`devicekit_admin',` gen_require(` type devicekit_t, devicekit_disk_t, devicekit_power_t; type devicekit_var_lib_t, devicekit_runtime_t, devicekit_tmp_t; type devicekit_var_log_t; ') allow $1 { devicekit_t devicekit_disk_t devicekit_power_t }:process { ptrace signal_perms }; ps_process_pattern($1, { devicekit_t devicekit_disk_t devicekit_power_t }) files_search_tmp($1) admin_pattern($1, devicekit_tmp_t) files_search_var_lib($1) admin_pattern($1, devicekit_var_lib_t) logging_search_logs($1) admin_pattern($1, devicekit_var_log_t) files_search_pids($1) admin_pattern($1, devicekit_runtime_t) ')