selinux-refpolicy/policy/modules/services/rhgb.if

## <summary> Red Hat Graphical Boot.</summary>

########################################
## <summary>
##	RHGB stub interface.  No access allowed.
## </summary>
## <param name="domain" unused="true">
##	<summary>
##	N/A
##	</summary>
## </param>
#
interface(`rhgb_stub',`
	gen_require(`
		type rhgb_t;
	')
')

########################################
## <summary>
##	Inherit and use rhgb file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhgb_use_fds',`
	gen_require(`
		type rhgb_t;
	')

	allow $1 rhgb_t:fd use;
')

########################################
## <summary>
##	Get the process group of rhgb.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhgb_getpgid',`
	gen_require(`
		type rhgb_t;
	')

	allow $1 rhgb_t:process getpgid;
')

########################################
## <summary>
##	Send generic signals to rhgb.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhgb_signal',`
	gen_require(`
		type rhgb_t;
	')

	allow $1 rhgb_t:process signal;
')

########################################
## <summary>
##	Read and write inherited rhgb unix
##	domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhgb_rw_stream_sockets',`
	gen_require(`
		type rhgb_t;
	')

	allow $1 rhgb_t:unix_stream_socket { read write };
')

########################################
## <summary>
##	Do not audit attempts to read and write
##	rhgb unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`rhgb_dontaudit_rw_stream_sockets',`
	gen_require(`
		type rhgb_t;
	')

	dontaudit $1 rhgb_t:unix_stream_socket { read write };
')

########################################
## <summary>
##	Connected to rhgb with a unix
##	domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhgb_stream_connect',`
	gen_require(`
		type rhgb_t, rhgb_tmpfs_t;
	')

	fs_search_tmpfs($1)
	stream_connect_pattern($1, rhgb_tmpfs_t, rhgb_tmpfs_t, rhgb_t)
')

########################################
## <summary>
##	Read and write to rhgb shared memory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhgb_rw_shm',`
	gen_require(`
		type rhgb_t;
	')

	allow $1 rhgb_t:shm rw_shm_perms;
')

########################################
## <summary>
##	Read and write rhgb pty devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhgb_use_ptys',`
	gen_require(`
		type rhgb_devpts_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 rhgb_devpts_t:chr_file rw_term_perms;
')

########################################
## <summary>
##	Do not audit attempts to read and
##	write rhgb pty devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`rhgb_dontaudit_use_ptys',`
	gen_require(`
		type rhgb_devpts_t;
	')

	dontaudit $1 rhgb_devpts_t:chr_file rw_term_perms;
')

########################################
## <summary>
##	Read and write to rhgb tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhgb_rw_tmpfs_files',`
	gen_require(`
		type rhgb_tmpfs_t;
	')


	fs_search_tmpfs($1)
	allow $1 rhgb_tmpfs_t:file rw_file_perms;
')