Hardware abstraction layer

######################################## ##

## Execute hal in the hal domain. ##

## ##

## Domain allowed to transition. ##

## # interface(`hal_domtrans',` gen_require(` type hald_t, hald_exec_t; ') domtrans_pattern($1, hald_exec_t, hald_t) ') ######################################## ##

## Get the attributes of a hal process. ##

## ##

## Domain allowed access. ##

## # interface(`hal_getattr',` gen_require(` type hald_t; ') allow $1 hald_t:process getattr; ') ######################################## ##

## Read hal system state ##

## ##

## Domain allowed access. ##

## # interface(`hal_read_state',` gen_require(` type hald_t; ') kernel_search_proc($1) ps_process_pattern($1, hald_t) ') ######################################## ##

## Allow ptrace of hal domain ##

## ##

## Domain allowed access. ##

## # interface(`hal_ptrace',` gen_require(` type hald_t; ') allow $1 hald_t:process ptrace; ') ######################################## ##

## Allow domain to use file descriptors from hal. ##

## ##

## Domain allowed access. ##

## # interface(`hal_use_fds',` gen_require(` type hald_t; ') allow $1 hald_t:fd use; ') ######################################## ##

## Do not audit attempts to use file descriptors from hal. ##

## ##

## Domain to not audit. ##

## # interface(`hal_dontaudit_use_fds',` gen_require(` type hald_t; ') dontaudit $1 hald_t:fd use; ') ######################################## ##

## Allow attempts to read and write to ## hald unnamed pipes. ##

## ##

## Domain allowed access. ##

## # interface(`hal_rw_pipes',` gen_require(` type hald_t; ') allow $1 hald_t:fifo_file rw_fifo_file_perms; ') ######################################## ##

## Do not audit attempts to read and write to ## hald unnamed pipes. ##

## ##

## Domain to not audit. ##

## # interface(`hal_dontaudit_rw_pipes',` gen_require(` type hald_t; ') dontaudit $1 hald_t:fifo_file rw_fifo_file_perms; ') ######################################## ##

## Send to hal over a unix domain ## datagram socket. ##

## ##

## Domain allowed access. ##

## # interface(`hal_dgram_send',` gen_require(` type hald_t; ') allow $1 hald_t:unix_dgram_socket sendto; ') ######################################## ##

## Send to hal over a unix domain ## stream socket. ##

## ##

## Domain allowed access. ##

## # interface(`hal_stream_connect',` gen_require(` type hald_t; ') allow $1 hald_t:unix_stream_socket connectto; ') ######################################## ##

## Dontaudit read/write to a hal unix datagram socket. ##

## ##

## Domain to not audit. ##

## # interface(`hal_dontaudit_rw_dgram_sockets',` gen_require(` type hald_t; ') dontaudit $1 hald_t:unix_dgram_socket { read write }; ') ######################################## ##

## Send a dbus message to hal. ##

## ##

## Domain allowed access. ##

## # interface(`hal_dbus_send',` gen_require(` type hald_t; class dbus send_msg; ') allow $1 hald_t:dbus send_msg; ') ######################################## ##

## Send and receive messages from ## hal over dbus. ##

## ##

## Domain allowed access. ##

## # interface(`hal_dbus_chat',` gen_require(` type hald_t; class dbus send_msg; ') allow $1 hald_t:dbus send_msg; allow hald_t $1:dbus send_msg; ') ######################################## ##

## Execute hal mac in the hal mac domain. ##

## ##

## Domain allowed to transition. ##

## # interface(`hal_domtrans_mac',` gen_require(` type hald_mac_t, hald_mac_exec_t; ') domtrans_pattern($1, hald_mac_exec_t, hald_mac_t) ') ######################################## ##

## Allow attempts to write the hal ## log files. ##

## ##

## Domain allowed access. ##

## # interface(`hal_write_log',` gen_require(` type hald_log_t; ') logging_search_logs($1) allow $1 hald_log_t:file write_file_perms; ') ######################################## ##

## Do not audit attempts to write the hal ## log files. ##

## ##

## Domain to not audit. ##

## # interface(`hal_dontaudit_write_log',` gen_require(` type hald_log_t; ') dontaudit $1 hald_log_t:file { append write }; ') ######################################## ##

## Manage hald log files. ##

## ##

## Domain allowed access. ##

## # interface(`hal_manage_log',` gen_require(` type hald_log_t; ') # log files for hald manage_files_pattern($1, hald_log_t, hald_log_t) logging_log_filetrans($1, hald_log_t, file) ') ######################################## ##

## Read hald tmp files. ##

## ##

## Domain allowed access. ##

## # interface(`hal_read_tmp_files',` gen_require(` type hald_tmp_t; ') allow $1 hald_tmp_t:file read_file_perms; ') ######################################## ##

## Do not audit attempts to read or write ## HAL libraries files ##

## ##

## Domain to not audit. ##

## # interface(`hal_dontaudit_append_lib_files',` gen_require(` type hald_var_lib_t; ') dontaudit $1 hald_var_lib_t:file { read_file_perms append_file_perms }; ') ######################################## ##

## Read hald PID files. ##

## ##

## Domain allowed access. ##

## # interface(`hal_read_pid_files',` gen_require(` type hald_var_run_t; ') files_search_pids($1) allow $1 hald_var_run_t:file read_file_perms; ') ######################################## ##

## Do not audit attempts to read ## hald PID files. ##

## ##

## Domain to not audit. ##

## # interface(`hal_dontaudit_read_pid_files',` gen_require(` type hald_var_run_t; ') dontaudit $1 hald_var_run_t:file read_inherited_file_perms; ') ######################################## ##

## Read/Write hald PID files. ##

## ##

## Domain allowed access. ##

## # interface(`hal_rw_pid_files',` gen_require(` type hald_var_run_t; ') files_search_pids($1) allow $1 hald_var_run_t:file rw_file_perms; ') ######################################## ##

## Manage hald PID dirs. ##

## ##

## Domain allowed access. ##

## # interface(`hal_manage_pid_dirs',` gen_require(` type hald_var_run_t; ') files_search_pids($1) manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t) ') ######################################## ##

## Manage hald PID files. ##

## ##

## Domain allowed access. ##

## # interface(`hal_manage_pid_files',` gen_require(` type hald_var_run_t; ') files_search_pids($1) manage_files_pattern($1, hald_var_run_t, hald_var_run_t) ') ######################################## ##

## dontaudit read and write an leaked file descriptors ##

## ##

## Domain to not audit. ##

## # interface(`hal_dontaudit_leaks',` gen_require(` type hald_log_t, hald_t, hald_var_run_t; ') dontaudit $1 hald_t:fd use; dontaudit $1 hald_log_t:file rw_inherited_file_perms; dontaudit $1 hald_t:fifo_file rw_inherited_fifo_file_perms; dontaudit hald_t $1:socket_class_set { read write }; dontaudit $1 hald_var_run_t:file read_inherited_file_perms; ')