policy_module(plymouthd, 1.1.4)

########################################
#
# Declarations
#

# Client side: the plymouth command-line tool. plymouth_exec_t is the
# entrypoint type; application_domain() wires it up as an ordinary
# application domain rather than an init-started service, and the role
# line restricts the domain to system_r.
type plymouth_t;
type plymouth_exec_t;
application_domain(plymouth_t, plymouth_exec_t)
role system_r types plymouth_t;

# Daemon side: plymouthd_t is entered from plymouthd_exec_t via the
# init daemon transition provided by init_daemon_domain().
type plymouthd_t;
type plymouthd_exec_t;
init_daemon_domain(plymouthd_t, plymouthd_exec_t)

# Private file types for the daemon's on-disk state. Giving each location
# its own type lets the rules below grant the daemon access to exactly its
# own files, not to everything else that happens to share the directory.

# Spool directory; the daemon's control socket is created here (see the
# stream_connect_pattern rule in the client section).
type plymouthd_spool_t;
files_type(plymouthd_spool_t)

# Persistent state under /var/lib (presumed from the name — confirm
# against the module's .fc file).
type plymouthd_var_lib_t;
files_type(plymouthd_var_lib_t)

# Log files; logging_log_file() marks the type as a log file type so the
# generic log-reading/rotation interfaces apply to it.
type plymouthd_var_log_t;
logging_log_file(plymouthd_var_log_t)

# PID / runtime files; files_pid_file() marks the type as a pid file type.
type plymouthd_var_run_t;
files_pid_file(plymouthd_var_run_t)

########################################
#
# Daemon local policy
#

# Capabilities. sys_admin is the broadest Linux capability and gates many
# unrelated privileged operations, so it is the rule most worth scrutinising
# when tightening this domain; sys_tty_config is presumably for console/VT
# handling — confirm which operations the daemon actually needs.
allow plymouthd_t self:capability { sys_admin sys_tty_config };
# dontaudit grants nothing: attempts by the daemon to bypass DAC permission
# checks are still denied, they are just not logged. Remember this when
# troubleshooting, since such denials will not appear in the audit log.
dontaudit plymouthd_t self:capability dac_override;
# capability2 is the second capability bitmap; block_suspend lets the
# daemon hold off system suspend.
allow plymouthd_t self:capability2 block_suspend;
allow plymouthd_t self:process { signal getsched };
allow plymouthd_t self:fifo_file rw_fifo_file_perms;
allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;

# Spool: full management of dirs, files and socket files of its own type,
# plus a type transition so objects the daemon creates in the generic spool
# directory are labelled plymouthd_spool_t rather than the parent's type.
manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
files_spool_filetrans(plymouthd_t, plymouthd_spool_t, { file dir sock_file })

# /var/lib state: same pattern, dirs and files only.
manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })

# Logs: deliberately narrower than the other locations. The daemon may
# create, append to and setattr its log files, but no read, write-in-place
# or unlink permission on them is granted here, which limits what a
# compromised daemon can do to its own audit trail.
manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
append_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
create_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
setattr_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })

# Runtime/pid files.
manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })

# Kernel interaction: read system state (/proc and friends), ask the kernel
# to autoload modules, and change the console log level (presumably to
# quiet kernel messages while the splash is shown — confirm).
kernel_read_system_state(plymouthd_t)
kernel_request_load_module(plymouthd_t)
kernel_change_ring_buffer_level(plymouthd_t)

# Direct graphics access for the boot splash: DRI devices, sysfs, and
# read/write on the framebuffer.
dev_rw_dri(plymouthd_t)
dev_read_sysfs(plymouthd_t)
dev_read_framebuffer(plymouthd_t)
dev_write_framebuffer(plymouthd_t)

domain_use_interactive_fds(plymouthd_t)

fs_getattr_all_fs(plymouthd_t)

files_read_etc_files(plymouthd_t)
files_read_usr_files(plymouthd_t)

# Terminals. term_use_all_terms() is broad (every terminal device type);
# a boot splash daemon plausibly needs the consoles/VTs, but check whether a
# narrower console-only interface would suffice.
term_getattr_pty_fs(plymouthd_t)
term_use_all_terms(plymouthd_t)
term_use_ptmx(plymouthd_t)

# Fonts and locale data for rendering text; the fonts cache is writable.
miscfiles_read_localization(plymouthd_t)
miscfiles_read_fonts(plymouthd_t)
miscfiles_manage_fonts_cache(plymouthd_t)

# The blocks below are only compiled in when the named module is present.

# Read generic content in user home directories (gnome module).
optional_policy(`
	gnome_read_generic_home_content(plymouthd_t)
')

# Connect to the sssd socket (sssd module).
optional_policy(`
	sssd_stream_connect(plymouthd_t)
')

# Hand-off to the display manager: manage xdm spool files and read xdm
# state (xserver module).
optional_policy(`
	xserver_manage_xdm_spool_files(plymouthd_t)
	xserver_read_xdm_state(plymouthd_t)
')

########################################
#
# Client local policy
#

# The client gets no capabilities; only self-signalling, its own pipes and
# its own unix stream sockets.
allow plymouth_t self:process signal;
allow plymouth_t self:fifo_file rw_fifo_file_perms;
allow plymouth_t self:unix_stream_socket create_stream_socket_perms;

# Client -> daemon channel: connect to the daemon's socket file of type
# plymouthd_spool_t (in a plymouthd_spool_t directory) with plymouthd_t
# as the peer domain. This is the only cross-domain access the client
# has to the daemon.
stream_connect_pattern(plymouth_t, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)

kernel_read_system_state(plymouth_t)
# Connect to kernel-labelled unix sockets (presumably for early boot, before
# the daemon's socket is relabelled — confirm).
kernel_stream_connect(plymouth_t)

domain_use_interactive_fds(plymouth_t)

files_read_etc_files(plymouth_t)

term_use_ptmx(plymouth_t)

miscfiles_read_localization(plymouth_t)

sysnet_read_config(plymouth_t)

# Build-time m4 conditional (not a runtime boolean): when the policy is
# built with hide_broken_symptoms, suppress audit noise from the client
# touching HAL logs and pipes. Again these are dontaudit rules — the
# accesses are still denied, just silently.
ifdef(`hide_broken_symptoms',`
	optional_policy(`
		hal_dontaudit_write_log(plymouth_t)
		hal_dontaudit_rw_pipes(plymouth_t)
	')
')

# Domain transition into the lvm domain when the client executes lvm
# tools (lvm module only).
optional_policy(`
	lvm_domtrans(plymouth_t)
')