selinux-refpolicy/policy/modules/services/devicekit.te
Dave Sugar 6ff1259688 domain: move kernel_read_crypto_sysctls to a common location
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2022-09-14 17:03:04 -04:00

349 lines
9.8 KiB
Plaintext

policy_module(devicekit)
########################################
#
# Declarations
#
type devicekit_t;
type devicekit_exec_t;
dbus_system_domain(devicekit_t, devicekit_exec_t)
type devicekit_power_t;
type devicekit_power_exec_t;
dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
type devicekit_disk_t;
type devicekit_disk_exec_t;
dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
type devicekit_runtime_t alias devicekit_var_run_t;
files_runtime_file(devicekit_runtime_t)
type devicekit_tmp_t;
files_tmp_file(devicekit_tmp_t)
type devicekit_var_lib_t;
files_type(devicekit_var_lib_t)
type devicekit_var_log_t;
logging_log_file(devicekit_var_log_t)
########################################
#
# Local policy
#
allow devicekit_t self:unix_dgram_socket create_socket_perms;
manage_dirs_pattern(devicekit_t, devicekit_runtime_t, devicekit_runtime_t)
manage_files_pattern(devicekit_t, devicekit_runtime_t, devicekit_runtime_t)
files_runtime_filetrans(devicekit_t, devicekit_runtime_t, { dir file })
kernel_read_system_state(devicekit_t)
dev_read_sysfs(devicekit_t)
dev_read_rand(devicekit_t)
dev_read_urand(devicekit_t)
files_read_etc_files(devicekit_t)
miscfiles_read_localization(devicekit_t)
optional_policy(`
dbus_system_bus_client(devicekit_t)
allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg;
')
optional_policy(`
xserver_dbus_chat_xdm(devicekit_power_t)
')
########################################
#
# Disk local policy
#
allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio };
allow devicekit_disk_t self:capability2 wake_alarm;
allow devicekit_disk_t self:process { getsched setsched signal_perms };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
files_tmp_filetrans(devicekit_disk_t, devicekit_tmp_t, { dir file })
manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
allow devicekit_disk_t devicekit_runtime_t:dir mounton;
manage_dirs_pattern(devicekit_disk_t, devicekit_runtime_t, devicekit_runtime_t)
manage_files_pattern(devicekit_disk_t, devicekit_runtime_t, devicekit_runtime_t)
files_runtime_filetrans(devicekit_disk_t, devicekit_runtime_t, { dir file })
kernel_getattr_message_if(devicekit_disk_t)
kernel_list_unlabeled(devicekit_disk_t)
kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
kernel_read_fs_sysctls(devicekit_disk_t)
kernel_read_network_state(devicekit_disk_t)
kernel_read_software_raid_state(devicekit_disk_t)
kernel_read_system_state(devicekit_disk_t)
kernel_read_vm_overcommit_sysctl(devicekit_disk_t)
kernel_request_load_module(devicekit_disk_t)
kernel_setsched(devicekit_disk_t)
kernel_manage_unlabeled_dirs(devicekit_disk_t)
corecmd_exec_bin(devicekit_disk_t)
corecmd_exec_shell(devicekit_disk_t)
corecmd_getattr_all_executables(devicekit_disk_t)
dev_getattr_all_chr_files(devicekit_disk_t)
dev_getattr_mtrr_dev(devicekit_disk_t)
dev_getattr_usbfs_dirs(devicekit_disk_t)
dev_read_rand(devicekit_disk_t)
dev_read_urand(devicekit_disk_t)
dev_rw_sysfs(devicekit_disk_t)
domain_getattr_all_pipes(devicekit_disk_t)
domain_getattr_all_sockets(devicekit_disk_t)
domain_getattr_all_stream_sockets(devicekit_disk_t)
domain_read_all_domains_state(devicekit_disk_t)
files_dontaudit_read_all_symlinks(devicekit_disk_t)
files_getattr_all_sockets(devicekit_disk_t)
files_getattr_all_dirs(devicekit_disk_t)
files_getattr_all_files(devicekit_disk_t)
files_getattr_all_pipes(devicekit_disk_t)
files_manage_boot_dirs(devicekit_disk_t)
files_manage_mnt_dirs(devicekit_disk_t)
files_read_etc_runtime_files(devicekit_disk_t)
files_read_usr_files(devicekit_disk_t)
files_watch_etc_dirs(devicekit_disk_t)
fs_getattr_all_fs(devicekit_disk_t)
fs_list_inotifyfs(devicekit_disk_t)
fs_manage_fusefs_dirs(devicekit_disk_t)
fs_mount_all_fs(devicekit_disk_t)
fs_unmount_all_fs(devicekit_disk_t)
fs_search_all(devicekit_disk_t)
mls_file_read_all_levels(devicekit_disk_t)
mls_file_write_to_clearance(devicekit_disk_t)
mount_rw_runtime_files(devicekit_disk_t)
storage_raw_read_fixed_disk(devicekit_disk_t)
storage_raw_write_fixed_disk(devicekit_disk_t)
storage_raw_read_removable_device(devicekit_disk_t)
storage_raw_write_removable_device(devicekit_disk_t)
term_use_all_terms(devicekit_disk_t)
auth_use_nsswitch(devicekit_disk_t)
logging_send_syslog_msg(devicekit_disk_t)
miscfiles_read_localization(devicekit_disk_t)
