nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
a3f02b2f6c
selinux-refpolicy/policy/modules/system/udev.if
Markus Linnala 9127219358 policy: interfaces: doc: indent param blocks consistently 
There is more than 5000 parameter documentations. Only about 300 are
differently done. Change them to be consistently indented.

param with one space
and content inside with one tab

This was done with:

sed -ri '
/^##[[:space:]]*<param/,/^##[[:space:]]*<[/]param>/{
	s/^##[[:space:]]*/##\t/;
	s/^##[[:space:]]*(<[/]?summary)/##\t\1/;
	s/^##[[:space:]]*(<[/]?param)/## \1/;
}' policy/modules/*/*.if

Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 12:19:25 +03:00

660 lines
13 KiB
Plaintext
Raw Blame History

## <summary>Policy for udev.</summary>
########################################
## <summary>
## Send generic signals to udev.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_signal',`
gen_require(`
type udev_t;
')
allow $1 udev_t:process signal;
')
########################################
## <summary>
## Execute udev in the udev domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`udev_domtrans',`
gen_require(`
type udev_t, udev_exec_t;
')
domtrans_pattern($1, udev_exec_t, udev_t)
')
########################################
## <summary>
## Allow udev to execute the specified program in
## the specified domain.
## </summary>
## <desc>
## <p>
## This is a interface to support the UDEV 'RUN'
## command. This will allow the command run by
## udev to be run in a domain other than udev_t.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to execute in.
## </summary>
## </param>
## <param name="entry_file">
## <summary>
## Domain entry point file.
## </summary>
## </param>
#
interface(`udev_run_domain',`
gen_require(`
type udev_t;
')
domtrans_pattern(udev_t,$2,$1)
')
########################################
## <summary>
## Execute udev in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_exec',`
gen_require(`
type udev_exec_t;
')
can_exec($1, udev_exec_t)
')
########################################
## <summary>
## Execute a udev helper in the udev domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`udev_helper_domtrans',`
gen_require(`
type udev_t, udev_helper_exec_t;
')
domtrans_pattern($1, udev_helper_exec_t, udev_t)
')
########################################
## <summary>
## Allow process to read udev process state.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_read_state',`
gen_require(`
type udev_t;
')
kernel_search_proc($1)
allow $1 udev_t:file read_file_perms;
allow $1 udev_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
## Allow domain to create uevent sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_create_kobject_uevent_sockets',`
gen_require(`
type udev_t;
')
allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
')
########################################
## <summary>
## Do not audit attempts to inherit a
## udev file descriptor.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`udev_dontaudit_use_fds',`
gen_require(`
type udev_t;
')
dontaudit $1 udev_t:fd use;
')
########################################
## <summary>
## Do not audit attempts to read or write
## to a udev unix datagram socket.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`udev_dontaudit_rw_dgram_sockets',`
gen_require(`
type udev_t;
')
dontaudit $1 udev_t:unix_dgram_socket { read write };
')
########################################
## <summary>
## Manage udev rules files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_manage_rules_files',`
gen_require(`
type udev_rules_t;
')
manage_files_pattern($1, udev_rules_t, udev_rules_t)
files_search_etc($1)
udev_search_runtime($1)
')
########################################
## <summary>
## Relabel udev rules directories
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_relabel_rules_dirs',`
gen_require(`
type udev_rules_t;
')
relabel_dirs_pattern($1, udev_rules_t, udev_rules_t)
files_search_etc($1)
')
########################################
## <summary>
## Relabel udev rules files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_relabel_rules_files',`
gen_require(`
type udev_rules_t;
')
relabel_files_pattern($1, udev_rules_t, udev_rules_t)
files_search_etc($1)
')
########################################
## <summary>
## Do not audit search of udev database directories. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`udev_dontaudit_search_db',`
refpolicywarn(`$0($*) has been deprecated.')
')
########################################
## <summary>
## Read the udev device table. (Deprecated)
## </summary>
## <desc>
## <p>
## Allow the specified domain to read the udev device table. (Deprecated)
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`udev_read_db',`
refpolicywarn(`$0($*) has been deprecated.')
')
########################################
## <summary>
## Allow process to modify list of devices. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_rw_db',`
refpolicywarn(`$0($*) has been deprecated.')
')
########################################
## <summary>
## Allow process to relabelto udev database (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_relabelto_db',`
refpolicywarn(`$0($*) has been deprecated.')
')
########################################
## <summary>
## Allow process to relabelto sockets in /run/udev (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_relabelto_db_sockets',`
refpolicywarn(`$0($*) has been deprecated.')
')
########################################
