#DESC Cardmgr - PCMCIA control programs # # Authors: Stephen Smalley and Timothy Fraser # Russell Coker # X-Debian-Packages: pcmcia-cs # ################################# # # Rules for the cardmgr_t domain. # daemon_domain(cardmgr, `, privmodule') # for SSP allow cardmgr_t urandom_device_t:chr_file read; type cardctl_exec_t, file_type, sysadmfile, exec_type; domain_auto_trans(sysadm_t, cardctl_exec_t, cardmgr_t) role sysadm_r types cardmgr_t; allow cardmgr_t admin_tty_type:chr_file { read write }; allow cardmgr_t sysfs_t:dir search; allow cardmgr_t home_root_t:dir search; # Use capabilities (net_admin for route), setuid for cardctl allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod }; # for /etc/resolv.conf file_type_auto_trans(cardmgr_t, etc_t, net_conf_t, file) allow cardmgr_t etc_runtime_t:file { getattr read }; allow cardmgr_t modules_object_t:dir search; allow cardmgr_t self:unix_dgram_socket create_socket_perms; allow cardmgr_t self:unix_stream_socket create_socket_perms; allow cardmgr_t self:fifo_file rw_file_perms; # Create stab file var_lib_domain(cardmgr) # for /var/lib/misc/pcmcia-scheme # would be better to have it in a different type if I knew how it was created.. allow cardmgr_t var_lib_t:file { getattr read }; # Create device files in /tmp. type cardmgr_dev_t, file_type, sysadmfile, tmpfile, device_type, dev_fs; file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file }) # Create symbolic links in /dev. type cardmgr_lnk_t, file_type, sysadmfile; file_type_auto_trans(cardmgr_t, device_t, cardmgr_lnk_t, lnk_file) # Run a shell, normal commands, /etc/pcmcia scripts. can_exec_any(cardmgr_t) allow cardmgr_t etc_t:lnk_file read; # Run ifconfig. domain_auto_trans(cardmgr_t, ifconfig_exec_t, ifconfig_t) allow ifconfig_t cardmgr_t:fd use; allow cardmgr_t proc_t:file { getattr read ioctl }; # Read /proc/PID directories for all domains (for fuser). can_ps(cardmgr_t, domain) allow cardmgr_t device_type:{ chr_file blk_file } getattr; allow cardmgr_t ttyfile:chr_file getattr; dontaudit cardmgr_t ptyfile:chr_file getattr; dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr; dontaudit cardmgr_t domain:{ fifo_file socket_class_set } getattr; dontaudit cardmgr_t proc_kmsg_t:file getattr; allow cardmgr_t tty_device_t:chr_file rw_file_perms; ifdef(`apmd.te', ` domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t) ') ifdef(`hide_broken_symptoms', ` dontaudit insmod_t cardmgr_dev_t:chr_file { read write }; dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write }; ') ifdef(`hald.te', ` rw_dir_file(hald_t, cardmgr_var_run_t) allow hald_t cardmgr_var_run_t:chr_file create_file_perms; ')