Blob Blame History Raw
#DESC Cardmgr - PCMCIA control programs
#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
#           Russell Coker <russell@coker.com.au>
# X-Debian-Packages: pcmcia-cs
#

#################################
#
# Rules for the cardmgr_t domain.
#
daemon_domain(cardmgr, `, privmodule')

# for SSP
allow cardmgr_t urandom_device_t:chr_file read;

type cardctl_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(sysadm_t, cardctl_exec_t, cardmgr_t)
role sysadm_r types cardmgr_t;
allow cardmgr_t admin_tty_type:chr_file { read write };

allow cardmgr_t sysfs_t:dir search;
allow cardmgr_t home_root_t:dir search;

# Use capabilities (net_admin for route), setuid for cardctl
allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };

# for /etc/resolv.conf
file_type_auto_trans(cardmgr_t, etc_t, net_conf_t, file)

allow cardmgr_t etc_runtime_t:file { getattr read };

allow cardmgr_t modules_object_t:dir search;
allow cardmgr_t self:unix_dgram_socket create_socket_perms;
allow cardmgr_t self:unix_stream_socket create_socket_perms;
allow cardmgr_t self:fifo_file rw_file_perms;

# Create stab file
var_lib_domain(cardmgr)

# for /var/lib/misc/pcmcia-scheme
# would be better to have it in a different type if I knew how it was created..
allow cardmgr_t var_lib_t:file { getattr read };

# Create device files in /tmp.
type cardmgr_dev_t, file_type, sysadmfile, tmpfile, device_type, dev_fs;
file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })

# Create symbolic links in /dev.
type cardmgr_lnk_t, file_type, sysadmfile;
file_type_auto_trans(cardmgr_t, device_t, cardmgr_lnk_t, lnk_file)

# Run a shell, normal commands, /etc/pcmcia scripts. 
can_exec_any(cardmgr_t)
allow cardmgr_t etc_t:lnk_file read;

# Run ifconfig.
domain_auto_trans(cardmgr_t, ifconfig_exec_t, ifconfig_t)
allow ifconfig_t cardmgr_t:fd use;

allow cardmgr_t proc_t:file { getattr read ioctl };

# Read /proc/PID directories for all domains (for fuser).
can_ps(cardmgr_t, domain -unrestricted)
dontaudit cardmgr_t unrestricted:dir search;

allow cardmgr_t device_type:{ chr_file blk_file } getattr;
allow cardmgr_t ttyfile:chr_file getattr;
dontaudit cardmgr_t ptyfile:chr_file getattr;
dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr;
dontaudit cardmgr_t domain:{ fifo_file socket_class_set } getattr;
dontaudit cardmgr_t proc_kmsg_t:file getattr;

allow cardmgr_t tty_device_t:chr_file rw_file_perms;

ifdef(`apmd.te', `
domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
')

ifdef(`hide_broken_symptoms', `
dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
')
ifdef(`hald.te', `
rw_dir_file(hald_t, cardmgr_var_run_t)
allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
')