#DESC Apmd - Automatic Power Management daemon # # Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser # Russell Coker <russell@coker.com.au> # X-Debian-Packages: apmd # ################################# # # Rules for the apmd_t domain. # daemon_domain(apmd, `, privmodule, privmail, nscd_client_domain') # for SSP allow apmd_t urandom_device_t:chr_file read; type apm_t, domain, privlog; type apm_exec_t, file_type, sysadmfile, exec_type; ifdef(`targeted_policy', `', ` domain_auto_trans(sysadm_t, apm_exec_t, apm_t) ') uses_shlib(apm_t) allow apm_t privfd:fd use; allow apm_t admin_tty_type:chr_file rw_file_perms; allow apm_t device_t:dir search; allow apm_t self:capability { dac_override sys_admin }; allow apm_t proc_t:dir search; allow apm_t proc_t:file r_file_perms; allow apm_t fs_t:filesystem getattr; allow apm_t apm_bios_t:chr_file rw_file_perms; role sysadm_r types apm_t; role system_r types apm_t; allow apmd_t device_t:lnk_file read; allow apmd_t proc_t:file { getattr read write }; can_sysctl(apmd_t) allow apmd_t sysfs_t:file write; allow apmd_t self:unix_dgram_socket create_socket_perms; allow apmd_t self:unix_stream_socket create_stream_socket_perms; allow apmd_t self:fifo_file rw_file_perms; allow apmd_t { etc_runtime_t modules_conf_t }:file { getattr read }; allow apmd_t etc_t:lnk_file read; # acpid wants a socket file_type_auto_trans(apmd_t, var_run_t, apmd_var_run_t, sock_file) # acpid also has a logfile log_domain(apmd) tmp_domain(apmd) ifdef(`distro_suse', ` var_lib_domain(apmd) ') allow apmd_t self:file { getattr read ioctl }; allow apmd_t self:process getsession; # Use capabilities. allow apmd_t self:capability { sys_admin sys_nice sys_time kill }; # controlling an orderly resume of PCMCIA requires creating device # nodes 254,{0,1,2} for some reason. allow apmd_t self:capability mknod; # Access /dev/apm_bios. allow apmd_t apm_bios_t:chr_file rw_file_perms; # Run helper programs. can_exec_any(apmd_t) # apmd calls hwclock.sh on suspend and resume allow apmd_t clock_device_t:chr_file r_file_perms; ifdef(`hwclock.te', ` domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t) allow apmd_t adjtime_t:file rw_file_perms; allow hwclock_t apmd_log_t:file append; allow hwclock_t apmd_t:unix_stream_socket { read write }; ') # to quiet fuser and ps # setuid for fuser, dac* for ps dontaudit apmd_t self:capability { setuid dac_override dac_read_search }; dontaudit apmd_t domain:socket_class_set getattr; dontaudit apmd_t { file_type fs_type }:notdevfile_class_set getattr; dontaudit apmd_t device_type:devfile_class_set getattr; dontaudit apmd_t home_type:dir { search getattr }; dontaudit apmd_t domain:key_socket getattr; dontaudit apmd_t domain:dir search; ifdef(`distro_redhat', ` can_exec(apmd_t, apmd_var_run_t) # for /var/lock/subsys/network lock_domain(apmd) # ifconfig_exec_t needs to be run in its own domain for Red Hat ifdef(`ifconfig.te', `domain_auto_trans(apmd_t, ifconfig_exec_t, ifconfig_t)') ifdef(`iptables.te', `domain_auto_trans(apmd_t, iptables_exec_t, iptables_t)') ifdef(`netutils.te', `domain_auto_trans(apmd_t, netutils_exec_t, netutils_t)') ', ` # for ifconfig which is run all the time dontaudit apmd_t sysctl_t:dir search; ') ifdef(`udev.te', ` allow apmd_t udev_t:file { getattr read }; allow apmd_t udev_t:lnk_file { getattr read }; ') # # apmd tells the machine to shutdown requires the following # allow apmd_t initctl_t:fifo_file write; allow apmd_t initrc_var_run_t:file { read write lock }; # # Allow it to run killof5 and pidof # typeattribute apmd_t unrestricted; r_dir_file(apmd_t, domain) # Same for apm/acpid scripts domain_auto_trans(apmd_t, initrc_exec_t, initrc_t) ifdef(`consoletype.te', ` allow consoletype_t apmd_t:fd use; allow consoletype_t apmd_t:fifo_file write; ') ifdef(`mount.te', `allow mount_t apmd_t:fd use;') ifdef(`crond.te', ` domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t) allow apmd_t crond_t:fifo_file { getattr read write ioctl }; ') # for a find /dev operation that gets /dev/shm dontaudit apmd_t tmpfs_t:dir r_dir_perms; dontaudit apmd_t selinux_config_t:dir search; allow apmd_t user_tty_type:chr_file rw_file_perms; # Access /dev/apm_bios. allow initrc_t apm_bios_t:chr_file { setattr getattr read }; ifdef(`logrotate.te', ` allow apmd_t logrotate_t:fd use; ')dnl end if logrotate.te allow apmd_t devpts_t:dir { getattr search }; allow apmd_t security_t:dir search; allow apmd_t usr_t:dir search; r_dir_file(apmd_t, hwdata_t) ifdef(`targeted_policy', ` unconfined_domain(apmd_t) ') ifdef(`NetworkManager.te', ` ifdef(`dbusd.te', ` allow apmd_t NetworkManager_t:dbus send_msg; allow NetworkManager_t apmd_t:dbus send_msg; ') ')