diff options
Diffstat (limited to 'policy/modules/services/acpi.if')
-rw-r--r-- | policy/modules/services/acpi.if | 187 |
1 files changed, 187 insertions, 0 deletions
diff --git a/policy/modules/services/acpi.if b/policy/modules/services/acpi.if new file mode 100644 index 000000000..109b644eb --- /dev/null +++ b/policy/modules/services/acpi.if @@ -0,0 +1,187 @@ +## <summary>Advanced power management.</summary> + +######################################## +## <summary> +## Execute apm in the apm domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`acpi_domtrans_client',` + gen_require(` + type acpi_t, acpi_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, acpi_exec_t, acpi_t) +') + +######################################## +## <summary> +## Execute apm in the apm domain +## and allow the specified role +## the apm domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`acpi_run_client',` + gen_require(` + attribute_role acpi_roles; + ') + + acpi_domtrans_client($1) + roleattribute $2 acpi_roles; +') + +######################################## +## <summary> +## Use apmd file descriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`acpi_use_fds',` + gen_require(` + type acpid_t; + ') + + allow $1 acpid_t:fd use; +') + +######################################## +## <summary> +## Write apmd unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`acpi_write_pipes',` + gen_require(` + type acpid_t; + ') + + allow $1 acpid_t:fifo_file write; +') + +######################################## +## <summary> +## Read and write to apmd unix +## stream sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`acpi_rw_stream_sockets',` + gen_require(` + type acpid_t; + ') + + allow $1 acpid_t:unix_stream_socket { read write }; +') + +######################################## +## <summary> +## Append apmd log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`acpi_append_log',` + gen_require(` + type acpid_log_t; + ') + + logging_search_logs($1) + allow $1 acpid_log_t:file append_file_perms; +') + +######################################## +## <summary> +## Connect to apmd over an unix +## stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`acpi_stream_connect',` + gen_require(` + type acpid_t, acpid_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, acpid_var_run_t, acpid_var_run_t, acpid_t) +') + +######################################## +## <summary> +## All of the rules required to +## administrate an apm environment. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`acpi_admin',` + gen_require(` + type acpid_t, acpid_initrc_exec_t, acpid_log_t; + type acpid_lock_t, acpid_var_run_t, acpid_var_lib_t; + type acpid_tmp_t; + ') + + allow $1 acpid_t:process { ptrace signal_perms }; + ps_process_pattern($1, acpid_t) + + init_startstop_service($1, $2, acpid_t, acpid_initrc_exec_t) + + logging_search_logs($1) + admin_pattern($1, acpid_log_t) + + files_search_locks($1) + admin_pattern($1, acpid_lock_t) + + files_search_pids($1) + admin_pattern($1, acpid_var_run_t) + + files_search_var_lib($1) + admin_pattern($1, acpid_var_lib_t) + + files_search_tmp($1) + admin_pattern($1, acpid_tmp_t) + + acpi_run_client($1, $2) +') |