selinux-refpolicy/strict/domains/program/udev.te

153 lines
4.9 KiB
Plaintext

#DESC udev - Linux configurable dynamic device naming support
#
# Author: Dan Walsh dwalsh@redhat.com
#
#################################
#
# Rules for the udev_t domain.
#
# udev_exec_t is the type of the udev executable.
#
daemon_domain(udev, `, nscd_client_domain, privmodule, privmem, fs_domain, privfd, privowner, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocwrite')
general_domain_access(udev_t)
if (allow_execmem) {
# for alsactl
allow udev_t self:process execmem;
}
etc_domain(udev)
type udev_helper_exec_t, file_type, sysadmfile, exec_type;
can_exec_any(udev_t)
#
# Rules used for udev
#
type udev_tdb_t, file_type, sysadmfile, dev_fs;
typealias udev_tdb_t alias udev_tbl_t;
file_type_auto_trans(udev_t, device_t, udev_tdb_t, file)
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_nice mknod net_raw net_admin sys_rawio sys_nice };
allow udev_t self:file { getattr read };
allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
allow udev_t self:unix_dgram_socket create_socket_perms;
allow udev_t self:fifo_file rw_file_perms;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
allow udev_t device_t:file { unlink rw_file_perms };
allow udev_t device_t:sock_file create_file_perms;
allow udev_t device_t:lnk_file create_lnk_perms;
allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
ifdef(`distro_redhat', `
allow udev_t tmpfs_t:dir create_dir_perms;
allow udev_t tmpfs_t:{ sock_file file } create_file_perms;
allow udev_t tmpfs_t:lnk_file create_lnk_perms;
allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
allow udev_t tmpfs_t:dir search;
# for arping used for static IP addresses on PCMCIA ethernet
domain_auto_trans(udev_t, netutils_exec_t, netutils_t)
')
allow udev_t etc_t:file { getattr read ioctl };
allow udev_t { bin_t sbin_t }:dir r_dir_perms;
allow udev_t { sbin_t bin_t }:lnk_file read;
allow udev_t bin_t:lnk_file read;
can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )
can_exec(udev_t, udev_exec_t)
rw_dir_file(udev_t, sysfs_t)
allow udev_t sysadm_tty_device_t:chr_file { read write };
# to read the file_contexts file
r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
allow udev_t policy_config_t:dir search;
allow udev_t proc_t:file { getattr read ioctl };
allow udev_t proc_kcore_t:file getattr;
# Get security policy decisions.
can_getsecurity(udev_t)
# set file system create context
can_setfscreate(udev_t)
allow udev_t kernel_t:fd use;
allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
allow udev_t kernel_t:process signal;
allow udev_t initrc_var_run_t:file r_file_perms;
dontaudit udev_t initrc_var_run_t:file write;
domain_auto_trans(kernel_t, udev_exec_t, udev_t)
domain_auto_trans(udev_t, restorecon_exec_t, restorecon_t)
ifdef(`hide_broken_symptoms', `
dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
')
allow udev_t devpts_t:dir { getattr search };
allow udev_t etc_runtime_t:file { getattr read };
ifdef(`xdm.te', `
allow udev_t xdm_var_run_t:file { getattr read };
')
ifdef(`hotplug.te', `
r_dir_file(udev_t, hotplug_etc_t)
')
allow udev_t var_log_t:dir search;
ifdef(`consoletype.te', `
can_exec(udev_t, consoletype_exec_t)
')
ifdef(`pamconsole.te', `
allow udev_t pam_var_console_t:dir search;
allow udev_t pam_var_console_t:file { getattr read };
domain_auto_trans(udev_t, pam_console_exec_t, pam_console_t)
')
allow udev_t var_lock_t:dir search;
allow udev_t var_lock_t:file getattr;
domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t)
ifdef(`hide_broken_symptoms', `
dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
')
dontaudit udev_t file_t:dir search;
ifdef(`dhcpc.te', `
domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t)
')
allow udev_t udev_helper_exec_t:dir r_dir_perms;
dbusd_client(system, udev)
allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };
allow udev_t sysctl_dev_t:dir search;
allow udev_t mnt_t:dir search;
allow udev_t { sysctl_dev_t sysctl_modprobe_t sysctl_kernel_t sysctl_hotplug_t }:file { getattr read };
allow udev_t self:rawip_socket create_socket_perms;
dontaudit udev_t domain:dir r_dir_perms;
dontaudit udev_t ttyfile:chr_file unlink;
ifdef(`hotplug.te', `
r_dir_file(udev_t, hotplug_var_run_t)
')
r_dir_file(udev_t, modules_object_t)
#
# Udev is now writing dhclient-eth*.conf* files.
#
ifdef(`dhcpd.te', `define(`use_dhcp')')
ifdef(`dhcpc.te', `define(`use_dhcp')')
ifdef(`use_dhcp', `
allow udev_t dhcp_etc_t:file rw_file_perms;
file_type_auto_trans(udev_t, etc_t, dhcp_etc_t, file)
')
r_dir_file(udev_t, domain)
allow udev_t modules_dep_t:file r_file_perms;
nsswitch_domain(udev_t)
ifdef(`unlimitedUtils', `
unconfined_domain(udev_t)
')
dontaudit hostname_t udev_t:fd use;
ifdef(`use_mcs', `
range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
')