2017-04-23 14:16:50

by Russell Coker

Subject: [refpolicy] [PATCH] s/apm/acpi/g

This patch is slightly more involved than just running sed. It also adds
typealias rules and doesn't change the FC entries.

The /dev/apm_bios device doesn't exist on modern systems. I have left that
policy in for now, on the principle of making one change per patch, but I
may send a follow-up patch to remove it since it will not exist with modern
kernels.

diff -ruN pol-git/policy/modules/admin/consoletype.te pol-acpi/policy/modules/admin/consoletype.te
--- pol-git/policy/modules/admin/consoletype.te 2017-02-05 20:57:06.655564785 +1100
+++ pol-acpi/policy/modules/admin/consoletype.te 2017-04-23 23:51:17.088762849 +1000
@@ -61,8 +61,8 @@
')

optional_policy(`
- apm_use_fds(consoletype_t)
- apm_write_pipes(consoletype_t)
+ acpi_use_fds(consoletype_t)
+ acpi_write_pipes(consoletype_t)
')

optional_policy(`
diff -ruN pol-git/policy/modules/contrib/acpi.fc pol-acpi/policy/modules/contrib/acpi.fc
--- pol-git/policy/modules/contrib/acpi.fc 1970-01-01 10:00:00.000000000 +1000
+++ pol-acpi/policy/modules/contrib/acpi.fc 2017-04-23 23:53:32.979594186 +1000
@@ -0,0 +1,21 @@
+/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:acpid_initrc_exec_t,s0)
+
+/usr/bin/apm -- gen_context(system_u:object_r:acpi_exec_t,s0)
+
+/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:acpid_unit_t,s0)
+
+/usr/sbin/acpid -- gen_context(system_u:object_r:acpid_exec_t,s0)
+/usr/sbin/apmd -- gen_context(system_u:object_r:acpid_exec_t,s0)
+/usr/sbin/powersaved -- gen_context(system_u:object_r:acpid_exec_t,s0)
+
+/var/lock/subsys/acpid -- gen_context(system_u:object_r:acpid_lock_t,s0)
+
+/var/log/acpid.* -- gen_context(system_u:object_r:acpid_log_t,s0)
+
+/run/\.?acpid\.socket -s gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/acpid\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/apmd\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/powersaved\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/powersave_socket -s gen_context(system_u:object_r:acpid_var_run_t,s0)
+
+/var/lib/acpi(/.*)? gen_context(system_u:object_r:acpid_var_lib_t,s0)
diff -ruN pol-git/policy/modules/contrib/acpi.if pol-acpi/policy/modules/contrib/acpi.if
--- pol-git/policy/modules/contrib/acpi.if 1970-01-01 10:00:00.000000000 +1000
+++ pol-acpi/policy/modules/contrib/acpi.if 2017-04-23 23:53:32.983594274 +1000
@@ -0,0 +1,187 @@
+## <summary>Advanced power management.</summary>
+
+########################################
+## <summary>
+## Execute apm in the apm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`acpi_domtrans_client',`
+ gen_require(`
+ type acpi_t, acpi_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, acpi_exec_t, acpi_t)
+')
+
+########################################
+## <summary>
+## Execute apm in the apm domain
+## and allow the specified role
+## the apm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`acpi_run_client',`
+ gen_require(`
+ attribute_role acpi_roles;
+ ')
+
+ acpi_domtrans_client($1)
+ roleattribute $2 acpi_roles;
+')
+
+########################################
+## <summary>
+## Use apmd file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`acpi_use_fds',`
+ gen_require(`
+ type acpid_t;
+ ')
+
+ allow $1 acpid_t:fd use;
+')
+
+########################################
+## <summary>
+## Write apmd unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`acpi_write_pipes',`
+ gen_require(`
+ type acpid_t;
+ ')
+
+ allow $1 acpid_t:fifo_file write;
+')
+
+########################################
+## <summary>
+## Read and write to apmd unix
+## stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`acpi_rw_stream_sockets',`
+ gen_require(`
+ type acpid_t;
+ ')
+
+ allow $1 acpid_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Append apmd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`acpi_append_log',`
+ gen_require(`
+ type acpid_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 acpid_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to apmd over an unix
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`acpi_stream_connect',`
+ gen_require(`
+ type acpid_t, acpid_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, acpid_var_run_t, acpid_var_run_t, acpid_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an apm environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`acpi_admin',`
+ gen_require(`
+ type acpid_t, acpid_initrc_exec_t, acpid_log_t;
+ type acpid_lock_t, acpid_var_run_t, acpid_var_lib_t;
+ type acpid_tmp_t;
+ ')
+
+ allow $1 acpid_t:process { ptrace signal_perms };
+ ps_process_pattern($1, acpid_t)
+
+ init_startstop_service($1, $2, acpid_t, acpid_initrc_exec_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, acpid_log_t)
+
+ files_search_locks($1)
+ admin_pattern($1, acpid_lock_t)
+
+ files_search_pids($1)
+ admin_pattern($1, acpid_var_run_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, acpid_var_lib_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, acpid_tmp_t)
+
+ acpi_run_client($1, $2)
+')
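Review bot: The XML documentation in the new acpi.if still describes every renamed interface in apm terms, so the generated interface docs will be misleading: the file summary on the first added line reads `## <summary>Advanced power management.</summary>`, and the per-interface summaries say "Execute apm in the apm domain", "Use apmd file descriptors", "Write apmd unnamed pipes", "Append apmd log files", "Connect to apmd over an unix stream socket" and "administrate an apm environment", while the interfaces are now acpi_* and operate on acpi_t/acpid_t. Suggest `## <summary>ACPI power management daemon (acpid) and client.</summary>` for the file, and in each interface summary replace "apmd" with "acpid" and "apm" with "acpi" (e.g. `## Use acpid file descriptors.`, `## Connect to acpid over a unix stream socket.`). For acpi_domtrans_client and acpi_run_client, note that the client binary is still /usr/bin/apm per acpi.fc, so `## Execute the power management client (apm) in the acpi_t domain.` is the accurate wording.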
diff -ruN pol-git/policy/modules/contrib/acpi.te pol-acpi/policy/modules/contrib/acpi.te
--- pol-git/policy/modules/contrib/acpi.te 1970-01-01 10:00:00.000000000 +1000
+++ pol-acpi/policy/modules/contrib/acpi.te 2017-04-24 00:10:28.602801632 +1000
@@ -0,0 +1,247 @@
+policy_module(acpi, 1.16.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role acpi_roles;
+roleattribute system_r acpi_roles;
+
+type acpid_t;
+type acpid_exec_t;
+typealias acpid_t alias apmd_t;
+typealias acpid_exec_t alias apmd_exec_t;
+init_daemon_domain(acpid_t, acpid_exec_t)
+
+type acpid_initrc_exec_t;
+typealias acpid_initrc_exec_t alias apmd_initrc_exec_t;
+init_script_file(acpid_initrc_exec_t)
+
+type acpi_t;
+type acpi_exec_t;
+typealias acpi_t alias apm_t;
+typealias acpi_exec_t alias apm_exec_t;
+application_domain(acpi_t, acpi_exec_t)
+role acpi_roles types acpi_t;
+
+type acpid_lock_t;
+typealias acpid_lock_t alias apmd_lock_t;
+files_lock_file(acpid_lock_t)
+
+type acpid_log_t;
+typealias acpid_log_t alias apmd_log_t;
+logging_log_file(acpid_log_t)
+
+type acpid_tmp_t;
+typealias acpid_tmp_t alias apmd_tmp_t;
+files_tmp_file(acpid_tmp_t)
+
+type acpid_unit_t;
+typealias acpid_unit_t alias apmd_unit_t;
+init_unit_file(acpid_unit_t)
+
+type acpid_var_lib_t;
+typealias acpid_var_lib_t alias apmd_var_lib_t;
+files_type(acpid_var_lib_t)
+
+type acpid_var_run_t;
+typealias acpid_var_run_t alias apmd_var_run_t;
+files_pid_file(acpid_var_run_t)
+
+########################################
+#
+# Client local policy
+#
+
+allow acpi_t self:capability { dac_override sys_admin };
+
+kernel_read_system_state(acpi_t)
+
+dev_rw_acpi_bios(acpi_t)
+
+fs_getattr_xattr_fs(acpi_t)
+
+term_use_all_terms(acpi_t)
+
+domain_use_interactive_fds(acpi_t)
+
+logging_send_syslog_msg(acpi_t)
+
+########################################
+#
+# Server local policy
+#
+
+allow acpid_t self:capability { kill mknod sys_admin sys_nice sys_time };
+dontaudit acpid_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config };
+allow acpid_t self:process { signal_perms getsession };
+allow acpid_t self:fifo_file rw_fifo_file_perms;
+allow acpid_t self:netlink_socket create_socket_perms;
+allow acpid_t self:netlink_generic_socket create_socket_perms;
+allow acpid_t self:unix_stream_socket { accept listen };
+
+allow acpid_t acpid_lock_t:file manage_file_perms;
+files_lock_filetrans(acpid_t, acpid_lock_t, file)
+
+allow acpid_t acpid_log_t:file manage_file_perms;
+logging_log_filetrans(acpid_t, acpid_log_t, file)
+
+manage_dirs_pattern(acpid_t, acpid_tmp_t, acpid_tmp_t)
+manage_files_pattern(acpid_t, acpid_tmp_t, acpid_tmp_t)
+files_tmp_filetrans(acpid_t, acpid_tmp_t, { file dir })
+
+manage_dirs_pattern(acpid_t, acpid_var_lib_t, acpid_var_lib_t)
+manage_files_pattern(acpid_t, acpid_var_lib_t, acpid_var_lib_t)
+files_var_lib_filetrans(acpid_t, acpid_var_lib_t, dir)
+
+manage_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t)
+manage_sock_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t)
+files_pid_filetrans(acpid_t, acpid_var_run_t, { file sock_file })
+
+can_exec(acpid_t, acpid_var_run_t)
+
+kernel_read_kernel_sysctls(acpid_t)
+kernel_rw_all_sysctls(acpid_t)
+kernel_read_system_state(acpid_t)
+kernel_write_proc_files(acpid_t)
+kernel_request_load_module(acpid_t)
+
+dev_read_input(acpid_t)
+dev_read_mouse(acpid_t)
+dev_read_realtime_clock(acpid_t)
+dev_read_urand(acpid_t)
+dev_rw_acpi_bios(acpid_t)
+dev_rw_sysfs(acpid_t)
+dev_dontaudit_getattr_all_chr_files(acpid_t)
+dev_dontaudit_getattr_all_blk_files(acpid_t)
+
+files_exec_etc_files(acpid_t)
+files_read_etc_runtime_files(acpid_t)
+files_dontaudit_getattr_all_files(acpid_t)
+files_dontaudit_getattr_all_symlinks(acpid_t)
+files_dontaudit_getattr_all_pipes(acpid_t)
+files_dontaudit_getattr_all_sockets(acpid_t)
+
+fs_dontaudit_list_tmpfs(acpid_t)
+fs_getattr_all_fs(acpid_t)
+fs_search_auto_mountpoints(acpid_t)
+fs_dontaudit_getattr_all_files(acpid_t)
+fs_dontaudit_getattr_all_symlinks(acpid_t)
+fs_dontaudit_getattr_all_pipes(acpid_t)
+fs_dontaudit_getattr_all_sockets(acpid_t)
+
+selinux_search_fs(acpid_t)
+
+corecmd_exec_all_executables(acpid_t)
+
+domain_read_all_domains_state(acpid_t)
+domain_dontaudit_ptrace_all_domains(acpid_t)
+domain_use_interactive_fds(acpid_t)
+domain_dontaudit_getattr_all_sockets(acpid_t)
+domain_dontaudit_getattr_all_key_sockets(acpid_t)
+domain_dontaudit_list_all_domains_state(acpid_t)
+
+auth_use_nsswitch(acpid_t)
+
+init_domtrans_script(acpid_t)
+
+libs_exec_ld_so(acpid_t)
+libs_exec_lib_files(acpid_t)
+
+logging_send_audit_msgs(acpid_t)
+logging_send_syslog_msg(acpid_t)
+
+miscfiles_read_localization(acpid_t)
+miscfiles_read_hwdata(acpid_t)
+
+modutils_domtrans(acpid_t)
+modutils_read_module_config(acpid_t)
+
+seutil_dontaudit_read_config(acpid_t)
+
+userdom_dontaudit_use_unpriv_user_fds(acpid_t)
+userdom_dontaudit_search_user_home_dirs(acpid_t)
+userdom_dontaudit_search_user_home_content(acpid_t)
+
+optional_policy(`
+ automount_domtrans(acpid_t)
+')
+
+optional_policy(`
+ clock_domtrans(acpid_t)
+ clock_rw_adjtime(acpid_t)
+')
+
+optional_policy(`
+ cron_system_entry(acpid_t, acpid_exec_t)
+ cron_anacron_domtrans_system_job(acpid_t)
+')
+
+optional_policy(`
+ devicekit_manage_pid_files(acpid_t)
+ devicekit_manage_log_files(acpid_t)
+ devicekit_relabel_log_files(acpid_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(acpid_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(acpid_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(acpid_t)
+ ')
+')
+
+optional_policy(`
+ fstools_domtrans(acpid_t)
+')
+
+optional_policy(`
+ iptables_domtrans(acpid_t)
+')
+
+optional_policy(`
+ logrotate_use_fds(acpid_t)
+')
+
+optional_policy(`
+ mta_send_mail(acpid_t)
+')
+
+optional_policy(`
+ netutils_domtrans(acpid_t)
+')
+
+optional_policy(`
+ pcmcia_domtrans_cardmgr(acpid_t)
+ pcmcia_domtrans_cardctl(acpid_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(acpid_t)
+')
+
+optional_policy(`
+ shutdown_domtrans(acpid_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(acpid_t)
+')
+
+optional_policy(`
+ udev_read_db(acpid_t)
+ udev_read_state(acpid_t)
+')
+
+optional_policy(`
+ vbetool_domtrans(acpid_t)
+')
+
+optional_policy(`
+ xserver_domtrans(acpid_t)
+')
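Review bot: `policy_module(acpi, 1.16.1)` carries the apm module's version over unchanged although the module is renamed and gains typealias rules; refpolicy normally expects a version bump with each module change (presumably 1.17.0 here, unless the maintainer bumps on merge). Since the typealias lines are the only compatibility mechanism for this rename, a short comment on the first of them would tell the next maintainer when they can go, e.g. `# apm* aliases keep policies built against the old apm module loading; drop in a later release`. Separately, and out of scope for a rename, `can_exec(acpid_t, acpid_var_run_t)` together with `manage_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t)` lets the daemon execute files it can itself write under /run, which is worth revisiting in the follow-up cleanup patch the description already promises.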
diff -ruN pol-git/policy/modules/contrib/apm.fc pol-acpi/policy/modules/contrib/apm.fc
--- pol-git/policy/modules/contrib/apm.fc 2017-04-23 23:54:08.792384981 +1000
+++ pol-acpi/policy/modules/contrib/apm.fc 1970-01-01 10:00:00.000000000 +1000
@@ -1,21 +0,0 @@
-/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:apmd_initrc_exec_t,s0)
-
-/usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0)
-
-/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:apmd_unit_t,s0)
-
-/usr/sbin/acpid -- gen_context(system_u:object_r:apmd_exec_t,s0)
-/usr/sbin/apmd -- gen_context(system_u:object_r:apmd_exec_t,s0)
-/usr/sbin/powersaved -- gen_context(system_u:object_r:apmd_exec_t,s0)
-
-/var/lock/subsys/acpid -- gen_context(system_u:object_r:apmd_lock_t,s0)
-
-/var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0)
-
-/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
-/run/acpid\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
-/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
-/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
-/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
-
-/var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0)
diff -ruN pol-git/policy/modules/contrib/apm.if pol-acpi/policy/modules/contrib/apm.if
--- pol-git/policy/modules/contrib/apm.if 2017-04-23 23:54:08.800385160 +1000
+++ pol-acpi/policy/modules/contrib/apm.if 1970-01-01 10:00:00.000000000 +1000
@@ -1,187 +0,0 @@
-## <summary>Advanced power management.</summary>
-
-########################################
-## <summary>
-## Execute apm in the apm domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`apm_domtrans_client',`
- gen_require(`
- type apm_t, apm_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, apm_exec_t, apm_t)
-')
-
-########################################
-## <summary>
-## Execute apm in the apm domain
-## and allow the specified role
-## the apm domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-#
-interface(`apm_run_client',`
- gen_require(`
- attribute_role apm_roles;
- ')
-
- apm_domtrans_client($1)
- roleattribute $2 apm_roles;
-')
-
-########################################
-## <summary>
-## Use apmd file descriptors.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apm_use_fds',`
- gen_require(`
- type apmd_t;
- ')
-
- allow $1 apmd_t:fd use;
-')
-
-########################################
-## <summary>
-## Write apmd unnamed pipes.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apm_write_pipes',`
- gen_require(`
- type apmd_t;
- ')
-
- allow $1 apmd_t:fifo_file write;
-')
-
-########################################
-## <summary>
-## Read and write to apmd unix
-## stream sockets.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apm_rw_stream_sockets',`
- gen_require(`
- type apmd_t;
- ')
-
- allow $1 apmd_t:unix_stream_socket { read write };
-')
-
-########################################
-## <summary>
-## Append apmd log files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apm_append_log',`
- gen_require(`
- type apmd_log_t;
- ')
-
- logging_search_logs($1)
- allow $1 apmd_log_t:file append_file_perms;
-')
-
-########################################
-## <summary>
-## Connect to apmd over an unix
-## stream socket.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apm_stream_connect',`
- gen_require(`
- type apmd_t, apmd_var_run_t;
- ')
-
- files_search_pids($1)
- stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
-')
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an apm environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`apm_admin',`
- gen_require(`
- type apmd_t, apmd_initrc_exec_t, apmd_log_t;
- type apmd_lock_t, apmd_var_run_t, apmd_var_lib_t;
- type apmd_tmp_t;
- ')
-
- allow $1 apmd_t:process { ptrace signal_perms };
- ps_process_pattern($1, apmd_t)
-
- init_startstop_service($1, $2, apmd_t, apmd_initrc_exec_t)
-
- logging_search_logs($1)
- admin_pattern($1, apmd_log_t)
-
- files_search_locks($1)
- admin_pattern($1, apmd_lock_t)
-
- files_search_pids($1)
- admin_pattern($1, apmd_var_run_t)
-
- files_search_var_lib($1)
- admin_pattern($1, apmd_var_lib_t)
-
- files_search_tmp($1)
- admin_pattern($1, apmd_tmp_t)
-
- apm_run_client($1, $2)
-')
diff -ruN pol-git/policy/modules/contrib/apm.te pol-acpi/policy/modules/contrib/apm.te
--- pol-git/policy/modules/contrib/apm.te 2017-04-23 23:54:08.804385249 +1000
+++ pol-acpi/policy/modules/contrib/apm.te 1970-01-01 10:00:00.000000000 +1000
@@ -1,236 +0,0 @@
-policy_module(apm, 1.16.1)
-
-########################################
-#
-# Declarations
-#
-
-attribute_role apm_roles;
-roleattribute system_r apm_roles;
-
-type apmd_t;
-type apmd_exec_t;
-init_daemon_domain(apmd_t, apmd_exec_t)
-
-type apmd_initrc_exec_t;
-init_script_file(apmd_initrc_exec_t)
-
-type apm_t;
-type apm_exec_t;
-application_domain(apm_t, apm_exec_t)
-role apm_roles types apm_t;
-
-type apmd_lock_t;
-files_lock_file(apmd_lock_t)
-
-type apmd_log_t;
-logging_log_file(apmd_log_t)
-
-type apmd_tmp_t;
-files_tmp_file(apmd_tmp_t)
-
-type apmd_unit_t;
-init_unit_file(apmd_unit_t)
-
-type apmd_var_lib_t;
-files_type(apmd_var_lib_t)
-
-type apmd_var_run_t;
-files_pid_file(apmd_var_run_t)
-
-########################################
-#
-# Client local policy
-#
-
-allow apm_t self:capability { dac_override sys_admin };
-
-kernel_read_system_state(apm_t)
-
-dev_rw_apm_bios(apm_t)
-
-fs_getattr_xattr_fs(apm_t)
-
-term_use_all_terms(apm_t)
-
-domain_use_interactive_fds(apm_t)
-
-logging_send_syslog_msg(apm_t)
-
-########################################
-#
-# Server local policy
-#
-
-allow apmd_t self:capability { kill mknod sys_admin sys_nice sys_time };
-dontaudit apmd_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config };
-allow apmd_t self:process { signal_perms getsession };
-allow apmd_t self:fifo_file rw_fifo_file_perms;
-allow apmd_t self:netlink_socket create_socket_perms;
-allow apmd_t self:netlink_generic_socket create_socket_perms;
-allow apmd_t self:unix_stream_socket { accept listen };
-
-allow apmd_t apmd_lock_t:file manage_file_perms;
-files_lock_filetrans(apmd_t, apmd_lock_t, file)
-
-allow apmd_t apmd_log_t:file manage_file_perms;
-logging_log_filetrans(apmd_t, apmd_log_t, file)
-
-manage_dirs_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
-manage_files_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
-files_tmp_filetrans(apmd_t, apmd_tmp_t, { file dir })
-
-manage_dirs_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
-manage_files_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
-files_var_lib_filetrans(apmd_t, apmd_var_lib_t, dir)
-
-manage_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t)
-manage_sock_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t)
-files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file })
-
-can_exec(apmd_t, apmd_var_run_t)
-
-kernel_read_kernel_sysctls(apmd_t)
-kernel_rw_all_sysctls(apmd_t)
-kernel_read_system_state(apmd_t)
-kernel_write_proc_files(apmd_t)
-kernel_request_load_module(apmd_t)
-
-dev_read_input(apmd_t)
-dev_read_mouse(apmd_t)
-dev_read_realtime_clock(apmd_t)
-dev_read_urand(apmd_t)
-dev_rw_apm_bios(apmd_t)
-dev_rw_sysfs(apmd_t)
-dev_dontaudit_getattr_all_chr_files(apmd_t)
-dev_dontaudit_getattr_all_blk_files(apmd_t)
-
-files_exec_etc_files(apmd_t)
-files_read_etc_runtime_files(apmd_t)
-files_dontaudit_getattr_all_files(apmd_t)
-files_dontaudit_getattr_all_symlinks(apmd_t)
-files_dontaudit_getattr_all_pipes(apmd_t)
-files_dontaudit_getattr_all_sockets(apmd_t)
-
-fs_dontaudit_list_tmpfs(apmd_t)
-fs_getattr_all_fs(apmd_t)
-fs_search_auto_mountpoints(apmd_t)
-fs_dontaudit_getattr_all_files(apmd_t)
-fs_dontaudit_getattr_all_symlinks(apmd_t)
-fs_dontaudit_getattr_all_pipes(apmd_t)
-fs_dontaudit_getattr_all_sockets(apmd_t)
-
-selinux_search_fs(apmd_t)
-
-corecmd_exec_all_executables(apmd_t)
-
-domain_read_all_domains_state(apmd_t)
-domain_dontaudit_ptrace_all_domains(apmd_t)
-domain_use_interactive_fds(apmd_t)
-domain_dontaudit_getattr_all_sockets(apmd_t)
-domain_dontaudit_getattr_all_key_sockets(apmd_t)
-domain_dontaudit_list_all_domains_state(apmd_t)
-
-auth_use_nsswitch(apmd_t)
-
-init_domtrans_script(apmd_t)
-
-libs_exec_ld_so(apmd_t)
-libs_exec_lib_files(apmd_t)
-
-logging_send_audit_msgs(apmd_t)
-logging_send_syslog_msg(apmd_t)
-
-miscfiles_read_localization(apmd_t)
-miscfiles_read_hwdata(apmd_t)
-
-modutils_domtrans(apmd_t)
-modutils_read_module_config(apmd_t)
-
-seutil_dontaudit_read_config(apmd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(apmd_t)
-userdom_dontaudit_search_user_home_dirs(apmd_t)
-userdom_dontaudit_search_user_home_content(apmd_t)
-
-optional_policy(`
- automount_domtrans(apmd_t)
-')
-
-optional_policy(`
- clock_domtrans(apmd_t)
- clock_rw_adjtime(apmd_t)
-')
-
-optional_policy(`
- cron_system_entry(apmd_t, apmd_exec_t)
- cron_anacron_domtrans_system_job(apmd_t)
-')
-
-optional_policy(`
- devicekit_manage_pid_files(apmd_t)
- devicekit_manage_log_files(apmd_t)
- devicekit_relabel_log_files(apmd_t)
-')
-
-optional_policy(`
- dbus_system_bus_client(apmd_t)
-
- optional_policy(`
- consolekit_dbus_chat(apmd_t)
- ')
-
- optional_policy(`
- networkmanager_dbus_chat(apmd_t)
- ')
-')
-
-optional_policy(`
- fstools_domtrans(apmd_t)
-')
-
-optional_policy(`
- iptables_domtrans(apmd_t)
-')
-
-optional_policy(`
- logrotate_use_fds(apmd_t)
-')
-
-optional_policy(`
- mta_send_mail(apmd_t)
-')
-
-optional_policy(`
- netutils_domtrans(apmd_t)
-')
-
-optional_policy(`
- pcmcia_domtrans_cardmgr(apmd_t)
- pcmcia_domtrans_cardctl(apmd_t)
-')
-
-optional_policy(`
- seutil_sigchld_newrole(apmd_t)
-')
-
-optional_policy(`
- shutdown_domtrans(apmd_t)
-')
-
-optional_policy(`
- sysnet_domtrans_ifconfig(apmd_t)
-')
-
-optional_policy(`
- udev_read_db(apmd_t)
- udev_read_state(apmd_t)
-')
-
-optional_policy(`
- vbetool_domtrans(apmd_t)
-')
-
-optional_policy(`
- xserver_domtrans(apmd_t)
-')
diff -ruN pol-git/policy/modules/contrib/cups.te pol-acpi/policy/modules/contrib/cups.te
--- pol-git/policy/modules/contrib/cups.te 2017-02-16 12:08:22.302620139 +1100
+++ pol-acpi/policy/modules/contrib/cups.te 2017-04-23 23:51:17.096763006 +1000
@@ -273,7 +273,7 @@
userdom_dontaudit_search_user_home_content(cupsd_t)

optional_policy(`
- apm_domtrans_client(cupsd_t)
+ acpi_domtrans_client(cupsd_t)
')

optional_policy(`
diff -ruN pol-git/policy/modules/contrib/hal.te pol-acpi/policy/modules/contrib/hal.te
--- pol-git/policy/modules/contrib/hal.te 2017-03-06 09:55:21.244914902 +1100
+++ pol-acpi/policy/modules/contrib/hal.te 2017-04-23 23:51:17.104763164 +1000
@@ -221,7 +221,7 @@
')

optional_policy(`
- apm_stream_connect(hald_t)
+ acpi_stream_connect(hald_t)
')

optional_policy(`
diff -ruN pol-git/policy/modules/kernel/devices.fc pol-acpi/policy/modules/kernel/devices.fc
--- pol-git/policy/modules/kernel/devices.fc 2017-03-02 00:59:33.765978143 +1100
+++ pol-acpi/policy/modules/kernel/devices.fc 2017-04-23 23:52:16.749970457 +1000
@@ -11,7 +11,7 @@
/dev/aload.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/amidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/amixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
-/dev/apm_bios -c gen_context(system_u:object_r:apm_bios_t,s0)
+/dev/apm_bios -c gen_context(system_u:object_r:acpi_bios_t,s0)
/dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
@@ -103,7 +103,7 @@
/dev/smpte.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/smu -c gen_context(system_u:object_r:power_device_t,s0)
/dev/srnd[0-7] -c gen_context(system_u:object_r:sound_device_t,s0)
-/dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0)
+/dev/snapshot -c gen_context(system_u:object_r:acpi_bios_t,s0)
/dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
diff -ruN pol-git/policy/modules/kernel/devices.if pol-acpi/policy/modules/kernel/devices.if
--- pol-git/policy/modules/kernel/devices.if 2017-04-19 14:39:40.910289394 +1000
+++ pol-acpi/policy/modules/kernel/devices.if 2017-04-23 23:51:17.140763875 +1000
@@ -1441,12 +1441,12 @@
## </summary>
## </param>
#
-interface(`dev_getattr_apm_bios_dev',`
+interface(`dev_getattr_acpi_bios_dev',`
gen_require(`
- type device_t, apm_bios_t;
+ type device_t, acpi_bios_t;
')

- getattr_chr_files_pattern($1, device_t, apm_bios_t)
+ getattr_chr_files_pattern($1, device_t, acpi_bios_t)
')

########################################
@@ -1460,12 +1460,12 @@
## </summary>
## </param>
#
-interface(`dev_dontaudit_getattr_apm_bios_dev',`
+interface(`dev_dontaudit_getattr_acpi_bios_dev',`
gen_require(`
- type apm_bios_t;
+ type acpi_bios_t;
')

- dontaudit $1 apm_bios_t:chr_file getattr;
+ dontaudit $1 acpi_bios_t:chr_file getattr;
')

########################################
@@ -1478,12 +1478,12 @@
## </summary>
## </param>
#
-interface(`dev_setattr_apm_bios_dev',`
+interface(`dev_setattr_acpi_bios_dev',`
gen_require(`
- type device_t, apm_bios_t;
+ type device_t, acpi_bios_t;
')

- setattr_chr_files_pattern($1, device_t, apm_bios_t)
+ setattr_chr_files_pattern($1, device_t, acpi_bios_t)
')

########################################
@@ -1497,12 +1497,12 @@
## </summary>
## </param>
#
-interface(`dev_dontaudit_setattr_apm_bios_dev',`
+interface(`dev_dontaudit_setattr_acpi_bios_dev',`
gen_require(`
- type apm_bios_t;
+ type acpi_bios_t;
')

- dontaudit $1 apm_bios_t:chr_file setattr;
+ dontaudit $1 acpi_bios_t:chr_file setattr;
')

########################################
@@ -1515,12 +1515,12 @@
## </summary>
## </param>
#
-interface(`dev_rw_apm_bios',`
+interface(`dev_rw_acpi_bios',`
gen_require(`
- type device_t, apm_bios_t;
+ type device_t, acpi_bios_t;
')

- rw_chr_files_pattern($1, device_t, apm_bios_t)
+ rw_chr_files_pattern($1, device_t, acpi_bios_t)
')

########################################
diff -ruN pol-git/policy/modules/kernel/devices.te pol-acpi/policy/modules/kernel/devices.te
--- pol-git/policy/modules/kernel/devices.te 2017-04-19 14:39:40.910289394 +1000
+++ pol-acpi/policy/modules/kernel/devices.te 2017-04-23 23:55:23.926079992 +1000
@@ -35,8 +35,8 @@
#
# Type for /dev/apm_bios
#
-type apm_bios_t;
-dev_node(apm_bios_t)
+type acpi_bios_t;
+dev_node(acpi_bios_t)

#
# Type for /dev/autofs
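Review bot: `type acpi_bios_t;` replaces apm_bios_t with no typealias, unlike the contrib module types in this patch, which all keep `typealias ... alias apm*` for compatibility; any out-of-tree policy that names apm_bios_t directly will stop building, and the description's claim that the patch "adds typealias rules" does not hold for this type. Suggest `typealias acpi_bios_t alias apm_bios_t;` directly after the declaration. The comment `# Type for /dev/apm_bios` above it is still accurate because the FC entries keep labeling /dev/apm_bios and /dev/snapshot with this type, but next to an acpi_ name it reads as a leftover; `# Type for /dev/apm_bios and /dev/snapshot (legacy apm device node)` would make the mapping explicit.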
diff -ruN pol-git/policy/modules/roles/sysadm.te pol-acpi/policy/modules/roles/sysadm.te
--- pol-git/policy/modules/roles/sysadm.te 2017-04-07 16:27:45.962131278 +1000
+++ pol-acpi/policy/modules/roles/sysadm.te 2017-04-23 23:51:17.156764190 +1000
@@ -123,8 +123,8 @@
')

optional_policy(`
- apm_admin(sysadm_t, sysadm_r)
- apm_run_client(sysadm_t, sysadm_r)
+ acpi_admin(sysadm_t, sysadm_r)
+ acpi_run_client(sysadm_t, sysadm_r)
')

optional_policy(`
diff -ruN pol-git/policy/modules/services/xserver.te pol-acpi/policy/modules/services/xserver.te
--- pol-git/policy/modules/services/xserver.te 2017-04-21 15:11:02.266447363 +1000
+++ pol-acpi/policy/modules/services/xserver.te 2017-04-23 23:51:17.164764349 +1000
@@ -420,8 +420,8 @@
dev_setattr_framebuffer_dev(xdm_t)
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
-dev_rw_apm_bios(xdm_t)
-dev_setattr_apm_bios_dev(xdm_t)
+dev_rw_acpi_bios(xdm_t)
+dev_setattr_acpi_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
dev_getattr_xserver_misc_dev(xdm_t)
@@ -713,7 +713,7 @@
dev_rw_sysfs(xserver_t)
dev_rw_mouse(xserver_t)
dev_rw_mtrr(xserver_t)
-dev_rw_apm_bios(xserver_t)
+dev_rw_acpi_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -808,7 +808,7 @@
')

optional_policy(`
- apm_stream_connect(xserver_t)
+ acpi_stream_connect(xserver_t)
')

optional_policy(`
diff -ruN pol-git/policy/modules/system/authlogin.te pol-acpi/policy/modules/system/authlogin.te
--- pol-git/policy/modules/system/authlogin.te 2017-03-03 13:03:05.964980312 +1100
+++ pol-acpi/policy/modules/system/authlogin.te 2017-04-23 23:51:17.172764506 +1000
@@ -230,8 +230,8 @@
kernel_read_system_state(pam_console_t)

dev_read_sysfs(pam_console_t)
-dev_getattr_apm_bios_dev(pam_console_t)
-dev_setattr_apm_bios_dev(pam_console_t)
+dev_getattr_acpi_bios_dev(pam_console_t)
+dev_setattr_acpi_bios_dev(pam_console_t)
dev_getattr_dri_dev(pam_console_t)
dev_setattr_dri_dev(pam_console_t)
dev_getattr_input_dev(pam_console_t)
diff -ruN pol-git/policy/modules/system/clock.te pol-acpi/policy/modules/system/clock.te
--- pol-git/policy/modules/system/clock.te 2017-02-05 20:57:06.663565003 +1100
+++ pol-acpi/policy/modules/system/clock.te 2017-04-23 23:51:17.168764428 +1000
@@ -60,8 +60,8 @@
miscfiles_read_localization(hwclock_t)

optional_policy(`
- apm_append_log(hwclock_t)
- apm_rw_stream_sockets(hwclock_t)
+ acpi_append_log(hwclock_t)
+ acpi_rw_stream_sockets(hwclock_t)
')

optional_policy(`
diff -ruN pol-git/policy/modules/system/init.te pol-acpi/policy/modules/system/init.te
--- pol-git/policy/modules/system/init.te 2017-04-21 15:11:02.266447363 +1000
+++ pol-acpi/policy/modules/system/init.te 2017-04-23 23:51:17.188764822 +1000
@@ -990,7 +990,7 @@
')

optional_policy(`
- dev_rw_apm_bios(initrc_t)
+ dev_rw_acpi_bios(initrc_t)
')

optional_policy(`
diff -ruN pol-git/policy/modules/system/locallogin.te pol-acpi/policy/modules/system/locallogin.te
--- pol-git/policy/modules/system/locallogin.te 2017-04-07 16:27:45.966131379 +1000
+++ pol-acpi/policy/modules/system/locallogin.te 2017-04-23 23:51:17.176764585 +1000
@@ -71,8 +71,8 @@
dev_setattr_power_mgmt_dev(local_login_t)
dev_getattr_sound_dev(local_login_t)
dev_setattr_sound_dev(local_login_t)
-dev_dontaudit_getattr_apm_bios_dev(local_login_t)
-dev_dontaudit_setattr_apm_bios_dev(local_login_t)
+dev_dontaudit_getattr_acpi_bios_dev(local_login_t)
+dev_dontaudit_setattr_acpi_bios_dev(local_login_t)
dev_dontaudit_read_framebuffer(local_login_t)
dev_dontaudit_setattr_framebuffer_dev(local_login_t)
dev_dontaudit_getattr_generic_blk_files(local_login_t)
diff -ruN pol-git/policy/modules/system/modutils.te pol-acpi/policy/modules/system/modutils.te
--- pol-git/policy/modules/system/modutils.te 2017-04-21 15:11:02.266447363 +1000
+++ pol-acpi/policy/modules/system/modutils.te 2017-04-23 23:51:17.192764901 +1000
@@ -79,7 +79,7 @@
dev_rw_agp(kmod_t)
dev_read_sound(kmod_t)
dev_write_sound(kmod_t)
-dev_rw_apm_bios(kmod_t)
+dev_rw_acpi_bios(kmod_t)

domain_signal_all_domains(kmod_t)
domain_use_interactive_fds(kmod_t)
diff -ruN pol-git/policy/modules/system/mount.te pol-acpi/policy/modules/system/mount.te
--- pol-git/policy/modules/system/mount.te 2017-04-19 14:39:40.914289502 +1000
+++ pol-acpi/policy/modules/system/mount.te 2017-04-23 23:51:17.180764664 +1000
@@ -194,7 +194,7 @@
')

optional_policy(`
- apm_use_fds(mount_t)
+ acpi_use_fds(mount_t)
')

optional_policy(`
diff -ruN pol-git/policy/modules/system/userdomain.if pol-acpi/policy/modules/system/userdomain.if
--- pol-git/policy/modules/system/userdomain.if 2017-04-21 15:11:02.270447468 +1000
+++ pol-acpi/policy/modules/system/userdomain.if 2017-04-23 23:51:17.212765296 +1000
@@ -643,7 +643,7 @@

optional_policy(`
# Allow graphical boot to check battery lifespan
- apm_stream_connect($1_t)
+ acpi_stream_connect($1_t)
')

optional_policy(`


2017-04-26 10:44:02

by Chris PeBenito

Subject: [refpolicy] [PATCH] s/apm/acpi/g

On 04/23/2017 10:16 AM, Russell Coker via refpolicy wrote:
> This patch is slightly more involved than just running sed. It also adds
> typealias rules and doesn't change the FC entries.
>
> The /dev/apm_bios device doesn't exist on modern systems. I have left that
> policy in for the moment on the principle of making one change per patch. But
> I might send another patch to remove that as it won't exist with modern
> kernels.

Merged, though there is a remaining issue of properly maintaining the
compatibility for apm_* interfaces. I haven't decided the right way to
do that since the entire apm module is gone. Perhaps they should just
be added to the bottom of the acpi.if with comments that they break the
naming rules to maintain compatibility.


> diff -ruN pol-git/policy/modules/admin/consoletype.te pol-acpi/policy/modules/admin/consoletype.te
> --- pol-git/policy/modules/admin/consoletype.te 2017-02-05 20:57:06.655564785 +1100
> +++ pol-acpi/policy/modules/admin/consoletype.te 2017-04-23 23:51:17.088762849 +1000
> @@ -61,8 +61,8 @@
> ')
>
> optional_policy(`
> - apm_use_fds(consoletype_t)
> - apm_write_pipes(consoletype_t)
> + acpi_use_fds(consoletype_t)
> + acpi_write_pipes(consoletype_t)
> ')
>
> optional_policy(`
> diff -ruN pol-git/policy/modules/contrib/acpi.fc pol-acpi/policy/modules/contrib/acpi.fc
> --- pol-git/policy/modules/contrib/acpi.fc 1970-01-01 10:00:00.000000000 +1000
> +++ pol-acpi/policy/modules/contrib/acpi.fc 2017-04-23 23:53:32.979594186 +1000
> @@ -0,0 +1,21 @@
> +/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:acpid_initrc_exec_t,s0)
> +
> +/usr/bin/apm -- gen_context(system_u:object_r:acpi_exec_t,s0)
> +
> +/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:acpid_unit_t,s0)
> +
> +/usr/sbin/acpid -- gen_context(system_u:object_r:acpid_exec_t,s0)
> +/usr/sbin/apmd -- gen_context(system_u:object_r:acpid_exec_t,s0)
> +/usr/sbin/powersaved -- gen_context(system_u:object_r:acpid_exec_t,s0)
> +
> +/var/lock/subsys/acpid -- gen_context(system_u:object_r:acpid_lock_t,s0)
> +
> +/var/log/acpid.* -- gen_context(system_u:object_r:acpid_log_t,s0)
> +
> +/run/\.?acpid\.socket -s gen_context(system_u:object_r:acpid_var_run_t,s0)
> +/run/acpid\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
> +/run/apmd\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
> +/run/powersaved\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
> +/run/powersave_socket -s gen_context(system_u:object_r:acpid_var_run_t,s0)
> +
> +/var/lib/acpi(/.*)? gen_context(system_u:object_r:acpid_var_lib_t,s0)
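Review bot: There is no file-context entry for the acpid unit file: `/usr/lib/systemd/system/apmd.*\.service` is labelled acpid_unit_t, but an `acpid.*\.service` unit would not receive that label, so the init_unit_file() type declared for this module would not apply to the daemon's own unit. This is carried over unchanged from apm.fc, and the description says FC entries are deliberately left alone, so it probably belongs in the follow-up patch rather than here. The missing line would be `/usr/lib/systemd/system/acpid.*\.service -- gen_context(system_u:object_r:acpid_unit_t,s0)`.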
> diff -ruN pol-git/policy/modules/contrib/acpi.if pol-acpi/policy/modules/contrib/acpi.if
> --- pol-git/policy/modules/contrib/acpi.if 1970-01-01 10:00:00.000000000 +1000
> +++ pol-acpi/policy/modules/contrib/acpi.if 2017-04-23 23:53:32.983594274 +1000
> @@ -0,0 +1,187 @@
> +## <summary>Advanced power management.</summary>
> +
> +########################################
> +## <summary>
> +## Execute apm in the apm domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`acpi_domtrans_client',`
> + gen_require(`
> + type acpi_t, acpi_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, acpi_exec_t, acpi_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute apm in the apm domain
> +## and allow the specified role
> +## the apm domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`acpi_run_client',`
> + gen_require(`
> + attribute_role acpi_roles;
> + ')
> +
> + acpi_domtrans_client($1)
> + roleattribute $2 acpi_roles;
> +')
> +
> +########################################
> +## <summary>
> +## Use apmd file descriptors.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`acpi_use_fds',`
> + gen_require(`
> + type acpid_t;
> + ')
> +
> + allow $1 acpid_t:fd use;
> +')
> +
> +########################################
> +## <summary>
> +## Write apmd unnamed pipes.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`acpi_write_pipes',`
> + gen_require(`
> + type acpid_t;
> + ')
> +
> + allow $1 acpid_t:fifo_file write;
> +')
> +
> +########################################
> +## <summary>
> +## Read and write to apmd unix
> +## stream sockets.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`acpi_rw_stream_sockets',`
> + gen_require(`
> + type acpid_t;
> + ')
> +
> + allow $1 acpid_t:unix_stream_socket { read write };
> +')
> +
> +########################################
> +## <summary>
> +## Append apmd log files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`acpi_append_log',`
> + gen_require(`
> + type acpid_log_t;
> + ')
> +
> + logging_search_logs($1)
> + allow $1 acpid_log_t:file append_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Connect to apmd over an unix
> +## stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`acpi_stream_connect',`
> + gen_require(`
> + type acpid_t, acpid_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, acpid_var_run_t, acpid_var_run_t, acpid_t)
> +')
> +
> +########################################
> +## <summary>
> +## All of the rules required to
> +## administrate an apm environment.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`acpi_admin',`
> + gen_require(`
> + type acpid_t, acpid_initrc_exec_t, acpid_log_t;
> + type acpid_lock_t, acpid_var_run_t, acpid_var_lib_t;
> + type acpid_tmp_t;
> + ')
> +
> + allow $1 acpid_t:process { ptrace signal_perms };
> + ps_process_pattern($1, acpid_t)
> +
> + init_startstop_service($1, $2, acpid_t, acpid_initrc_exec_t)
> +
> + logging_search_logs($1)
> + admin_pattern($1, acpid_log_t)
> +
> + files_search_locks($1)
> + admin_pattern($1, acpid_lock_t)
> +
> + files_search_pids($1)
> + admin_pattern($1, acpid_var_run_t)
> +
> + files_search_var_lib($1)
> + admin_pattern($1, acpid_var_lib_t)
> +
> + files_search_tmp($1)
> + admin_pattern($1, acpid_tmp_t)
> +
> + acpi_run_client($1, $2)
> +')
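Review bot: The interface documentation in this new file was not updated along with the rename: the module summary on the first line still reads `Advanced power management.` and the per-interface summaries still describe apm/apmd (e.g. `Execute apm in the apm domain.` above acpi_domtrans_client, `Use apmd file descriptors.` above acpi_use_fds, `Append apmd log files.` above acpi_append_log), while the bodies now grant access to acpi_t and acpid_t. Since these comment blocks are the user-facing description of what each interface permits, they should name the types the rules actually reference, for instance `## Execute the apm client in the acpi_t domain.` and `## Use acpid file descriptors.`; the same applies to the summaries of acpi_write_pipes, acpi_rw_stream_sockets, acpi_stream_connect and acpi_admin.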
> diff -ruN pol-git/policy/modules/contrib/acpi.te pol-acpi/policy/modules/contrib/acpi.te
> --- pol-git/policy/modules/contrib/acpi.te 1970-01-01 10:00:00.000000000 +1000
> +++ pol-acpi/policy/modules/contrib/acpi.te 2017-04-24 00:10:28.602801632 +1000
> @@ -0,0 +1,247 @@
> +policy_module(acpi, 1.16.1)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +attribute_role acpi_roles;
> +roleattribute system_r acpi_roles;
> +
> +type acpid_t;
> +type acpid_exec_t;
> +typealias acpid_t alias apmd_t;
> +typealias acpid_exec_t alias apmd_exec_t;
> +init_daemon_domain(acpid_t, acpid_exec_t)
> +
> +type acpid_initrc_exec_t;
> +typealias acpid_initrc_exec_t alias apmd_initrc_exec_t;
> +init_script_file(acpid_initrc_exec_t)
> +
> +type acpi_t;
> +type acpi_exec_t;
> +typealias acpi_t alias apm_t;
> +typealias acpi_exec_t alias apm_exec_t;
> +application_domain(acpi_t, acpi_exec_t)
> +role acpi_roles types acpi_t;
> +
> +type acpid_lock_t;
> +typealias acpid_lock_t alias apmd_lock_t;
> +files_lock_file(acpid_lock_t)
> +
> +type acpid_log_t;
> +typealias acpid_log_t alias apmd_log_t;
> +logging_log_file(acpid_log_t)
> +
> +type acpid_tmp_t;
> +typealias acpid_tmp_t alias apmd_tmp_t;
> +files_tmp_file(acpid_tmp_t)
> +
> +type acpid_unit_t;
> +typealias acpid_unit_t alias apmd_unit_t;
> +init_unit_file(acpid_unit_t)
> +
> +type acpid_var_lib_t;
> +typealias acpid_var_lib_t alias apmd_var_lib_t;
> +files_type(acpid_var_lib_t)
> +
> +type acpid_var_run_t;
> +typealias acpid_var_run_t alias apmd_var_run_t;
> +files_pid_file(acpid_var_run_t)
> +
> +########################################
> +#
> +# Client local policy
> +#
> +
> +allow acpi_t self:capability { dac_override sys_admin };
> +
> +kernel_read_system_state(acpi_t)
> +
> +dev_rw_acpi_bios(acpi_t)
> +
> +fs_getattr_xattr_fs(acpi_t)
> +
> +term_use_all_terms(acpi_t)
> +
> +domain_use_interactive_fds(acpi_t)
> +
> +logging_send_syslog_msg(acpi_t)
> +
> +########################################
> +#
> +# Server local policy
> +#
> +
> +allow acpid_t self:capability { kill mknod sys_admin sys_nice sys_time };
> +dontaudit acpid_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config };
> +allow acpid_t self:process { signal_perms getsession };
> +allow acpid_t self:fifo_file rw_fifo_file_perms;
> +allow acpid_t self:netlink_socket create_socket_perms;
> +allow acpid_t self:netlink_generic_socket create_socket_perms;
> +allow acpid_t self:unix_stream_socket { accept listen };
> +
> +allow acpid_t acpid_lock_t:file manage_file_perms;
> +files_lock_filetrans(acpid_t, acpid_lock_t, file)
> +
> +allow acpid_t acpid_log_t:file manage_file_perms;
> +logging_log_filetrans(acpid_t, acpid_log_t, file)
> +
> +manage_dirs_pattern(acpid_t, acpid_tmp_t, acpid_tmp_t)
> +manage_files_pattern(acpid_t, acpid_tmp_t, acpid_tmp_t)
> +files_tmp_filetrans(acpid_t, acpid_tmp_t, { file dir })
> +
> +manage_dirs_pattern(acpid_t, acpid_var_lib_t, acpid_var_lib_t)
> +manage_files_pattern(acpid_t, acpid_var_lib_t, acpid_var_lib_t)
> +files_var_lib_filetrans(acpid_t, acpid_var_lib_t, dir)
> +
> +manage_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t)
> +manage_sock_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t)
> +files_pid_filetrans(acpid_t, acpid_var_run_t, { file sock_file })
> +
> +can_exec(acpid_t, acpid_var_run_t)
> +
> +kernel_read_kernel_sysctls(acpid_t)
> +kernel_rw_all_sysctls(acpid_t)
> +kernel_read_system_state(acpid_t)
> +kernel_write_proc_files(acpid_t)
> +kernel_request_load_module(acpid_t)
> +
> +dev_read_input(acpid_t)
> +dev_read_mouse(acpid_t)
> +dev_read_realtime_clock(acpid_t)
> +dev_read_urand(acpid_t)
> +dev_rw_acpi_bios(acpid_t)
> +dev_rw_sysfs(acpid_t)
> +dev_dontaudit_getattr_all_chr_files(acpid_t)
> +dev_dontaudit_getattr_all_blk_files(acpid_t)
> +
> +files_exec_etc_files(acpid_t)
> +files_read_etc_runtime_files(acpid_t)
> +files_dontaudit_getattr_all_files(acpid_t)
> +files_dontaudit_getattr_all_symlinks(acpid_t)
> +files_dontaudit_getattr_all_pipes(acpid_t)
> +files_dontaudit_getattr_all_sockets(acpid_t)
> +
> +fs_dontaudit_list_tmpfs(acpid_t)
> +fs_getattr_all_fs(acpid_t)
> +fs_search_auto_mountpoints(acpid_t)
> +fs_dontaudit_getattr_all_files(acpid_t)
> +fs_dontaudit_getattr_all_symlinks(acpid_t)
> +fs_dontaudit_getattr_all_pipes(acpid_t)
> +fs_dontaudit_getattr_all_sockets(acpid_t)
> +
> +selinux_search_fs(acpid_t)
> +
> +corecmd_exec_all_executables(acpid_t)
> +
> +domain_read_all_domains_state(acpid_t)
> +domain_dontaudit_ptrace_all_domains(acpid_t)
> +domain_use_interactive_fds(acpid_t)
> +domain_dontaudit_getattr_all_sockets(acpid_t)
> +domain_dontaudit_getattr_all_key_sockets(acpid_t)
> +domain_dontaudit_list_all_domains_state(acpid_t)
> +
> +auth_use_nsswitch(acpid_t)
> +
> +init_domtrans_script(acpid_t)
> +
> +libs_exec_ld_so(acpid_t)
> +libs_exec_lib_files(acpid_t)
> +
> +logging_send_audit_msgs(acpid_t)
> +logging_send_syslog_msg(acpid_t)
> +
> +miscfiles_read_localization(acpid_t)
> +miscfiles_read_hwdata(acpid_t)
> +
> +modutils_domtrans(acpid_t)
> +modutils_read_module_config(acpid_t)
> +
> +seutil_dontaudit_read_config(acpid_t)
> +
> +userdom_dontaudit_use_unpriv_user_fds(acpid_t)
> +userdom_dontaudit_search_user_home_dirs(acpid_t)
> +userdom_dontaudit_search_user_home_content(acpid_t)
> +
> +optional_policy(`
> + automount_domtrans(acpid_t)
> +')
> +
> +optional_policy(`
> + clock_domtrans(acpid_t)
> + clock_rw_adjtime(acpid_t)
> +')
> +
> +optional_policy(`
> + cron_system_entry(acpid_t, acpid_exec_t)
> + cron_anacron_domtrans_system_job(acpid_t)
> +')
> +
> +optional_policy(`
> + devicekit_manage_pid_files(acpid_t)
> + devicekit_manage_log_files(acpid_t)
> + devicekit_relabel_log_files(acpid_t)
> +')
> +
> +optional_policy(`
> + dbus_system_bus_client(acpid_t)
> +
> + optional_policy(`
> + consolekit_dbus_chat(acpid_t)
> + ')
> +
> + optional_policy(`
> + networkmanager_dbus_chat(acpid_t)
> + ')
> +')
> +
> +optional_policy(`
> + fstools_domtrans(acpid_t)
> +')
> +
> +optional_policy(`
> + iptables_domtrans(acpid_t)
> +')
> +
> +optional_policy(`
> + logrotate_use_fds(acpid_t)
> +')
> +
> +optional_policy(`
> + mta_send_mail(acpid_t)
> +')
> +
> +optional_policy(`
> + netutils_domtrans(acpid_t)
> +')
> +
> +optional_policy(`
> + pcmcia_domtrans_cardmgr(acpid_t)
> + pcmcia_domtrans_cardctl(acpid_t)
> +')
> +
> +optional_policy(`
> + seutil_sigchld_newrole(acpid_t)
> +')
> +
> +optional_policy(`
> + shutdown_domtrans(acpid_t)
> +')
> +
> +optional_policy(`
> + sysnet_domtrans_ifconfig(acpid_t)
> +')
> +
> +optional_policy(`
> + udev_read_db(acpid_t)
> + udev_read_state(acpid_t)
> +')
> +
> +optional_policy(`
> + vbetool_domtrans(acpid_t)
> +')
> +
> +optional_policy(`
> + xserver_domtrans(acpid_t)
> +')
> diff -ruN pol-git/policy/modules/contrib/apm.fc pol-acpi/policy/modules/contrib/apm.fc
> --- pol-git/policy/modules/contrib/apm.fc 2017-04-23 23:54:08.792384981 +1000
> +++ pol-acpi/policy/modules/contrib/apm.fc 1970-01-01 10:00:00.000000000 +1000
> @@ -1,21 +0,0 @@
> -/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:apmd_initrc_exec_t,s0)
> -
> -/usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0)
> -
> -/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:apmd_unit_t,s0)
> -
> -/usr/sbin/acpid -- gen_context(system_u:object_r:apmd_exec_t,s0)
> -/usr/sbin/apmd -- gen_context(system_u:object_r:apmd_exec_t,s0)
> -/usr/sbin/powersaved -- gen_context(system_u:object_r:apmd_exec_t,s0)
> -
> -/var/lock/subsys/acpid -- gen_context(system_u:object_r:apmd_lock_t,s0)
> -
> -/var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0)
> -
> -/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
> -/run/acpid\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
> -/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
> -/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
> -/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
> -
> -/var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0)
> diff -ruN pol-git/policy/modules/contrib/apm.if pol-acpi/policy/modules/contrib/apm.if
> --- pol-git/policy/modules/contrib/apm.if 2017-04-23 23:54:08.800385160 +1000
> +++ pol-acpi/policy/modules/contrib/apm.if 1970-01-01 10:00:00.000000000 +1000
> @@ -1,187 +0,0 @@
> -## <summary>Advanced power management.</summary>
> -
> -########################################
> -## <summary>
> -## Execute apm in the apm domain.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed to transition.
> -## </summary>
> -## </param>
> -#
> -interface(`apm_domtrans_client',`
> - gen_require(`
> - type apm_t, apm_exec_t;
> - ')
> -
> - corecmd_search_bin($1)
> - domtrans_pattern($1, apm_exec_t, apm_t)
> -')
> -
> -########################################
> -## <summary>
> -## Execute apm in the apm domain
> -## and allow the specified role
> -## the apm domain.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed to transition.
> -## </summary>
> -## </param>
> -## <param name="role">
> -## <summary>
> -## Role allowed access.
> -## </summary>
> -## </param>
> -#
> -interface(`apm_run_client',`
> - gen_require(`
> - attribute_role apm_roles;
> - ')
> -
> - apm_domtrans_client($1)
> - roleattribute $2 apm_roles;
> -')
> -
> -########################################
> -## <summary>
> -## Use apmd file descriptors.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -#
> -interface(`apm_use_fds',`
> - gen_require(`
> - type apmd_t;
> - ')
> -
> - allow $1 apmd_t:fd use;
> -')
> -
> -########################################
> -## <summary>
> -## Write apmd unnamed pipes.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -#
> -interface(`apm_write_pipes',`
> - gen_require(`
> - type apmd_t;
> - ')
> -
> - allow $1 apmd_t:fifo_file write;
> -')
> -
> -########################################
> -## <summary>
> -## Read and write to apmd unix
> -## stream sockets.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -#
> -interface(`apm_rw_stream_sockets',`
> - gen_require(`
> - type apmd_t;
> - ')
> -
> - allow $1 apmd_t:unix_stream_socket { read write };
> -')
> -
> -########################################
> -## <summary>
> -## Append apmd log files.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -#
> -interface(`apm_append_log',`
> - gen_require(`
> - type apmd_log_t;
> - ')
> -
> - logging_search_logs($1)
> - allow $1 apmd_log_t:file append_file_perms;
> -')
> -
> -########################################
> -## <summary>
> -## Connect to apmd over an unix
> -## stream socket.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -#
> -interface(`apm_stream_connect',`
> - gen_require(`
> - type apmd_t, apmd_var_run_t;
> - ')
> -
> - files_search_pids($1)
> - stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
> -')
> -
> -########################################
> -## <summary>
> -## All of the rules required to
> -## administrate an apm environment.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -## <param name="role">
> -## <summary>
> -## Role allowed access.
> -## </summary>
> -## </param>
> -## <rolecap/>
> -#
> -interface(`apm_admin',`
> - gen_require(`
> - type apmd_t, apmd_initrc_exec_t, apmd_log_t;
> - type apmd_lock_t, apmd_var_run_t, apmd_var_lib_t;
> - type apmd_tmp_t;
> - ')
> -
> - allow $1 apmd_t:process { ptrace signal_perms };
> - ps_process_pattern($1, apmd_t)
> -
> - init_startstop_service($1, $2, apmd_t, apmd_initrc_exec_t)
> -
> - logging_search_logs($1)
> - admin_pattern($1, apmd_log_t)
> -
> - files_search_locks($1)
> - admin_pattern($1, apmd_lock_t)
> -
> - files_search_pids($1)
> - admin_pattern($1, apmd_var_run_t)
> -
> - files_search_var_lib($1)
> - admin_pattern($1, apmd_var_lib_t)
> -
> - files_search_tmp($1)
> - admin_pattern($1, apmd_tmp_t)
> -
> - apm_run_client($1, $2)
> -')
> diff -ruN pol-git/policy/modules/contrib/apm.te pol-acpi/policy/modules/contrib/apm.te
> --- pol-git/policy/modules/contrib/apm.te 2017-04-23 23:54:08.804385249 +1000
> +++ pol-acpi/policy/modules/contrib/apm.te 1970-01-01 10:00:00.000000000 +1000
> @@ -1,236 +0,0 @@
> -policy_module(apm, 1.16.1)
> -
> -########################################
> -#
> -# Declarations
> -#
> -
> -attribute_role apm_roles;
> -roleattribute system_r apm_roles;
> -
> -type apmd_t;
> -type apmd_exec_t;
> -init_daemon_domain(apmd_t, apmd_exec_t)
> -
> -type apmd_initrc_exec_t;
> -init_script_file(apmd_initrc_exec_t)
> -
> -type apm_t;
> -type apm_exec_t;
> -application_domain(apm_t, apm_exec_t)
> -role apm_roles types apm_t;
> -
> -type apmd_lock_t;
> -files_lock_file(apmd_lock_t)
> -
> -type apmd_log_t;
> -logging_log_file(apmd_log_t)
> -
> -type apmd_tmp_t;
> -files_tmp_file(apmd_tmp_t)
> -
> -type apmd_unit_t;
> -init_unit_file(apmd_unit_t)
> -
> -type apmd_var_lib_t;
> -files_type(apmd_var_lib_t)
> -
> -type apmd_var_run_t;
> -files_pid_file(apmd_var_run_t)
> -
> -########################################
> -#
> -# Client local policy
> -#
> -
> -allow apm_t self:capability { dac_override sys_admin };
> -
> -kernel_read_system_state(apm_t)
> -
> -dev_rw_apm_bios(apm_t)
> -
> -fs_getattr_xattr_fs(apm_t)
> -
> -term_use_all_terms(apm_t)
> -
> -domain_use_interactive_fds(apm_t)
> -
> -logging_send_syslog_msg(apm_t)
> -
> -########################################
> -#
> -# Server local policy
> -#
> -
> -allow apmd_t self:capability { kill mknod sys_admin sys_nice sys_time };
> -dontaudit apmd_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config };
> -allow apmd_t self:process { signal_perms getsession };
> -allow apmd_t self:fifo_file rw_fifo_file_perms;
> -allow apmd_t self:netlink_socket create_socket_perms;
> -allow apmd_t self:netlink_generic_socket create_socket_perms;
> -allow apmd_t self:unix_stream_socket { accept listen };
> -
> -allow apmd_t apmd_lock_t:file manage_file_perms;
> -files_lock_filetrans(apmd_t, apmd_lock_t, file)
> -
> -allow apmd_t apmd_log_t:file manage_file_perms;
> -logging_log_filetrans(apmd_t, apmd_log_t, file)
> -
> -manage_dirs_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
> -manage_files_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
> -files_tmp_filetrans(apmd_t, apmd_tmp_t, { file dir })
> -
> -manage_dirs_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
> -manage_files_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
> -files_var_lib_filetrans(apmd_t, apmd_var_lib_t, dir)
> -
> -manage_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t)
> -manage_sock_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t)
> -files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file })
> -
> -can_exec(apmd_t, apmd_var_run_t)
> -
> -kernel_read_kernel_sysctls(apmd_t)
> -kernel_rw_all_sysctls(apmd_t)
> -kernel_read_system_state(apmd_t)
> -kernel_write_proc_files(apmd_t)
> -kernel_request_load_module(apmd_t)
> -
> -dev_read_input(apmd_t)
> -dev_read_mouse(apmd_t)
> -dev_read_realtime_clock(apmd_t)
> -dev_read_urand(apmd_t)
> -dev_rw_apm_bios(apmd_t)
> -dev_rw_sysfs(apmd_t)
> -dev_dontaudit_getattr_all_chr_files(apmd_t)
> -dev_dontaudit_getattr_all_blk_files(apmd_t)
> -
> -files_exec_etc_files(apmd_t)
> -files_read_etc_runtime_files(apmd_t)
> -files_dontaudit_getattr_all_files(apmd_t)
> -files_dontaudit_getattr_all_symlinks(apmd_t)
> -files_dontaudit_getattr_all_pipes(apmd_t)
> -files_dontaudit_getattr_all_sockets(apmd_t)
> -
> -fs_dontaudit_list_tmpfs(apmd_t)
> -fs_getattr_all_fs(apmd_t)
> -fs_search_auto_mountpoints(apmd_t)
> -fs_dontaudit_getattr_all_files(apmd_t)
> -fs_dontaudit_getattr_all_symlinks(apmd_t)
> -fs_dontaudit_getattr_all_pipes(apmd_t)
> -fs_dontaudit_getattr_all_sockets(apmd_t)
> -
> -selinux_search_fs(apmd_t)
> -
> -corecmd_exec_all_executables(apmd_t)
> -
> -domain_read_all_domains_state(apmd_t)
> -domain_dontaudit_ptrace_all_domains(apmd_t)
> -domain_use_interactive_fds(apmd_t)
> -domain_dontaudit_getattr_all_sockets(apmd_t)
> -domain_dontaudit_getattr_all_key_sockets(apmd_t)
> -domain_dontaudit_list_all_domains_state(apmd_t)
> -
> -auth_use_nsswitch(apmd_t)
> -
> -init_domtrans_script(apmd_t)
> -
> -libs_exec_ld_so(apmd_t)
> -libs_exec_lib_files(apmd_t)
> -
> -logging_send_audit_msgs(apmd_t)
> -logging_send_syslog_msg(apmd_t)
> -
> -miscfiles_read_localization(apmd_t)
> -miscfiles_read_hwdata(apmd_t)
> -
> -modutils_domtrans(apmd_t)
> -modutils_read_module_config(apmd_t)
> -
> -seutil_dontaudit_read_config(apmd_t)
> -
> -userdom_dontaudit_use_unpriv_user_fds(apmd_t)
> -userdom_dontaudit_search_user_home_dirs(apmd_t)
> -userdom_dontaudit_search_user_home_content(apmd_t)
> -
> -optional_policy(`
> - automount_domtrans(apmd_t)
> -')
> -
> -optional_policy(`
> - clock_domtrans(apmd_t)
> - clock_rw_adjtime(apmd_t)
> -')
> -
> -optional_policy(`
> - cron_system_entry(apmd_t, apmd_exec_t)
> - cron_anacron_domtrans_system_job(apmd_t)
> -')
> -
> -optional_policy(`
> - devicekit_manage_pid_files(apmd_t)
> - devicekit_manage_log_files(apmd_t)
> - devicekit_relabel_log_files(apmd_t)
> -')
> -
> -optional_policy(`
> - dbus_system_bus_client(apmd_t)
> -
> - optional_policy(`
> - consolekit_dbus_chat(apmd_t)
> - ')
> -
> - optional_policy(`
> - networkmanager_dbus_chat(apmd_t)
> - ')
> -')
> -
> -optional_policy(`
> - fstools_domtrans(apmd_t)
> -')
> -
> -optional_policy(`
> - iptables_domtrans(apmd_t)
> -')
> -
> -optional_policy(`
> - logrotate_use_fds(apmd_t)
> -')
> -
> -optional_policy(`
> - mta_send_mail(apmd_t)
> -')
> -
> -optional_policy(`
> - netutils_domtrans(apmd_t)
> -')
> -
> -optional_policy(`
> - pcmcia_domtrans_cardmgr(apmd_t)
> - pcmcia_domtrans_cardctl(apmd_t)
> -')
> -
> -optional_policy(`
> - seutil_sigchld_newrole(apmd_t)
> -')
> -
> -optional_policy(`
> - shutdown_domtrans(apmd_t)
> -')
> -
> -optional_policy(`
> - sysnet_domtrans_ifconfig(apmd_t)
> -')
> -
> -optional_policy(`
> - udev_read_db(apmd_t)
> - udev_read_state(apmd_t)
> -')
> -
> -optional_policy(`
> - vbetool_domtrans(apmd_t)
> -')
> -
> -optional_policy(`
> - xserver_domtrans(apmd_t)
> -')
> diff -ruN pol-git/policy/modules/contrib/cups.te pol-acpi/policy/modules/contrib/cups.te
> --- pol-git/policy/modules/contrib/cups.te 2017-02-16 12:08:22.302620139 +1100
> +++ pol-acpi/policy/modules/contrib/cups.te 2017-04-23 23:51:17.096763006 +1000
> @@ -273,7 +273,7 @@
> userdom_dontaudit_search_user_home_content(cupsd_t)
>
> optional_policy(`
> - apm_domtrans_client(cupsd_t)
> + acpi_domtrans_client(cupsd_t)
> ')
>
> optional_policy(`
> diff -ruN pol-git/policy/modules/contrib/hal.te pol-acpi/policy/modules/contrib/hal.te
> --- pol-git/policy/modules/contrib/hal.te 2017-03-06 09:55:21.244914902 +1100
> +++ pol-acpi/policy/modules/contrib/hal.te 2017-04-23 23:51:17.104763164 +1000
> @@ -221,7 +221,7 @@
> ')
>
> optional_policy(`
> - apm_stream_connect(hald_t)
> + acpi_stream_connect(hald_t)
> ')
>
> optional_policy(`
> diff -ruN pol-git/policy/modules/kernel/devices.fc pol-acpi/policy/modules/kernel/devices.fc
> --- pol-git/policy/modules/kernel/devices.fc 2017-03-02 00:59:33.765978143 +1100
> +++ pol-acpi/policy/modules/kernel/devices.fc 2017-04-23 23:52:16.749970457 +1000
> @@ -11,7 +11,7 @@
> /dev/aload.* -c gen_context(system_u:object_r:sound_device_t,s0)
> /dev/amidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
> /dev/amixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
> -/dev/apm_bios -c gen_context(system_u:object_r:apm_bios_t,s0)
> +/dev/apm_bios -c gen_context(system_u:object_r:acpi_bios_t,s0)
> /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
> /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
> /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
> @@ -103,7 +103,7 @@
> /dev/smpte.* -c gen_context(system_u:object_r:sound_device_t,s0)
> /dev/smu -c gen_context(system_u:object_r:power_device_t,s0)
> /dev/srnd[0-7] -c gen_context(system_u:object_r:sound_device_t,s0)
> -/dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0)
> +/dev/snapshot -c gen_context(system_u:object_r:acpi_bios_t,s0)
> /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
> /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
> /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
> diff -ruN pol-git/policy/modules/kernel/devices.if pol-acpi/policy/modules/kernel/devices.if
> --- pol-git/policy/modules/kernel/devices.if 2017-04-19 14:39:40.910289394 +1000
> +++ pol-acpi/policy/modules/kernel/devices.if 2017-04-23 23:51:17.140763875 +1000
> @@ -1441,12 +1441,12 @@
> ## </summary>
> ## </param>
> #
> -interface(`dev_getattr_apm_bios_dev',`
> +interface(`dev_getattr_acpi_bios_dev',`
> gen_require(`
> - type device_t, apm_bios_t;
> + type device_t, acpi_bios_t;
> ')
>
> - getattr_chr_files_pattern($1, device_t, apm_bios_t)
> + getattr_chr_files_pattern($1, device_t, acpi_bios_t)
> ')
>
> ########################################
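Review bot: The dev_*_apm_bios* interfaces are renamed outright in this hunk and in the four devices.if hunks that follow, so any policy module outside this tree that still calls, for example, `dev_rw_apm_bios()` will stop building, and unlike the module types in acpi.te no compatibility shim is provided for them. Because devices.if is a kernel-layer interface file that other modules are likely to consume, keeping each old name as a deprecated wrapper would allow callers to migrate without a hard break; refpolicy's usual form is an interface with the old name whose body is `refpolicywarn(`$0($*) has been deprecated, please use dev_rw_acpi_bios() instead.')` followed by `dev_rw_acpi_bios($1)`, and likewise for the getattr, dontaudit_getattr, setattr and dontaudit_setattr variants.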
> @@ -1460,12 +1460,12 @@
> ## </summary>
> ## </param>
> #
> -interface(`dev_dontaudit_getattr_apm_bios_dev',`
> +interface(`dev_dontaudit_getattr_acpi_bios_dev',`
> gen_require(`
> - type apm_bios_t;
> + type acpi_bios_t;
> ')
>
> - dontaudit $1 apm_bios_t:chr_file getattr;
> + dontaudit $1 acpi_bios_t:chr_file getattr;
> ')
>
> ########################################
> @@ -1478,12 +1478,12 @@
> ## </summary>
> ## </param>
> #
> -interface(`dev_setattr_apm_bios_dev',`
> +interface(`dev_setattr_acpi_bios_dev',`
> gen_require(`
> - type device_t, apm_bios_t;
> + type device_t, acpi_bios_t;
> ')
>
> - setattr_chr_files_pattern($1, device_t, apm_bios_t)
> + setattr_chr_files_pattern($1, device_t, acpi_bios_t)
> ')
>
> ########################################
> @@ -1497,12 +1497,12 @@
> ## </summary>
> ## </param>
> #
> -interface(`dev_dontaudit_setattr_apm_bios_dev',`
> +interface(`dev_dontaudit_setattr_acpi_bios_dev',`
> gen_require(`
> - type apm_bios_t;
> + type acpi_bios_t;
> ')
>
> - dontaudit $1 apm_bios_t:chr_file setattr;
> + dontaudit $1 acpi_bios_t:chr_file setattr;
> ')
>
> ########################################
> @@ -1515,12 +1515,12 @@
> ## </summary>
> ## </param>
> #
> -interface(`dev_rw_apm_bios',`
> +interface(`dev_rw_acpi_bios',`
> gen_require(`
> - type device_t, apm_bios_t;
> + type device_t, acpi_bios_t;
> ')
>
> - rw_chr_files_pattern($1, device_t, apm_bios_t)
> + rw_chr_files_pattern($1, device_t, acpi_bios_t)
> ')
>
> ########################################
> diff -ruN pol-git/policy/modules/kernel/devices.te pol-acpi/policy/modules/kernel/devices.te
> --- pol-git/policy/modules/kernel/devices.te 2017-04-19 14:39:40.910289394 +1000
> +++ pol-acpi/policy/modules/kernel/devices.te 2017-04-23 23:55:23.926079992 +1000
> @@ -35,8 +35,8 @@
> #
> # Type for /dev/apm_bios
> #
> -type apm_bios_t;
> -dev_node(apm_bios_t)
> +type acpi_bios_t;
> +dev_node(acpi_bios_t)
>
> #
> # Type for /dev/autofs
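Review bot: `apm_bios_t` is renamed to `acpi_bios_t` without an alias, whereas acpi.te keeps every renamed module type reachable under its old name (`typealias acpid_t alias apmd_t;` and so on), so the description's statement that the patch adds typealias rules does not hold for this kernel-layer type. Any module or local policy that still references apm_bios_t would fail to link against the new base, and since this is the type that labels /dev/apm_bios and /dev/snapshot per devices.fc, a stale reference here affects device access rather than a single daemon. Adding `typealias acpi_bios_t alias apm_bios_t;` after `dev_node(acpi_bios_t)` would give it the same compatibility treatment as the module types.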
> diff -ruN pol-git/policy/modules/roles/sysadm.te pol-acpi/policy/modules/roles/sysadm.te
> --- pol-git/policy/modules/roles/sysadm.te 2017-04-07 16:27:45.962131278 +1000
> +++ pol-acpi/policy/modules/roles/sysadm.te 2017-04-23 23:51:17.156764190 +1000
> @@ -123,8 +123,8 @@
> ')
>
> optional_policy(`
> - apm_admin(sysadm_t, sysadm_r)
> - apm_run_client(sysadm_t, sysadm_r)
> + acpi_admin(sysadm_t, sysadm_r)
> + acpi_run_client(sysadm_t, sysadm_r)
> ')
>
> optional_policy(`
> diff -ruN pol-git/policy/modules/services/xserver.te pol-acpi/policy/modules/services/xserver.te
> --- pol-git/policy/modules/services/xserver.te 2017-04-21 15:11:02.266447363 +1000
> +++ pol-acpi/policy/modules/services/xserver.te 2017-04-23 23:51:17.164764349 +1000
> @@ -420,8 +420,8 @@
> dev_setattr_framebuffer_dev(xdm_t)
> dev_getattr_mouse_dev(xdm_t)
> dev_setattr_mouse_dev(xdm_t)
> -dev_rw_apm_bios(xdm_t)
> -dev_setattr_apm_bios_dev(xdm_t)
> +dev_rw_acpi_bios(xdm_t)
> +dev_setattr_acpi_bios_dev(xdm_t)
> dev_rw_dri(xdm_t)
> dev_rw_agp(xdm_t)
> dev_getattr_xserver_misc_dev(xdm_t)
> @@ -713,7 +713,7 @@
> dev_rw_sysfs(xserver_t)
> dev_rw_mouse(xserver_t)
> dev_rw_mtrr(xserver_t)
> -dev_rw_apm_bios(xserver_t)
> +dev_rw_acpi_bios(xserver_t)
> dev_rw_agp(xserver_t)
> dev_rw_framebuffer(xserver_t)
> dev_manage_dri_dev(xserver_t)
> @@ -808,7 +808,7 @@
> ')
>
> optional_policy(`
> - apm_stream_connect(xserver_t)
> + acpi_stream_connect(xserver_t)
> ')
>
> optional_policy(`
> diff -ruN pol-git/policy/modules/system/authlogin.te pol-acpi/policy/modules/system/authlogin.te
> --- pol-git/policy/modules/system/authlogin.te 2017-03-03 13:03:05.964980312 +1100
> +++ pol-acpi/policy/modules/system/authlogin.te 2017-04-23 23:51:17.172764506 +1000
> @@ -230,8 +230,8 @@
> kernel_read_system_state(pam_console_t)
>
> dev_read_sysfs(pam_console_t)
> -dev_getattr_apm_bios_dev(pam_console_t)
> -dev_setattr_apm_bios_dev(pam_console_t)
> +dev_getattr_acpi_bios_dev(pam_console_t)
> +dev_setattr_acpi_bios_dev(pam_console_t)
> dev_getattr_dri_dev(pam_console_t)
> dev_setattr_dri_dev(pam_console_t)
> dev_getattr_input_dev(pam_console_t)
> diff -ruN pol-git/policy/modules/system/clock.te pol-acpi/policy/modules/system/clock.te
> --- pol-git/policy/modules/system/clock.te 2017-02-05 20:57:06.663565003 +1100
> +++ pol-acpi/policy/modules/system/clock.te 2017-04-23 23:51:17.168764428 +1000
> @@ -60,8 +60,8 @@
> miscfiles_read_localization(hwclock_t)
>
> optional_policy(`
> - apm_append_log(hwclock_t)
> - apm_rw_stream_sockets(hwclock_t)
> + acpi_append_log(hwclock_t)
> + acpi_rw_stream_sockets(hwclock_t)
> ')
>
> optional_policy(`
> diff -ruN pol-git/policy/modules/system/init.te pol-acpi/policy/modules/system/init.te
> --- pol-git/policy/modules/system/init.te 2017-04-21 15:11:02.266447363 +1000
> +++ pol-acpi/policy/modules/system/init.te 2017-04-23 23:51:17.188764822 +1000
> @@ -990,7 +990,7 @@
> ')
>
> optional_policy(`
> - dev_rw_apm_bios(initrc_t)
> + dev_rw_acpi_bios(initrc_t)
> ')
>
> optional_policy(`
> diff -ruN pol-git/policy/modules/system/locallogin.te pol-acpi/policy/modules/system/locallogin.te
> --- pol-git/policy/modules/system/locallogin.te 2017-04-07 16:27:45.966131379 +1000
> +++ pol-acpi/policy/modules/system/locallogin.te 2017-04-23 23:51:17.176764585 +1000
> @@ -71,8 +71,8 @@
> dev_setattr_power_mgmt_dev(local_login_t)
> dev_getattr_sound_dev(local_login_t)
> dev_setattr_sound_dev(local_login_t)
> -dev_dontaudit_getattr_apm_bios_dev(local_login_t)
> -dev_dontaudit_setattr_apm_bios_dev(local_login_t)
> +dev_dontaudit_getattr_acpi_bios_dev(local_login_t)
> +dev_dontaudit_setattr_acpi_bios_dev(local_login_t)
> dev_dontaudit_read_framebuffer(local_login_t)
> dev_dontaudit_setattr_framebuffer_dev(local_login_t)
> dev_dontaudit_getattr_generic_blk_files(local_login_t)
> diff -ruN pol-git/policy/modules/system/modutils.te pol-acpi/policy/modules/system/modutils.te
> --- pol-git/policy/modules/system/modutils.te 2017-04-21 15:11:02.266447363 +1000
> +++ pol-acpi/policy/modules/system/modutils.te 2017-04-23 23:51:17.192764901 +1000
> @@ -79,7 +79,7 @@
> dev_rw_agp(kmod_t)
> dev_read_sound(kmod_t)
> dev_write_sound(kmod_t)
> -dev_rw_apm_bios(kmod_t)
> +dev_rw_acpi_bios(kmod_t)
>
> domain_signal_all_domains(kmod_t)
> domain_use_interactive_fds(kmod_t)
> diff -ruN pol-git/policy/modules/system/mount.te pol-acpi/policy/modules/system/mount.te
> --- pol-git/policy/modules/system/mount.te 2017-04-19 14:39:40.914289502 +1000
> +++ pol-acpi/policy/modules/system/mount.te 2017-04-23 23:51:17.180764664 +1000
> @@ -194,7 +194,7 @@
> ')
>
> optional_policy(`
> - apm_use_fds(mount_t)
> + acpi_use_fds(mount_t)
> ')
>
> optional_policy(`
> diff -ruN pol-git/policy/modules/system/userdomain.if pol-acpi/policy/modules/system/userdomain.if
> --- pol-git/policy/modules/system/userdomain.if 2017-04-21 15:11:02.270447468 +1000
> +++ pol-acpi/policy/modules/system/userdomain.if 2017-04-23 23:51:17.212765296 +1000
> @@ -643,7 +643,7 @@
>
> optional_policy(`
> # Allow graphical boot to check battery lifespan
> - apm_stream_connect($1_t)
> + acpi_stream_connect($1_t)
> ')
>
> optional_policy(`



--
Chris PeBenito