selinux-refpolicy/policy/modules/apps/userhelper.te
Chris PeBenito 613708cad6 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-07-04 09:30:45 -04:00

165 lines
5.0 KiB
Plaintext

policy_module(userhelper, 1.12.1)
########################################
#
# Declarations
#
attribute consolehelper_type;
attribute userhelper_type;
attribute_role consolehelper_roles;
attribute_role userhelper_roles;
type userhelper_conf_t;
files_config_file(userhelper_conf_t)
type userhelper_exec_t;
application_executable_file(userhelper_exec_t)
type consolehelper_exec_t;
application_executable_file(consolehelper_exec_t)
########################################
#
# Common consolehelper domain local policy
#
allow consolehelper_type self:capability { dac_override setgid setuid };
allow consolehelper_type self:process signal;
allow consolehelper_type self:fifo_file rw_fifo_file_perms;
allow consolehelper_type self:unix_stream_socket create_stream_socket_perms;
allow consolehelper_type self:shm create_shm_perms;
dontaudit consolehelper_type userhelper_conf_t:file audit_access;
read_files_pattern(consolehelper_type, userhelper_conf_t, userhelper_conf_t)
domain_use_interactive_fds(consolehelper_type)
kernel_read_system_state(consolehelper_type)
kernel_read_kernel_sysctls(consolehelper_type)
corecmd_exec_bin(consolehelper_type)
dev_getattr_all_chr_files(consolehelper_type)
dev_dontaudit_list_all_dev_nodes(consolehelper_type)
files_read_config_files(consolehelper_type)
files_read_usr_files(consolehelper_type)
fs_getattr_all_dirs(consolehelper_type)
fs_getattr_all_fs(consolehelper_type)
fs_search_auto_mountpoints(consolehelper_type)
files_search_mnt(consolehelper_type)
term_list_ptys(consolehelper_type)
auth_search_pam_console_data(consolehelper_type)
auth_read_pam_runtime_files(consolehelper_type)
miscfiles_read_localization(consolehelper_type)
miscfiles_read_fonts(consolehelper_type)
userhelper_exec(consolehelper_type)
userdom_use_user_terminals(consolehelper_type)
# might want to make this consolehelper_tmp_t
userdom_manage_user_tmp_dirs(consolehelper_type)
userdom_manage_user_tmp_files(consolehelper_type)
userdom_tmp_filetrans_user_tmp(consolehelper_type, { dir file })
userdom_user_runtime_filetrans_user_tmp(consolehelper_type, { dir file })
tunable_policy(`use_nfs_home_dirs',`
fs_search_nfs(consolehelper_type)
')
tunable_policy(`use_samba_home_dirs',`
fs_search_cifs(consolehelper_type)
')
optional_policy(`
shutdown_run(consolehelper_type, consolehelper_roles)
shutdown_signal(consolehelper_type)
')
optional_policy(`
xserver_domtrans_xauth(consolehelper_type)
xserver_read_xdm_runtime_files(consolehelper_type)
xserver_stream_connect(consolehelper_type)
')
########################################
#
# Common userhelper domain local policy
#
allow userhelper_type self:capability { chown dac_override net_bind_service setgid setuid sys_tty_config };
allow userhelper_type self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow userhelper_type self:fd use;
allow userhelper_type self:fifo_file rw_fifo_file_perms;
allow userhelper_type self:shm create_shm_perms;
allow userhelper_type self:sem create_sem_perms;
allow userhelper_type self:msgq create_msgq_perms;
allow userhelper_type self:msg { send receive };
allow userhelper_type self:unix_dgram_socket sendto;
allow userhelper_type self:unix_stream_socket { accept connectto listen };
dontaudit userhelper_type userhelper_conf_t:file audit_access;
read_files_pattern(userhelper_type, userhelper_conf_t, userhelper_conf_t)
can_exec(userhelper_type, userhelper_exec_t)
kernel_read_all_sysctls(userhelper_type)
kernel_getattr_debugfs(userhelper_type)
kernel_read_system_state(userhelper_type)
corecmd_exec_shell(userhelper_type)
domain_use_interactive_fds(userhelper_type)
domain_sigchld_interactive_fds(userhelper_type)
dev_read_urand(userhelper_type)
dev_list_all_dev_nodes(userhelper_type)
files_list_var_lib(userhelper_type)
files_read_var_files(userhelper_type)
files_read_var_symlinks(userhelper_type)
files_search_home(userhelper_type)
fs_getattr_all_fs(userhelper_type)
fs_search_auto_mountpoints(userhelper_type)
selinux_get_fs_mount(userhelper_type)
selinux_validate_context(userhelper_type)
selinux_compute_access_vector(userhelper_type)
selinux_compute_create_context(userhelper_type)
selinux_compute_relabel_context(userhelper_type)
selinux_compute_user_contexts(userhelper_type)
term_list_ptys(userhelper_type)
term_relabel_all_ttys(userhelper_type)
term_relabel_all_ptys(userhelper_type)
term_use_all_ttys(userhelper_type)
term_use_all_ptys(userhelper_type)
auth_manage_pam_runtime_dirs(userhelper_type)
auth_manage_pam_runtime_files(userhelper_type)
auth_manage_var_auth(userhelper_type)
auth_search_pam_console_data(userhelper_type)
init_use_fds(userhelper_type)
init_manage_utmp(userhelper_type)
init_runtime_filetrans_utmp(userhelper_type)
logging_send_syslog_msg(userhelper_type)
miscfiles_read_localization(userhelper_type)
seutil_read_config(userhelper_type)
seutil_read_default_contexts(userhelper_type)
optional_policy(`
rpm_domtrans(userhelper_type)
')