[selinux-policy: 621/3172] add hal
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:58:20 UTC 2010
commit fdae8e755e1ca17e35cf5d801217394bbfb08456
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Sep 2 20:29:52 2005 +0000
add hal
refpolicy/Changelog | 1 +
refpolicy/policy/modules/kernel/devices.if | 19 ++++
refpolicy/policy/modules/services/dbus.if | 18 ++++
refpolicy/policy/modules/services/hal.fc | 9 ++
refpolicy/policy/modules/services/hal.if | 1 +
refpolicy/policy/modules/services/hal.te | 150 ++++++++++++++++++++++++++++
refpolicy/policy/modules/system/files.if | 20 ++++
7 files changed, 218 insertions(+), 0 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index b9f6f19..7d79565 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -4,6 +4,7 @@
comsat
dbus
dhcp
+ hal
squid
* Fri Aug 26 2005 Chris PeBenito <selinux at tresys.com> - 20050826
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 3fdbba4..2c306ca 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -1442,6 +1442,25 @@ interface(`dev_setattr_printer',`
########################################
## <summary>
+## Read and write the printer device.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`dev_rw_printer',`
+ gen_require(`
+ type device_t, printer_device_t;
+ class dir search;
+ class chr_file rw_file_perms;
+ ')
+
+ allow $1 device_t:dir search;
+ allow $1 printer_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
## Read from random devices (e.g., /dev/random)
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if
index 4003f02..c4f6c53 100644
--- a/refpolicy/policy/modules/services/dbus.if
+++ b/refpolicy/policy/modules/services/dbus.if
@@ -181,6 +181,24 @@ template(`dbus_system_bus_client_template',`
########################################
## <summary>
+## Connect to the the system DBUS
+## for service (acquire_svc).
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`dbus_connect_system_bus',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus acquire_svc;
+ ')
+
+ allow $1 system_dbusd_t:dbus acquire_svc;
+')
+
+########################################
+## <summary>
## Send a message on the system DBUS.
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/services/hal.fc b/refpolicy/policy/modules/services/hal.fc
new file mode 100644
index 0000000..5540076
--- /dev/null
+++ b/refpolicy/policy/modules/services/hal.fc
@@ -0,0 +1,9 @@
+
+/etc/hal/device\.d/printer_remove\.hal -- context_template(system_u:object_r:hald_exec_t,s0)
+/etc/hal/capability\.d/printer_update\.hal -- context_template(system_u:object_r:hald_exec_t,s0)
+
+/usr/libexec/hal-hotplug-map -- context_template(system_u:object_r:hald_exec_t,s0)
+
+/usr/sbin/hald -- context_template(system_u:object_r:hald_exec_t,s0)
+
+/usr/share/hal/device-manager/hal-device-manager -- context_template(system_u:object_r:bin_t,s0)
diff --git a/refpolicy/policy/modules/services/hal.if b/refpolicy/policy/modules/services/hal.if
new file mode 100644
index 0000000..f363b35
--- /dev/null
+++ b/refpolicy/policy/modules/services/hal.if
@@ -0,0 +1 @@
+## <summary>Hardware abstraction layer</summary>
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
new file mode 100644
index 0000000..9b2e9eb
--- /dev/null
+++ b/refpolicy/policy/modules/services/hal.te
@@ -0,0 +1,150 @@
+
+policy_module(hal,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type hald_t;
+type hald_exec_t;
+init_daemon_domain(hald_t,hald_exec_t)
+
+type hald_tmp_t;
+files_tmp_file(hald_tmp_t)
+
+type hald_var_run_t;
+files_pid_file(hald_var_run_t)
+
+allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
+dontaudit hald_t self:capability sys_tty_config;
+allow hald_t self:fifo_file rw_file_perms;
+allow hald_t self:unix_stream_socket create_stream_socket_perms;
+allow hald_t self:unix_dgram_socket create_socket_perms;
