git.ipfire.org Git - people/stevee/selinux-policy.git/blob - policy/modules/services/apm.te
trunk: bump versions for release.
1
2 policy_module(apm, 1.7.0)
3 # Module apm, version 1.7.0: declares the types for the apm client (apm_t) and the apm daemon (apmd_t).
4 ########################################
5 #
6 # Declarations
7 #
8 type apmd_t;
9 type apmd_exec_t;
10 init_daemon_domain(apmd_t,apmd_exec_t)
11 # Client side: apm_t is declared as an application domain entered through apm_exec_t.
12 type apm_t;
13 type apm_exec_t;
14 application_domain(apm_t,apm_exec_t)
15 role system_r types apm_t;
16 # Daemon-owned file types, each registered with the matching files/logging interface.
17
18 type apmd_log_t;
19 logging_log_file(apmd_log_t)
20
21 type apmd_tmp_t;
22 files_tmp_file(apmd_tmp_t)
23
24 type apmd_var_run_t;
25 files_pid_file(apmd_var_run_t)
26 # Lock-file type, declared only when distro_redhat is defined.
27 ifdef(`distro_redhat',`
28 type apmd_lock_t;
29 files_lock_file(apmd_lock_t)
30 ')
31 # Generic file type for daemon state, declared only when distro_suse is defined.
32 ifdef(`distro_suse',`
33 type apmd_var_lib_t;
34 files_type(apmd_var_lib_t)
35 ')
36
37 ########################################
38 #
39 # apm client Local policy
40 #
41 # NOTE(review): dac_override bypasses discretionary file-permission checks and sys_admin is a very broad capability; this file records no reason for either, so confirm the client still needs both.
42 allow apm_t self:capability { dac_override sys_admin };
43
44 kernel_read_system_state(apm_t)
45 # Read/write on the APM BIOS device, going by the interface name.
46 dev_rw_apm_bios(apm_t)
47
48 fs_getattr_xattr_fs(apm_t)
49 # NOTE(review): by its name this covers every terminal type, not only the one the client was started from -- confirm that breadth is needed.
50 term_use_all_terms(apm_t)
51
52 domain_use_interactive_fds(apm_t)
53
54 libs_use_ld_so(apm_t)
55 libs_use_shared_libs(apm_t)
56
57 logging_send_syslog_msg(apm_t)
58
59 ########################################
60 #
61 # apm daemon Local policy
62 #
63 # NOTE(review): only mknod has a recorded reason below; sys_admin, sys_nice, sys_time and kill are granted without one.
64 # mknod: controlling an orderly resume of PCMCIA requires creating device
65 # nodes 254,{0,1,2} for some reason.
66 allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
67 dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config }; # still denied; dontaudit only keeps the denial out of the audit log
68 allow apmd_t self:process { signal_perms getsession };
69 allow apmd_t self:fifo_file rw_fifo_file_perms;
70 allow apmd_t self:unix_dgram_socket create_socket_perms;
71 allow apmd_t self:unix_stream_socket create_stream_socket_perms;
72
73 allow apmd_t apmd_log_t:file manage_file_perms;
74 logging_log_filetrans(apmd_t,apmd_log_t,file)
75
76 manage_dirs_pattern(apmd_t,apmd_tmp_t,apmd_tmp_t)
77 manage_files_pattern(apmd_t,apmd_tmp_t,apmd_tmp_t)
78 files_tmp_filetrans(apmd_t, apmd_tmp_t, { file dir })
79
80 manage_files_pattern(apmd_t,apmd_var_run_t,apmd_var_run_t)
81 manage_sock_files_pattern(apmd_t,apmd_var_run_t,apmd_var_run_t)
82 files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file })
83 # NOTE(review): kernel_rw_all_sysctls looks like a superset of kernel_read_kernel_sysctls; confirm, and check whether write access to every sysctl is really required.
84 kernel_read_kernel_sysctls(apmd_t)
85 kernel_rw_all_sysctls(apmd_t)
86 kernel_read_system_state(apmd_t)
87 kernel_write_proc_files(apmd_t)
88 # The dontaudit interfaces in the rest of this section grant nothing; they stop the matching denials from being logged. While they are loaded, such accesses by apmd_t leave no AVC record unless dontaudit rules are disabled (semodule -DB).
89 dev_read_realtime_clock(apmd_t)
90 dev_read_urand(apmd_t)
91 dev_rw_apm_bios(apmd_t)
92 dev_rw_sysfs(apmd_t)
93 dev_dontaudit_getattr_all_chr_files(apmd_t) # Excessive?
94 dev_dontaudit_getattr_all_blk_files(apmd_t) # Excessive?
95
96 fs_dontaudit_list_tmpfs(apmd_t)
97 fs_getattr_all_fs(apmd_t)
98 fs_search_auto_mountpoints(apmd_t)
99 fs_dontaudit_getattr_all_files(apmd_t); # Excessive? NOTE(review): this call and the next three end in a semicolon, unlike the other interface calls in this file
100 fs_dontaudit_getattr_all_symlinks(apmd_t); # Excessive?
101 fs_dontaudit_getattr_all_pipes(apmd_t); # Excessive?
102 fs_dontaudit_getattr_all_sockets(apmd_t); # Excessive?
103
104 selinux_search_fs(apmd_t)
105 # NOTE(review): by its name this lets apmd_t execute any executable type without leaving apmd_t, so whatever it runs keeps the daemon permissions -- confirm against the interface definition.
