rpms / selinux-policy

Clone
Source Code
GIT

Files

  1.   5e98eaa9889e0b8a8af5736d00b2b1a9f57a00e0
  2.   strict
  3.   domains
  4.   program
  5.   apmd.te
Blob Blame History Raw 
#DESC Apmd - Automatic Power Management daemon
#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
#           Russell Coker <russell@coker.com.au>
# X-Debian-Packages: apmd
#

#################################
#
# Rules for the apmd_t domain.
#
daemon_domain(apmd, `, privmodule, nscd_client_domain')

# for SSP
allow apmd_t urandom_device_t:chr_file read;

type apm_t, domain, privlog;
type apm_exec_t, file_type, sysadmfile, exec_type;
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, apm_exec_t, apm_t)
')
uses_shlib(apm_t)
allow apm_t privfd:fd use;
allow apm_t admin_tty_type:chr_file rw_file_perms;
allow apm_t device_t:dir search;
allow apm_t self:capability { dac_override sys_admin };
allow apm_t proc_t:dir search;
allow apm_t proc_t:file r_file_perms;
allow apm_t fs_t:filesystem getattr;
allow apm_t apm_bios_t:chr_file rw_file_perms;
role sysadm_r types apm_t;
role system_r types apm_t;

allow apmd_t device_t:lnk_file read;
allow apmd_t proc_t:file { getattr read write };
can_sysctl(apmd_t)
allow apmd_t sysfs_t:file write;

allow apmd_t self:unix_dgram_socket create_socket_perms;
allow apmd_t self:unix_stream_socket create_stream_socket_perms;
allow apmd_t self:fifo_file rw_file_perms;
allow apmd_t { etc_runtime_t modules_conf_t }:file { getattr read };
allow apmd_t etc_t:lnk_file read;

# acpid wants a socket
file_type_auto_trans(apmd_t, var_run_t, apmd_var_run_t, sock_file)

# acpid also has a logfile
log_domain(apmd)
tmp_domain(apmd)

ifdef(`distro_suse', `
var_lib_domain(apmd)
')

allow apmd_t self:file { getattr read ioctl };
allow apmd_t self:process getsession;

# Use capabilities.
allow apmd_t self:capability { sys_admin sys_nice sys_time kill };

# controlling an orderly resume of PCMCIA requires creating device
# nodes 254,{0,1,2} for some reason.
allow apmd_t self:capability mknod;

# Access /dev/apm_bios.
allow apmd_t apm_bios_t:chr_file rw_file_perms;

# Run helper programs.
can_exec_any(apmd_t)

# apmd calls hwclock.sh on suspend and resume
allow apmd_t clock_device_t:chr_file r_file_perms;
ifdef(`hwclock.te', `
domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
allow apmd_t adjtime_t:file rw_file_perms;
allow hwclock_t apmd_log_t:file append;
allow hwclock_t apmd_t:unix_stream_socket { read write };
')


# to quiet fuser and ps
# setuid for fuser, dac* for ps
dontaudit apmd_t self:capability { setuid dac_override dac_read_search };
dontaudit apmd_t domain:socket_class_set getattr;
dontaudit apmd_t { file_type fs_type }:notdevfile_class_set getattr;
dontaudit apmd_t device_type:devfile_class_set getattr;
dontaudit apmd_t home_type:dir { search getattr };
dontaudit apmd_t domain:key_socket getattr;
dontaudit apmd_t domain:dir search;

ifdef(`distro_redhat', `
can_exec(apmd_t, apmd_var_run_t)
# for /var/lock/subsys/network
lock_domain(apmd)

# ifconfig_exec_t needs to be run in its own domain for Red Hat
ifdef(`ifconfig.te', `domain_auto_trans(apmd_t, ifconfig_exec_t, ifconfig_t)')
ifdef(`iptables.te', `domain_auto_trans(apmd_t, iptables_exec_t, iptables_t)')
ifdef(`netutils.te', `domain_auto_trans(apmd_t, netutils_exec_t, netutils_t)')
', `
# for ifconfig which is run all the time
dontaudit apmd_t sysctl_t:dir search;
')

ifdef(`udev.te', `
allow apmd_t udev_t:file { getattr read };
allow apmd_t udev_t:lnk_file { getattr read };
')
#
# apmd tells the machine to shutdown requires the following
#
allow apmd_t initctl_t:fifo_file write;
allow apmd_t initrc_var_run_t:file { read write lock };

#
# Allow it to run killof5 and pidof
#
typeattribute apmd_t unrestricted;
r_dir_file(apmd_t, domain)

# Same for apm/acpid scripts
domain_auto_trans(apmd_t, initrc_exec_t, initrc_t)
ifdef(`consoletype.te', `
allow consoletype_t apmd_t:fd use;
allow consoletype_t apmd_t:fifo_file write;
')
ifdef(`mount.te', `allow mount_t apmd_t:fd use;')
ifdef(`crond.te', `
domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)
allow apmd_t crond_t:fifo_file { getattr read write ioctl };
')

ifdef(`mta.te', `
domain_auto_trans(apmd_t, sendmail_exec_t, system_mail_t) 
')

# for a find /dev operation that gets /dev/shm
dontaudit apmd_t tmpfs_t:dir r_dir_perms;
dontaudit apmd_t selinux_config_t:dir search;
allow apmd_t user_tty_type:chr_file rw_file_perms;
# Access /dev/apm_bios.
allow initrc_t apm_bios_t:chr_file { setattr getattr read };

ifdef(`logrotate.te', `
allow apmd_t logrotate_t:fd use;
')dnl end if logrotate.te
allow apmd_t devpts_t:dir { getattr search };
allow apmd_t security_t:dir search;
allow apmd_t usr_t:dir search;
r_dir_file(apmd_t, hwdata_t)
ifdef(`targeted_policy', `
unconfined_domain(apmd_t)
')

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation