From: russell@coker.com.au (Russell Coker)
Date: Mon, 24 Apr 2017 00:16:50 +1000
Subject: [refpolicy] [PATCH] s/apm/acpi/g
Message-ID: <20170423141650.jcgkc4smo4hihr34@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
This patch is slightly more involved than just running sed. It also adds
typealias rules and doesn't change the FC entries.
The /dev/apm_bios device doesn't exist on modern systems. I have left that
policy in for the moment on the principle of making one change per patch. But
I might send another patch to remove that as it won't exist with modern
kernels.
diff -ruN pol-git/policy/modules/admin/consoletype.te pol-acpi/policy/modules/admin/consoletype.te
--- pol-git/policy/modules/admin/consoletype.te 2017-02-05 20:57:06.655564785 +1100
+++ pol-acpi/policy/modules/admin/consoletype.te 2017-04-23 23:51:17.088762849 +1000
@@ -61,8 +61,8 @@
')
optional_policy(`
- apm_use_fds(consoletype_t)
- apm_write_pipes(consoletype_t)
+ acpi_use_fds(consoletype_t)
+ acpi_write_pipes(consoletype_t)
')
optional_policy(`
diff -ruN pol-git/policy/modules/contrib/acpi.fc pol-acpi/policy/modules/contrib/acpi.fc
--- pol-git/policy/modules/contrib/acpi.fc 1970-01-01 10:00:00.000000000 +1000
+++ pol-acpi/policy/modules/contrib/acpi.fc 2017-04-23 23:53:32.979594186 +1000
@@ -0,0 +1,21 @@
+/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:acpid_initrc_exec_t,s0)
+
+/usr/bin/apm -- gen_context(system_u:object_r:acpi_exec_t,s0)
+
+/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:acpid_unit_t,s0)
+
+/usr/sbin/acpid -- gen_context(system_u:object_r:acpid_exec_t,s0)
+/usr/sbin/apmd -- gen_context(system_u:object_r:acpid_exec_t,s0)
+/usr/sbin/powersaved -- gen_context(system_u:object_r:acpid_exec_t,s0)
+
+/var/lock/subsys/acpid -- gen_context(system_u:object_r:acpid_lock_t,s0)
+
+/var/log/acpid.* -- gen_context(system_u:object_r:acpid_log_t,s0)
+
+/run/\.?acpid\.socket -s gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/acpid\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/apmd\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/powersaved\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/powersave_socket -s gen_context(system_u:object_r:acpid_var_run_t,s0)
+
+/var/lib/acpi(/.*)? gen_context(system_u:object_r:acpid_var_lib_t,s0)
diff -ruN pol-git/policy/modules/contrib/acpi.if pol-acpi/policy/modules/contrib/acpi.if
--- pol-git/policy/modules/contrib/acpi.if 1970-01-01 10:00:00.000000000 +1000
+++ pol-acpi/policy/modules/contrib/acpi.if 2017-04-23 23:53:32.983594274 +1000
@@ -0,0 +1,187 @@
+## Advanced power management.
+
+########################################
+##
+## Execute apm in the apm domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`acpi_domtrans_client',`
+ gen_require(`
+ type acpi_t, acpi_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, acpi_exec_t, acpi_t)
+')
+
+########################################
+##
+## Execute apm in the apm domain
+## and allow the specified role
+## the apm domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`acpi_run_client',`
+ gen_require(`
+ attribute_role acpi_roles;
+ ')
+
+ acpi_domtrans_client($1)
+ roleattribute $2 acpi_roles;
+')
+
+########################################
+##
+## Use apmd file descriptors.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`acpi_use_fds',`
+ gen_require(`
+ type acpid_t;
+ ')
+
+ allow $1 acpid_t:fd use;
+')
+
+########################################
+##
+## Write apmd unnamed pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`acpi_write_pipes',`
+ gen_require(`
+ type acpid_t;
+ ')
+
+ allow $1 acpid_t:fifo_file write;
+')
+
+########################################
+##
+## Read and write to apmd unix
+## stream sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`acpi_rw_stream_sockets',`
+ gen_require(`
+ type acpid_t;
+ ')
+
+ allow $1 acpid_t:unix_stream_socket { read write };
+')
+
+########################################
+##
+## Append apmd log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`acpi_append_log',`
+ gen_require(`
+ type acpid_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 acpid_log_t:file append_file_perms;
+')
+
+########################################
+##
+## Connect to apmd over an unix
+## stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`acpi_stream_connect',`
+ gen_require(`
+ type acpid_t, acpid_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, acpid_var_run_t, acpid_var_run_t, acpid_t)
+')
+
+########################################
+##
+## All of the rules required to
+## administrate an apm environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`acpi_admin',`
+ gen_require(`
+ type acpid_t, acpid_initrc_exec_t, acpid_log_t;
+ type acpid_lock_t, acpid_var_run_t, acpid_var_lib_t;
+ type acpid_tmp_t;
+ ')
+
+ allow $1 acpid_t:process { ptrace signal_perms };
+ ps_process_pattern($1, acpid_t)
+
+ init_startstop_service($1, $2, acpid_t, acpid_initrc_exec_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, acpid_log_t)
+
+ files_search_locks($1)
+ admin_pattern($1, acpid_lock_t)
+
+ files_search_pids($1)
+ admin_pattern($1, acpid_var_run_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, acpid_var_lib_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, acpid_tmp_t)
+
+ acpi_run_client($1, $2)
+')
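Review bot: The old `apm_*` interface names disappear with apm.if and nothing in acpi.if keeps them callable, so any policy module outside this tree that still calls e.g. `apm_use_fds()` or `apm_stream_connect()` will fail to build, whereas the types do get `typealias` compatibility in acpi.te. The same applies to the five `dev_*_apm_bios*` interfaces renamed in devices.if. Consider keeping thin deprecated wrappers that warn and forward to the new name for a transition period, as sketched below for one interface. Separately, the summaries in this file still say "apm"/"apmd" although the domains are now `acpi_t`/`acpid_t`.

```selinux
# … doc header as for acpi_use_fds, marked deprecated …
interface(`apm_use_fds',`
	refpolicywarn(`$0($*) has been deprecated, please use acpi_use_fds() instead.')
	acpi_use_fds($1)
')
# … same pattern for the remaining apm_* interfaces …
```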
diff -ruN pol-git/policy/modules/contrib/acpi.te pol-acpi/policy/modules/contrib/acpi.te
--- pol-git/policy/modules/contrib/acpi.te 1970-01-01 10:00:00.000000000 +1000
+++ pol-acpi/policy/modules/contrib/acpi.te 2017-04-24 00:10:28.602801632 +1000
@@ -0,0 +1,247 @@
+policy_module(acpi, 1.16.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role acpi_roles;
+roleattribute system_r acpi_roles;
+
+type acpid_t;
+type acpid_exec_t;
+typealias acpid_t alias apmd_t;
+typealias acpid_exec_t alias apmd_exec_t;
+init_daemon_domain(acpid_t, acpid_exec_t)
+
+type acpid_initrc_exec_t;
+typealias acpid_initrc_exec_t alias apmd_initrc_exec_t;
+init_script_file(acpid_initrc_exec_t)
+
+type acpi_t;
+type acpi_exec_t;
+typealias acpi_t alias apm_t;
+typealias acpi_exec_t alias apm_exec_t;
+application_domain(acpi_t, acpi_exec_t)
+role acpi_roles types acpi_t;
+
+type acpid_lock_t;
+typealias acpid_lock_t alias apmd_lock_t;
+files_lock_file(acpid_lock_t)
+
+type acpid_log_t;
+typealias acpid_log_t alias apmd_log_t;
+logging_log_file(acpid_log_t)
+
+type acpid_tmp_t;
+typealias acpid_tmp_t alias apmd_tmp_t;
+files_tmp_file(acpid_tmp_t)
+
+type acpid_unit_t;
+typealias acpid_unit_t alias apmd_unit_t;
+init_unit_file(acpid_unit_t)
+
+type acpid_var_lib_t;
+typealias acpid_var_lib_t alias apmd_var_lib_t;
+files_type(acpid_var_lib_t)
+
+type acpid_var_run_t;
+typealias acpid_var_run_t alias apmd_var_run_t;
+files_pid_file(acpid_var_run_t)
+
+########################################
+#
+# Client local policy
+#
+
+allow acpi_t self:capability { dac_override sys_admin };
+
+kernel_read_system_state(acpi_t)
+
+dev_rw_acpi_bios(acpi_t)
+
+fs_getattr_xattr_fs(acpi_t)
+
+term_use_all_terms(acpi_t)
+
+domain_use_interactive_fds(acpi_t)
+
+logging_send_syslog_msg(acpi_t)
+
+########################################
+#
+# Server local policy
+#
+
+allow acpid_t self:capability { kill mknod sys_admin sys_nice sys_time };
+dontaudit acpid_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config };
+allow acpid_t self:process { signal_perms getsession };
+allow acpid_t self:fifo_file rw_fifo_file_perms;
+allow acpid_t self:netlink_socket create_socket_perms;
+allow acpid_t self:netlink_generic_socket create_socket_perms;
+allow acpid_t self:unix_stream_socket { accept listen };
+
+allow acpid_t acpid_lock_t:file manage_file_perms;
+files_lock_filetrans(acpid_t, acpid_lock_t, file)
+
+allow acpid_t acpid_log_t:file manage_file_perms;
+logging_log_filetrans(acpid_t, acpid_log_t, file)
+
+manage_dirs_pattern(acpid_t, acpid_tmp_t, acpid_tmp_t)
+manage_files_pattern(acpid_t, acpid_tmp_t, acpid_tmp_t)
+files_tmp_filetrans(acpid_t, acpid_tmp_t, { file dir })
+
+manage_dirs_pattern(acpid_t, acpid_var_lib_t, acpid_var_lib_t)
+manage_files_pattern(acpid_t, acpid_var_lib_t, acpid_var_lib_t)
+files_var_lib_filetrans(acpid_t, acpid_var_lib_t, dir)
+
+manage_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t)
+manage_sock_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t)
+files_pid_filetrans(acpid_t, acpid_var_run_t, { file sock_file })
+
+can_exec(acpid_t, acpid_var_run_t)
+
+kernel_read_kernel_sysctls(acpid_t)
+kernel_rw_all_sysctls(acpid_t)
+kernel_read_system_state(acpid_t)
+kernel_write_proc_files(acpid_t)
+kernel_request_load_module(acpid_t)
+
+dev_read_input(acpid_t)
+dev_read_mouse(acpid_t)
+dev_read_realtime_clock(acpid_t)
+dev_read_urand(acpid_t)
+dev_rw_acpi_bios(acpid_t)
+dev_rw_sysfs(acpid_t)
+dev_dontaudit_getattr_all_chr_files(acpid_t)
+dev_dontaudit_getattr_all_blk_files(acpid_t)
+
+files_exec_etc_files(acpid_t)
+files_read_etc_runtime_files(acpid_t)
+files_dontaudit_getattr_all_files(acpid_t)
+files_dontaudit_getattr_all_symlinks(acpid_t)
+files_dontaudit_getattr_all_pipes(acpid_t)
+files_dontaudit_getattr_all_sockets(acpid_t)
+
+fs_dontaudit_list_tmpfs(acpid_t)
+fs_getattr_all_fs(acpid_t)
+fs_search_auto_mountpoints(acpid_t)
+fs_dontaudit_getattr_all_files(acpid_t)
+fs_dontaudit_getattr_all_symlinks(acpid_t)
+fs_dontaudit_getattr_all_pipes(acpid_t)
+fs_dontaudit_getattr_all_sockets(acpid_t)
+
+selinux_search_fs(acpid_t)
+
+corecmd_exec_all_executables(acpid_t)
+
+domain_read_all_domains_state(acpid_t)
+domain_dontaudit_ptrace_all_domains(acpid_t)
+domain_use_interactive_fds(acpid_t)
+domain_dontaudit_getattr_all_sockets(acpid_t)
+domain_dontaudit_getattr_all_key_sockets(acpid_t)
+domain_dontaudit_list_all_domains_state(acpid_t)
+
+auth_use_nsswitch(acpid_t)
+
+init_domtrans_script(acpid_t)
+
+libs_exec_ld_so(acpid_t)
+libs_exec_lib_files(acpid_t)
+
+logging_send_audit_msgs(acpid_t)
+logging_send_syslog_msg(acpid_t)
+
+miscfiles_read_localization(acpid_t)
+miscfiles_read_hwdata(acpid_t)
+
+modutils_domtrans(acpid_t)
+modutils_read_module_config(acpid_t)
+
+seutil_dontaudit_read_config(acpid_t)
+
+userdom_dontaudit_use_unpriv_user_fds(acpid_t)
+userdom_dontaudit_search_user_home_dirs(acpid_t)
+userdom_dontaudit_search_user_home_content(acpid_t)
+
+optional_policy(`
+ automount_domtrans(acpid_t)
+')
+
+optional_policy(`
+ clock_domtrans(acpid_t)
+ clock_rw_adjtime(acpid_t)
+')
+
+optional_policy(`
+ cron_system_entry(acpid_t, acpid_exec_t)
+ cron_anacron_domtrans_system_job(acpid_t)
+')
+
+optional_policy(`
+ devicekit_manage_pid_files(acpid_t)
+ devicekit_manage_log_files(acpid_t)
+ devicekit_relabel_log_files(acpid_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(acpid_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(acpid_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(acpid_t)
+ ')
+')
+
+optional_policy(`
+ fstools_domtrans(acpid_t)
+')
+
+optional_policy(`
+ iptables_domtrans(acpid_t)
+')
+
+optional_policy(`
+ logrotate_use_fds(acpid_t)
+')
+
+optional_policy(`
+ mta_send_mail(acpid_t)
+')
+
+optional_policy(`
+ netutils_domtrans(acpid_t)
+')
+
+optional_policy(`
+ pcmcia_domtrans_cardmgr(acpid_t)
+ pcmcia_domtrans_cardctl(acpid_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(acpid_t)
+')
+
+optional_policy(`
+ shutdown_domtrans(acpid_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(acpid_t)
+')
+
+optional_policy(`
+ udev_read_db(acpid_t)
+ udev_read_state(acpid_t)
+')
+
+optional_policy(`
+ vbetool_domtrans(acpid_t)
+')
+
+optional_policy(`
+ xserver_domtrans(acpid_t)
+')
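Review bot: `acpid_t` may create and write files of type `acpid_var_run_t` (`manage_files_pattern` plus `files_pid_filetrans`) and may also execute that same type through `can_exec(acpid_t, acpid_var_run_t)`, so a file the daemon writes under /run can then be executed in its own domain, which holds `sys_admin`. The rule appears to be carried over unchanged from apm.te rather than introduced here, but a patch that re-adds the whole module is a reasonable place to confirm it is still needed. If it is, a one-line comment above the `can_exec` line naming which daemon executes its runtime files would record the reason; if it is not, the line can be dropped.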
diff -ruN pol-git/policy/modules/contrib/apm.fc pol-acpi/policy/modules/contrib/apm.fc
--- pol-git/policy/modules/contrib/apm.fc 2017-04-23 23:54:08.792384981 +1000
+++ pol-acpi/policy/modules/contrib/apm.fc 1970-01-01 10:00:00.000000000 +1000
@@ -1,21 +0,0 @@
-/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:apmd_initrc_exec_t,s0)
-
-/usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0)
-
-/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:apmd_unit_t,s0)
-
-/usr/sbin/acpid -- gen_context(system_u:object_r:apmd_exec_t,s0)
-/usr/sbin/apmd -- gen_context(system_u:object_r:apmd_exec_t,s0)
-/usr/sbin/powersaved -- gen_context(system_u:object_r:apmd_exec_t,s0)
-
-/var/lock/subsys/acpid -- gen_context(system_u:object_r:apmd_lock_t,s0)
-
-/var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0)
-
-/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
-/run/acpid\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
-/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
-/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
-/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
-
-/var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0)
diff -ruN pol-git/policy/modules/contrib/apm.if pol-acpi/policy/modules/contrib/apm.if
--- pol-git/policy/modules/contrib/apm.if 2017-04-23 23:54:08.800385160 +1000
+++ pol-acpi/policy/modules/contrib/apm.if 1970-01-01 10:00:00.000000000 +1000
@@ -1,187 +0,0 @@
-## Advanced power management.
-
-########################################
-##
-## Execute apm in the apm domain.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-#
-interface(`apm_domtrans_client',`
- gen_require(`
- type apm_t, apm_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, apm_exec_t, apm_t)
-')
-
-########################################
-##
-## Execute apm in the apm domain
-## and allow the specified role
-## the apm domain.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-##
-##
-## Role allowed access.
-##
-##
-#
-interface(`apm_run_client',`
- gen_require(`
- attribute_role apm_roles;
- ')
-
- apm_domtrans_client($1)
- roleattribute $2 apm_roles;
-')
-
-########################################
-##
-## Use apmd file descriptors.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`apm_use_fds',`
- gen_require(`
- type apmd_t;
- ')
-
- allow $1 apmd_t:fd use;
-')
-
-########################################
-##
-## Write apmd unnamed pipes.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`apm_write_pipes',`
- gen_require(`
- type apmd_t;
- ')
-
- allow $1 apmd_t:fifo_file write;
-')
-
-########################################
-##
-## Read and write to apmd unix
-## stream sockets.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`apm_rw_stream_sockets',`
- gen_require(`
- type apmd_t;
- ')
-
- allow $1 apmd_t:unix_stream_socket { read write };
-')
-
-########################################
-##
-## Append apmd log files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`apm_append_log',`
- gen_require(`
- type apmd_log_t;
- ')
-
- logging_search_logs($1)
- allow $1 apmd_log_t:file append_file_perms;
-')
-
-########################################
-##
-## Connect to apmd over an unix
-## stream socket.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`apm_stream_connect',`
- gen_require(`
- type apmd_t, apmd_var_run_t;
- ')
-
- files_search_pids($1)
- stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
-')
-
-########################################
-##
-## All of the rules required to
-## administrate an apm environment.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Role allowed access.
-##
-##
-##
-#
-interface(`apm_admin',`
- gen_require(`
- type apmd_t, apmd_initrc_exec_t, apmd_log_t;
- type apmd_lock_t, apmd_var_run_t, apmd_var_lib_t;
- type apmd_tmp_t;
- ')
-
- allow $1 apmd_t:process { ptrace signal_perms };
- ps_process_pattern($1, apmd_t)
-
- init_startstop_service($1, $2, apmd_t, apmd_initrc_exec_t)
-
- logging_search_logs($1)
- admin_pattern($1, apmd_log_t)
-
- files_search_locks($1)
- admin_pattern($1, apmd_lock_t)
-
- files_search_pids($1)
- admin_pattern($1, apmd_var_run_t)
-
- files_search_var_lib($1)
- admin_pattern($1, apmd_var_lib_t)
-
- files_search_tmp($1)
- admin_pattern($1, apmd_tmp_t)
-
- apm_run_client($1, $2)
-')
diff -ruN pol-git/policy/modules/contrib/apm.te pol-acpi/policy/modules/contrib/apm.te
--- pol-git/policy/modules/contrib/apm.te 2017-04-23 23:54:08.804385249 +1000
+++ pol-acpi/policy/modules/contrib/apm.te 1970-01-01 10:00:00.000000000 +1000
@@ -1,236 +0,0 @@
-policy_module(apm, 1.16.1)
-
-########################################
-#
-# Declarations
-#
-
-attribute_role apm_roles;
-roleattribute system_r apm_roles;
-
-type apmd_t;
-type apmd_exec_t;
-init_daemon_domain(apmd_t, apmd_exec_t)
-
-type apmd_initrc_exec_t;
-init_script_file(apmd_initrc_exec_t)
-
-type apm_t;
-type apm_exec_t;
-application_domain(apm_t, apm_exec_t)
-role apm_roles types apm_t;
-
-type apmd_lock_t;
-files_lock_file(apmd_lock_t)
-
-type apmd_log_t;
-logging_log_file(apmd_log_t)
-
-type apmd_tmp_t;
-files_tmp_file(apmd_tmp_t)
-
-type apmd_unit_t;
-init_unit_file(apmd_unit_t)
-
-type apmd_var_lib_t;
-files_type(apmd_var_lib_t)
-
-type apmd_var_run_t;
-files_pid_file(apmd_var_run_t)
-
-########################################
-#
-# Client local policy
-#
-
-allow apm_t self:capability { dac_override sys_admin };
-
-kernel_read_system_state(apm_t)
-
-dev_rw_apm_bios(apm_t)
-
-fs_getattr_xattr_fs(apm_t)
-
-term_use_all_terms(apm_t)
-
-domain_use_interactive_fds(apm_t)
-
-logging_send_syslog_msg(apm_t)
-
-########################################
-#
-# Server local policy
-#
-
-allow apmd_t self:capability { kill mknod sys_admin sys_nice sys_time };
-dontaudit apmd_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config };
-allow apmd_t self:process { signal_perms getsession };
-allow apmd_t self:fifo_file rw_fifo_file_perms;
-allow apmd_t self:netlink_socket create_socket_perms;
-allow apmd_t self:netlink_generic_socket create_socket_perms;
-allow apmd_t self:unix_stream_socket { accept listen };
-
-allow apmd_t apmd_lock_t:file manage_file_perms;
-files_lock_filetrans(apmd_t, apmd_lock_t, file)
-
-allow apmd_t apmd_log_t:file manage_file_perms;
-logging_log_filetrans(apmd_t, apmd_log_t, file)
-
-manage_dirs_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
-manage_files_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
-files_tmp_filetrans(apmd_t, apmd_tmp_t, { file dir })
-
-manage_dirs_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
-manage_files_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
-files_var_lib_filetrans(apmd_t, apmd_var_lib_t, dir)
-
-manage_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t)
-manage_sock_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t)
-files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file })
-
-can_exec(apmd_t, apmd_var_run_t)
-
-kernel_read_kernel_sysctls(apmd_t)
-kernel_rw_all_sysctls(apmd_t)
-kernel_read_system_state(apmd_t)
-kernel_write_proc_files(apmd_t)
-kernel_request_load_module(apmd_t)
-
-dev_read_input(apmd_t)
-dev_read_mouse(apmd_t)
-dev_read_realtime_clock(apmd_t)
-dev_read_urand(apmd_t)
-dev_rw_apm_bios(apmd_t)
-dev_rw_sysfs(apmd_t)
-dev_dontaudit_getattr_all_chr_files(apmd_t)
-dev_dontaudit_getattr_all_blk_files(apmd_t)
-
-files_exec_etc_files(apmd_t)
-files_read_etc_runtime_files(apmd_t)
-files_dontaudit_getattr_all_files(apmd_t)
-files_dontaudit_getattr_all_symlinks(apmd_t)
-files_dontaudit_getattr_all_pipes(apmd_t)
-files_dontaudit_getattr_all_sockets(apmd_t)
-
-fs_dontaudit_list_tmpfs(apmd_t)
-fs_getattr_all_fs(apmd_t)
-fs_search_auto_mountpoints(apmd_t)
-fs_dontaudit_getattr_all_files(apmd_t)
-fs_dontaudit_getattr_all_symlinks(apmd_t)
-fs_dontaudit_getattr_all_pipes(apmd_t)
-fs_dontaudit_getattr_all_sockets(apmd_t)
-
-selinux_search_fs(apmd_t)
-
-corecmd_exec_all_executables(apmd_t)
-
-domain_read_all_domains_state(apmd_t)
-domain_dontaudit_ptrace_all_domains(apmd_t)
-domain_use_interactive_fds(apmd_t)
-domain_dontaudit_getattr_all_sockets(apmd_t)
-domain_dontaudit_getattr_all_key_sockets(apmd_t)
-domain_dontaudit_list_all_domains_state(apmd_t)
-
-auth_use_nsswitch(apmd_t)
-
-init_domtrans_script(apmd_t)
-
-libs_exec_ld_so(apmd_t)
-libs_exec_lib_files(apmd_t)
-
-logging_send_audit_msgs(apmd_t)
-logging_send_syslog_msg(apmd_t)
-
-miscfiles_read_localization(apmd_t)
-miscfiles_read_hwdata(apmd_t)
-
-modutils_domtrans(apmd_t)
-modutils_read_module_config(apmd_t)
-
-seutil_dontaudit_read_config(apmd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(apmd_t)
-userdom_dontaudit_search_user_home_dirs(apmd_t)
-userdom_dontaudit_search_user_home_content(apmd_t)
-
-optional_policy(`
- automount_domtrans(apmd_t)
-')
-
-optional_policy(`
- clock_domtrans(apmd_t)
- clock_rw_adjtime(apmd_t)
-')
-
-optional_policy(`
- cron_system_entry(apmd_t, apmd_exec_t)
- cron_anacron_domtrans_system_job(apmd_t)
-')
-
-optional_policy(`
- devicekit_manage_pid_files(apmd_t)
- devicekit_manage_log_files(apmd_t)
- devicekit_relabel_log_files(apmd_t)
-')
-
-optional_policy(`
- dbus_system_bus_client(apmd_t)
-
- optional_policy(`
- consolekit_dbus_chat(apmd_t)
- ')
-
- optional_policy(`
- networkmanager_dbus_chat(apmd_t)
- ')
-')
-
-optional_policy(`
- fstools_domtrans(apmd_t)
-')
-
-optional_policy(`
- iptables_domtrans(apmd_t)
-')
-
-optional_policy(`
- logrotate_use_fds(apmd_t)
-')
-
-optional_policy(`
- mta_send_mail(apmd_t)
-')
-
-optional_policy(`
- netutils_domtrans(apmd_t)
-')
-
-optional_policy(`
- pcmcia_domtrans_cardmgr(apmd_t)
- pcmcia_domtrans_cardctl(apmd_t)
-')
-
-optional_policy(`
- seutil_sigchld_newrole(apmd_t)
-')
-
-optional_policy(`
- shutdown_domtrans(apmd_t)
-')
-
-optional_policy(`
- sysnet_domtrans_ifconfig(apmd_t)
-')
-
-optional_policy(`
- udev_read_db(apmd_t)
- udev_read_state(apmd_t)
-')
-
-optional_policy(`
- vbetool_domtrans(apmd_t)
-')
-
-optional_policy(`
- xserver_domtrans(apmd_t)
-')
diff -ruN pol-git/policy/modules/contrib/cups.te pol-acpi/policy/modules/contrib/cups.te
--- pol-git/policy/modules/contrib/cups.te 2017-02-16 12:08:22.302620139 +1100
+++ pol-acpi/policy/modules/contrib/cups.te 2017-04-23 23:51:17.096763006 +1000
@@ -273,7 +273,7 @@
userdom_dontaudit_search_user_home_content(cupsd_t)
optional_policy(`
- apm_domtrans_client(cupsd_t)
+ acpi_domtrans_client(cupsd_t)
')
optional_policy(`
diff -ruN pol-git/policy/modules/contrib/hal.te pol-acpi/policy/modules/contrib/hal.te
--- pol-git/policy/modules/contrib/hal.te 2017-03-06 09:55:21.244914902 +1100
+++ pol-acpi/policy/modules/contrib/hal.te 2017-04-23 23:51:17.104763164 +1000
@@ -221,7 +221,7 @@
')
optional_policy(`
- apm_stream_connect(hald_t)
+ acpi_stream_connect(hald_t)
')
optional_policy(`
diff -ruN pol-git/policy/modules/kernel/devices.fc pol-acpi/policy/modules/kernel/devices.fc
--- pol-git/policy/modules/kernel/devices.fc 2017-03-02 00:59:33.765978143 +1100
+++ pol-acpi/policy/modules/kernel/devices.fc 2017-04-23 23:52:16.749970457 +1000
@@ -11,7 +11,7 @@
/dev/aload.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/amidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/amixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
-/dev/apm_bios -c gen_context(system_u:object_r:apm_bios_t,s0)
+/dev/apm_bios -c gen_context(system_u:object_r:acpi_bios_t,s0)
/dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
@@ -103,7 +103,7 @@
/dev/smpte.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/smu -c gen_context(system_u:object_r:power_device_t,s0)
/dev/srnd[0-7] -c gen_context(system_u:object_r:sound_device_t,s0)
-/dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0)
+/dev/snapshot -c gen_context(system_u:object_r:acpi_bios_t,s0)
/dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
diff -ruN pol-git/policy/modules/kernel/devices.if pol-acpi/policy/modules/kernel/devices.if
--- pol-git/policy/modules/kernel/devices.if 2017-04-19 14:39:40.910289394 +1000
+++ pol-acpi/policy/modules/kernel/devices.if 2017-04-23 23:51:17.140763875 +1000
@@ -1441,12 +1441,12 @@
##
##
#
-interface(`dev_getattr_apm_bios_dev',`
+interface(`dev_getattr_acpi_bios_dev',`
gen_require(`
- type device_t, apm_bios_t;
+ type device_t, acpi_bios_t;
')
- getattr_chr_files_pattern($1, device_t, apm_bios_t)
+ getattr_chr_files_pattern($1, device_t, acpi_bios_t)
')
########################################
@@ -1460,12 +1460,12 @@
##
##
#
-interface(`dev_dontaudit_getattr_apm_bios_dev',`
+interface(`dev_dontaudit_getattr_acpi_bios_dev',`
gen_require(`
- type apm_bios_t;
+ type acpi_bios_t;
')
- dontaudit $1 apm_bios_t:chr_file getattr;
+ dontaudit $1 acpi_bios_t:chr_file getattr;
')
########################################
@@ -1478,12 +1478,12 @@
##
##
#
-interface(`dev_setattr_apm_bios_dev',`
+interface(`dev_setattr_acpi_bios_dev',`
gen_require(`
- type device_t, apm_bios_t;
+ type device_t, acpi_bios_t;
')
- setattr_chr_files_pattern($1, device_t, apm_bios_t)
+ setattr_chr_files_pattern($1, device_t, acpi_bios_t)
')
########################################
@@ -1497,12 +1497,12 @@
##
##
#
-interface(`dev_dontaudit_setattr_apm_bios_dev',`
+interface(`dev_dontaudit_setattr_acpi_bios_dev',`
gen_require(`
- type apm_bios_t;
+ type acpi_bios_t;
')
- dontaudit $1 apm_bios_t:chr_file setattr;
+ dontaudit $1 acpi_bios_t:chr_file setattr;
')
########################################
@@ -1515,12 +1515,12 @@
##
##
#
-interface(`dev_rw_apm_bios',`
+interface(`dev_rw_acpi_bios',`
gen_require(`
- type device_t, apm_bios_t;
+ type device_t, acpi_bios_t;
')
- rw_chr_files_pattern($1, device_t, apm_bios_t)
+ rw_chr_files_pattern($1, device_t, acpi_bios_t)
')
########################################
diff -ruN pol-git/policy/modules/kernel/devices.te pol-acpi/policy/modules/kernel/devices.te
--- pol-git/policy/modules/kernel/devices.te 2017-04-19 14:39:40.910289394 +1000
+++ pol-acpi/policy/modules/kernel/devices.te 2017-04-23 23:55:23.926079992 +1000
@@ -35,8 +35,8 @@
#
# Type for /dev/apm_bios
#
-type apm_bios_t;
-dev_node(apm_bios_t)
+type acpi_bios_t;
+dev_node(acpi_bios_t)
#
# Type for /dev/autofs
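Review bot: `apm_bios_t` is renamed to `acpi_bios_t` here without a `typealias`, unlike the types in acpi.te, so any module outside this patch that still names `apm_bios_t` in a `gen_require` or a rule will no longer compile. Adding `typealias acpi_bios_t alias apm_bios_t;` after the `type acpi_bios_t;` line would match what the commit message describes. The comment above the declaration still mentions only `/dev/apm_bios`, while devices.fc also labels `/dev/snapshot` with this type; `# Type for /dev/apm_bios and /dev/snapshot` would be accurate.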
diff -ruN pol-git/policy/modules/roles/sysadm.te pol-acpi/policy/modules/roles/sysadm.te
--- pol-git/policy/modules/roles/sysadm.te 2017-04-07 16:27:45.962131278 +1000
+++ pol-acpi/policy/modules/roles/sysadm.te 2017-04-23 23:51:17.156764190 +1000
@@ -123,8 +123,8 @@
')
optional_policy(`
- apm_admin(sysadm_t, sysadm_r)
- apm_run_client(sysadm_t, sysadm_r)
+ acpi_admin(sysadm_t, sysadm_r)
+ acpi_run_client(sysadm_t, sysadm_r)
')
optional_policy(`
diff -ruN pol-git/policy/modules/services/xserver.te pol-acpi/policy/modules/services/xserver.te
--- pol-git/policy/modules/services/xserver.te 2017-04-21 15:11:02.266447363 +1000
+++ pol-acpi/policy/modules/services/xserver.te 2017-04-23 23:51:17.164764349 +1000
@@ -420,8 +420,8 @@
dev_setattr_framebuffer_dev(xdm_t)
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
-dev_rw_apm_bios(xdm_t)
-dev_setattr_apm_bios_dev(xdm_t)
+dev_rw_acpi_bios(xdm_t)
+dev_setattr_acpi_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
dev_getattr_xserver_misc_dev(xdm_t)
@@ -713,7 +713,7 @@
dev_rw_sysfs(xserver_t)
dev_rw_mouse(xserver_t)
dev_rw_mtrr(xserver_t)
-dev_rw_apm_bios(xserver_t)
+dev_rw_acpi_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -808,7 +808,7 @@
')
optional_policy(`
- apm_stream_connect(xserver_t)
+ acpi_stream_connect(xserver_t)
')
optional_policy(`
diff -ruN pol-git/policy/modules/system/authlogin.te pol-acpi/policy/modules/system/authlogin.te
--- pol-git/policy/modules/system/authlogin.te 2017-03-03 13:03:05.964980312 +1100
+++ pol-acpi/policy/modules/system/authlogin.te 2017-04-23 23:51:17.172764506 +1000
@@ -230,8 +230,8 @@
kernel_read_system_state(pam_console_t)
dev_read_sysfs(pam_console_t)
-dev_getattr_apm_bios_dev(pam_console_t)
-dev_setattr_apm_bios_dev(pam_console_t)
+dev_getattr_acpi_bios_dev(pam_console_t)
+dev_setattr_acpi_bios_dev(pam_console_t)
dev_getattr_dri_dev(pam_console_t)
dev_setattr_dri_dev(pam_console_t)
dev_getattr_input_dev(pam_console_t)
diff -ruN pol-git/policy/modules/system/clock.te pol-acpi/policy/modules/system/clock.te
--- pol-git/policy/modules/system/clock.te 2017-02-05 20:57:06.663565003 +1100
+++ pol-acpi/policy/modules/system/clock.te 2017-04-23 23:51:17.168764428 +1000
@@ -60,8 +60,8 @@
miscfiles_read_localization(hwclock_t)
optional_policy(`
- apm_append_log(hwclock_t)
- apm_rw_stream_sockets(hwclock_t)
+ acpi_append_log(hwclock_t)
+ acpi_rw_stream_sockets(hwclock_t)
')
optional_policy(`
diff -ruN pol-git/policy/modules/system/init.te pol-acpi/policy/modules/system/init.te
--- pol-git/policy/modules/system/init.te 2017-04-21 15:11:02.266447363 +1000
+++ pol-acpi/policy/modules/system/init.te 2017-04-23 23:51:17.188764822 +1000
@@ -990,7 +990,7 @@
')
optional_policy(`
- dev_rw_apm_bios(initrc_t)
+ dev_rw_acpi_bios(initrc_t)
')
optional_policy(`
diff -ruN pol-git/policy/modules/system/locallogin.te pol-acpi/policy/modules/system/locallogin.te
--- pol-git/policy/modules/system/locallogin.te 2017-04-07 16:27:45.966131379 +1000
+++ pol-acpi/policy/modules/system/locallogin.te 2017-04-23 23:51:17.176764585 +1000
@@ -71,8 +71,8 @@
dev_setattr_power_mgmt_dev(local_login_t)
dev_getattr_sound_dev(local_login_t)
dev_setattr_sound_dev(local_login_t)
-dev_dontaudit_getattr_apm_bios_dev(local_login_t)
-dev_dontaudit_setattr_apm_bios_dev(local_login_t)
+dev_dontaudit_getattr_acpi_bios_dev(local_login_t)
+dev_dontaudit_setattr_acpi_bios_dev(local_login_t)
dev_dontaudit_read_framebuffer(local_login_t)
dev_dontaudit_setattr_framebuffer_dev(local_login_t)
dev_dontaudit_getattr_generic_blk_files(local_login_t)
diff -ruN pol-git/policy/modules/system/modutils.te pol-acpi/policy/modules/system/modutils.te
--- pol-git/policy/modules/system/modutils.te 2017-04-21 15:11:02.266447363 +1000
+++ pol-acpi/policy/modules/system/modutils.te 2017-04-23 23:51:17.192764901 +1000
@@ -79,7 +79,7 @@
dev_rw_agp(kmod_t)
dev_read_sound(kmod_t)
dev_write_sound(kmod_t)
-dev_rw_apm_bios(kmod_t)
+dev_rw_acpi_bios(kmod_t)
domain_signal_all_domains(kmod_t)
domain_use_interactive_fds(kmod_t)
diff -ruN pol-git/policy/modules/system/mount.te pol-acpi/policy/modules/system/mount.te
--- pol-git/policy/modules/system/mount.te 2017-04-19 14:39:40.914289502 +1000
+++ pol-acpi/policy/modules/system/mount.te 2017-04-23 23:51:17.180764664 +1000
@@ -194,7 +194,7 @@
')
optional_policy(`
- apm_use_fds(mount_t)
+ acpi_use_fds(mount_t)
')
optional_policy(`
diff -ruN pol-git/policy/modules/system/userdomain.if pol-acpi/policy/modules/system/userdomain.if
--- pol-git/policy/modules/system/userdomain.if 2017-04-21 15:11:02.270447468 +1000
+++ pol-acpi/policy/modules/system/userdomain.if 2017-04-23 23:51:17.212765296 +1000
@@ -643,7 +643,7 @@
optional_policy(`
# Allow graphical boot to check battery lifespan
- apm_stream_connect($1_t)
+ acpi_stream_connect($1_t)
')
optional_policy(`