selinux-refpolicy/policy/modules/system/modutils.if

195 lines
3.8 KiB
Plaintext

## <summary>Policy for kernel module utilities</summary>
######################################
## <summary>
## Getattr the dependencies of kernel modules.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`modutils_getattr_module_deps',`
gen_require(`
type modules_dep_t;
')
files_search_kernel_modules($1)
allow $1 modules_dep_t:file getattr;
')
########################################
## <summary>
## Read the dependencies of kernel modules.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`modutils_read_module_deps',`
gen_require(`
type modules_dep_t;
')
files_list_kernel_modules($1)
allow $1 modules_dep_t:file { read_file_perms map };
')
########################################
## <summary>
## Read the configuration options used when
## loading modules.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`modutils_read_module_config',`
gen_require(`
type modules_conf_t;
')
# This file type can be in /etc or
# /lib(64)?/modules
files_search_etc($1)
files_search_boot($1)
allow $1 modules_conf_t:dir list_dir_perms;
allow $1 modules_conf_t:file read_file_perms;
allow $1 modules_conf_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
## Rename a file with the configuration options used when
## loading modules.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`modutils_rename_module_config',`
gen_require(`
type modules_conf_t;
')
rename_files_pattern($1, modules_conf_t, modules_conf_t)
')
########################################
## <summary>
## Unlink a file with the configuration options used when
## loading modules.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`modutils_delete_module_config',`
gen_require(`
type modules_conf_t;
')
delete_files_pattern($1, modules_conf_t, modules_conf_t)
')
########################################
## <summary>
## Manage files with the configuration options used when
## loading modules.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`modutils_manage_module_config',`
gen_require(`
type modules_conf_t;
')
manage_files_pattern($1, modules_conf_t, modules_conf_t)
')
########################################
## <summary>
## Execute any modutil,
## like insmod, kmod, depmod or updates-modules,
## in the kmod domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`modutils_domtrans',`
gen_require(`
type kmod_t, kmod_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, kmod_exec_t, kmod_t)
')
########################################
## <summary>
## Execute any modutil,
## like insmod, kmod, depmod or updates-modules,
## in the kmod domain, and allow the specified role
## the kmod domain, and use the caller's terminal.
## Has a sigchld backchannel.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`modutils_run',`
gen_require(`
attribute_role kmod_roles;
')
modutils_domtrans($1)
roleattribute $2 kmod_roles;
')
########################################
## <summary>
## Execute any modutil,
## like insmod, kmod, depmod or updates-modules,
## in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`modutils_exec',`
gen_require(`
type kmod_exec_t;
')
corecmd_search_bin($1)
can_exec($1, kmod_exec_t)
')