Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Sun, 30 Apr 2017 14:20:47
Message-Id: 1493561865.e65bf897dd026493e6fa44cfb05df48577654c40.perfinion@gentoo
1 commit: e65bf897dd026493e6fa44cfb05df48577654c40
2 Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
3 AuthorDate: Wed Apr 26 10:35:47 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sun Apr 30 14:17:45 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e65bf897
7
8 Rename apm to acpi from Russell Coker.
9
10 This patch is slightly more involved than just running sed. It also adds
11 typealias rules and doesn't change the FC entries.
12
13 The /dev/apm_bios device doesn't exist on modern systems. I have left that
14 policy in for the moment on the principle of making one change per patch. But
15 I might send another patch to remove that as it won't exist with modern
16 kernels.
17
18 policy/modules/contrib/acpi.fc | 21 +++
19 policy/modules/contrib/{apm.if => acpi.if} | 70 ++++----
20 policy/modules/contrib/acpi.te | 247 +++++++++++++++++++++++++++++
21 policy/modules/contrib/apm.fc | 21 ---
22 policy/modules/contrib/apm.te | 236 ---------------------------
23 policy/modules/contrib/cups.te | 2 +-
24 policy/modules/contrib/hal.te | 2 +-
25 7 files changed, 305 insertions(+), 294 deletions(-)
26
27 diff --git a/policy/modules/contrib/acpi.fc b/policy/modules/contrib/acpi.fc
28 new file mode 100644
29 index 00000000..bfbe255b
30 --- /dev/null
31 +++ b/policy/modules/contrib/acpi.fc
32 @@ -0,0 +1,21 @@
33 +/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:acpid_initrc_exec_t,s0)
34 +
35 +/usr/bin/apm -- gen_context(system_u:object_r:acpi_exec_t,s0)
36 +
37 +/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:acpid_unit_t,s0)
38 +
39 +/usr/sbin/acpid -- gen_context(system_u:object_r:acpid_exec_t,s0)
40 +/usr/sbin/apmd -- gen_context(system_u:object_r:acpid_exec_t,s0)
41 +/usr/sbin/powersaved -- gen_context(system_u:object_r:acpid_exec_t,s0)
42 +
43 +/var/lock/subsys/acpid -- gen_context(system_u:object_r:acpid_lock_t,s0)
44 +
45 +/var/log/acpid.* -- gen_context(system_u:object_r:acpid_log_t,s0)
46 +
47 +/run/\.?acpid\.socket -s gen_context(system_u:object_r:acpid_var_run_t,s0)
48 +/run/acpid\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
49 +/run/apmd\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
50 +/run/powersaved\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
51 +/run/powersave_socket -s gen_context(system_u:object_r:acpid_var_run_t,s0)
52 +
53 +/var/lib/acpi(/.*)? gen_context(system_u:object_r:acpid_var_lib_t,s0)
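Review bot: The only systemd unit pattern in the new acpi.fc is `/usr/lib/systemd/system/apmd.*\.service`, so a unit file for acpid or powersaved would not receive `acpid_unit_t` even though their binaries under /usr/sbin are labelled `acpid_exec_t`. The commit message says the FC entries are intentionally left unchanged, so this is a follow-up rather than a blocker. If those daemons ship unit files on the target distribution (not visible from this diff), an entry such as `/usr/lib/systemd/system/acpid.*\.service -- gen_context(system_u:object_r:acpid_unit_t,s0)` would keep unit management under the same type. The unescaped dot in `/var/log/acpid.*` also matches more than the intended prefix and could be tightened at the same time.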
54
55 diff --git a/policy/modules/contrib/apm.if b/policy/modules/contrib/acpi.if
56 similarity index 65%
57 rename from policy/modules/contrib/apm.if
58 rename to policy/modules/contrib/acpi.if
59 index cbf60b55..109b644e 100644
60 --- a/policy/modules/contrib/apm.if
61 +++ b/policy/modules/contrib/acpi.if
62 @@ -10,13 +10,13 @@
63 ## </summary>
64 ## </param>
65 #
66 -interface(`apm_domtrans_client',`
67 +interface(`acpi_domtrans_client',`
68 gen_require(`
69 - type apm_t, apm_exec_t;
70 + type acpi_t, acpi_exec_t;
71 ')
72
73 corecmd_search_bin($1)
74 - domtrans_pattern($1, apm_exec_t, apm_t)
75 + domtrans_pattern($1, acpi_exec_t, acpi_t)
76 ')
77
78 ########################################
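Review bot: Renaming `apm_domtrans_client` to `acpi_domtrans_client` here removes the old interface name outright, whereas the types in acpi.te keep their old names through `typealias`. The in-tree callers in cups.te and hal.te are updated in this commit, but any policy module outside this diff that still calls an `apm_*` interface would presumably fail to build. A thin deprecated wrapper per old name would make the transition safer, with a body of `refpolicywarn(`$0($*) has been deprecated, use acpi_domtrans_client() instead.')` followed by `acpi_domtrans_client($1)`. The same applies to the later hunks for `apm_run_client`, `apm_use_fds`, `apm_write_pipes`, `apm_rw_stream_sockets`, `apm_append_log`, `apm_stream_connect` and `apm_admin`. The documentation header of this interface begins above the hunk, so its summary text should be checked for leftover "apm" wording as well.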
79 @@ -36,13 +36,13 @@ interface(`apm_domtrans_client',`
80 ## </summary>
81 ## </param>
82 #
83 -interface(`apm_run_client',`
84 +interface(`acpi_run_client',`
85 gen_require(`
86 - attribute_role apm_roles;
87 + attribute_role acpi_roles;
88 ')
89
90 - apm_domtrans_client($1)
91 - roleattribute $2 apm_roles;
92 + acpi_domtrans_client($1)
93 + roleattribute $2 acpi_roles;
94 ')
95
96 ########################################
97 @@ -55,12 +55,12 @@ interface(`apm_run_client',`
98 ## </summary>
99 ## </param>
100 #
101 -interface(`apm_use_fds',`
102 +interface(`acpi_use_fds',`
103 gen_require(`
104 - type apmd_t;
105 + type acpid_t;
106 ')
107
108 - allow $1 apmd_t:fd use;
109 + allow $1 acpid_t:fd use;
110 ')
111
112 ########################################
113 @@ -73,12 +73,12 @@ interface(`apm_use_fds',`
114 ## </summary>
115 ## </param>
116 #
117 -interface(`apm_write_pipes',`
118 +interface(`acpi_write_pipes',`
119 gen_require(`
120 - type apmd_t;
121 + type acpid_t;
122 ')
123
124 - allow $1 apmd_t:fifo_file write;
125 + allow $1 acpid_t:fifo_file write;
126 ')
127
128 ########################################
129 @@ -92,12 +92,12 @@ interface(`apm_write_pipes',`
130 ## </summary>
131 ## </param>
132 #
133 -interface(`apm_rw_stream_sockets',`
134 +interface(`acpi_rw_stream_sockets',`
135 gen_require(`
136 - type apmd_t;
137 + type acpid_t;
138 ')
139
140 - allow $1 apmd_t:unix_stream_socket { read write };
141 + allow $1 acpid_t:unix_stream_socket { read write };
142 ')
143
144 ########################################
145 @@ -110,13 +110,13 @@ interface(`apm_rw_stream_sockets',`
146 ## </summary>
147 ## </param>
148 #
149 -interface(`apm_append_log',`
150 +interface(`acpi_append_log',`
151 gen_require(`
152 - type apmd_log_t;
153 + type acpid_log_t;
154 ')
155
156 logging_search_logs($1)
157 - allow $1 apmd_log_t:file append_file_perms;
158 + allow $1 acpid_log_t:file append_file_perms;
159 ')
160
161 ########################################
162 @@ -130,13 +130,13 @@ interface(`apm_append_log',`
163 ## </summary>
164 ## </param>
165 #
166 -interface(`apm_stream_connect',`
167 +interface(`acpi_stream_connect',`
168 gen_require(`
169 - type apmd_t, apmd_var_run_t;
170 + type acpid_t, acpid_var_run_t;
171 ')
172
173 files_search_pids($1)
174 - stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
175 + stream_connect_pattern($1, acpid_var_run_t, acpid_var_run_t, acpid_t)
176 ')
177
178 ########################################
179 @@ -156,32 +156,32 @@ interface(`apm_stream_connect',`
180 ## </param>
181 ## <rolecap/>
182 #
183 -interface(`apm_admin',`
184 +interface(`acpi_admin',`
185 gen_require(`
186 - type apmd_t, apmd_initrc_exec_t, apmd_log_t;
187 - type apmd_lock_t, apmd_var_run_t, apmd_var_lib_t;
188 - type apmd_tmp_t;
189 + type acpid_t, acpid_initrc_exec_t, acpid_log_t;
190 + type acpid_lock_t, acpid_var_run_t, acpid_var_lib_t;
191 + type acpid_tmp_t;
192 ')
193
194 - allow $1 apmd_t:process { ptrace signal_perms };
195 - ps_process_pattern($1, apmd_t)
196 + allow $1 acpid_t:process { ptrace signal_perms };
197 + ps_process_pattern($1, acpid_t)
198
199 - init_startstop_service($1, $2, apmd_t, apmd_initrc_exec_t)
200 + init_startstop_service($1, $2, acpid_t, acpid_initrc_exec_t)
201
202 logging_search_logs($1)
203 - admin_pattern($1, apmd_log_t)
204 + admin_pattern($1, acpid_log_t)
205
206 files_search_locks($1)
207 - admin_pattern($1, apmd_lock_t)
208 + admin_pattern($1, acpid_lock_t)
209
210 files_search_pids($1)
211 - admin_pattern($1, apmd_var_run_t)
212 + admin_pattern($1, acpid_var_run_t)
213
214 files_search_var_lib($1)
215 - admin_pattern($1, apmd_var_lib_t)
216 + admin_pattern($1, acpid_var_lib_t)
217
218 files_search_tmp($1)
219 - admin_pattern($1, apmd_tmp_t)
220 + admin_pattern($1, acpid_tmp_t)
221
222 - apm_run_client($1, $2)
223 + acpi_run_client($1, $2)
224 ')
225
226 diff --git a/policy/modules/contrib/acpi.te b/policy/modules/contrib/acpi.te
227 new file mode 100644
228 index 00000000..0cd3d884
229 --- /dev/null
230 +++ b/policy/modules/contrib/acpi.te
231 @@ -0,0 +1,247 @@
232 +policy_module(acpi, 1.0.0)
233 +
234 +########################################
235 +#
236 +# Declarations
237 +#
238 +
239 +attribute_role acpi_roles;
240 +roleattribute system_r acpi_roles;
241 +
242 +type acpid_t;
243 +type acpid_exec_t;
244 +typealias acpid_t alias apmd_t;
245 +typealias acpid_exec_t alias apmd_exec_t;
246 +init_daemon_domain(acpid_t, acpid_exec_t)
247 +
248 +type acpid_initrc_exec_t;
249 +typealias acpid_initrc_exec_t alias apmd_initrc_exec_t;
250 +init_script_file(acpid_initrc_exec_t)
251 +
252 +type acpi_t;
253 +type acpi_exec_t;
254 +typealias acpi_t alias apm_t;
255 +typealias acpi_exec_t alias apm_exec_t;
256 +application_domain(acpi_t, acpi_exec_t)
257 +role acpi_roles types acpi_t;
258 +
259 +type acpid_lock_t;
260 +typealias acpid_lock_t alias apmd_lock_t;
261 +files_lock_file(acpid_lock_t)
262 +
263 +type acpid_log_t;
264 +typealias acpid_log_t alias apmd_log_t;
265 +logging_log_file(acpid_log_t)
266 +
267 +type acpid_tmp_t;
268 +typealias acpid_tmp_t alias apmd_tmp_t;
269 +files_tmp_file(acpid_tmp_t)
270 +
271 +type acpid_unit_t;
272 +typealias acpid_unit_t alias apmd_unit_t;
273 +init_unit_file(acpid_unit_t)
274 +
275 +type acpid_var_lib_t;
276 +typealias acpid_var_lib_t alias apmd_var_lib_t;
277 +files_type(acpid_var_lib_t)
278 +
279 +type acpid_var_run_t;
280 +typealias acpid_var_run_t alias apmd_var_run_t;
281 +files_pid_file(acpid_var_run_t)
282 +
283 +########################################
284 +#
285 +# Client local policy
286 +#
287 +
288 +allow acpi_t self:capability { dac_override sys_admin };
289 +
290 +kernel_read_system_state(acpi_t)
291 +
292 +dev_rw_acpi_bios(acpi_t)
293 +
294 +fs_getattr_xattr_fs(acpi_t)
295 +
296 +term_use_all_terms(acpi_t)
297 +
298 +domain_use_interactive_fds(acpi_t)
299 +
300 +logging_send_syslog_msg(acpi_t)
301 +
302 +########################################
303 +#
304 +# Server local policy
305 +#
306 +
307 +allow acpid_t self:capability { kill mknod sys_admin sys_nice sys_time };
308 +dontaudit acpid_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config };
309 +allow acpid_t self:process { signal_perms getsession };
310 +allow acpid_t self:fifo_file rw_fifo_file_perms;
311 +allow acpid_t self:netlink_socket create_socket_perms;
312 +allow acpid_t self:netlink_generic_socket create_socket_perms;
313 +allow acpid_t self:unix_stream_socket { accept listen };
314 +
315 +allow acpid_t acpid_lock_t:file manage_file_perms;
316 +files_lock_filetrans(acpid_t, acpid_lock_t, file)
317 +
318 +allow acpid_t acpid_log_t:file manage_file_perms;
319 +logging_log_filetrans(acpid_t, acpid_log_t, file)
320 +
321 +manage_dirs_pattern(acpid_t, acpid_tmp_t, acpid_tmp_t)
322 +manage_files_pattern(acpid_t, acpid_tmp_t, acpid_tmp_t)
323 +files_tmp_filetrans(acpid_t, acpid_tmp_t, { file dir })
324 +
325 +manage_dirs_pattern(acpid_t, acpid_var_lib_t, acpid_var_lib_t)
326 +manage_files_pattern(acpid_t, acpid_var_lib_t, acpid_var_lib_t)
327 +files_var_lib_filetrans(acpid_t, acpid_var_lib_t, dir)
328 +
329 +manage_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t)
330 +manage_sock_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t)
331 +files_pid_filetrans(acpid_t, acpid_var_run_t, { file sock_file })
332 +
333 +can_exec(acpid_t, acpid_var_run_t)
334 +
335 +kernel_read_kernel_sysctls(acpid_t)
336 +kernel_rw_all_sysctls(acpid_t)
337 +kernel_read_system_state(acpid_t)
338 +kernel_write_proc_files(acpid_t)
339 +kernel_request_load_module(acpid_t)
340 +
341 +dev_read_input(acpid_t)
342 +dev_read_mouse(acpid_t)
343 +dev_read_realtime_clock(acpid_t)
344 +dev_read_urand(acpid_t)
345 +dev_rw_acpi_bios(acpid_t)
346 +dev_rw_sysfs(acpid_t)
347 +dev_dontaudit_getattr_all_chr_files(acpid_t)
348 +dev_dontaudit_getattr_all_blk_files(acpid_t)
349 +
350 +files_exec_etc_files(acpid_t)
351 +files_read_etc_runtime_files(acpid_t)
352 +files_dontaudit_getattr_all_files(acpid_t)
353 +files_dontaudit_getattr_all_symlinks(acpid_t)
354 +files_dontaudit_getattr_all_pipes(acpid_t)
355 +files_dontaudit_getattr_all_sockets(acpid_t)
356 +
357 +fs_dontaudit_list_tmpfs(acpid_t)
358 +fs_getattr_all_fs(acpid_t)
359 +fs_search_auto_mountpoints(acpid_t)
360 +fs_dontaudit_getattr_all_files(acpid_t)
361 +fs_dontaudit_getattr_all_symlinks(acpid_t)
362 +fs_dontaudit_getattr_all_pipes(acpid_t)
363 +fs_dontaudit_getattr_all_sockets(acpid_t)
364 +
365 +selinux_search_fs(acpid_t)
366 +
367 +corecmd_exec_all_executables(acpid_t)
368 +
369 +domain_read_all_domains_state(acpid_t)
370 +domain_dontaudit_ptrace_all_domains(acpid_t)
371 +domain_use_interactive_fds(acpid_t)
372 +domain_dontaudit_getattr_all_sockets(acpid_t)
373 +domain_dontaudit_getattr_all_key_sockets(acpid_t)
374 +domain_dontaudit_list_all_domains_state(acpid_t)
375 +
376 +auth_use_nsswitch(acpid_t)
377 +
378 +init_domtrans_script(acpid_t)
379 +
380 +libs_exec_ld_so(acpid_t)
381 +libs_exec_lib_files(acpid_t)
382 +
383 +logging_send_audit_msgs(acpid_t)
384 +logging_send_syslog_msg(acpid_t)
385 +
386 +miscfiles_read_localization(acpid_t)
387 +miscfiles_read_hwdata(acpid_t)
388 +
389 +modutils_domtrans(acpid_t)
390 +modutils_read_module_config(acpid_t)
391 +
392 +seutil_dontaudit_read_config(acpid_t)
393 +
394 +userdom_dontaudit_use_unpriv_user_fds(acpid_t)
395 +userdom_dontaudit_search_user_home_dirs(acpid_t)
396 +userdom_dontaudit_search_user_home_content(acpid_t)
397 +
398 +optional_policy(`
399 + automount_domtrans(acpid_t)
400 +')
401 +
402 +optional_policy(`
403 + clock_domtrans(acpid_t)
404 + clock_rw_adjtime(acpid_t)
405 +')
406 +
407 +optional_policy(`
408 + cron_system_entry(acpid_t, acpid_exec_t)
409 + cron_anacron_domtrans_system_job(acpid_t)
410 +')
411 +
412 +optional_policy(`
413 + devicekit_manage_pid_files(acpid_t)
414 + devicekit_manage_log_files(acpid_t)
415 + devicekit_relabel_log_files(acpid_t)
416 +')
417 +
418 +optional_policy(`
419 + dbus_system_bus_client(acpid_t)
420 +
421 + optional_policy(`
422 + consolekit_dbus_chat(acpid_t)
423 + ')
424 +
425 + optional_policy(`
426 + networkmanager_dbus_chat(acpid_t)
427 + ')
428 +')
429 +
430 +optional_policy(`
431 + fstools_domtrans(acpid_t)
432 +')
433 +
434 +optional_policy(`
435 + iptables_domtrans(acpid_t)
436 +')
437 +
438 +optional_policy(`
439 + logrotate_use_fds(acpid_t)
440 +')
441 +
442 +optional_policy(`
443 + mta_send_mail(acpid_t)
444 +')
445 +
446 +optional_policy(`
447 + netutils_domtrans(acpid_t)
448 +')
449 +
450 +optional_policy(`
451 + pcmcia_domtrans_cardmgr(acpid_t)
452 + pcmcia_domtrans_cardctl(acpid_t)
453 +')
454 +
455 +optional_policy(`
456 + seutil_sigchld_newrole(acpid_t)
457 +')
458 +
459 +optional_policy(`
460 + shutdown_domtrans(acpid_t)
461 +')
462 +
463 +optional_policy(`
464 + sysnet_domtrans_ifconfig(acpid_t)
465 +')
466 +
467 +optional_policy(`
468 + udev_read_db(acpid_t)
469 + udev_read_state(acpid_t)
470 +')
471 +
472 +optional_policy(`
473 + vbetool_domtrans(acpid_t)
474 +')
475 +
476 +optional_policy(`
477 + xserver_domtrans(acpid_t)
478 +')
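Review bot: `dev_rw_acpi_bios(acpi_t)` and `dev_rw_acpi_bios(acpid_t)` call an interface that nothing in this diff defines; the removed apm.te called `dev_rw_apm_bios`, and all seven changed files are under policy/modules/contrib. Presumably a companion change to the devices module provides the new name, in which case the two commits have to land together or the policy will not compile. Separately, the file carries over `manage_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t)` together with `can_exec(acpid_t, acpid_var_run_t)`, so the daemon can execute files of a type it is also allowed to write. A comment above the `can_exec` line such as `# NOTE(review): acpid_t can write and execute acpid_var_run_t; confirm this is still required` would flag it for a later least-privilege pass. On upgrade the old `apm` module also has to be removed before `acpi` is loaded, since both would otherwise declare the `apmd_*` and `apm_*` names.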
479
480 diff --git a/policy/modules/contrib/apm.fc b/policy/modules/contrib/apm.fc
481 deleted file mode 100644
482 index bfa60ae0..00000000
483 --- a/policy/modules/contrib/apm.fc
484 +++ /dev/null
485 @@ -1,21 +0,0 @@
486 -/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:apmd_initrc_exec_t,s0)
487 -
488 -/usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0)
489 -
490 -/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:apmd_unit_t,s0)
491 -
492 -/usr/sbin/acpid -- gen_context(system_u:object_r:apmd_exec_t,s0)
493 -/usr/sbin/apmd -- gen_context(system_u:object_r:apmd_exec_t,s0)
494 -/usr/sbin/powersaved -- gen_context(system_u:object_r:apmd_exec_t,s0)
495 -
496 -/var/lock/subsys/acpid -- gen_context(system_u:object_r:apmd_lock_t,s0)
497 -
498 -/var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0)
499 -
500 -/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
501 -/run/acpid\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
502 -/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
503 -/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
504 -/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
505 -
506 -/var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0)
507
508 diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
509 deleted file mode 100644
510 index 7f41a450..00000000
511 --- a/policy/modules/contrib/apm.te
512 +++ /dev/null
513 @@ -1,236 +0,0 @@
514 -policy_module(apm, 1.16.1)
515 -
516 -########################################
517 -#
518 -# Declarations
519 -#
520 -
521 -attribute_role apm_roles;
522 -roleattribute system_r apm_roles;
523 -
524 -type apmd_t;
525 -type apmd_exec_t;
526 -init_daemon_domain(apmd_t, apmd_exec_t)
527 -
528 -type apmd_initrc_exec_t;
529 -init_script_file(apmd_initrc_exec_t)
530 -
531 -type apm_t;
532 -type apm_exec_t;
533 -application_domain(apm_t, apm_exec_t)
534 -role apm_roles types apm_t;
535 -
536 -type apmd_lock_t;
537 -files_lock_file(apmd_lock_t)
538 -
539 -type apmd_log_t;
540 -logging_log_file(apmd_log_t)
541 -
542 -type apmd_tmp_t;
543 -files_tmp_file(apmd_tmp_t)
544 -
545 -type apmd_unit_t;
546 -init_unit_file(apmd_unit_t)
547 -
548 -type apmd_var_lib_t;
549 -files_type(apmd_var_lib_t)
550 -
551 -type apmd_var_run_t;
552 -files_pid_file(apmd_var_run_t)
553 -
554 -########################################
555 -#
556 -# Client local policy
557 -#
558 -
559 -allow apm_t self:capability { dac_override sys_admin };
560 -
561 -kernel_read_system_state(apm_t)
562 -
563 -dev_rw_apm_bios(apm_t)
564 -
565 -fs_getattr_xattr_fs(apm_t)
566 -
567 -term_use_all_terms(apm_t)
568 -
569 -domain_use_interactive_fds(apm_t)
570 -
571 -logging_send_syslog_msg(apm_t)
572 -
573 -########################################
574 -#
575 -# Server local policy
576 -#
577 -
578 -allow apmd_t self:capability { kill mknod sys_admin sys_nice sys_time };
579 -dontaudit apmd_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config };
580 -allow apmd_t self:process { signal_perms getsession };
581 -allow apmd_t self:fifo_file rw_fifo_file_perms;
582 -allow apmd_t self:netlink_socket create_socket_perms;
583 -allow apmd_t self:netlink_generic_socket create_socket_perms;
584 -allow apmd_t self:unix_stream_socket { accept listen };
585 -
586 -allow apmd_t apmd_lock_t:file manage_file_perms;
587 -files_lock_filetrans(apmd_t, apmd_lock_t, file)
588 -
589 -allow apmd_t apmd_log_t:file manage_file_perms;
590 -logging_log_filetrans(apmd_t, apmd_log_t, file)
591 -
592 -manage_dirs_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
593 -manage_files_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
594 -files_tmp_filetrans(apmd_t, apmd_tmp_t, { file dir })
595 -
596 -manage_dirs_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
597 -manage_files_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
598 -files_var_lib_filetrans(apmd_t, apmd_var_lib_t, dir)
599 -
600 -manage_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t)
601 -manage_sock_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t)
602 -files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file })
603 -
604 -can_exec(apmd_t, apmd_var_run_t)
605 -
606 -kernel_read_kernel_sysctls(apmd_t)
607 -kernel_rw_all_sysctls(apmd_t)
608 -kernel_read_system_state(apmd_t)
609 -kernel_write_proc_files(apmd_t)
610 -kernel_request_load_module(apmd_t)
611 -
612 -dev_read_input(apmd_t)
613 -dev_read_mouse(apmd_t)
614 -dev_read_realtime_clock(apmd_t)
615 -dev_read_urand(apmd_t)
616 -dev_rw_apm_bios(apmd_t)
617 -dev_rw_sysfs(apmd_t)
618 -dev_dontaudit_getattr_all_chr_files(apmd_t)
619 -dev_dontaudit_getattr_all_blk_files(apmd_t)
620 -
621 -files_exec_etc_files(apmd_t)
622 -files_read_etc_runtime_files(apmd_t)
623 -files_dontaudit_getattr_all_files(apmd_t)
624 -files_dontaudit_getattr_all_symlinks(apmd_t)
625 -files_dontaudit_getattr_all_pipes(apmd_t)
626 -files_dontaudit_getattr_all_sockets(apmd_t)
627 -
628 -fs_dontaudit_list_tmpfs(apmd_t)
629 -fs_getattr_all_fs(apmd_t)
630 -fs_search_auto_mountpoints(apmd_t)
631 -fs_dontaudit_getattr_all_files(apmd_t)
632 -fs_dontaudit_getattr_all_symlinks(apmd_t)
633 -fs_dontaudit_getattr_all_pipes(apmd_t)
634 -fs_dontaudit_getattr_all_sockets(apmd_t)
635 -
636 -selinux_search_fs(apmd_t)
637 -
638 -corecmd_exec_all_executables(apmd_t)
639 -
640 -domain_read_all_domains_state(apmd_t)
641 -domain_dontaudit_ptrace_all_domains(apmd_t)
642 -domain_use_interactive_fds(apmd_t)
643 -domain_dontaudit_getattr_all_sockets(apmd_t)
644 -domain_dontaudit_getattr_all_key_sockets(apmd_t)
645 -domain_dontaudit_list_all_domains_state(apmd_t)
646 -
647 -auth_use_nsswitch(apmd_t)
648 -
649 -init_domtrans_script(apmd_t)
650 -
651 -libs_exec_ld_so(apmd_t)
652 -libs_exec_lib_files(apmd_t)
653 -
654 -logging_send_audit_msgs(apmd_t)
655 -logging_send_syslog_msg(apmd_t)
656 -
657 -miscfiles_read_localization(apmd_t)
658 -miscfiles_read_hwdata(apmd_t)
659 -
660 -modutils_domtrans(apmd_t)
661 -modutils_read_module_config(apmd_t)
662 -
663 -seutil_dontaudit_read_config(apmd_t)
664 -
665 -userdom_dontaudit_use_unpriv_user_fds(apmd_t)
666 -userdom_dontaudit_search_user_home_dirs(apmd_t)
667 -userdom_dontaudit_search_user_home_content(apmd_t)
668 -
669 -optional_policy(`
670 - automount_domtrans(apmd_t)
671 -')
672 -
673 -optional_policy(`
674 - clock_domtrans(apmd_t)
675 - clock_rw_adjtime(apmd_t)
676 -')
677 -
678 -optional_policy(`
679 - cron_system_entry(apmd_t, apmd_exec_t)
680 - cron_anacron_domtrans_system_job(apmd_t)
681 -')
682 -
683 -optional_policy(`
684 - devicekit_manage_pid_files(apmd_t)
685 - devicekit_manage_log_files(apmd_t)
686 - devicekit_relabel_log_files(apmd_t)
687 -')
688 -
689 -optional_policy(`
690 - dbus_system_bus_client(apmd_t)
691 -
692 - optional_policy(`
693 - consolekit_dbus_chat(apmd_t)
694 - ')
695 -
696 - optional_policy(`
697 - networkmanager_dbus_chat(apmd_t)
698 - ')
699 -')
700 -
701 -optional_policy(`
702 - fstools_domtrans(apmd_t)
703 -')
704 -
705 -optional_policy(`
706 - iptables_domtrans(apmd_t)
707 -')
708 -
709 -optional_policy(`
710 - logrotate_use_fds(apmd_t)
711 -')
712 -
713 -optional_policy(`
714 - mta_send_mail(apmd_t)
715 -')
716 -
717 -optional_policy(`
718 - netutils_domtrans(apmd_t)
719 -')
720 -
721 -optional_policy(`
722 - pcmcia_domtrans_cardmgr(apmd_t)
723 - pcmcia_domtrans_cardctl(apmd_t)
724 -')
725 -
726 -optional_policy(`
727 - seutil_sigchld_newrole(apmd_t)
728 -')
729 -
730 -optional_policy(`
731 - shutdown_domtrans(apmd_t)
732 -')
733 -
734 -optional_policy(`
735 - sysnet_domtrans_ifconfig(apmd_t)
736 -')
737 -
738 -optional_policy(`
739 - udev_read_db(apmd_t)
740 - udev_read_state(apmd_t)
741 -')
742 -
743 -optional_policy(`
744 - vbetool_domtrans(apmd_t)
745 -')
746 -
747 -optional_policy(`
748 - xserver_domtrans(apmd_t)
749 -')
750
751 diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
752 index 8fdd713f..3a6c0b92 100644
753 --- a/policy/modules/contrib/cups.te
754 +++ b/policy/modules/contrib/cups.te
755 @@ -273,7 +273,7 @@ userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
756 userdom_dontaudit_search_user_home_content(cupsd_t)
757
758 optional_policy(`
759 - apm_domtrans_client(cupsd_t)
760 + acpi_domtrans_client(cupsd_t)
761 ')
762
763 optional_policy(`
764
765 diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
766 index d260d697..29b473e7 100644
767 --- a/policy/modules/contrib/hal.te
768 +++ b/policy/modules/contrib/hal.te
769 @@ -221,7 +221,7 @@ optional_policy(`
770 ')
771
772 optional_policy(`
773 - apm_stream_connect(hald_t)
774 + acpi_stream_connect(hald_t)
775 ')
776
777 optional_policy(`