diff options
Diffstat (limited to 'policy/modules/contrib/hal.if')
-rw-r--r-- | policy/modules/contrib/hal.if | 440 |
1 files changed, 0 insertions, 440 deletions
diff --git a/policy/modules/contrib/hal.if b/policy/modules/contrib/hal.if deleted file mode 100644 index 5e94c213..00000000 --- a/policy/modules/contrib/hal.if +++ /dev/null @@ -1,440 +0,0 @@ -## <summary>Hardware abstraction layer.</summary> - -######################################## -## <summary> -## Execute hal in the hal domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`hal_domtrans',` - gen_require(` - type hald_t, hald_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, hald_exec_t, hald_t) -') - -######################################## -## <summary> -## Get attributes of hald processes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_getattr',` - gen_require(` - type hald_t; - ') - - allow $1 hald_t:process getattr; -') - -######################################## -## <summary> -## Read hal process state files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_read_state',` - gen_require(` - type hald_t; - ') - - ps_process_pattern($1, hald_t) -') - -######################################## -## <summary> -## Trace hald processes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_ptrace',` - gen_require(` - type hald_t; - ') - - allow $1 hald_t:process ptrace; -') - -######################################## -## <summary> -## Inherit and use hald file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_use_fds',` - gen_require(` - type hald_t; - ') - - allow $1 hald_t:fd use; -') - -######################################## -## <summary> -## Do not audit attempts to inherited -## and use hald file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`hal_dontaudit_use_fds',` - gen_require(` - type hald_t; - ') - - dontaudit $1 hald_t:fd use; -') - -######################################## -## <summary> -## Read and write hald unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_rw_pipes',` - gen_require(` - type hald_t; - ') - - allow $1 hald_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## <summary> -## Do not audit attempts to read and -## write hald unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`hal_dontaudit_rw_pipes',` - gen_require(` - type hald_t; - ') - - dontaudit $1 hald_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## <summary> -## Send to hald over a unix domain -## datagram socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_dgram_send',` - gen_require(` - type hald_t, hald_var_lib_t; - ') - - files_search_var_lib($1) - dgram_send_pattern($1, hald_var_lib_t, hald_var_lib_t, hald_t) -') - -######################################## -## <summary> -## Send to hald over a unix domain -## stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_stream_connect',` - gen_require(` - type hald_t, hald_var_lib_t; - ') - - files_search_var_lib($1) - stream_connect_pattern($1, hald_var_lib_t, hald_var_lib_t, hald_t) -') - -######################################## -## <summary> -## Do not audit attempts to read and -## write hald unix datagram sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`hal_dontaudit_rw_dgram_sockets',` - gen_require(` - type hald_t; - ') - - dontaudit $1 hald_t:unix_dgram_socket { read write }; -') - -######################################## -## <summary> -## Send messages to hald over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_dbus_send',` - gen_require(` - type hald_t; - class dbus send_msg; - ') - - allow $1 hald_t:dbus send_msg; -') - -######################################## -## <summary> -## Send and receive messages from -## hald over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_dbus_chat',` - gen_require(` - type hald_t; - class dbus send_msg; - ') - - allow $1 hald_t:dbus send_msg; - allow hald_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Execute hal mac in the hal mac domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`hal_domtrans_mac',` - gen_require(` - type hald_mac_t, hald_mac_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, hald_mac_exec_t, hald_mac_t) -') - -######################################## -## <summary> -## Write hald log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_write_log',` - gen_require(` - type hald_log_t; - ') - - logging_search_logs($1) - write_files_pattern($1, hald_log_t, hald_log_t) -') - -######################################## -## <summary> -## Do not audit attempts to write hald -## log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`hal_dontaudit_write_log',` - gen_require(` - type hald_log_t; - ') - - dontaudit $1 hald_log_t:file { append write }; -') - -######################################## -## <summary> -## Create, read, write, and delete -## hald log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_manage_log',` - gen_require(` - type hald_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, hald_log_t, hald_log_t) -') - -######################################## -## <summary> -## Read hald temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_read_tmp_files',` - gen_require(` - type hald_tmp_t; - ') - - files_search_tmp($1) - allow $1 hald_tmp_t:file read_file_perms; -') - -######################################## -## <summary> -## Do not audit attempts to append -## hald libraries files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`hal_dontaudit_append_lib_files',` - gen_require(` - type hald_var_lib_t; - ') - - dontaudit $1 hald_var_lib_t:file append_file_perms; -') - -######################################## -## <summary> -## Read hald pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_read_pid_files',` - gen_require(` - type hald_var_run_t; - ') - - files_search_pids($1) - allow $1 hald_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## Read and write hald pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_rw_pid_files',` - gen_require(` - type hald_var_run_t; - ') - - files_search_pids($1) - allow $1 hald_var_run_t:file rw_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## hald pid directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_manage_pid_dirs',` - gen_require(` - type hald_var_run_t; - ') - - files_search_pids($1) - manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## hald pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`hal_manage_pid_files',` - gen_require(` - type hald_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, hald_var_run_t, hald_var_run_t) -') |