106 corecmd_exec_all_executables(apmd_t)
107 # domain_dontaudit_ptrace_all_domains silences ptrace denials rather than allowing ptrace (going by the dontaudit prefix), so ptrace attempts from apmd_t are not logged.
108 domain_read_all_domains_state(apmd_t)
109 domain_dontaudit_ptrace_all_domains(apmd_t)
110 domain_use_interactive_fds(apmd_t)
111 domain_dontaudit_getattr_all_sockets(apmd_t)
112 domain_dontaudit_getattr_all_key_sockets(apmd_t) # Excessive?
113 domain_dontaudit_list_all_domains_state(apmd_t) # Excessive?
114
115 files_exec_etc_files(apmd_t)
116 files_read_etc_runtime_files(apmd_t)
117 files_dontaudit_getattr_all_files(apmd_t) # Excessive?
118 files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
119 files_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
120 files_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
121
122 init_domtrans_script(apmd_t)
123 init_rw_utmp(apmd_t)
124 init_telinit(apmd_t)
125
126 libs_exec_ld_so(apmd_t)
127 libs_use_ld_so(apmd_t)
128 libs_exec_lib_files(apmd_t)
129 libs_use_shared_libs(apmd_t)
130
131 logging_send_syslog_msg(apmd_t)
132
133 miscfiles_read_localization(apmd_t)
134 miscfiles_read_hwdata(apmd_t)
135 # By its name, modutils_domtrans_insmod lets apmd_t run insmod in the insmod domain, i.e. cause kernel modules to be loaded -- TODO confirm the daemon needs this.
136 modutils_domtrans_insmod(apmd_t)
137 modutils_read_module_config(apmd_t)
138
139 seutil_dontaudit_read_config(apmd_t)
140
141 userdom_dontaudit_use_unpriv_user_fds(apmd_t)
142 userdom_dontaudit_search_all_users_home_content(apmd_t) # Excessive?
143
144 sysadm_dontaudit_search_home_dirs(apmd_t)
145 # Distribution-specific daemon rules: the first block has a distro_redhat branch and an else branch used when distro_redhat is not defined; the second block applies only when distro_suse is defined.
146 ifdef(`distro_redhat',`
147 allow apmd_t apmd_lock_t:file manage_file_perms;
148 files_lock_filetrans(apmd_t,apmd_lock_t,file)
149 # NOTE(review): apmd_t can also create and write apmd_var_run_t files (manage_files_pattern at line 80), so this makes a type the daemon writes executable by the daemon. Confirm which pid-directory file needs exec.
150 can_exec(apmd_t, apmd_var_run_t)
151
152 # ifconfig_exec_t needs to be run in its own domain for Red Hat
153 optional_policy(`
154 sysnet_domtrans_ifconfig(apmd_t)
155 ')
156
157 optional_policy(`
158 iptables_domtrans(apmd_t)
159 ')
160
161 optional_policy(`
162 netutils_domtrans(apmd_t)
163 ')
164
165 ',`
166 # for ifconfig which is run all the time
167 kernel_dontaudit_search_sysctl(apmd_t)
168 ')
169
170 ifdef(`distro_suse',`
171 manage_dirs_pattern(apmd_t,apmd_var_lib_t,apmd_var_lib_t)
172 manage_files_pattern(apmd_t,apmd_var_lib_t,apmd_var_lib_t)
173 files_var_lib_filetrans(apmd_t,apmd_var_lib_t,file)
174 ')
175 # Each optional_policy block below takes effect only when the module that provides the called interface is part of the built policy. The domtrans interfaces run the helper in its own domain instead of in apmd_t.
176 optional_policy(`
177 automount_domtrans(apmd_t)
178 ')
179
180 optional_policy(`
181 clock_domtrans(apmd_t)
182 clock_rw_adjtime(apmd_t)
183 ')
184
185 optional_policy(`
186 cron_system_entry(apmd_t, apmd_exec_t)
187 cron_anacron_domtrans_system_job(apmd_t)
188 ')
189
190 optional_policy(`
191 dbus_stub(apmd_t)
192
193 optional_policy(`
194 networkmanager_dbus_chat(apmd_t)
195 ')
196 ')
197
198 optional_policy(`
199 logrotate_use_fds(apmd_t)
200 ')
201
202 optional_policy(`
203 mta_send_mail(apmd_t)
204 ')
205
206 optional_policy(`
207 nscd_socket_use(apmd_t)
208 ')
209
210 optional_policy(`
211 pcmcia_domtrans_cardmgr(apmd_t)
212 pcmcia_domtrans_cardctl(apmd_t)
213 ')
214
215 optional_policy(`
216 seutil_sigchld_newrole(apmd_t)
217 ')
218
219 optional_policy(`
220 udev_read_db(apmd_t)
221 udev_read_state(apmd_t) #necessary?
222 ')
223 # NOTE(review): when the unconfined module is present, unconfined_domain makes apmd_t an unconfined domain, and the allow rules in this file stop being the effective limit on the daemon. Check the built policy to see whether that is intended before relying on the rules above as a confinement boundary.
224 optional_policy(`
225 unconfined_domain(apmd_t)
226 ')
227
228 # cjp: related to sleep/resume (?)
229 optional_policy(`
230 xserver_domtrans_xdm_xserver(apmd_t)
231 ')