selinux-policy/targeted/domains/program/apmd.te

162 lines
4.7 KiB
Plaintext
Raw Normal View History

2005-10-21 18:05:21 +00:00
#DESC Apmd - Automatic Power Management daemon
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: apmd
#
#################################
#
# Rules for the apmd_t domain.
#
daemon_domain(apmd, `, privmodule, nscd_client_domain')
# for SSP
allow apmd_t urandom_device_t:chr_file read;
type apm_t, domain, privlog;
type apm_exec_t, file_type, sysadmfile, exec_type;
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, apm_exec_t, apm_t)
')
uses_shlib(apm_t)
allow apm_t privfd:fd use;
allow apm_t admin_tty_type:chr_file rw_file_perms;
allow apm_t device_t:dir search;
allow apm_t self:capability { dac_override sys_admin };
allow apm_t proc_t:dir search;
allow apm_t proc_t:file r_file_perms;
allow apm_t fs_t:filesystem getattr;
allow apm_t apm_bios_t:chr_file rw_file_perms;
role sysadm_r types apm_t;
role system_r types apm_t;
allow apmd_t device_t:lnk_file read;
allow apmd_t proc_t:file { getattr read write };
can_sysctl(apmd_t)
allow apmd_t sysfs_t:file write;
allow apmd_t self:unix_dgram_socket create_socket_perms;
allow apmd_t self:unix_stream_socket create_stream_socket_perms;
allow apmd_t self:fifo_file rw_file_perms;
allow apmd_t { etc_runtime_t modules_conf_t }:file { getattr read };
allow apmd_t etc_t:lnk_file read;
# acpid wants a socket
file_type_auto_trans(apmd_t, var_run_t, apmd_var_run_t, sock_file)
# acpid also has a logfile
log_domain(apmd)
tmp_domain(apmd)
ifdef(`distro_suse', `
var_lib_domain(apmd)
')
allow apmd_t self:file { getattr read ioctl };
allow apmd_t self:process getsession;
# Use capabilities.
allow apmd_t self:capability { sys_admin sys_nice sys_time kill };
# controlling an orderly resume of PCMCIA requires creating device
# nodes 254,{0,1,2} for some reason.
allow apmd_t self:capability mknod;
# Access /dev/apm_bios.
allow apmd_t apm_bios_t:chr_file rw_file_perms;
# Run helper programs.
can_exec_any(apmd_t)
# apmd calls hwclock.sh on suspend and resume
allow apmd_t clock_device_t:chr_file r_file_perms;
ifdef(`hwclock.te', `
domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
allow apmd_t adjtime_t:file rw_file_perms;
allow hwclock_t apmd_log_t:file append;
allow hwclock_t apmd_t:unix_stream_socket { read write };
')
# to quiet fuser and ps
# setuid for fuser, dac* for ps
dontaudit apmd_t self:capability { setuid dac_override dac_read_search };
dontaudit apmd_t domain:socket_class_set getattr;
dontaudit apmd_t { file_type fs_type }:notdevfile_class_set getattr;
dontaudit apmd_t device_type:devfile_class_set getattr;
dontaudit apmd_t home_type:dir { search getattr };
dontaudit apmd_t domain:key_socket getattr;
dontaudit apmd_t domain:dir search;
ifdef(`distro_redhat', `
can_exec(apmd_t, apmd_var_run_t)
# for /var/lock/subsys/network
lock_domain(apmd)
# ifconfig_exec_t needs to be run in its own domain for Red Hat
ifdef(`ifconfig.te', `domain_auto_trans(apmd_t, ifconfig_exec_t, ifconfig_t)')
ifdef(`iptables.te', `domain_auto_trans(apmd_t, iptables_exec_t, iptables_t)')
ifdef(`netutils.te', `domain_auto_trans(apmd_t, netutils_exec_t, netutils_t)')
', `
# for ifconfig which is run all the time
dontaudit apmd_t sysctl_t:dir search;
')
ifdef(`udev.te', `
allow apmd_t udev_t:file { getattr read };
allow apmd_t udev_t:lnk_file { getattr read };
')
#
# apmd tells the machine to shutdown requires the following
#
allow apmd_t initctl_t:fifo_file write;
allow apmd_t initrc_var_run_t:file { read write lock };
#
# Allow it to run killof5 and pidof
#
typeattribute apmd_t unrestricted;
r_dir_file(apmd_t, domain)
# Same for apm/acpid scripts
domain_auto_trans(apmd_t, initrc_exec_t, initrc_t)
ifdef(`consoletype.te', `
allow consoletype_t apmd_t:fd use;
allow consoletype_t apmd_t:fifo_file write;
')
ifdef(`mount.te', `allow mount_t apmd_t:fd use;')
ifdef(`crond.te', `
domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)
allow apmd_t crond_t:fifo_file { getattr read write ioctl };
')
ifdef(`mta.te', `
domain_auto_trans(apmd_t, sendmail_exec_t, system_mail_t)
')
# for a find /dev operation that gets /dev/shm
dontaudit apmd_t tmpfs_t:dir r_dir_perms;
dontaudit apmd_t selinux_config_t:dir search;
allow apmd_t user_tty_type:chr_file rw_file_perms;
# Access /dev/apm_bios.
allow initrc_t apm_bios_t:chr_file { setattr getattr read };
ifdef(`logrotate.te', `
allow apmd_t logrotate_t:fd use;
')dnl end if logrotate.te
allow apmd_t devpts_t:dir { getattr search };
allow apmd_t security_t:dir search;
allow apmd_t usr_t:dir search;
r_dir_file(apmd_t, hwdata_t)
ifdef(`targeted_policy', `
unconfined_domain(apmd_t)
')
ifdef(`NetworkManager.te', `
ifdef(`dbusd.te', `
allow apmd_t NetworkManager_t:dbus send_msg;
allow NetworkManager_t apmd_t:dbus send_msg;
')
')