|
Chris PeBenito |
31b7c0 |
#DESC Cardmgr - PCMCIA control programs
|
|
Chris PeBenito |
31b7c0 |
#
|
|
Chris PeBenito |
31b7c0 |
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
|
Chris PeBenito |
31b7c0 |
# Russell Coker <russell@coker.com.au>
|
|
Chris PeBenito |
31b7c0 |
# X-Debian-Packages: pcmcia-cs
|
|
Chris PeBenito |
31b7c0 |
#
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
#################################
|
|
Chris PeBenito |
31b7c0 |
#
|
|
Chris PeBenito |
31b7c0 |
# Rules for the cardmgr_t domain.
|
|
Chris PeBenito |
31b7c0 |
#
|
|
Chris PeBenito |
31b7c0 |
daemon_domain(cardmgr, `, privmodule')
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
# for SSP
|
|
Chris PeBenito |
31b7c0 |
allow cardmgr_t urandom_device_t:chr_file read;
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
type cardctl_exec_t, file_type, sysadmfile, exec_type;
|
|
Chris PeBenito |
31b7c0 |
ifdef(`targeted_policy', `', `
|
|
Chris PeBenito |
31b7c0 |
domain_auto_trans(sysadm_t, cardctl_exec_t, cardmgr_t)
|
|
Chris PeBenito |
31b7c0 |
')
|
|
Chris PeBenito |
31b7c0 |
role sysadm_r types cardmgr_t;
|
|
Chris PeBenito |
31b7c0 |
allow cardmgr_t admin_tty_type:chr_file { read write };
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
allow cardmgr_t sysfs_t:dir search;
|
|
Chris PeBenito |
31b7c0 |
allow cardmgr_t home_root_t:dir search;
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
# Use capabilities (net_admin for route), setuid for cardctl
|
|
Chris PeBenito |
31b7c0 |
allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
# for /etc/resolv.conf
|
|
Chris PeBenito |
31b7c0 |
file_type_auto_trans(cardmgr_t, etc_t, net_conf_t, file)
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
allow cardmgr_t etc_runtime_t:file { getattr read };
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
allow cardmgr_t modules_object_t:dir search;
|
|
Chris PeBenito |
31b7c0 |
allow cardmgr_t self:unix_dgram_socket create_socket_perms;
|
|
Chris PeBenito |
31b7c0 |
allow cardmgr_t self:unix_stream_socket create_socket_perms;
|
|
Chris PeBenito |
31b7c0 |
allow cardmgr_t self:fifo_file rw_file_perms;
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
# Create stab file
|
|
Chris PeBenito |
31b7c0 |
var_lib_domain(cardmgr)
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
# for /var/lib/misc/pcmcia-scheme
|
|
Chris PeBenito |
31b7c0 |
# would be better to have it in a different type if I knew how it was created..
|
|
Chris PeBenito |
31b7c0 |
allow cardmgr_t var_lib_t:file { getattr read };
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
# Create device files in /tmp.
|
|
Chris PeBenito |
31b7c0 |
type cardmgr_dev_t, file_type, sysadmfile, tmpfile, device_type, dev_fs;
|
|
Chris PeBenito |
31b7c0 |
file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
# Create symbolic links in /dev.
|
|
Chris PeBenito |
31b7c0 |
type cardmgr_lnk_t, file_type, sysadmfile;
|
|
Chris PeBenito |
31b7c0 |
file_type_auto_trans(cardmgr_t, device_t, cardmgr_lnk_t, lnk_file)
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
# Run a shell, normal commands, /etc/pcmcia scripts.
|
|
Chris PeBenito |
31b7c0 |
can_exec_any(cardmgr_t)
|
|
Chris PeBenito |
31b7c0 |
allow cardmgr_t etc_t:lnk_file read;
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
# Run ifconfig.
|
|
Chris PeBenito |
31b7c0 |
domain_auto_trans(cardmgr_t, ifconfig_exec_t, ifconfig_t)
|
|
Chris PeBenito |
31b7c0 |
allow ifconfig_t cardmgr_t:fd use;
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
allow cardmgr_t proc_t:file { getattr read ioctl };
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
# Read /proc/PID directories for all domains (for fuser).
|
|
Chris PeBenito |
31b7c0 |
can_ps(cardmgr_t, domain -unrestricted)
|
|
Chris PeBenito |
31b7c0 |
dontaudit cardmgr_t unrestricted:dir search;
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
allow cardmgr_t device_type:{ chr_file blk_file } getattr;
|
|
Chris PeBenito |
31b7c0 |
allow cardmgr_t ttyfile:chr_file getattr;
|
|
Chris PeBenito |
31b7c0 |
dontaudit cardmgr_t ptyfile:chr_file getattr;
|
|
Chris PeBenito |
31b7c0 |
dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr;
|
|
Chris PeBenito |
31b7c0 |
dontaudit cardmgr_t domain:{ fifo_file socket_class_set } getattr;
|
|
Chris PeBenito |
31b7c0 |
dontaudit cardmgr_t proc_kmsg_t:file getattr;
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
allow cardmgr_t tty_device_t:chr_file rw_file_perms;
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
ifdef(`apmd.te', `
|
|
Chris PeBenito |
31b7c0 |
domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
|
|
Chris PeBenito |
31b7c0 |
')
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
ifdef(`hide_broken_symptoms', `
|
|
Chris PeBenito |
31b7c0 |
dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
|
|
Chris PeBenito |
31b7c0 |
dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
|
|
Chris PeBenito |
31b7c0 |
')
|
|
Chris PeBenito |
31b7c0 |
ifdef(`hald.te', `
|
|
Chris PeBenito |
31b7c0 |
rw_dir_file(hald_t, cardmgr_var_run_t)
|
|
Chris PeBenito |
31b7c0 |
allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
|
|
Chris PeBenito |
31b7c0 |
')
|
|
Chris PeBenito |
31b7c0 |
allow cardmgr_t device_t:lnk_file { getattr read };
|