9127219358
There is more than 5000 parameter documentations. Only about 300 are
differently done. Change them to be consistently indented.
param with one space
and content inside with one tab
This was done with:
sed -ri '
/^##[[:space:]]*<param/,/^##[[:space:]]*<[/]param>/{
s/^##[[:space:]]*/##\t/;
s/^##[[:space:]]*(<[/]?summary)/##\t\1/;
s/^##[[:space:]]*(<[/]?param)/## \1/;
}' policy/modules/*/*.if
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
311 lines
6.4 KiB
Plaintext
311 lines
6.4 KiB
Plaintext
## <summary>Devicekit modular hardware abstraction layer.</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute a domain transition to run devicekit.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`devicekit_domtrans',`
|
|
gen_require(`
|
|
type devicekit_t, devicekit_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, devicekit_exec_t, devicekit_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send to devicekit over a unix domain
|
|
## datagram socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`devicekit_dgram_send',`
|
|
gen_require(`
|
|
type devicekit_t, devicekit_runtime_t;
|
|
')
|
|
|
|
files_search_runtime($1)
|
|
dgram_send_pattern($1, devicekit_runtime_t, devicekit_runtime_t, devicekit_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send and receive messages from
|
|
## devicekit over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`devicekit_dbus_chat',`
|
|
gen_require(`
|
|
type devicekit_t;
|
|
class dbus send_msg;
|
|
')
|
|
|
|
allow $1 devicekit_t:dbus send_msg;
|
|
allow devicekit_t $1:dbus send_msg;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send and receive messages from
|
|
## devicekit disk over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`devicekit_dbus_chat_disk',`
|
|
gen_require(`
|
|
type devicekit_disk_t;
|
|
class dbus send_msg;
|
|
')
|
|
|
|
allow $1 devicekit_disk_t:dbus send_msg;
|
|
allow devicekit_disk_t $1:dbus send_msg;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send generic signals to devicekit power.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`devicekit_signal_power',`
|
|
gen_require(`
|
|
type devicekit_power_t;
|
|
')
|
|
|
|
allow $1 devicekit_power_t:process signal;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send and receive messages from
|
|
## devicekit power over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`devicekit_dbus_chat_power',`
|
|
gen_require(`
|
|
type devicekit_power_t;
|
|
class dbus send_msg;
|
|
')
|
|
|
|
allow $1 devicekit_power_t:dbus send_msg;
|
|
allow devicekit_power_t $1:dbus send_msg;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Use and inherit devicekit power
|
|
## file descriptors.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`devicekit_use_fds_power',`
|
|
gen_require(`
|
|
type devicekit_power_t;
|
|
')
|
|
|
|
allow $1 devicekit_power_t:fd use;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Append inherited devicekit log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`devicekit_append_inherited_log_files',`
|
|
gen_require(`
|
|
type devicekit_var_log_t;
|
|
')
|
|
|
|
logging_search_logs($1)
|
|
allow $1 devicekit_var_log_t:file { getattr_file_perms append };
|
|
|
|
devicekit_use_fds_power($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete
|
|
## devicekit log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`devicekit_manage_log_files',`
|
|
gen_require(`
|
|
type devicekit_var_log_t;
|
|
')
|
|
|
|
logging_search_logs($1)
|
|
manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Relabel devicekit log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`devicekit_relabel_log_files',`
|
|
gen_require(`
|
|
type devicekit_var_log_t;
|
|
')
|
|
|
|
logging_search_logs($1)
|
|
relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read devicekit PID files. (Deprecated)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`devicekit_read_pid_files',`
|
|
refpolicywarn(`$0($*) has been deprecated, please use devicekit_read_runtime_files() instead.')
|
|
devicekit_read_runtime_files($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete
|
|
## devicekit PID files. (Deprecated)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`devicekit_manage_pid_files',`
|
|
refpolicywarn(`$0($*) has been deprecated, please use devicekit_manage_runtime_files() instead.')
|
|
devicekit_manage_runtime_files($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read devicekit runtime files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`devicekit_read_runtime_files',`
|
|
gen_require(`
|
|
type devicekit_runtime_t;
|
|
')
|
|
|
|
files_search_runtime($1)
|
|
read_files_pattern($1, devicekit_runtime_t, devicekit_runtime_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete
|
|
## devicekit runtime files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`devicekit_manage_runtime_files',`
|
|
gen_require(`
|
|
type devicekit_runtime_t;
|
|
')
|
|
|
|
files_search_runtime($1)
|
|
manage_files_pattern($1, devicekit_runtime_t, devicekit_runtime_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## All of the rules required to
|
|
## administrate an devicekit environment.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role" unused="true">
|
|
## <summary>
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`devicekit_admin',`
|
|
gen_require(`
|
|
type devicekit_t, devicekit_disk_t, devicekit_power_t;
|
|
type devicekit_var_lib_t, devicekit_runtime_t, devicekit_tmp_t;
|
|
type devicekit_var_log_t;
|
|
')
|
|
|
|
allow $1 { devicekit_t devicekit_disk_t devicekit_power_t }:process { ptrace signal_perms };
|
|
ps_process_pattern($1, { devicekit_t devicekit_disk_t devicekit_power_t })
|
|
|
|
files_search_tmp($1)
|
|
admin_pattern($1, devicekit_tmp_t)
|
|
|
|
files_search_var_lib($1)
|
|
admin_pattern($1, devicekit_var_lib_t)
|
|
|
|
logging_search_logs($1)
|
|
admin_pattern($1, devicekit_var_log_t)
|
|
|
|
files_search_runtime($1)
|
|
admin_pattern($1, devicekit_runtime_t)
|
|
')
|