policy_module(devicekit, 1.3.1) ######################################## # # Declarations # type devicekit_t; type devicekit_exec_t; init_daemon_domain(devicekit_t, devicekit_exec_t) init_nnp_daemon_domain(devicekit_t) type devicekit_power_t; type devicekit_power_exec_t; init_daemon_domain(devicekit_power_t, devicekit_power_exec_t) init_nnp_daemon_domain(devicekit_power_t) type devicekit_disk_t; type devicekit_disk_exec_t; init_daemon_domain(devicekit_disk_t, devicekit_disk_exec_t) init_nnp_daemon_domain(devicekit_disk_t) type devicekit_tmp_t; files_tmp_file(devicekit_tmp_t) type devicekit_var_run_t; files_pid_file(devicekit_var_run_t) type devicekit_var_lib_t; files_type(devicekit_var_lib_t) systemd_mount_dir(devicekit_var_lib_t) type devicekit_var_log_t; logging_log_file(devicekit_var_log_t) typealias devicekit_t alias { udisks2_t }; typealias devicekit_var_lib_t alias { udisks2_var_lib_t }; typealias devicekit_var_run_t alias { udisks2_var_run_t }; ######################################## # # Local policy # allow devicekit_t self:unix_dgram_socket create_socket_perms; manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) files_pid_filetrans(devicekit_t, devicekit_var_run_t, { dir file }) kernel_read_system_state(devicekit_t) dev_read_sysfs(devicekit_t) dev_read_urand(devicekit_t) dev_getattr_all(devicekit_t) optional_policy(` dbus_system_domain(devicekit_t, devicekit_exec_t) dbus_system_bus_client(devicekit_t) allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg; ') optional_policy(` udev_read_db(devicekit_t) ') ######################################## # # Disk local policy # allow devicekit_disk_t self:capability { chown setuid setgid dac_read_search dac_read_search fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio }; allow devicekit_disk_t self:process { getsched signal_perms }; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) files_tmp_filetrans(devicekit_disk_t, devicekit_tmp_t, { dir file }) manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) allow devicekit_disk_t devicekit_var_run_t:dir mounton; manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file }) files_filetrans_named_content(devicekit_disk_t) kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t) kernel_getattr_message_if(devicekit_disk_t) kernel_list_unlabeled(devicekit_disk_t) kernel_read_fs_sysctls(devicekit_disk_t) kernel_read_network_state(devicekit_disk_t) kernel_read_software_raid_state(devicekit_disk_t) kernel_read_system_state(devicekit_disk_t) kernel_read_vm_sysctls(devicekit_disk_t) kernel_request_load_module(devicekit_disk_t) kernel_get_sysvipc_info(devicekit_disk_t) kernel_dontaudit_setsched(devicekit_disk_t) corecmd_exec_bin(devicekit_disk_t) corecmd_exec_shell(devicekit_disk_t) corecmd_getattr_all_executables(devicekit_disk_t) dev_getattr_all_chr_files(devicekit_disk_t) dev_getattr_mtrr_dev(devicekit_disk_t) dev_rw_generic_blk_files(devicekit_disk_t) dev_rw_loop_control(devicekit_disk_t) dev_rw_lvm_control(devicekit_disk_t) dev_getattr_usbfs_dirs(devicekit_disk_t) dev_manage_generic_files(devicekit_disk_t) dev_read_rand(devicekit_disk_t) dev_read_urand(devicekit_disk_t) dev_rw_sysfs(devicekit_disk_t) domain_getattr_all_pipes(devicekit_disk_t) domain_getattr_all_sockets(devicekit_disk_t) domain_getattr_all_stream_sockets(devicekit_disk_t) domain_read_all_domains_state(devicekit_disk_t) files_dontaudit_read_all_symlinks(devicekit_disk_t) files_getattr_all_sockets(devicekit_disk_t) files_getattr_all_dirs(devicekit_disk_t) files_getattr_all_files(devicekit_disk_t) files_getattr_all_pipes(devicekit_disk_t) files_manage_boot_dirs(devicekit_disk_t) files_manage_isid_type_dirs(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t) files_watch_etc_dirs(devicekit_disk_t) # udisksd watches /etc files_manage_etc_files(devicekit_disk_t) files_read_etc_runtime_files(devicekit_disk_t) files_mounton_mnt(devicekit_disk_t) fs_getattr_all_fs(devicekit_disk_t) fs_manage_fusefs_dirs(devicekit_disk_t) fs_mount_all_fs(devicekit_disk_t) fs_unmount_all_fs(devicekit_disk_t) fs_search_all(devicekit_disk_t) mls_file_read_all_levels(devicekit_disk_t) mls_file_write_to_clearance(devicekit_disk_t) storage_raw_read_fixed_disk(devicekit_disk_t) storage_raw_write_fixed_disk(devicekit_disk_t) storage_raw_read_removable_device(devicekit_disk_t) storage_raw_write_removable_device(devicekit_disk_t) term_use_all_inherited_terms(devicekit_disk_t) auth_use_nsswitch(devicekit_disk_t) logging_send_syslog_msg(devicekit_disk_t) userdom_read_all_users_state(devicekit_disk_t) userdom_search_user_home_dirs(devicekit_disk_t) userdom_manage_user_tmp_dirs(devicekit_disk_t) optional_policy(` dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t) dbus_system_bus_client(devicekit_disk_t) allow