## <summary>
## Search through udev pid content (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_search_pids',`
refpolicywarn(`$0($*) has been deprecated, please use udev_search_runtime() instead.')
udev_search_runtime($1)
')
########################################
## <summary>
## list udev pid content (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_list_pids',`
refpolicywarn(`$0($*) has been deprecated, please use udev_list_runtime() instead.')
udev_list_runtime($1)
')
########################################
## <summary>
## Create, read, write, and delete
## udev pid directories (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_manage_pid_dirs',`
refpolicywarn(`$0($*) has been deprecated, please use udev_manage_runtime_dirs() instead.')
udev_manage_runtime_dirs($1)
')
########################################
## <summary>
## Read udev pid files. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_read_pid_files',`
refpolicywarn(`$0($*) has been deprecated, please use udev_read_runtime_files() instead.')
udev_read_runtime_files($1)
')
########################################
## <summary>
## dontaudit attempts to read/write udev pidfiles (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_dontaudit_rw_pid_files',`
refpolicywarn(`$0($*) has been deprecated, please use udev_dontaudit_rw_runtime_files() instead.')
udev_dontaudit_rw_runtime_files($1)
')
########################################
## <summary>
## Create, read, write, and delete
## udev pid files. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_manage_pid_files',`
refpolicywarn(`$0($*) has been deprecated, please use udev_manage_runtime_files() instead.')
udev_manage_runtime_files($1)
')
########################################
## <summary>
## Create directories in the run location with udev_runtime_t type (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## Name of the directory that is created
## </summary>
## </param>
#
interface(`udev_generic_pid_filetrans_run_dirs',`
refpolicywarn(`$0($*) has been deprecated.')
')
########################################
## <summary>
## Search through udev runtime dirs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_search_runtime',`
gen_require(`
type udev_runtime_t;
')
files_search_runtime($1)
search_dirs_pattern($1, udev_runtime_t, udev_runtime_t)
')
########################################
## <summary>
## List udev runtime dirs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_list_runtime',`
gen_require(`
type udev_runtime_t;
')
files_search_runtime($1)
allow $1 udev_runtime_t:dir list_dir_perms;
')
########################################
## <summary>
## Create, read, write, and delete
## udev runtime directories
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_manage_runtime_dirs',`
gen_require(`
type udev_runtime_t;
')
files_search_var($1)
manage_dirs_pattern($1, udev_runtime_t, udev_runtime_t)
')
########################################
## <summary>
## Read udev runtime files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_read_runtime_files',`
gen_require(`
type udev_runtime_t;
')
files_search_runtime($1)
read_files_pattern($1, udev_runtime_t, udev_runtime_t)
')
########################################
## <summary>
## dontaudit attempts to read/write udev runtime files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_dontaudit_rw_runtime_files',`
gen_require(`
type udev_runtime_t;
')
dontaudit $1 udev_runtime_t:file { read write };
')
########################################
## <summary>
## Create, read, write, and delete
## udev runtime files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_manage_runtime_files',`
gen_require(`
type udev_runtime_t;
')
files_search_runtime($1)
manage_files_pattern($1, udev_runtime_t, udev_runtime_t)
')
########################################
## <summary>
## Execute udev admin in the udevadm domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`udev_domtrans_udevadm',`
gen_require(`
type udevadm_t, udev_exec_t;
')
domtrans_pattern($1, udev_exec_t, udevadm_t)
')
########################################
## <summary>
## Execute udev admin in the udevadm domain. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`udevadm_domtrans',`
refpolicywarn(`$0($*) has been deprecated, use udev_domtrans_udevadm() instead.')
udev_domtrans_udevadm($1)
')
########################################
## <summary>
## Execute udevadm in the udevadm domain, and
## allow the specified role the udevadm domain. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`udevadm_run',`
refpolicywarn(`$0($*) has been deprecated, use udev_run_udevadm() instead.')
udev_run_udevadm($1, $2)
')
########################################
## <summary>
## Execute udevadm in the udevadm domain, and
## allow the specified role the udevadm domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`udev_run_udevadm',`
gen_require(`
attribute_role udevadm_roles;
')
udev_domtrans_udevadm($1)
roleattribute $2 udevadm_roles;
')
########################################
## <summary>
## Execute udevadm in the caller domain. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udevadm_exec',`
refpolicywarn(`$0($*) has been deprecated, use udev_exec_udevadm() instead.')
udev_exec_udevadm($1)
')
########################################
## <summary>
## Execute udevadm in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_exec_udevadm',`
gen_require(`
type udev_exec_t;
')
can_exec($1, udev_exec_t)
')
Reference in New Issue View Git Blame Copy Permalink