+allow hald_t self:netlink_route_socket r_netlink_socket_perms;
+allow hald_t self:tcp_socket create_stream_socket_perms;
+
+allow hald_t hald_tmp_t:dir create_dir_perms;
+allow hald_t hald_tmp_t:file create_file_perms;
+files_create_tmp_files(hald_t, hald_tmp_t, { file dir })
+
+allow hald_t hald_var_run_t:file create_file_perms;
+files_create_pid(hald_t,hald_var_run_t)
+
+kernel_read_system_state(hald_t)
+kernel_read_network_state(hald_t)
+kernel_read_kernel_sysctl(hald_t)
+
+corenet_tcp_sendrecv_all_if(hald_t)
+corenet_raw_sendrecv_all_if(hald_t)
+corenet_tcp_sendrecv_all_nodes(hald_t)
+corenet_raw_sendrecv_all_nodes(hald_t)
+corenet_tcp_sendrecv_all_ports(hald_t)
+corenet_tcp_bind_all_nodes(hald_t)
+
+dev_read_sysfs(hald_t)
+dev_read_usbfs(hald_t)
+dev_read_urand(hald_t)
+dev_read_input(hald_t)
+dev_rw_printer(hald_t)
+dev_manage_generic_chr_file(hald_t)
+
+fs_getattr_all_fs(hald_t)
+fs_search_auto_mountpoints(hald_t)
+
+storage_raw_read_removable_device(hald_t)
+storage_raw_read_fixed_disk(hald_t)
+storage_raw_write_fixed_disk(hald_t)
+
+term_dontaudit_use_console(hald_t)
+
+corecmd_exec_bin(hald_t)
+corecmd_exec_sbin(hald_t)
+
+domain_use_wide_inherit_fd(hald_t)
+domain_exec_all_entry_files(hald_t)
+
+files_exec_etc_files(hald_t)
+files_read_etc_files(hald_t)
+files_rw_etc_runtime_files(hald_t)
+files_search_mnt(hald_t)
+files_search_var_lib(hald_t)
+files_read_usr_files(hald_t)
+
+init_use_fd(hald_t)
+init_use_script_pty(hald_t)
+
+libs_use_ld_so(hald_t)
+libs_use_shared_libs(hald_t)
+libs_exec_ld_so(hald_t)
+libs_exec_lib_files(hald_t)
+
+logging_send_syslog_msg(hald_t)
+
+miscfiles_read_localization(hald_t)
+
+seutil_read_config(hald_t)
+seutil_read_default_contexts(hald_t)
+
+sysnet_read_config(hald_t)
+
+userdom_dontaudit_use_unpriv_user_fd(hald_t)
+userdom_dontaudit_search_sysadm_home_dir(hald_t)
+
+ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_tty(hald_t)
+ term_dontaudit_use_generic_pty(hald_t)
+ files_dontaudit_read_root_file(hald_t)
+')
+
+optional_policy(`dbus.te',`
+ allow hald_t self:dbus send_msg;
+ dbus_system_bus_client_template(hald,hald_t)
+ dbus_send_system_bus_msg(hald_t)
+ dbus_connect_system_bus(hald_t)
+')
+
+optional_policy(`hotplug.te',`
+ hotplug_read_config(hald_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(hald_t)
+')
+
+optional_policy(`nscd.te',`
+ nscd_use_socket(hald_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(hald_t)
+')
+
+optional_policy(`udev.te', `
+ udev_domtrans(hald_t)
+ udev_read_db(hald_t)
+')
+
+optional_policy(`updfstab.te',`
+ updfstab_domtrans(hald_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(hald_t)
+')
+
+allow hald_t device_t:dir create_dir_perms;
+
+optional_policy(`updfstab.te',`
+allow updfstab_t hald_t:dbus send_msg;
+allow hald_t updfstab_t:dbus send_msg;
+')
+
+optional_policy(`hald.te',`
+allow udev_t hald_t:unix_dgram_socket sendto;
+')
+
+allow hald_t initrc_t:dbus send_msg;
+allow initrc_t hald_t:dbus send_msg;
+') dnl end TODO
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index bf0e5b4..e328537 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -957,6 +957,26 @@ interface(`files_dontaudit_read_etc_runtime_files',`
########################################
## <summary>
+## Read and write files in /etc that are dynamically
+## created on boot, such as mtab.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_rw_etc_runtime_files',`
+ gen_require(`
+ type etc_t, etc_runtime_t;
+ class dir r_dir_perms;
+ class file rw_file_perms;
+ ')
+
+ allow $1 etc_t:dir r_dir_perms;
+ allow $1 etc_runtime_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete files in
## /etc that are dynamically created on boot,
## such as mtab.
More information about the scm-commits
mailing list