162 lines
4.7 KiB
Plaintext
162 lines
4.7 KiB
Plaintext
|
#DESC Apmd - Automatic Power Management daemon
|
||
|
#
|
||
|
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
||
|
# Russell Coker <russell@coker.com.au>
|
||
|
# X-Debian-Packages: apmd
|
||
|
#
|
||
|
|
||
|
#################################
|
||
|
#
|
||
|
# Rules for the apmd_t domain.
|
||
|
#
|
||
|
daemon_domain(apmd, `, privmodule, nscd_client_domain')
|
||
|
|
||
|
# for SSP
|
||
|
allow apmd_t urandom_device_t:chr_file read;
|
||
|
|
||
|
type apm_t, domain, privlog;
|
||
|
type apm_exec_t, file_type, sysadmfile, exec_type;
|
||
|
ifdef(`targeted_policy', `', `
|
||
|
domain_auto_trans(sysadm_t, apm_exec_t, apm_t)
|
||
|
')
|
||
|
uses_shlib(apm_t)
|
||
|
allow apm_t privfd:fd use;
|
||
|
allow apm_t admin_tty_type:chr_file rw_file_perms;
|
||
|
allow apm_t device_t:dir search;
|
||
|
allow apm_t self:capability { dac_override sys_admin };
|
||
|
allow apm_t proc_t:dir search;
|
||
|
allow apm_t proc_t:file r_file_perms;
|
||
|
allow apm_t fs_t:filesystem getattr;
|
||
|
allow apm_t apm_bios_t:chr_file rw_file_perms;
|
||
|
role sysadm_r types apm_t;
|
||
|
role system_r types apm_t;
|
||
|
|
||
|
allow apmd_t device_t:lnk_file read;
|
||
|
allow apmd_t proc_t:file { getattr read write };
|
||
|
can_sysctl(apmd_t)
|
||
|
allow apmd_t sysfs_t:file write;
|
||
|
|
||
|
allow apmd_t self:unix_dgram_socket create_socket_perms;
|
||
|
allow apmd_t self:unix_stream_socket create_stream_socket_perms;
|
||
|
allow apmd_t self:fifo_file rw_file_perms;
|
||
|
allow apmd_t { etc_runtime_t modules_conf_t }:file { getattr read };
|
||
|
allow apmd_t etc_t:lnk_file read;
|
||
|
|
||
|
# acpid wants a socket
|
||
|
file_type_auto_trans(apmd_t, var_run_t, apmd_var_run_t, sock_file)
|
||
|
|
||
|
# acpid also has a logfile
|
||
|
log_domain(apmd)
|
||
|
tmp_domain(apmd)
|
||
|
|
||
|
ifdef(`distro_suse', `
|
||
|
var_lib_domain(apmd)
|
||
|
')
|
||
|
|
||
|
allow apmd_t self:file { getattr read ioctl };
|
||
|
allow apmd_t self:process getsession;
|
||
|
|
||
|
# Use capabilities.
|
||
|
allow apmd_t self:capability { sys_admin sys_nice sys_time kill };
|
||
|
|
||
|
# controlling an orderly resume of PCMCIA requires creating device
|
||
|
# nodes 254,{0,1,2} for some reason.
|
||
|
allow apmd_t self:capability mknod;
|
||
|
|
||
|
# Access /dev/apm_bios.
|
||
|
allow apmd_t apm_bios_t:chr_file rw_file_perms;
