Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/system/modutils.if
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/system/modutils.if')
-rw-r--r--policy/modules/system/modutils.if355
1 files changed, 355 insertions, 0 deletions
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
new file mode 100644
index 000000000..19d328a78
--- /dev/null
+++ b/policy/modules/system/modutils.if
@@ -0,0 +1,355 @@
+## <summary>Policy for kernel module utilities</summary>
+
+######################################
+## <summary>
+## Getattr the dependencies of kernel modules.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modutils_getattr_module_deps',`
+ gen_require(`
+ type modules_dep_t;
+ ')
+
+ getattr_files_pattern($1, modules_object_t, modules_dep_t)
+')
+
+########################################
+## <summary>
+## Read the dependencies of kernel modules.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modutils_read_module_deps',`
+ gen_require(`
+ type modules_dep_t;
+ ')
+
+ files_list_kernel_modules($1)
+ allow $1 modules_dep_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## List the module configuration option files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`modutils_list_module_config',`
+ gen_require(`
+ type modules_conf_t;
+ ')
+
+ list_dirs_pattern($1, modules_conf_t, modules_conf_t)
+')
+
+
+
+########################################
+## <summary>
+## Read the configuration options used when
+## loading modules.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`modutils_read_module_config',`
+ gen_require(`
+ type modules_conf_t;
+ ')
+
+ # This file type can be in /etc or
+ # /lib(64)?/modules
+ files_search_etc($1)
+ files_search_boot($1)
+
+ read_files_pattern($1, modules_conf_t, modules_conf_t)
+ read_lnk_files_pattern($1, modules_conf_t, modules_conf_t)
+')
+
+########################################
+## <summary>
+## Rename a file with the configuration options used when
+## loading modules.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modutils_rename_module_config',`
+ gen_require(`
+ type modules_conf_t;
+ ')
+
+ rename_files_pattern($1, modules_conf_t, modules_conf_t)
+')
+
+########################################
+## <summary>
+## Unlink a file with the configuration options used when
+## loading modules.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modutils_delete_module_config',`
+ gen_require(`
+ type modules_conf_t;
+ ')
+
+ delete_files_pattern($1, modules_conf_t, modules_conf_t)
+')
+
+########################################
+## <summary>
+## Manage files with the configuration options used when
+## loading modules.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modutils_manage_module_config',`
+ gen_require(`
+ type modules_conf_t;
+ ')
+
+ manage_files_pattern($1, modules_conf_t, modules_conf_t)
+')
+
+########################################
+## <summary>
+## Unconditionally execute insmod in the insmod domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+# cjp: this is added for pppd, due to nested
+# conditionals not working.
+interface(`modutils_domtrans_insmod_uncond',`
+ gen_require(`
+ type insmod_t, insmod_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, insmod_exec_t, insmod_t)
+')
+
+########################################
+## <summary>
+## Execute insmod in the insmod domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`modutils_domtrans_insmod',`
+ gen_require(`
+ type insmod_t, insmod_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, insmod_exec_t, insmod_t)
+')
+
+########################################
+## <summary>
+## Execute insmod in the insmod domain, and
+## allow the specified role the insmod domain,
+## and use the caller's terminal. Has a sigchld
+## backchannel.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`modutils_run_insmod',`
+ gen_require(`
+ type insmod_t;
+ ')
+
+ modutils_domtrans_insmod($1)
+ role $2 types insmod_t;
+')
+
+########################################
+## <summary>
+## Execute insmod in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modutils_exec_insmod',`
+ gen_require(`
+ type insmod_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, insmod_exec_t)
+')
+
+########################################
+## <summary>
+## Execute depmod in the depmod domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`modutils_domtrans_depmod',`
+ gen_require(`
+ type depmod_t, depmod_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, depmod_exec_t, depmod_t)
+')
+
+########################################
+## <summary>
+## Execute depmod in the depmod domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`modutils_run_depmod',`
+ gen_require(`
+ type depmod_t, insmod_t;
+ ')
+
+ modutils_domtrans_depmod($1)
+ role $2 types depmod_t;
+')
+
+########################################
+## <summary>
+## Execute depmod in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modutils_exec_depmod',`
+ gen_require(`
+ type depmod_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, depmod_exec_t)
+')
+
+########################################
+## <summary>
+## Execute depmod in the depmod domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`modutils_domtrans_update_mods',`
+ gen_require(`
+ type update_modules_t, update_modules_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, update_modules_exec_t, update_modules_t)
+')
+
+########################################
+## <summary>
+## Execute update_modules in the update_modules domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`modutils_run_update_mods',`
+ gen_require(`
+ attribute_role update_modules_roles;
+ ')
+
+ modutils_domtrans_update_mods($1)
+ roleattribute $2 update_modules_roles;
+')
+
+########################################
+## <summary>
+## Execute update_modules in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modutils_exec_update_mods',`
+ gen_require(`
+ type update_modules_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, update_modules_exec_t)
+')