3639880cf6
Significant contributions from the Tresys CLIP team. Other changes from Laurent Bigonville.
196 lines
3.8 KiB
Plaintext
196 lines
3.8 KiB
Plaintext
## <summary>Systemd components (not PID 1)</summary>
|
|
|
|
######################################
|
|
## <summary>
|
|
## Read systemd_login PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_read_logind_pids',`
|
|
gen_require(`
|
|
type systemd_logind_var_run_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Manage systemd_login PID pipes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_manage_logind_pid_pipes',`
|
|
gen_require(`
|
|
type systemd_logind_var_run_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
manage_fifo_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Use inherited systemd
|
|
## logind file descriptors.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_use_logind_fds',`
|
|
gen_require(`
|
|
type systemd_logind_t;
|
|
')
|
|
|
|
allow $1 systemd_logind_t:fd use;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send and receive messages from
|
|
## systemd logind over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_dbus_chat_logind',`
|
|
gen_require(`
|
|
type systemd_logind_t;
|
|
class dbus send_msg;
|
|
')
|
|
|
|
allow $1 systemd_logind_t:dbus send_msg;
|
|
allow systemd_logind_t $1:dbus send_msg;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow process to write to systemd_kmod_conf_t.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`systemd_write_kmod_files',`
|
|
gen_require(`
|
|
type systemd_kmod_conf_t;
|
|
')
|
|
|
|
write_files_pattern($1, var_run_t, systemd_kmod_conf_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow process to relabel to systemd_kmod_conf_t.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`systemd_relabelto_kmod_files',`
|
|
gen_require(`
|
|
type systemd_kmod_conf_t;
|
|
')
|
|
|
|
allow $1 systemd_kmod_conf_t:file relabelto_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read systemd homedir content
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_read_home_content',`
|
|
gen_require(`
|
|
type systemd_home_t;
|
|
')
|
|
|
|
optional_policy(`
|
|
gnome_search_gconf_data_dir($1)
|
|
')
|
|
read_files_pattern($1, systemd_home_t, systemd_home_t)
|
|
read_lnk_files_pattern($1, systemd_home_t, systemd_home_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Get the system status information from systemd_login
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_status_logind',`
|
|
gen_require(`
|
|
type systemd_logind_t;
|
|
class service status;
|
|
')
|
|
|
|
allow $1 systemd_logind_t:service status;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send systemd_login a null signal.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_signull_logind',`
|
|
gen_require(`
|
|
type systemd_logind_t;
|
|
')
|
|
|
|
allow $1 systemd_logind_t:process signull;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow specified domain to start power units
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_start_power_units',`
|
|
gen_require(`
|
|
type power_unit_t;
|
|
class service start;
|
|
')
|
|
|
|
allow $1 power_unit_t:service start;
|
|
')
|