diff options
Diffstat (limited to 'policy/modules/contrib/policykit.if')
-rw-r--r-- | policy/modules/contrib/policykit.if | 209 |
1 files changed, 209 insertions, 0 deletions
diff --git a/policy/modules/contrib/policykit.if b/policy/modules/contrib/policykit.if new file mode 100644 index 000000000..48ff1e8a3 --- /dev/null +++ b/policy/modules/contrib/policykit.if @@ -0,0 +1,209 @@ +## <summary>Policy framework for controlling privileges for system-wide services.</summary> + +######################################## +## <summary> +## Send and receive messages from +## policykit over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`policykit_dbus_chat',` + gen_require(` + type policykit_t; + class dbus send_msg; + ') + + allow $1 policykit_t:dbus send_msg; + allow policykit_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Execute a domain transition to run polkit_auth. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`policykit_domtrans_auth',` + gen_require(` + type policykit_auth_t, policykit_auth_exec_t; + ') + + domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t) +') + +######################################## +## <summary> +## Execute a policy_auth in the policy_auth domain, and +## allow the specified role the policy_auth domain, +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`policykit_run_auth',` + gen_require(` + type policykit_auth_t; + ') + + policykit_domtrans_auth($1) + role $2 types policykit_auth_t; +') + +######################################## +## <summary> +## Execute a domain transition to run polkit_grant. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`policykit_domtrans_grant',` + gen_require(` + type policykit_grant_t, policykit_grant_exec_t; + ') + + domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t) +') + +######################################## +## <summary> +## Execute a policy_grant in the policy_grant domain, and +## allow the specified role the policy_grant domain, +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`policykit_run_grant',` + gen_require(` + type policykit_grant_t; + ') + + policykit_domtrans_grant($1) + role $2 types policykit_grant_t; + + allow $1 policykit_grant_t:process signal; + + ps_process_pattern(policykit_grant_t, $1) +') + +######################################## +## <summary> +## read policykit reload files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`policykit_read_reload',` + gen_require(` + type policykit_reload_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, policykit_reload_t, policykit_reload_t) +') + +######################################## +## <summary> +## rw policykit reload files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`policykit_rw_reload',` + gen_require(` + type policykit_reload_t; + ') + + files_search_var_lib($1) + rw_files_pattern($1, policykit_reload_t, policykit_reload_t) +') + +######################################## +## <summary> +## Execute a domain transition to run polkit_resolve. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`policykit_domtrans_resolve',` + gen_require(` + type policykit_resolve_t, policykit_resolve_exec_t; + ') + + domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t) + + ps_process_pattern(policykit_resolve_t, $1) +') + +######################################## +## <summary> +## Search policykit lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`policykit_search_lib',` + gen_require(` + type policykit_var_lib_t; + ') + + allow $1 policykit_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## <summary> +## read policykit lib files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`policykit_read_lib',` + gen_require(` + type policykit_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t) +') |