Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/contrib/policykit.if
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/contrib/policykit.if')
-rw-r--r--policy/modules/contrib/policykit.if209
1 files changed, 209 insertions, 0 deletions
diff --git a/policy/modules/contrib/policykit.if b/policy/modules/contrib/policykit.if
new file mode 100644
index 000000000..48ff1e8a3
--- /dev/null
+++ b/policy/modules/contrib/policykit.if
@@ -0,0 +1,209 @@
+## <summary>Policy framework for controlling privileges for system-wide services.</summary>
+
+########################################
+## <summary>
+## Send and receive messages from
+## policykit over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_dbus_chat',`
+ gen_require(`
+ type policykit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 policykit_t:dbus send_msg;
+ allow policykit_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run polkit_auth.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`policykit_domtrans_auth',`
+ gen_require(`
+ type policykit_auth_t, policykit_auth_exec_t;
+ ')
+
+ domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t)
+')
+
+########################################
+## <summary>
+## Execute a policy_auth in the policy_auth domain, and
+## allow the specified role the policy_auth domain,
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_run_auth',`
+ gen_require(`
+ type policykit_auth_t;
+ ')
+
+ policykit_domtrans_auth($1)
+ role $2 types policykit_auth_t;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run polkit_grant.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`policykit_domtrans_grant',`
+ gen_require(`
+ type policykit_grant_t, policykit_grant_exec_t;
+ ')
+
+ domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t)
+')
+
+########################################
+## <summary>
+## Execute a policy_grant in the policy_grant domain, and
+## allow the specified role the policy_grant domain,
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`policykit_run_grant',`
+ gen_require(`
+ type policykit_grant_t;
+ ')
+
+ policykit_domtrans_grant($1)
+ role $2 types policykit_grant_t;
+
+ allow $1 policykit_grant_t:process signal;
+
+ ps_process_pattern(policykit_grant_t, $1)
+')
+
+########################################
+## <summary>
+## read policykit reload files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_read_reload',`
+ gen_require(`
+ type policykit_reload_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, policykit_reload_t, policykit_reload_t)
+')
+
+########################################
+## <summary>
+## rw policykit reload files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_rw_reload',`
+ gen_require(`
+ type policykit_reload_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, policykit_reload_t, policykit_reload_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run polkit_resolve.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`policykit_domtrans_resolve',`
+ gen_require(`
+ type policykit_resolve_t, policykit_resolve_exec_t;
+ ')
+
+ domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t)
+
+ ps_process_pattern(policykit_resolve_t, $1)
+')
+
+########################################
+## <summary>
+## Search policykit lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_search_lib',`
+ gen_require(`
+ type policykit_var_lib_t;
+ ')
+
+ allow $1 policykit_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## read policykit lib files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_read_lib',`
+ gen_require(`
+ type policykit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
+')