commit: e65bf897dd026493e6fa44cfb05df48577654c40 |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
AuthorDate: Wed Apr 26 10:35:47 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Apr 30 14:17:45 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e65bf897 |
|
Rename apm to acpi from Russell Coker. |
|
This patch is slightly more involved than just running sed. It also adds |
typealias rules and doesn't change the FC entries. |
|
The /dev/apm_bios device doesn't exist on modern systems. I have left that |
policy in for the moment on the principle of making one change per patch. But |
I might send another patch to remove that as it won't exist with modern |
kernels. |
|
policy/modules/contrib/acpi.fc | 21 +++ |
policy/modules/contrib/{apm.if => acpi.if} | 70 ++++---- |
policy/modules/contrib/acpi.te | 247 +++++++++++++++++++++++++++++ |
policy/modules/contrib/apm.fc | 21 --- |
policy/modules/contrib/apm.te | 236 --------------------------- |
policy/modules/contrib/cups.te | 2 +- |
policy/modules/contrib/hal.te | 2 +- |
7 files changed, 305 insertions(+), 294 deletions(-) |
|
diff --git a/policy/modules/contrib/acpi.fc b/policy/modules/contrib/acpi.fc |
28 |
new file mode 100644 |
29 |
index 00000000..bfbe255b |
30 |
--- /dev/null |
31 |
+++ b/policy/modules/contrib/acpi.fc |
32 |
@@ -0,0 +1,21 @@ |
33 |
+/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:acpid_initrc_exec_t,s0) |
34 |
+ |
35 |
+/usr/bin/apm -- gen_context(system_u:object_r:acpi_exec_t,s0) |
36 |
+ |
37 |
+/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:acpid_unit_t,s0) |
38 |
+ |
39 |
+/usr/sbin/acpid -- gen_context(system_u:object_r:acpid_exec_t,s0) |
40 |
+/usr/sbin/apmd -- gen_context(system_u:object_r:acpid_exec_t,s0) |
41 |
+/usr/sbin/powersaved -- gen_context(system_u:object_r:acpid_exec_t,s0) |
42 |
+ |
43 |
+/var/lock/subsys/acpid -- gen_context(system_u:object_r:acpid_lock_t,s0) |
44 |
+ |
45 |
+/var/log/acpid.* -- gen_context(system_u:object_r:acpid_log_t,s0) |
46 |
+ |
47 |
+/run/\.?acpid\.socket -s gen_context(system_u:object_r:acpid_var_run_t,s0) |
48 |
+/run/acpid\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0) |
49 |
+/run/apmd\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0) |
50 |
+/run/powersaved\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0) |
51 |
+/run/powersave_socket -s gen_context(system_u:object_r:acpid_var_run_t,s0) |
52 |
+ |
53 |
+/var/lib/acpi(/.*)? gen_context(system_u:object_r:acpid_var_lib_t,s0) |
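Review bot: The only systemd unit pattern in the new file is `/usr/lib/systemd/system/apmd.*\.service`, so a unit named `acpid.service` would stay unlabeled as acpid_unit_t even though the module is now named after acpid; the commit message deliberately leaves the FC entries alone, so this is a follow-up rather than a blocker for the rename. Unless another module already labels it, adding `/usr/lib/systemd/system/acpid.*\.service -- gen_context(system_u:object_r:acpid_unit_t,s0)` beside the existing entry would close the gap. The lock, log and pid entries already use acpid paths, so the unit line is the only one that looks inconsistent after the rename.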
54 |
|
55 |
diff --git a/policy/modules/contrib/apm.if b/policy/modules/contrib/acpi.if |
56 |
similarity index 65% |
57 |
rename from policy/modules/contrib/apm.if |
58 |
rename to policy/modules/contrib/acpi.if |
59 |
index cbf60b55..109b644e 100644 |
60 |
--- a/policy/modules/contrib/apm.if |
61 |
+++ b/policy/modules/contrib/acpi.if |
62 |
@@ -10,13 +10,13 @@ |
63 |
## </summary> |
64 |
## </param> |
65 |
# |
66 |
-interface(`apm_domtrans_client',` |
67 |
+interface(`acpi_domtrans_client',` |
68 |
gen_require(` |
69 |
- type apm_t, apm_exec_t; |
70 |
+ type acpi_t, acpi_exec_t; |
71 |
') |
72 |
|
73 |
corecmd_search_bin($1) |
74 |
- domtrans_pattern($1, apm_exec_t, apm_t) |
75 |
+ domtrans_pattern($1, acpi_exec_t, acpi_t) |
76 |
') |
77 |
|
78 |
######################################## |
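Review bot: The interfaces are renamed with no deprecated `apm_*` wrappers kept, so any out-of-tree policy that still calls `apm_domtrans_client`, `apm_run_client`, `apm_use_fds`, `apm_write_pipes`, `apm_rw_stream_sockets`, `apm_append_log`, `apm_stream_connect` or `apm_admin` will fail to build, while the types themselves do get compatibility typealiases in acpi.te; the same point applies to the hunks at @@ -36, -55, -73, -92, -110, -130 and -156 of this file. If the project wants to honour its usual deprecation period, each old name can be kept as a thin wrapper that emits a `refpolicywarn` and calls the new interface, as sketched below for the first one.
```m4
########################################
## <summary>
##	Deprecated, use acpi_domtrans_client() instead.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`apm_domtrans_client',`
	refpolicywarn(`$0($*) has been deprecated, please use acpi_domtrans_client() instead.')
	acpi_domtrans_client($1)
')
# … same wrapper shape for each of the other renamed interfaces …
```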
79 |
@@ -36,13 +36,13 @@ interface(`apm_domtrans_client',` |
80 |
## </summary> |
81 |
## </param> |
82 |
# |
83 |
-interface(`apm_run_client',` |
84 |
+interface(`acpi_run_client',` |
85 |
gen_require(` |
86 |
- attribute_role apm_roles; |
87 |
+ attribute_role acpi_roles; |
88 |
') |
89 |
|
90 |
- apm_domtrans_client($1) |
91 |
- roleattribute $2 apm_roles; |
92 |
+ acpi_domtrans_client($1) |
93 |
+ roleattribute $2 acpi_roles; |
94 |
') |
95 |
|
96 |
######################################## |
97 |
@@ -55,12 +55,12 @@ interface(`apm_run_client',` |
98 |
## </summary> |
99 |
## </param> |
100 |
# |
101 |
-interface(`apm_use_fds',` |
102 |
+interface(`acpi_use_fds',` |
103 |
gen_require(` |
104 |
- type apmd_t; |
105 |
+ type acpid_t; |
106 |
') |
107 |
|
108 |
- allow $1 apmd_t:fd use; |
109 |
+ allow $1 acpid_t:fd use; |
110 |
') |
111 |
|
112 |
######################################## |
113 |
@@ -73,12 +73,12 @@ interface(`apm_use_fds',` |
114 |
## </summary> |
115 |
## </param> |
116 |
# |
117 |
-interface(`apm_write_pipes',` |
118 |
+interface(`acpi_write_pipes',` |
119 |
gen_require(` |
120 |
- type apmd_t; |
121 |
+ type acpid_t; |
122 |
') |
123 |
|
124 |
- allow $1 apmd_t:fifo_file write; |
125 |
+ allow $1 acpid_t:fifo_file write; |
126 |
') |
127 |
|
128 |
######################################## |
129 |
@@ -92,12 +92,12 @@ interface(`apm_write_pipes',` |
130 |
## </summary> |
131 |
## </param> |
132 |
# |
133 |
-interface(`apm_rw_stream_sockets',` |
134 |
+interface(`acpi_rw_stream_sockets',` |
135 |
gen_require(` |
136 |
- type apmd_t; |
137 |
+ type acpid_t; |
138 |
') |
139 |
|
140 |
- allow $1 apmd_t:unix_stream_socket { read write }; |
141 |
+ allow $1 acpid_t:unix_stream_socket { read write }; |
142 |
') |
143 |
|
144 |
######################################## |
145 |
@@ -110,13 +110,13 @@ interface(`apm_rw_stream_sockets',` |
146 |
## </summary> |
147 |
## </param> |
148 |
# |
149 |
-interface(`apm_append_log',` |
150 |
+interface(`acpi_append_log',` |
151 |
gen_require(` |
152 |
- type apmd_log_t; |
153 |
+ type acpid_log_t; |
154 |
') |
155 |
|
156 |
logging_search_logs($1) |
157 |
- allow $1 apmd_log_t:file append_file_perms; |
158 |
+ allow $1 acpid_log_t:file append_file_perms; |
159 |
') |
160 |
|
161 |
######################################## |
162 |
@@ -130,13 +130,13 @@ interface(`apm_append_log',` |
163 |
## </summary> |
164 |
## </param> |
165 |
# |
166 |
-interface(`apm_stream_connect',` |
167 |
+interface(`acpi_stream_connect',` |
168 |
gen_require(` |
169 |
- type apmd_t, apmd_var_run_t; |
170 |
+ type acpid_t, acpid_var_run_t; |
171 |
') |
172 |
|
173 |
files_search_pids($1) |
174 |
- stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t) |
175 |
+ stream_connect_pattern($1, acpid_var_run_t, acpid_var_run_t, acpid_t) |
176 |
') |
177 |
|
178 |
######################################## |
179 |
@@ -156,32 +156,32 @@ interface(`apm_stream_connect',` |
180 |
## </param> |
181 |
## <rolecap/> |
182 |
# |
183 |
-interface(`apm_admin',` |
184 |
+interface(`acpi_admin',` |
185 |
gen_require(` |
186 |
- type apmd_t, apmd_initrc_exec_t, apmd_log_t; |
187 |
- type apmd_lock_t, apmd_var_run_t, apmd_var_lib_t; |
188 |
- type apmd_tmp_t; |
189 |
+ type acpid_t, acpid_initrc_exec_t, acpid_log_t; |
190 |
+ type acpid_lock_t, acpid_var_run_t, acpid_var_lib_t; |
191 |
+ type acpid_tmp_t; |
192 |
') |
193 |
|
194 |
- allow $1 apmd_t:process { ptrace signal_perms }; |
195 |
- ps_process_pattern($1, apmd_t) |
196 |
+ allow $1 acpid_t:process { ptrace signal_perms }; |
197 |
+ ps_process_pattern($1, acpid_t) |
198 |
|
199 |
- init_startstop_service($1, $2, apmd_t, apmd_initrc_exec_t) |
200 |
+ init_startstop_service($1, $2, acpid_t, acpid_initrc_exec_t) |
201 |
|
202 |
logging_search_logs($1) |
203 |
- admin_pattern($1, apmd_log_t) |
204 |
+ admin_pattern($1, acpid_log_t) |
205 |
|
206 |
files_search_locks($1) |
207 |
- admin_pattern($1, apmd_lock_t) |
208 |
+ admin_pattern($1, acpid_lock_t) |
209 |
|
210 |
files_search_pids($1) |
211 |
- admin_pattern($1, apmd_var_run_t) |
212 |
+ admin_pattern($1, acpid_var_run_t) |
213 |
|
214 |
files_search_var_lib($1) |
215 |
- admin_pattern($1, apmd_var_lib_t) |
216 |
+ admin_pattern($1, acpid_var_lib_t) |
217 |
|
218 |
files_search_tmp($1) |
219 |
- admin_pattern($1, apmd_tmp_t) |
220 |
+ admin_pattern($1, acpid_tmp_t) |
221 |
|
222 |
- apm_run_client($1, $2) |
223 |
+ acpi_run_client($1, $2) |
224 |
') |
225 |
|
226 |
diff --git a/policy/modules/contrib/acpi.te b/policy/modules/contrib/acpi.te |
227 |
new file mode 100644 |
228 |
index 00000000..0cd3d884 |
229 |
--- /dev/null |
230 |
+++ b/policy/modules/contrib/acpi.te |
231 |
@@ -0,0 +1,247 @@ |
232 |
+policy_module(acpi, 1.0.0) |
233 |
+ |
234 |
+######################################## |
235 |
+# |
236 |
+# Declarations |
237 |
+# |
238 |
+ |
239 |
+attribute_role acpi_roles; |
240 |
+roleattribute system_r acpi_roles; |
241 |
+ |
242 |
+type acpid_t; |
243 |
+type acpid_exec_t; |
244 |
+typealias acpid_t alias apmd_t; |
245 |
+typealias acpid_exec_t alias apmd_exec_t; |
246 |
+init_daemon_domain(acpid_t, acpid_exec_t) |
247 |
+ |
248 |
+type acpid_initrc_exec_t; |
249 |
+typealias acpid_initrc_exec_t alias apmd_initrc_exec_t; |
250 |
+init_script_file(acpid_initrc_exec_t) |
251 |
+ |
252 |
+type acpi_t; |
253 |
+type acpi_exec_t; |
254 |
+typealias acpi_t alias apm_t; |
255 |
+typealias acpi_exec_t alias apm_exec_t; |
256 |
+application_domain(acpi_t, acpi_exec_t) |
257 |
+role acpi_roles types acpi_t; |
258 |
+ |
259 |
+type acpid_lock_t; |
260 |
+typealias acpid_lock_t alias apmd_lock_t; |
261 |
+files_lock_file(acpid_lock_t) |
262 |
+ |
263 |
+type acpid_log_t; |
264 |
+typealias acpid_log_t alias apmd_log_t; |
265 |
+logging_log_file(acpid_log_t) |
266 |
+ |
267 |
+type acpid_tmp_t; |
268 |
+typealias acpid_tmp_t alias apmd_tmp_t; |
269 |
+files_tmp_file(acpid_tmp_t) |
270 |
+ |
271 |
+type acpid_unit_t; |
272 |
+typealias acpid_unit_t alias apmd_unit_t; |
273 |
+init_unit_file(acpid_unit_t) |
274 |
+ |
275 |
+type acpid_var_lib_t; |
276 |
+typealias acpid_var_lib_t alias apmd_var_lib_t; |
277 |
+files_type(acpid_var_lib_t) |
278 |
+ |
279 |
+type acpid_var_run_t; |
280 |
+typealias acpid_var_run_t alias apmd_var_run_t; |
281 |
+files_pid_file(acpid_var_run_t) |
282 |
+ |
283 |
+######################################## |
284 |
+# |
285 |
+# Client local policy |
286 |
+# |
287 |
+ |
288 |
+allow acpi_t self:capability { dac_override sys_admin }; |
289 |
+ |
290 |
+kernel_read_system_state(acpi_t) |
291 |
+ |
292 |
+dev_rw_acpi_bios(acpi_t) |
293 |
+ |
294 |
+fs_getattr_xattr_fs(acpi_t) |
295 |
+ |
296 |
+term_use_all_terms(acpi_t) |
297 |
+ |
298 |
+domain_use_interactive_fds(acpi_t) |
299 |
+ |
300 |
+logging_send_syslog_msg(acpi_t) |
301 |
+ |
302 |
+######################################## |
303 |
+# |
304 |
+# Server local policy |
305 |
+# |
306 |
+ |
307 |
+allow acpid_t self:capability { kill mknod sys_admin sys_nice sys_time }; |
308 |
+dontaudit acpid_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config }; |
309 |
+allow acpid_t self:process { signal_perms getsession }; |
310 |
+allow acpid_t self:fifo_file rw_fifo_file_perms; |
311 |
+allow acpid_t self:netlink_socket create_socket_perms; |
312 |
+allow acpid_t self:netlink_generic_socket create_socket_perms; |
313 |
+allow acpid_t self:unix_stream_socket { accept listen }; |
314 |
+ |
315 |
+allow acpid_t acpid_lock_t:file manage_file_perms; |
316 |
+files_lock_filetrans(acpid_t, acpid_lock_t, file) |
317 |
+ |
318 |
+allow acpid_t acpid_log_t:file manage_file_perms; |
319 |
+logging_log_filetrans(acpid_t, acpid_log_t, file) |
320 |
+ |
321 |
+manage_dirs_pattern(acpid_t, acpid_tmp_t, acpid_tmp_t) |
322 |
+manage_files_pattern(acpid_t, acpid_tmp_t, acpid_tmp_t) |
323 |
+files_tmp_filetrans(acpid_t, acpid_tmp_t, { file dir }) |
324 |
+ |
325 |
+manage_dirs_pattern(acpid_t, acpid_var_lib_t, acpid_var_lib_t) |
326 |
+manage_files_pattern(acpid_t, acpid_var_lib_t, acpid_var_lib_t) |
327 |
+files_var_lib_filetrans(acpid_t, acpid_var_lib_t, dir) |
328 |
+ |
329 |
+manage_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t) |
330 |
+manage_sock_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t) |
331 |
+files_pid_filetrans(acpid_t, acpid_var_run_t, { file sock_file }) |
332 |
+ |
333 |
+can_exec(acpid_t, acpid_var_run_t) |
334 |
+ |
335 |
+kernel_read_kernel_sysctls(acpid_t) |
336 |
+kernel_rw_all_sysctls(acpid_t) |
337 |
+kernel_read_system_state(acpid_t) |
338 |
+kernel_write_proc_files(acpid_t) |
339 |
+kernel_request_load_module(acpid_t) |
340 |
+ |
341 |
+dev_read_input(acpid_t) |
342 |
+dev_read_mouse(acpid_t) |
343 |
+dev_read_realtime_clock(acpid_t) |
344 |
+dev_read_urand(acpid_t) |
345 |
+dev_rw_acpi_bios(acpid_t) |
346 |
+dev_rw_sysfs(acpid_t) |
347 |
+dev_dontaudit_getattr_all_chr_files(acpid_t) |
348 |
+dev_dontaudit_getattr_all_blk_files(acpid_t) |
349 |
+ |
350 |
+files_exec_etc_files(acpid_t) |
351 |
+files_read_etc_runtime_files(acpid_t) |
352 |
+files_dontaudit_getattr_all_files(acpid_t) |
353 |
+files_dontaudit_getattr_all_symlinks(acpid_t) |
354 |
+files_dontaudit_getattr_all_pipes(acpid_t) |
355 |
+files_dontaudit_getattr_all_sockets(acpid_t) |
356 |
+ |
357 |
+fs_dontaudit_list_tmpfs(acpid_t) |
358 |
+fs_getattr_all_fs(acpid_t) |
359 |
+fs_search_auto_mountpoints(acpid_t) |
360 |
+fs_dontaudit_getattr_all_files(acpid_t) |
361 |
+fs_dontaudit_getattr_all_symlinks(acpid_t) |
362 |
+fs_dontaudit_getattr_all_pipes(acpid_t) |
363 |
+fs_dontaudit_getattr_all_sockets(acpid_t) |
364 |
+ |
365 |
+selinux_search_fs(acpid_t) |
366 |
+ |
367 |
+corecmd_exec_all_executables(acpid_t) |
368 |
+ |
369 |
+domain_read_all_domains_state(acpid_t) |
370 |
+domain_dontaudit_ptrace_all_domains(acpid_t) |
371 |
+domain_use_interactive_fds(acpid_t) |
372 |
+domain_dontaudit_getattr_all_sockets(acpid_t) |
373 |
+domain_dontaudit_getattr_all_key_sockets(acpid_t) |
374 |
+domain_dontaudit_list_all_domains_state(acpid_t) |
375 |
+ |
376 |
+auth_use_nsswitch(acpid_t) |
377 |
+ |
378 |
+init_domtrans_script(acpid_t) |
379 |
+ |
380 |
+libs_exec_ld_so(acpid_t) |
381 |
+libs_exec_lib_files(acpid_t) |
382 |
+ |
383 |
+logging_send_audit_msgs(acpid_t) |
384 |
+logging_send_syslog_msg(acpid_t) |
385 |
+ |
386 |
+miscfiles_read_localization(acpid_t) |
387 |
+miscfiles_read_hwdata(acpid_t) |
388 |
+ |
389 |
+modutils_domtrans(acpid_t) |
390 |
+modutils_read_module_config(acpid_t) |
391 |
+ |
392 |
+seutil_dontaudit_read_config(acpid_t) |
393 |
+ |
394 |
+userdom_dontaudit_use_unpriv_user_fds(acpid_t) |
395 |
+userdom_dontaudit_search_user_home_dirs(acpid_t) |
396 |
+userdom_dontaudit_search_user_home_content(acpid_t) |
397 |
+ |
398 |
+optional_policy(` |
399 |
+ automount_domtrans(acpid_t) |
400 |
+') |
401 |
+ |
402 |
+optional_policy(` |
403 |
+ clock_domtrans(acpid_t) |
404 |
+ clock_rw_adjtime(acpid_t) |
405 |
+') |
406 |
+ |
407 |
+optional_policy(` |
408 |
+ cron_system_entry(acpid_t, acpid_exec_t) |
409 |
+ cron_anacron_domtrans_system_job(acpid_t) |
410 |
+') |
411 |
+ |
412 |
+optional_policy(` |
413 |
+ devicekit_manage_pid_files(acpid_t) |
414 |
+ devicekit_manage_log_files(acpid_t) |
415 |
+ devicekit_relabel_log_files(acpid_t) |
416 |
+') |
417 |
+ |
418 |
+optional_policy(` |
419 |
+ dbus_system_bus_client(acpid_t) |
420 |
+ |
421 |
+ optional_policy(` |
422 |
+ consolekit_dbus_chat(acpid_t) |
423 |
+ ') |
424 |
+ |
425 |
+ optional_policy(` |
426 |
+ networkmanager_dbus_chat(acpid_t) |
427 |
+ ') |
428 |
+') |
429 |
+ |
430 |
+optional_policy(` |
431 |
+ fstools_domtrans(acpid_t) |
432 |
+') |
433 |
+ |
434 |
+optional_policy(` |
435 |
+ iptables_domtrans(acpid_t) |
436 |
+') |
437 |
+ |
438 |
+optional_policy(` |
439 |
+ logrotate_use_fds(acpid_t) |
440 |
+') |
441 |
+ |
442 |
+optional_policy(` |
443 |
+ mta_send_mail(acpid_t) |
444 |
+') |
445 |
+ |
446 |
+optional_policy(` |
447 |
+ netutils_domtrans(acpid_t) |
448 |
+') |
449 |
+ |
450 |
+optional_policy(` |
451 |
+ pcmcia_domtrans_cardmgr(acpid_t) |
452 |
+ pcmcia_domtrans_cardctl(acpid_t) |
453 |
+') |
454 |
+ |
455 |
+optional_policy(` |
456 |
+ seutil_sigchld_newrole(acpid_t) |
457 |
+') |
458 |
+ |
459 |
+optional_policy(` |
460 |
+ shutdown_domtrans(acpid_t) |
461 |
+') |
462 |
+ |
463 |
+optional_policy(` |
464 |
+ sysnet_domtrans_ifconfig(acpid_t) |
465 |
+') |
466 |
+ |
467 |
+optional_policy(` |
468 |
+ udev_read_db(acpid_t) |
469 |
+ udev_read_state(acpid_t) |
470 |
+') |
471 |
+ |
472 |
+optional_policy(` |
473 |
+ vbetool_domtrans(acpid_t) |
474 |
+') |
475 |
+ |
476 |
+optional_policy(` |
477 |
+ xserver_domtrans(acpid_t) |
478 |
+') |
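Review bot: `dev_rw_acpi_bios()` is called for both acpi_t and acpid_t, but no devices.if change is part of this commit, so the module only builds if the kernel layer already provides that interface (presumably renamed from the `dev_rw_apm_bios()` used in the deleted apm.te by an earlier commit); worth confirming before merge. Because the module name changes from `apm` to `acpi` while the new file re-declares `apmd_t`, `apm_t` and the other old names as aliases, an installed apm module likely has to be removed from the store before the acpi module is inserted or the duplicate declarations will conflict, and a sentence in the commit message or release notes would help packagers. The `attribute_role apm_roles` becomes `acpi_roles` with no alias (as far as I know there is no alias mechanism for role attributes), so any external `roleattribute` referencing the old name needs updating too. Unrelated to the rename, `can_exec(acpid_t, acpid_var_run_t)` together with `manage_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t)` lets the daemon execute files it can itself write under /run, which deserves a separate review as the author's "one change per patch" note suggests.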
479 |
|
480 |
diff --git a/policy/modules/contrib/apm.fc b/policy/modules/contrib/apm.fc |
481 |
deleted file mode 100644 |
482 |
index bfa60ae0..00000000 |
483 |
--- a/policy/modules/contrib/apm.fc |
484 |
+++ /dev/null |
485 |
@@ -1,21 +0,0 @@ |
486 |
-/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:apmd_initrc_exec_t,s0) |
487 |
- |
488 |
-/usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0) |
489 |
- |
490 |
-/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:apmd_unit_t,s0) |
491 |
- |
492 |
-/usr/sbin/acpid -- gen_context(system_u:object_r:apmd_exec_t,s0) |
493 |
-/usr/sbin/apmd -- gen_context(system_u:object_r:apmd_exec_t,s0) |
494 |
-/usr/sbin/powersaved -- gen_context(system_u:object_r:apmd_exec_t,s0) |
495 |
- |
496 |
-/var/lock/subsys/acpid -- gen_context(system_u:object_r:apmd_lock_t,s0) |
497 |
- |
498 |
-/var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0) |
499 |
- |
500 |
-/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0) |
501 |
-/run/acpid\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0) |
502 |
-/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0) |
503 |
-/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0) |
504 |
-/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0) |
505 |
- |
506 |
-/var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0) |
507 |
|
508 |
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te |
509 |
deleted file mode 100644 |
510 |
index 7f41a450..00000000 |
511 |
--- a/policy/modules/contrib/apm.te |
512 |
+++ /dev/null |
513 |
@@ -1,236 +0,0 @@ |
514 |
-policy_module(apm, 1.16.1) |
515 |
- |
516 |
-######################################## |
517 |
-# |
518 |
-# Declarations |
519 |
-# |
520 |
- |
521 |
-attribute_role apm_roles; |
522 |
-roleattribute system_r apm_roles; |
523 |
- |
524 |
-type apmd_t; |
525 |
-type apmd_exec_t; |
526 |
-init_daemon_domain(apmd_t, apmd_exec_t) |
527 |
- |
528 |
-type apmd_initrc_exec_t; |
529 |
-init_script_file(apmd_initrc_exec_t) |
530 |
- |
531 |
-type apm_t; |
532 |
-type apm_exec_t; |
533 |
-application_domain(apm_t, apm_exec_t) |
534 |
-role apm_roles types apm_t; |
535 |
- |
536 |
-type apmd_lock_t; |
537 |
-files_lock_file(apmd_lock_t) |
538 |
- |
539 |
-type apmd_log_t; |
540 |
-logging_log_file(apmd_log_t) |
541 |
- |
542 |
-type apmd_tmp_t; |
543 |
-files_tmp_file(apmd_tmp_t) |
544 |
- |
545 |
-type apmd_unit_t; |
546 |
-init_unit_file(apmd_unit_t) |
547 |
- |
548 |
-type apmd_var_lib_t; |
549 |
-files_type(apmd_var_lib_t) |
550 |
- |
551 |
-type apmd_var_run_t; |
552 |
-files_pid_file(apmd_var_run_t) |
553 |
- |
554 |
-######################################## |
555 |
-# |
556 |
-# Client local policy |
557 |
-# |
558 |
- |
559 |
-allow apm_t self:capability { dac_override sys_admin }; |
560 |
- |
561 |
-kernel_read_system_state(apm_t) |
562 |
- |
563 |
-dev_rw_apm_bios(apm_t) |
564 |
- |
565 |
-fs_getattr_xattr_fs(apm_t) |
566 |
- |
567 |
-term_use_all_terms(apm_t) |
568 |
- |
569 |
-domain_use_interactive_fds(apm_t) |
570 |
- |
571 |
-logging_send_syslog_msg(apm_t) |
572 |
- |
573 |
-######################################## |
574 |
-# |
575 |
-# Server local policy |
576 |
-# |
577 |
- |
578 |
-allow apmd_t self:capability { kill mknod sys_admin sys_nice sys_time }; |
579 |
-dontaudit apmd_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config }; |
580 |
-allow apmd_t self:process { signal_perms getsession }; |
581 |
-allow apmd_t self:fifo_file rw_fifo_file_perms; |
582 |
-allow apmd_t self:netlink_socket create_socket_perms; |
583 |
-allow apmd_t self:netlink_generic_socket create_socket_perms; |
584 |
-allow apmd_t self:unix_stream_socket { accept listen }; |
585 |
- |
586 |
-allow apmd_t apmd_lock_t:file manage_file_perms; |
587 |
-files_lock_filetrans(apmd_t, apmd_lock_t, file) |
588 |
- |
589 |
-allow apmd_t apmd_log_t:file manage_file_perms; |
590 |
-logging_log_filetrans(apmd_t, apmd_log_t, file) |
591 |
- |
592 |
-manage_dirs_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t) |
593 |
-manage_files_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t) |
594 |
-files_tmp_filetrans(apmd_t, apmd_tmp_t, { file dir }) |
595 |
- |
596 |
-manage_dirs_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t) |
597 |
-manage_files_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t) |
598 |
-files_var_lib_filetrans(apmd_t, apmd_var_lib_t, dir) |
599 |
- |
600 |
-manage_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t) |
601 |
-manage_sock_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t) |
602 |
-files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file }) |
603 |
- |
604 |
-can_exec(apmd_t, apmd_var_run_t) |
605 |
- |
606 |
-kernel_read_kernel_sysctls(apmd_t) |
607 |
-kernel_rw_all_sysctls(apmd_t) |
608 |
-kernel_read_system_state(apmd_t) |
609 |
-kernel_write_proc_files(apmd_t) |
610 |
-kernel_request_load_module(apmd_t) |
611 |
- |
612 |
-dev_read_input(apmd_t) |
613 |
-dev_read_mouse(apmd_t) |
614 |
-dev_read_realtime_clock(apmd_t) |
615 |
-dev_read_urand(apmd_t) |
616 |
-dev_rw_apm_bios(apmd_t) |
617 |
-dev_rw_sysfs(apmd_t) |
618 |
-dev_dontaudit_getattr_all_chr_files(apmd_t) |
619 |
-dev_dontaudit_getattr_all_blk_files(apmd_t) |
620 |
- |
621 |
-files_exec_etc_files(apmd_t) |
622 |
-files_read_etc_runtime_files(apmd_t) |
623 |
-files_dontaudit_getattr_all_files(apmd_t) |
624 |
-files_dontaudit_getattr_all_symlinks(apmd_t) |
625 |
-files_dontaudit_getattr_all_pipes(apmd_t) |
626 |
-files_dontaudit_getattr_all_sockets(apmd_t) |
627 |
- |
628 |
-fs_dontaudit_list_tmpfs(apmd_t) |
629 |
-fs_getattr_all_fs(apmd_t) |
630 |
-fs_search_auto_mountpoints(apmd_t) |
631 |
-fs_dontaudit_getattr_all_files(apmd_t) |
632 |
-fs_dontaudit_getattr_all_symlinks(apmd_t) |
633 |
-fs_dontaudit_getattr_all_pipes(apmd_t) |
634 |
-fs_dontaudit_getattr_all_sockets(apmd_t) |
635 |
- |
636 |
-selinux_search_fs(apmd_t) |
637 |
- |
638 |
-corecmd_exec_all_executables(apmd_t) |
639 |
- |
640 |
-domain_read_all_domains_state(apmd_t) |
641 |
-domain_dontaudit_ptrace_all_domains(apmd_t) |
642 |
-domain_use_interactive_fds(apmd_t) |
643 |
-domain_dontaudit_getattr_all_sockets(apmd_t) |
644 |
-domain_dontaudit_getattr_all_key_sockets(apmd_t) |
645 |
-domain_dontaudit_list_all_domains_state(apmd_t) |
646 |
- |
647 |
-auth_use_nsswitch(apmd_t) |
648 |
- |
649 |
-init_domtrans_script(apmd_t) |
650 |
- |
651 |
-libs_exec_ld_so(apmd_t) |
652 |
-libs_exec_lib_files(apmd_t) |
653 |
- |
654 |
-logging_send_audit_msgs(apmd_t) |
655 |
-logging_send_syslog_msg(apmd_t) |
656 |
- |
657 |
-miscfiles_read_localization(apmd_t) |
658 |
-miscfiles_read_hwdata(apmd_t) |
659 |
- |
660 |
-modutils_domtrans(apmd_t) |
661 |
-modutils_read_module_config(apmd_t) |
662 |
- |
663 |
-seutil_dontaudit_read_config(apmd_t) |
664 |
- |
665 |
-userdom_dontaudit_use_unpriv_user_fds(apmd_t) |
666 |
-userdom_dontaudit_search_user_home_dirs(apmd_t) |
667 |
-userdom_dontaudit_search_user_home_content(apmd_t) |
668 |
- |
669 |
-optional_policy(` |
670 |
- automount_domtrans(apmd_t) |
671 |
-') |
672 |
- |
673 |
-optional_policy(` |
674 |
- clock_domtrans(apmd_t) |
675 |
- clock_rw_adjtime(apmd_t) |
676 |
-') |
677 |
- |
678 |
-optional_policy(` |
679 |
- cron_system_entry(apmd_t, apmd_exec_t) |
680 |
- cron_anacron_domtrans_system_job(apmd_t) |
681 |
-') |
682 |
- |
683 |
-optional_policy(` |
684 |
- devicekit_manage_pid_files(apmd_t) |
685 |
- devicekit_manage_log_files(apmd_t) |
686 |
- devicekit_relabel_log_files(apmd_t) |
687 |
-') |
688 |
- |
689 |
-optional_policy(` |
690 |
- dbus_system_bus_client(apmd_t) |
691 |
- |
692 |
- optional_policy(` |
693 |
- consolekit_dbus_chat(apmd_t) |
694 |
- ') |
695 |
- |
696 |
- optional_policy(` |
697 |
- networkmanager_dbus_chat(apmd_t) |
698 |
- ') |
699 |
-') |
700 |
- |
701 |
-optional_policy(` |
702 |
- fstools_domtrans(apmd_t) |
703 |
-') |
704 |
- |
705 |
-optional_policy(` |
706 |
- iptables_domtrans(apmd_t) |
707 |
-') |
708 |
- |
709 |
-optional_policy(` |
710 |
- logrotate_use_fds(apmd_t) |
711 |
-') |
712 |
- |
713 |
-optional_policy(` |
714 |
- mta_send_mail(apmd_t) |
715 |
-') |
716 |
- |
717 |
-optional_policy(` |
718 |
- netutils_domtrans(apmd_t) |
719 |
-') |
720 |
- |
721 |
-optional_policy(` |
722 |
- pcmcia_domtrans_cardmgr(apmd_t) |
723 |
- pcmcia_domtrans_cardctl(apmd_t) |
724 |
-') |
725 |
- |
726 |
-optional_policy(` |
727 |
- seutil_sigchld_newrole(apmd_t) |
728 |
-') |
729 |
- |
730 |
-optional_policy(` |
731 |
- shutdown_domtrans(apmd_t) |
732 |
-') |
733 |
- |
734 |
-optional_policy(` |
735 |
- sysnet_domtrans_ifconfig(apmd_t) |
736 |
-') |
737 |
- |
738 |
-optional_policy(` |
739 |
- udev_read_db(apmd_t) |
740 |
- udev_read_state(apmd_t) |
741 |
-') |
742 |
- |
743 |
-optional_policy(` |
744 |
- vbetool_domtrans(apmd_t) |
745 |
-') |
746 |
- |
747 |
-optional_policy(` |
748 |
- xserver_domtrans(apmd_t) |
749 |
-') |
750 |
|
751 |
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te |
752 |
index 8fdd713f..3a6c0b92 100644 |
753 |
--- a/policy/modules/contrib/cups.te |
754 |
+++ b/policy/modules/contrib/cups.te |
755 |
@@ -273,7 +273,7 @@ userdom_dontaudit_use_unpriv_user_fds(cupsd_t) |
756 |
userdom_dontaudit_search_user_home_content(cupsd_t) |
757 |
|
758 |
optional_policy(` |
759 |
- apm_domtrans_client(cupsd_t) |
760 |
+ acpi_domtrans_client(cupsd_t) |
761 |
') |
762 |
|
763 |
optional_policy(` |
764 |
|
765 |
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te |
766 |
index d260d697..29b473e7 100644 |
767 |
--- a/policy/modules/contrib/hal.te |
768 |
+++ b/policy/modules/contrib/hal.te |
769 |
@@ -221,7 +221,7 @@ optional_policy(` |
770 |
') |
771 |
|
772 |
optional_policy(` |
773 |
- apm_stream_connect(hald_t) |
774 |
+ acpi_stream_connect(hald_t) |
775 |
') |
776 |
|
777 |
optional_policy(` |