Chris PeBenito 0fbfa5
#DESC Apmd - Automatic Power Management daemon
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
Chris PeBenito 0fbfa5
#           Russell Coker <russell@coker.com.au>
Chris PeBenito 0fbfa5
# X-Debian-Packages: apmd
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Rules for the apmd_t domain.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
daemon_domain(apmd, `, privmodule, nscd_client_domain')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for SSP
Chris PeBenito 0fbfa5
allow apmd_t urandom_device_t:chr_file read;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
type apm_t, domain, privlog;
Chris PeBenito 0fbfa5
type apm_exec_t, file_type, sysadmfile, exec_type;
Chris PeBenito 0fbfa5
domain_auto_trans(sysadm_t, apm_exec_t, apm_t)
Chris PeBenito 0fbfa5
uses_shlib(apm_t)
Chris PeBenito 0fbfa5
allow apm_t privfd:fd use;
Chris PeBenito 0fbfa5
allow apm_t admin_tty_type:chr_file rw_file_perms;
Chris PeBenito 0fbfa5
allow apm_t device_t:dir search;
Chris PeBenito 2705f9
allow apm_t self:capability { dac_override sys_admin };
Chris PeBenito 0fbfa5
allow apm_t proc_t:dir search;
Chris PeBenito 2705f9
allow apm_t proc_t:file r_file_perms;
Chris PeBenito 0fbfa5
allow apm_t fs_t:filesystem getattr;
Chris PeBenito 0fbfa5
allow apm_t apm_bios_t:chr_file rw_file_perms;
Chris PeBenito 0fbfa5
role sysadm_r types apm_t;
Chris PeBenito 0fbfa5
role system_r types apm_t;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow apmd_t device_t:lnk_file read;
Chris PeBenito 2705f9
allow apmd_t proc_t:file { getattr read write };
Chris PeBenito 2705f9
can_sysctl(apmd_t)
Chris PeBenito 2705f9
allow apmd_t sysfs_t:file write;
Chris PeBenito 2705f9
Chris PeBenito 0fbfa5
allow apmd_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito 0fbfa5
allow apmd_t self:unix_stream_socket create_stream_socket_perms;
Chris PeBenito 0fbfa5
allow apmd_t self:fifo_file rw_file_perms;
Chris PeBenito 0fbfa5
allow apmd_t { etc_runtime_t modules_conf_t }:file { getattr read };
Chris PeBenito 0fbfa5
allow apmd_t etc_t:lnk_file read;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# acpid wants a socket
Chris PeBenito 0fbfa5
file_type_auto_trans(apmd_t, var_run_t, apmd_var_run_t, sock_file)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# acpid also has a logfile
Chris PeBenito 0fbfa5
log_domain(apmd)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`distro_suse', `
Chris PeBenito 0fbfa5
var_lib_domain(apmd)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow apmd_t self:file { getattr read ioctl };
Chris PeBenito 0fbfa5
allow apmd_t self:process getsession;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Use capabilities.
Chris PeBenito 2705f9
allow apmd_t self:capability { sys_admin sys_nice sys_time kill };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# controlling an orderly resume of PCMCIA requires creating device
Chris PeBenito 0fbfa5
# nodes 254,{0,1,2} for some reason.
Chris PeBenito 0fbfa5
allow apmd_t self:capability mknod;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Access /dev/apm_bios.
Chris PeBenito 0fbfa5
allow apmd_t apm_bios_t:chr_file rw_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Run helper programs.
