1 files changed, 187 insertions, 0 deletions

diff --git a/policy/modules/services/acpi.if b/policy/modules/services/acpi.if
new file mode 100644
index 000000000..109b644eb
--- /dev/null
+++ b/policy/modules/services/acpi.if
@@ -0,0 +1,187 @@
+## <summary>Advanced power management.</summary>
+
+########################################
+## <summary>
+##	Execute apm in the apm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`acpi_domtrans_client',`
+	gen_require(`
+		type acpi_t, acpi_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, acpi_exec_t, acpi_t)
+')
+
+########################################
+## <summary>
+##	Execute apm in the apm domain
+##	and allow the specified role
+##	the apm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`acpi_run_client',`
+	gen_require(`
+		attribute_role acpi_roles;
+	')
+
+	acpi_domtrans_client($1)
+	roleattribute $2 acpi_roles;
+')
+
+########################################
+## <summary>
+##	Use apmd file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`acpi_use_fds',`
+	gen_require(`
+		type acpid_t;
+	')
+
+	allow $1 acpid_t:fd use;
+')
+
+########################################
+## <summary>
+##	Write apmd unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`acpi_write_pipes',`
+	gen_require(`
+		type acpid_t;
+	')
+
+	allow $1 acpid_t:fifo_file write;
+')
+
+########################################
+## <summary>
+##	Read and write to apmd unix
+##	stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`acpi_rw_stream_sockets',`
+	gen_require(`
+		type acpid_t;
+	')
+
+	allow $1 acpid_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	Append apmd log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`acpi_append_log',`
+	gen_require(`
+		type acpid_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 acpid_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+##	Connect to apmd over an unix
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`acpi_stream_connect',`
+	gen_require(`
+		type acpid_t, acpid_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, acpid_var_run_t, acpid_var_run_t, acpid_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an apm environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`acpi_admin',`
+	gen_require(`
+		type acpid_t, acpid_initrc_exec_t, acpid_log_t;
+		type acpid_lock_t, acpid_var_run_t, acpid_var_lib_t;
+		type acpid_tmp_t;
+	')
+
+	allow $1 acpid_t:process { ptrace signal_perms };
+	ps_process_pattern($1, acpid_t)
+
+	init_startstop_service($1, $2, acpid_t, acpid_initrc_exec_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, acpid_log_t)
+
+	files_search_locks($1)
+	admin_pattern($1, acpid_lock_t)
+
+	files_search_pids($1)
+	admin_pattern($1, acpid_var_run_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, acpid_var_lib_t)
+
+	files_search_tmp($1)
+	admin_pattern($1, acpid_tmp_t)
+
+	acpi_run_client($1, $2)
+')