nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
eea649c0f4
selinux-refpolicy/policy/modules/system/modutils.if
Luis Ressel 14107ce1c0 modutils: libkmod mmap()s modules.dep and *.ko's 
Note that not only kmod needs this permission, other libkmod consumers
like udev require it, too. Hence I'm adding the permission to the
relevant interfaces.
2017-09-11 20:31:23 -04:00

400 lines
8.4 KiB
Plaintext
Raw Blame History

## <summary>Policy for kernel module utilities</summary>
######################################
## <summary>
## Getattr the dependencies of kernel modules.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`modutils_getattr_module_deps',`
gen_require(`
type modules_dep_t;
')
getattr_files_pattern($1, modules_object_t, modules_dep_t)
')
########################################
## <summary>
## Read the dependencies of kernel modules.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`modutils_read_module_deps',`
gen_require(`
type modules_dep_t;
')
files_list_kernel_modules($1)
allow $1 modules_dep_t:file { read_file_perms map };
')
########################################
## <summary>
## Read the kernel modules.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`modutils_read_module_objects',`
gen_require(`
type modules_object_t;
')
files_list_kernel_modules($1)
allow $1 modules_object_t:file { read_file_perms map };
')
########################################
## <summary>
## Read the configuration options used when
## loading modules.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`modutils_read_module_config',`
gen_require(`
type modules_conf_t;
')
# This file type can be in /etc or
# /lib(64)?/modules
files_search_etc($1)
files_search_boot($1)
allow $1 modules_conf_t:dir list_dir_perms;
allow $1 modules_conf_t:file read_file_perms;
allow $1 modules_conf_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
## Rename a file with the configuration options used when
## loading modules.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`modutils_rename_module_config',`
gen_require(`
type modules_conf_t;
')
rename_files_pattern($1, modules_conf_t, modules_conf_t)
')
########################################
## <summary>
## Unlink a file with the configuration options used when
## loading modules.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`modutils_delete_module_config',`
gen_require(`
type modules_conf_t;
')
delete_files_pattern($1, modules_conf_t, modules_conf_t)
')
########################################
## <summary>
## Manage files with the configuration options used when
## loading modules.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`modutils_manage_module_config',`
gen_require(`
type modules_conf_t;
')
manage_files_pattern($1, modules_conf_t, modules_conf_t)
')
########################################
## <summary>
## Execute any modutil,
## like insmod, kmod, depmod or updates-modules,
## in the kmod domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`modutils_domtrans',`
gen_require(`
type kmod_t, kmod_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, kmod_exec_t, kmod_t)
')
########################################
## <summary>
## Execute any modutil,
## like insmod, kmod, depmod or updates-modules,
## in the kmod domain, and allow the specified role
## the kmod domain, and use the caller's terminal.
## Has a sigchld backchannel.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`modutils_run',`
gen_require(`
attribute_role kmod_roles;
')
modutils_domtrans($1)
roleattribute $2 kmod_roles;
')
########################################
## <summary>
## Execute any modutil,
## like insmod, kmod, depmod or updates-modules,
## in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`modutils_exec',`
gen_require(`
type kmod_exec_t;
')
corecmd_search_bin($1)
can_exec($1, kmod_exec_t)
')
########################################
## <summary>
## Unconditionally execute insmod in the insmod domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
# cjp: this is added for pppd, due to nested
# conditionals not working.
interface(`modutils_domtrans_insmod_uncond',`
refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.')
modutils_domtrans($1)
')
########################################
## <summary>
## Execute insmod in the insmod domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`modutils_domtrans_insmod',`
refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.')
modutils_domtrans($1)
')
########################################
## <summary>
## Execute insmod in the insmod domain, and
## allow the specified role the insmod domain,
## and use the caller's terminal. Has a sigchld
## backchannel.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`modutils_run_insmod',`
refpolicywarn(`$0($*) has been deprecated, please use modutils_run() instead.')
modutils_run($1, $2)
')
########################################
## <summary>
## Execute insmod in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`modutils_exec_insmod',`
refpolicywarn(`$0($*) has been deprecated, please use modutils_exec() instead.')
modutils_exec($1)
')
########################################
## <summary>
## Execute depmod in the depmod domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`modutils_domtrans_depmod',`
refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.')
modutils_domtrans($1)
')
########################################
## <summary>
## Execute depmod in the depmod domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`modutils_run_depmod',`
refpolicywarn(`$0($*) has been deprecated, please use modutils_run() instead.')
modutils_run($1, $2)
')
########################################
## <summary>
## Execute depmod in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`modutils_exec_depmod',`
refpolicywarn(`$0($*) has been deprecated, please use modutils_exec() instead.')
modutils_exec($1)
')
########################################
## <summary>
## Execute update_modules in the update_modules domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`modutils_domtrans_update_mods',`
refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.')
modutils_domtrans($1)
')
########################################
## <summary>
## Execute update_modules in the update_modules domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`modutils_run_update_mods',`
refpolicywarn(`$0($*) has been deprecated, please use modutils_run() instead.')
modutils_run($1, $2)
')
########################################
## <summary>
## Execute update_modules in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`modutils_exec_update_mods',`
refpolicywarn(`$0($*) has been deprecated, please use modutils_exec() instead.')
modutils_exec($1)
')
########################################
## <summary>
## Read kmod lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`modutils_read_var_run_files',`
refpolicywarn(`$0($*) has been deprecated.')
')
Reference in New Issue View Git Blame Copy Permalink