Chris PeBenito 0fbfa5
can_exec_any(apmd_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# apmd calls hwclock.sh on suspend and resume
Chris PeBenito 0fbfa5
allow apmd_t clock_device_t:chr_file r_file_perms;
Chris PeBenito 0fbfa5
ifdef(`hwclock.te', `
Chris PeBenito 2705f9
domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
Chris PeBenito 0fbfa5
allow apmd_t adjtime_t:file rw_file_perms;
Chris PeBenito 2705f9
allow hwclock_t apmd_log_t:file append;
Chris PeBenito 2705f9
allow hwclock_t apmd_t:unix_stream_socket { read write };
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# to quiet fuser and ps
Chris PeBenito 0fbfa5
# setuid for fuser, dac* for ps
Chris PeBenito 0fbfa5
dontaudit apmd_t self:capability { setuid dac_override dac_read_search };
Chris PeBenito 0fbfa5
dontaudit apmd_t domain:socket_class_set getattr;
Chris PeBenito 0fbfa5
dontaudit apmd_t { file_type fs_type }:notdevfile_class_set getattr;
Chris PeBenito 0fbfa5
dontaudit apmd_t device_type:devfile_class_set getattr;
Chris PeBenito 0fbfa5
dontaudit apmd_t home_type:dir { search getattr };
Chris PeBenito 0fbfa5
dontaudit apmd_t domain:key_socket getattr;
Chris PeBenito 0fbfa5
dontaudit apmd_t domain:dir search;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`distro_redhat', `
Chris PeBenito 0fbfa5
can_exec(apmd_t, apmd_var_run_t)
Chris PeBenito 0fbfa5
# for /var/lock/subsys/network
Chris PeBenito 2705f9
lock_domain(apmd)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# ifconfig_exec_t needs to be run in its own domain for Red Hat
Chris PeBenito 0fbfa5
ifdef(`ifconfig.te', `domain_auto_trans(apmd_t, ifconfig_exec_t, ifconfig_t)')
Chris PeBenito 0fbfa5
ifdef(`iptables.te', `domain_auto_trans(apmd_t, iptables_exec_t, iptables_t)')
Chris PeBenito 0fbfa5
ifdef(`netutils.te', `domain_auto_trans(apmd_t, netutils_exec_t, netutils_t)')
Chris PeBenito 0fbfa5
', `
Chris PeBenito 0fbfa5
# for ifconfig which is run all the time
Chris PeBenito 0fbfa5
dontaudit apmd_t sysctl_t:dir search;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`udev.te', `
Chris PeBenito 0fbfa5
allow apmd_t udev_t:file { getattr read };
Chris PeBenito 0fbfa5
allow apmd_t udev_t:lnk_file { getattr read };
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# apmd tells the machine to shutdown requires the following
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
allow apmd_t initctl_t:fifo_file write;
Chris PeBenito 0fbfa5
allow apmd_t initrc_var_run_t:file { read write lock };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Allow it to run killof5 and pidof
Chris PeBenito 0fbfa5
#
Chris PeBenito 2705f9
typeattribute apmd_t unrestricted;
Chris PeBenito 0fbfa5
r_dir_file(apmd_t, domain)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Same for apm/acpid scripts
Chris PeBenito 0fbfa5
domain_auto_trans(apmd_t, initrc_exec_t, initrc_t)
Chris PeBenito 0fbfa5
ifdef(`consoletype.te', `
Chris PeBenito 0fbfa5
allow consoletype_t apmd_t:fd use;
Chris PeBenito 0fbfa5
allow consoletype_t apmd_t:fifo_file write;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`mount.te', `allow mount_t apmd_t:fd use;')
Chris PeBenito 0fbfa5
ifdef(`crond.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)
Chris PeBenito 0fbfa5
allow apmd_t crond_t:fifo_file { getattr read write ioctl };
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`mta.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(apmd_t, sendmail_exec_t, system_mail_t) 
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for a find /dev operation that gets /dev/shm
Chris PeBenito 0fbfa5
dontaudit apmd_t tmpfs_t:dir r_dir_perms;
Chris PeBenito 0fbfa5
dontaudit apmd_t selinux_config_t:dir search;
Chris PeBenito 0fbfa5
allow apmd_t user_tty_type:chr_file rw_file_perms;
Chris PeBenito 0fbfa5
# Access /dev/apm_bios.
Chris PeBenito 0fbfa5
allow initrc_t apm_bios_t:chr_file { setattr getattr read };