#DESC Cardmgr - PCMCIA control programs
#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
#           Russell Coker <russell@coker.com.au>
# X-Debian-Packages: pcmcia-cs
#
#################################
#
# Rules for the cardmgr_t domain.
#
# The PCMCIA card manager daemon runs in cardmgr_t.  The daemon_domain macro
# supplies the standard daemon types; cardmgr_exec_t and cardmgr_var_run_t
# are used further down and are expected to come from it.  The privmodule
# argument is presumably what lets the daemon load card driver modules
# (see the modules_object_t search and the insmod_t rule below).
daemon_domain(cardmgr, `, privmodule')

# for SSP: the stack-smashing protector seeds its canary from /dev/urandom.
# Read only; no write access to the device is granted.
allow cardmgr_t urandom_device_t:chr_file read;
# cardctl, the control utility, executes into the same domain as the daemon,
# so an administrator running it gets the complete cardmgr_t privilege set
# (capabilities, can_exec_any, device node creation) rather than a narrower one.
type cardctl_exec_t, file_type, sysadmfile, exec_type;
# No sysadm_t transition in the targeted policy, presumably because sysadm_t
# is not a confined domain there; in the strict policy sysadm_t moves into
# cardmgr_t when it runs cardctl.
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, cardctl_exec_t, cardmgr_t)
')
# Make cardmgr_t reachable from the sysadm_r role.
role sysadm_r types cardmgr_t;
# cardctl reads and writes the terminal of the administrator who ran it.
allow cardmgr_t admin_tty_type:chr_file { read write };
# Directory traversal only: /sys and the parent of the home directories.
# The home_root_t search is presumably needed by the helper scripts run
# below when they resolve paths under home directories; confirm before
# removing it.
allow cardmgr_t sysfs_t:dir search;
allow cardmgr_t home_root_t:dir search;

# Use capabilities (net_admin for route), setuid for cardctl
# NOTE(review): this is a broad set.  Only net_admin and setuid are
# explained; dac_read_search, dac_override and sys_admin are not, and
# together with can_exec_any below they bring cardmgr_t close to an
# unconfined root shell for every /etc/pcmcia script it runs.  mknod pairs
# with the device node creation into cardmgr_dev_t further down.  Each
# capability should be tied to a known use before this list is kept as is.
allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
# for /etc/resolv.conf: files cardmgr_t creates directly in etc_t are
# labelled net_conf_t, so they fall under the network config rules instead
# of becoming generic etc_t.
file_type_auto_trans(cardmgr_t, etc_t, net_conf_t, file)

# Read-only access to runtime-generated files under /etc.
allow cardmgr_t etc_runtime_t:file { getattr read };

# Search the kernel module directory tree; this is lookup only, the module
# load itself is not granted by this line.
allow cardmgr_t modules_object_t:dir search;
# Private IPC: unix sockets and pipes to itself, presumably for logging and
# for talking to the child scripts it spawns.
allow cardmgr_t self:unix_dgram_socket create_socket_perms;
allow cardmgr_t self:unix_stream_socket create_socket_perms;
allow cardmgr_t self:fifo_file rw_file_perms;
# Create stab file: var_lib_domain presumably gives cardmgr_t a private
# type under /var/lib where the stab file is kept.
var_lib_domain(cardmgr)

# for /var/lib/misc/pcmcia-scheme
# would be better to have it in a different type if I knew how it was created..
# NOTE(review): as written this allows reading every generic var_lib_t file,
# not just pcmcia-scheme.  A dedicated type plus a file context entry for
# /var/lib/misc/pcmcia-scheme would narrow it to that one file.
allow cardmgr_t var_lib_t:file { getattr read };
# Device nodes created by cardmgr_t.  Note the transition below applies in
# /dev, /tmp, /var/run and the cardmgr run directory, not only in /tmp as
# the old comment said.  cardmgr_dev_t is a device_type, so the generic
# device rules reach it, and a tmpfile, presumably so tmp cleanup may remove
# stale nodes.  NOTE(review): device nodes placed in tmp_t sit in a
# world-writable directory reachable by many domains; prefer creating them
# in /dev or the run directory where the daemon allows it.
type cardmgr_dev_t, file_type, sysadmfile, tmpfile, device_type, dev_fs;
file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })

# Symbolic links cardmgr_t creates in /dev get their own type, so other
# domains can be granted the links without the rest of device_t.
type cardmgr_lnk_t, file_type, sysadmfile;
file_type_auto_trans(cardmgr_t, device_t, cardmgr_lnk_t, lnk_file)
# Run a shell, normal commands, /etc/pcmcia scripts.
# NOTE(review): there is no separate script domain; every script and every
# program it invokes runs with the full cardmgr_t capability set above.
# Whoever can modify those scripts therefore controls this domain.
can_exec_any(cardmgr_t)
# Follow symlinks under /etc, presumably while locating scripts and config.
allow cardmgr_t etc_t:lnk_file read;

# Run ifconfig in its own domain; ifconfig_t may keep using the
# descriptors it inherits from cardmgr_t.
domain_auto_trans(cardmgr_t, ifconfig_exec_t, ifconfig_t)
allow ifconfig_t cardmgr_t:fd use;
# Generic /proc file reads.
allow cardmgr_t proc_t:file { getattr read ioctl };

# Read /proc/PID directories for all domains (for fuser).
# The unrestricted domains are left out, and searches into them are
# silenced rather than allowed.
can_ps(cardmgr_t, domain -unrestricted)
dontaudit cardmgr_t unrestricted:dir search;

# Presumably also from the fuser scan: stat every device node and tty, and
# keep the stat attempts it makes on ptys, ordinary files and directories,
# process sockets and /proc/kmsg out of the audit log.  dontaudit grants
# nothing; those accesses stay denied unless allowed elsewhere.
allow cardmgr_t device_type:{ chr_file blk_file } getattr;
allow cardmgr_t ttyfile:chr_file getattr;
dontaudit cardmgr_t ptyfile:chr_file getattr;
dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr;
dontaudit cardmgr_t domain:{ fifo_file socket_class_set } getattr;
dontaudit cardmgr_t proc_kmsg_t:file getattr;

# Full read/write on console and serial terminal devices.
allow cardmgr_t tty_device_t:chr_file rw_file_perms;
# apmd may start the daemon or run cardctl, entering cardmgr_t as it does.
# NOTE(review): that is a step up for apmd_t into a domain holding sys_admin
# and dac_override; keep it in mind when reviewing what apmd_t may execute.
ifdef(`apmd.te', `
domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
')

# Silence insmod and ifconfig touching cardmgr device nodes, presumably via
# descriptors inherited from cardmgr_t.  dontaudit grants nothing; it only
# keeps the denials out of the log.
ifdef(`hide_broken_symptoms', `
dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
')
# hald may manage the cardmgr run directory, including creating character
# device nodes labelled cardmgr_var_run_t in it.  NOTE(review): creating a
# device node also needs the mknod capability, which must come from the
# hald policy; check there before assuming this rule is inert.
ifdef(`hald.te', `
rw_dir_file(hald_t, cardmgr_var_run_t)
allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
')
# Read symlinks in /dev; belongs with the cardmgr_lnk_t rules above.
allow cardmgr_t device_t:lnk_file { getattr read };