175 lines
3.9 KiB
Plaintext
175 lines
3.9 KiB
Plaintext
policy_module(modutils, 1.17.2)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type kmod_t alias { insmod_t depmod_t update_modules_t };
|
|
type kmod_exec_t alias { insmod_exec_t depmod_exec_t update_modules_exec_t };
|
|
application_domain(kmod_t, kmod_exec_t)
|
|
kernel_domtrans_to(kmod_t, kmod_exec_t)
|
|
mls_file_write_all_levels(kmod_t)
|
|
role system_r types kmod_t;
|
|
|
|
# module loading config
|
|
type modules_conf_t;
|
|
files_type(modules_conf_t)
|
|
|
|
# module dependencies
|
|
type modules_dep_t;
|
|
files_type(modules_dep_t)
|
|
|
|
type kmod_var_run_t;
|
|
files_pid_file(kmod_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# insmod local policy
|
|
#
|
|
|
|
allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
|
|
allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
|
|
|
|
allow kmod_t self:udp_socket create_socket_perms;
|
|
allow kmod_t self:rawip_socket create_socket_perms;
|
|
|
|
# Read module config and dependency information
|
|
list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
|
|
read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
|
|
list_dirs_pattern(kmod_t, modules_dep_t, modules_dep_t)
|
|
manage_files_pattern(kmod_t, modules_dep_t, modules_dep_t)
|
|
filetrans_add_pattern(kmod_t, modules_object_t, modules_dep_t, file)
|
|
create_files_pattern(kmod_t, modules_object_t, modules_dep_t)
|
|
delete_files_pattern(kmod_t, modules_object_t, modules_dep_t)
|
|
|
|
can_exec(kmod_t, kmod_exec_t)
|
|
|
|
kernel_load_module(kmod_t)
|
|
kernel_request_load_module(kmod_t)
|
|
kernel_read_system_state(kmod_t)
|
|
kernel_read_network_state(kmod_t)
|
|
kernel_write_proc_files(kmod_t)
|
|
kernel_mount_debugfs(kmod_t)
|
|
kernel_mount_kvmfs(kmod_t)
|
|
kernel_read_debugfs(kmod_t)
|
|
kernel_search_key(kmod_t)
|
|
# Rules for /proc/sys/kernel/tainted
|
|
kernel_read_kernel_sysctls(kmod_t)
|
|
kernel_rw_kernel_sysctl(kmod_t)
|
|
kernel_read_hotplug_sysctls(kmod_t)
|
|
kernel_setsched(kmod_t)
|
|
# for when /var is not mounted early in the boot:
|
|
kernel_dontaudit_search_unlabeled(kmod_t)
|
|
|
|
corecmd_exec_bin(kmod_t)
|
|
corecmd_exec_shell(kmod_t)
|
|
|
|
# for /run/tmpfiles.d/kmod.conf
|
|
files_pid_filetrans(kmod_t, kmod_var_run_t, dir)
|
|
allow kmod_t kmod_var_run_t:dir manage_dir_perms;
|
|
allow kmod_t kmod_var_run_t:file manage_file_perms;
|
|
|
|
dev_rw_sysfs(kmod_t)
|
|
dev_search_usbfs(kmod_t)
|
|
dev_rw_mtrr(kmod_t)
|
|
dev_read_urand(kmod_t)
|
|
dev_rw_agp(kmod_t)
|
|
dev_read_sound(kmod_t)
|
|
dev_write_sound(kmod_t)
|
|
dev_rw_apm_bios(kmod_t)
|
|
|
|
domain_signal_all_domains(kmod_t)
|
|
domain_use_interactive_fds(kmod_t)
|
|
|
|
files_read_kernel_modules(kmod_t)
|
|
files_read_etc_runtime_files(kmod_t)
|
|
files_read_etc_files(kmod_t)
|
|
files_read_usr_files(kmod_t)
|
|
files_exec_etc_files(kmod_t)
|
|
# for nscd:
|
|
files_dontaudit_search_pids(kmod_t)
|
|
# to manage modules.dep
|
|
files_manage_kernel_modules(kmod_t)
|
|
|
|
fs_getattr_xattr_fs(kmod_t)
|
|
fs_dontaudit_use_tmpfs_chr_dev(kmod_t)
|
|
|
|
init_rw_initctl(kmod_t)
|
|
init_use_fds(kmod_t)
|
|
init_use_script_fds(kmod_t)
|
|
init_use_script_ptys(kmod_t)
|
|
|
|
logging_send_syslog_msg(kmod_t)
|
|
logging_search_logs(kmod_t)
|
|
|
|
miscfiles_read_localization(kmod_t)
|
|
|
|
seutil_read_file_contexts(kmod_t)
|
|
|
|
userdom_use_user_terminals(kmod_t)
|
|
|
|
userdom_dontaudit_search_user_home_dirs(kmod_t)
|
|
|
|
ifdef(`init_systemd',`
|
|
init_rw_stream_sockets(kmod_t)
|
|
|
|
systemd_write_kmod_files(kmod_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
alsa_domtrans(kmod_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
firstboot_dontaudit_rw_pipes(kmod_t)
|
|
firstboot_dontaudit_rw_stream_sockets(kmod_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
hal_write_log(kmod_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
hotplug_search_config(kmod_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mount_domtrans(kmod_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nis_use_ypbind(kmod_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_use(kmod_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
fs_manage_ramfs_files(kmod_t)
|
|
|
|
rhgb_use_fds(kmod_t)
|
|
rhgb_dontaudit_use_ptys(kmod_t)
|
|
|
|
xserver_dontaudit_write_log(kmod_t)
|
|
xserver_stream_connect(kmod_t)
|
|
xserver_dontaudit_rw_stream_sockets(kmod_t)
|
|
|
|
ifdef(`hide_broken_symptoms',`
|
|
xserver_dontaudit_rw_tcp_sockets(kmod_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
rpm_rw_pipes(kmod_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# cjp: why is this needed:
|
|
dev_rw_xserver_misc(kmod_t)
|
|
|
|
xserver_getattr_log(kmod_t)
|
|
')
|
|
|