userdom_read_all_users_state(devicekit_disk_t)
userdom_search_user_home_dirs(devicekit_disk_t)
optional_policy(`
dbus_system_bus_client(devicekit_disk_t)
allow devicekit_disk_t devicekit_t:dbus send_msg;
optional_policy(`
policykit_dbus_chat(devicekit_disk_t)
')
optional_policy(`
# gwenview triggers the need for this
xserver_dbus_chat_xdm(devicekit_disk_t)
')
')
optional_policy(`
dmidecode_domtrans(devicekit_disk_t)
')
optional_policy(`
fstools_domtrans(devicekit_disk_t)
')
optional_policy(`
lvm_domtrans(devicekit_disk_t)
')
optional_policy(`
mount_domtrans(devicekit_disk_t)
mount_rw_runtime_files(devicekit_disk_t)
')
optional_policy(`
policykit_domtrans_auth(devicekit_disk_t)
policykit_read_lib(devicekit_disk_t)
policykit_read_reload(devicekit_disk_t)
')
optional_policy(`
raid_domtrans_mdadm(devicekit_disk_t)
')
optional_policy(`
udev_domtrans_udevadm(devicekit_disk_t)
udev_read_runtime_files(devicekit_disk_t)
')
optional_policy(`
virt_manage_images(devicekit_disk_t)
')
########################################
#
# Power local policy
#
allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_nice sys_ptrace sys_tty_config };
allow devicekit_power_t self:capability2 wake_alarm;
allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
allow devicekit_power_t self:unix_stream_socket create_socket_perms;
allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir })
manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
allow devicekit_power_t devicekit_var_log_t:file append_file_perms;
allow devicekit_power_t devicekit_var_log_t:file create_file_perms;
allow devicekit_power_t devicekit_var_log_t:file setattr_file_perms;
logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
manage_dirs_pattern(devicekit_power_t, devicekit_runtime_t, devicekit_runtime_t)
manage_files_pattern(devicekit_power_t, devicekit_runtime_t, devicekit_runtime_t)
files_runtime_filetrans(devicekit_power_t, devicekit_runtime_t, { dir file })
kernel_read_fs_sysctls(devicekit_power_t)
kernel_read_network_state(devicekit_power_t)
kernel_read_system_state(devicekit_power_t)
kernel_rw_hotplug_sysctls(devicekit_power_t)
kernel_rw_kernel_sysctl(devicekit_power_t)
kernel_rw_vm_sysctls(devicekit_power_t)
kernel_search_debugfs(devicekit_power_t)
kernel_write_proc_files(devicekit_power_t)
kernel_setsched(devicekit_power_t)
corecmd_exec_bin(devicekit_power_t)
corecmd_exec_shell(devicekit_power_t)
dev_read_input(devicekit_power_t)
dev_read_urand(devicekit_power_t)
dev_rw_generic_usb_dev(devicekit_power_t)
dev_rw_generic_chr_files(devicekit_power_t)
dev_rw_pmqos(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
dev_read_rand(devicekit_power_t)
dev_getattr_all_blk_files(devicekit_power_t)
dev_getattr_all_chr_files(devicekit_power_t)
domain_read_all_domains_state(devicekit_power_t)
files_read_kernel_img(devicekit_power_t)
files_read_etc_runtime_files(devicekit_power_t)
files_read_usr_files(devicekit_power_t)
files_dontaudit_list_mnt(devicekit_power_t)
fs_getattr_all_fs(devicekit_power_t)
fs_list_inotifyfs(devicekit_power_t)
term_use_all_terms(devicekit_power_t)
auth_use_nsswitch(devicekit_power_t)
init_all_labeled_script_domtrans(devicekit_power_t)
init_read_utmp(devicekit_power_t)
init_search_run(devicekit_power_t)
logging_send_syslog_msg(devicekit_power_t)
miscfiles_read_localization(devicekit_power_t)
sysnet_domtrans_ifconfig(devicekit_power_t)
sysnet_domtrans_dhcpc(devicekit_power_t)
userdom_read_all_users_state(devicekit_power_t)
optional_policy(`
bootloader_domtrans(devicekit_power_t)
')
optional_policy(`
consoletype_exec(devicekit_power_t)
')
optional_policy(`
dbus_system_bus_client(devicekit_power_t)
init_dbus_chat(devicekit_power_t)
allow devicekit_power_t devicekit_t:dbus send_msg;
optional_policy(`
networkmanager_dbus_chat(devicekit_power_t)
')
optional_policy(`
policykit_dbus_chat(devicekit_power_t)
')
optional_policy(`
rpm_dbus_chat(devicekit_power_t)
')
')
optional_policy(`
fstools_domtrans(devicekit_power_t)
')
optional_policy(`
modutils_domtrans(devicekit_power_t)
')
optional_policy(`
mount_domtrans(devicekit_power_t)
')
optional_policy(`
networkmanager_domtrans(devicekit_power_t)
')
optional_policy(`
policykit_domtrans_auth(devicekit_power_t)
policykit_read_lib(devicekit_power_t)
policykit_read_reload(devicekit_power_t)
')
optional_policy(`
systemd_write_inherited_logind_inhibit_pipes(devicekit_power_t)
')
optional_policy(`
udev_manage_runtime_files(devicekit_power_t)
')
optional_policy(`
usbmuxd_stream_connect(devicekit_power_t)
')
optional_policy(`
vbetool_domtrans(devicekit_power_t)
')