|
||
|
|
||
|
# Run helper programs.
|
||
|
can_exec_any(apmd_t)
|
||
|
|
||
|
# apmd calls hwclock.sh on suspend and resume
|
||
|
allow apmd_t clock_device_t:chr_file r_file_perms;
|
||
|
ifdef(`hwclock.te', `
|
||
|
domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
|
||
|
allow apmd_t adjtime_t:file rw_file_perms;
|
||
|
allow hwclock_t apmd_log_t:file append;
|
||
|
allow hwclock_t apmd_t:unix_stream_socket { read write };
|
||
|
')
|
||
|
|
||
|
|
||
|
# to quiet fuser and ps
|
||
|
# setuid for fuser, dac* for ps
|
||
|
dontaudit apmd_t self:capability { setuid dac_override dac_read_search };
|
||
|
dontaudit apmd_t domain:socket_class_set getattr;
|
||
|
dontaudit apmd_t { file_type fs_type }:notdevfile_class_set getattr;
|
||
|
dontaudit apmd_t device_type:devfile_class_set getattr;
|
||
|
dontaudit apmd_t home_type:dir { search getattr };
|
||
|
dontaudit apmd_t domain:key_socket getattr;
|
||
|
dontaudit apmd_t domain:dir search;
|
||
|
|
||
|
ifdef(`distro_redhat', `
|
||
|
can_exec(apmd_t, apmd_var_run_t)
|
||
|
# for /var/lock/subsys/network
|
||
|
lock_domain(apmd)
|
||
|
|
||
|
# ifconfig_exec_t needs to be run in its own domain for Red Hat
|
||
|
ifdef(`ifconfig.te', `domain_auto_trans(apmd_t, ifconfig_exec_t, ifconfig_t)')
|
||
|
ifdef(`iptables.te', `domain_auto_trans(apmd_t, iptables_exec_t, iptables_t)')
|
||
|
ifdef(`netutils.te', `domain_auto_trans(apmd_t, netutils_exec_t, netutils_t)')
|
||
|
', `
|
||
|
# for ifconfig which is run all the time
|
||
|
dontaudit apmd_t sysctl_t:dir search;
|
||
|
')
|
||
|
|
||
|
ifdef(`udev.te', `
|
||
|
allow apmd_t udev_t:file { getattr read };
|
||
|
allow apmd_t udev_t:lnk_file { getattr read };
|
||
|
')
|
||
|
#
|
||
|
# apmd tells the machine to shutdown requires the following
|
||
|
#
|
||
|
allow apmd_t initctl_t:fifo_file write;
|
||
|
allow apmd_t initrc_var_run_t:file { read write lock };
|
||
|
|
||
|
#
|
||
|
# Allow it to run killof5 and pidof
|
||
|
#
|
||
|
typeattribute apmd_t unrestricted;
|
||
|
r_dir_file(apmd_t, domain)
|
||
|
|
||
|
# Same for apm/acpid scripts
|
||
|
domain_auto_trans(apmd_t, initrc_exec_t, initrc_t)
|
||
|
ifdef(`consoletype.te', `
|
||
|
allow consoletype_t apmd_t:fd use;
|
||
|
allow consoletype_t apmd_t:fifo_file write;
|
||
|
')
|
||
|
ifdef(`mount.te', `allow mount_t apmd_t:fd use;')
|
||
|
ifdef(`crond.te', `
|
||
|
domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)
|
||
|
allow apmd_t crond_t:fifo_file { getattr read write ioctl };
|
||
|
')
|
||
|
|
||
|
ifdef(`mta.te', `
|
||
|
domain_auto_trans(apmd_t, sendmail_exec_t, system_mail_t)
|
||
|
')
|
||
|
|
||
|
# for a find /dev operation that gets /dev/shm
|
||
|
dontaudit apmd_t tmpfs_t:dir r_dir_perms;
|
||
|
dontaudit apmd_t selinux_config_t:dir search;
|
||
|
allow apmd_t user_tty_type:chr_file rw_file_perms;
|
||
|
# Access /dev/apm_bios.
|
||
|
allow initrc_t apm_bios_t:chr_file { setattr getattr read };
|
||
|
|
||
|
ifdef(`logrotate.te', `
|
||
|
allow apmd_t logrotate_t:fd use;
|
||
|
')dnl end if logrotate.te
|
||
|
allow apmd_t devpts_t:dir { getattr search };
|
||
|
allow apmd_t security_t:dir search;
|
||
|
allow apmd_t usr_t:dir search;
|
||
|
r_dir_file(apmd_t, hwdata_t)
|
||
|
ifdef(`targeted_policy', `
|
||
|
unconfined_domain(apmd_t)
|
||
|
')
|
||
|
|
||
|
ifdef(`NetworkManager.te', `
|
||
|
ifdef(`dbusd.te', `
|
||
|
allow apmd_t NetworkManager_t:dbus send_msg;
|
||
|
allow NetworkManager_t apmd_t:dbus send_msg;
|
||
|
')
|
||
|
')
|