selinux_pols/hald.te


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39

module hald-custom 1.2;

require {
	type fixed_disk_device_t;
	type mnt_t;
	type system_dbusd_t;
	class blk_file { read ioctl open };
	class dir { write remove_name add_name };
	class file { write rename create unlink };
}

#============= system_dbusd_t ==============
allow system_dbusd_t fixed_disk_device_t:blk_file { ioctl open };
#!!!! The source type 'system_dbusd_t' can write to a 'dir' of the following types:
# system_dbusd_var_run_t, system_dbusd_tmp_t, user_home_t, tmp_t, var_run_t

allow system_dbusd_t mnt_t:dir { write remove_name add_name };
allow system_dbusd_t mnt_t:file { write rename create unlink };

require {
	type removable_device_t;
	type event_device_t;
	type system_dbusd_t;
	class blk_file { read ioctl open };
	class chr_file read;
}

#============= system_dbusd_t ==============
allow system_dbusd_t event_device_t:chr_file read;
allow system_dbusd_t removable_device_t:blk_file { read ioctl open };

require {
	type removable_device_t;
	type system_dbusd_t;
	class blk_file { read ioctl open };
}

#============= system_dbusd_t ==============
allow system_dbusd_t removable_device_t:blk_file { read ioctl open };