selinux-policy/strict/domains/program/cardmgr.te

91 lines
2.9 KiB
Plaintext

#DESC Cardmgr - PCMCIA control programs
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: pcmcia-cs
#
#################################
#
# Rules for the cardmgr_t domain.
#
daemon_domain(cardmgr, `, privmodule')
# for SSP
allow cardmgr_t urandom_device_t:chr_file read;
type cardctl_exec_t, file_type, sysadmfile, exec_type;
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, cardctl_exec_t, cardmgr_t)
')
role sysadm_r types cardmgr_t;
allow cardmgr_t admin_tty_type:chr_file { read write };
allow cardmgr_t sysfs_t:dir search;
allow cardmgr_t home_root_t:dir search;
# Use capabilities (net_admin for route), setuid for cardctl
allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
# for /etc/resolv.conf
file_type_auto_trans(cardmgr_t, etc_t, net_conf_t, file)
allow cardmgr_t etc_runtime_t:file { getattr read };
allow cardmgr_t modules_object_t:dir search;
allow cardmgr_t self:unix_dgram_socket create_socket_perms;
allow cardmgr_t self:unix_stream_socket create_socket_perms;
allow cardmgr_t self:fifo_file rw_file_perms;
# Create stab file
var_lib_domain(cardmgr)
# for /var/lib/misc/pcmcia-scheme
# would be better to have it in a different type if I knew how it was created..
allow cardmgr_t var_lib_t:file { getattr read };
# Create device files in /tmp.
type cardmgr_dev_t, file_type, sysadmfile, tmpfile, device_type, dev_fs;
file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
# Create symbolic links in /dev.
type cardmgr_lnk_t, file_type, sysadmfile;
file_type_auto_trans(cardmgr_t, device_t, cardmgr_lnk_t, lnk_file)
# Run a shell, normal commands, /etc/pcmcia scripts.
can_exec_any(cardmgr_t)
allow cardmgr_t etc_t:lnk_file read;
# Run ifconfig.
domain_auto_trans(cardmgr_t, ifconfig_exec_t, ifconfig_t)
allow ifconfig_t cardmgr_t:fd use;
allow cardmgr_t proc_t:file { getattr read ioctl };
# Read /proc/PID directories for all domains (for fuser).
can_ps(cardmgr_t, domain -unrestricted)
dontaudit cardmgr_t unrestricted:dir search;
allow cardmgr_t device_type:{ chr_file blk_file } getattr;
allow cardmgr_t ttyfile:chr_file getattr;
dontaudit cardmgr_t ptyfile:chr_file getattr;
dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr;
dontaudit cardmgr_t domain:{ fifo_file socket_class_set } getattr;
dontaudit cardmgr_t proc_kmsg_t:file getattr;
allow cardmgr_t tty_device_t:chr_file rw_file_perms;
ifdef(`apmd.te', `
domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
')
ifdef(`hide_broken_symptoms', `
dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
')
ifdef(`hald.te', `
rw_dir_file(hald_t, cardmgr_var_run_t)
allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
')
allow cardmgr_t device_t:lnk_file { getattr read };