devicekit_disk_t devicekit_t:dbus send_msg; optional_policy(` consolekit_dbus_chat(devicekit_disk_t) ') optional_policy(` policykit_dbus_chat(devicekit_disk_t) ') ') optional_policy(` fstools_domtrans(devicekit_disk_t) ') optional_policy(` lvm_domtrans(devicekit_disk_t) ') optional_policy(` mount_domtrans(devicekit_disk_t) mount_manage_pid_files(devicekit_disk_t) ') optional_policy(` policykit_domtrans_auth(devicekit_disk_t) policykit_read_lib(devicekit_disk_t) policykit_read_reload(devicekit_disk_t) ') optional_policy(` raid_domtrans_mdadm(devicekit_disk_t) ') optional_policy(` systemd_read_logind_sessions_files(devicekit_disk_t) systemd_login_read_pid_files(devicekit_disk_t) systemd_write_inhibit_pipes(devicekit_disk_t) ') optional_policy(` udev_domtrans(devicekit_disk_t) udev_read_db(devicekit_disk_t) udev_read_pid_files(devicekit_disk_t) ') optional_policy(` virt_manage_images(devicekit_disk_t) ') optional_policy(` unconfined_domain(devicekit_t) unconfined_domain(devicekit_power_t) unconfined_domain(devicekit_disk_t) ') ######################################## # # Power local policy # allow devicekit_power_t self:capability { dac_read_search net_admin sys_admin sys_tty_config sys_nice }; #allow devicekit_power_t self:capability2 compromise_kernel; allow devicekit_power_t self:process { getsched signal_perms }; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; allow devicekit_power_t self:unix_stream_socket create_socket_perms; allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms; manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir }) manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t) logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file) manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) manage_files_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file }) kernel_read_fs_sysctls(devicekit_power_t) kernel_read_network_state(devicekit_power_t) kernel_read_system_state(devicekit_power_t) kernel_rw_usermodehelper_state(devicekit_power_t) kernel_rw_kernel_sysctl(devicekit_power_t) kernel_rw_vm_sysctls(devicekit_power_t) kernel_search_debugfs(devicekit_power_t) kernel_write_proc_files(devicekit_power_t) kernel_dontaudit_setsched(devicekit_power_t) corecmd_exec_bin(devicekit_power_t) corecmd_exec_shell(devicekit_power_t) dev_read_input(devicekit_power_t) dev_read_urand(devicekit_power_t) dev_rw_generic_usb_dev(devicekit_power_t) dev_rw_generic_chr_files(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) dev_read_rand(devicekit_power_t) dev_getattr_all_blk_files(devicekit_power_t) dev_getattr_all_chr_files(devicekit_power_t) domain_read_all_domains_state(devicekit_power_t) files_read_kernel_img(devicekit_power_t) files_read_etc_runtime_files(devicekit_power_t) files_dontaudit_list_mnt(devicekit_power_t) fs_getattr_all_fs(devicekit_power_t) term_use_all_inherited_terms(devicekit_power_t) auth_use_nsswitch(devicekit_power_t) init_all_labeled_script_domtrans(devicekit_power_t) init_read_utmp(devicekit_power_t) sysnet_domtrans_ifconfig(devicekit_power_t) sysnet_domtrans_dhcpc(devicekit_power_t) userdom_read_all_users_state(devicekit_power_t) optional_policy(` bootloader_domtrans(devicekit_power_t) ') optional_policy(` consoletype_exec(devicekit_power_t) ') optional_policy(` cron_initrc_domtrans(devicekit_power_t) cron_systemctl(devicekit_power_t) ') optional_policy(` dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) dbus_system_bus_client(devicekit_power_t) allow devicekit_power_t devicekit_t:dbus send_msg; optional_policy(` consolekit_dbus_chat(devicekit_power_t) ') optional_policy(` networkmanager_dbus_chat(devicekit_power_t) ') optional_policy(` policykit_dbus_chat(devicekit_power_t) ') optional_policy(` rpm_dbus_chat(devicekit_power_t) ') ') optional_policy(` fstools_domtrans(devicekit_power_t) ') optional_policy(` gnome_manage_home_config(devicekit_power_t) ') optional_policy(` logging_send_syslog_msg(devicekit_power_t) ') optional_policy(` modutils_domtrans_kmod(devicekit_power_t) ') optional_policy(` mount_domtrans(devicekit_power_t) ') optional_policy(` networkmanager_domtrans(devicekit_power_t) ') optional_policy(` policykit_domtrans_auth(devicekit_power_t) policykit_read_lib(devicekit_power_t) policykit_read_reload(devicekit_power_t) ') optional_policy(` readahead_domtrans(devicekit_power_t) ') optional_policy(` systemd_write_inhibit_pipes(devicekit_power_t) ') optional_policy(` udev_read_db(devicekit_power_t) udev_manage_pid_files(devicekit_power_t) ') optional_policy(` usbmuxd_stream_connect(devicekit_power_t) ') optional_policy(` vbetool_domtrans(devicekit_power_t) ') optional_policy(` corenet_tcp_connect_xserver_port(devicekit_power_t) xserver_stream_connect(devicekit_power_t) ')