move run_init to selinux, as it is part of policycoreutils
parent
914c9f78f0
commit
8623d5b854
@ -41,7 +41,6 @@ ifdef(`distro_gentoo', `
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
/usr/sbin/run_init -- system_u:object_r:run_init_exec_t
|
||||
/usr/sbin/open_init_pty -- system_u:object_r:initrc_exec_t
|
||||
|
||||
#
|
||||
|
@ -354,35 +354,3 @@ define(`init_script_ignore_modify_runtime_data_depend',`
|
||||
type initrc_var_run_t;
|
||||
class file { getattr read write append };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# init_run_init_transition(domain)
|
||||
#
|
||||
define(`init_run_init_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 run_init_exec_t:file { getattr read execute };
|
||||
allow $1 run_init_t:process transition;
|
||||
type_transition $1 run_init_exec_t:file run_init_t;
|
||||
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
|
||||
')
|
||||
|
||||
define(`init_run_init_transition_depend',`
|
||||
type run_init_t, run_init_exec_t;
|
||||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# init_run_init_use_file_descriptors(domain)
|
||||
#
|
||||
define(`init_run_init_use_file_descriptors',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 run_init_t:fd use;
|
||||
')
|
||||
|
||||
define(`init_run_init_use_file_descriptors_depend',`
|
||||
type run_init_t;
|
||||
class fd use;
|
||||
')
|
||||
|
@ -58,12 +58,6 @@ files_make_file(initrc_state_t)
|
||||
type initrc_tmp_t;
|
||||
files_make_temporary_file(initrc_tmp_t)
|
||||
|
||||
type run_init_t;
|
||||
domain_make_domain(run_init_t)
|
||||
|
||||
type run_init_exec_t;
|
||||
domain_make_entrypoint_file(run_init_t,run_init_exec_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Init local policy
|
||||
@ -362,84 +356,3 @@ dontaudit initrc_t mail_spool_t:lnk_file read;
|
||||
# for lsof which is used by alsa shutdown
|
||||
dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
|
||||
') dnl end TODO
|
||||
|
||||
#################################
|
||||
#
|
||||
# Run_init local policy
|
||||
#
|
||||
|
||||
kernel_get_selinuxfs_mount_point(run_init_t)
|
||||
kernel_validate_selinux_context(run_init_t)
|
||||
kernel_compute_selinux_access_vector(run_init_t)
|
||||
kernel_compute_selinux_create_context(run_init_t)
|
||||
kernel_compute_selinux_relabel_context(run_init_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(run_init_t)
|
||||
|
||||
tunable_policy(`targeted_policy',`
|
||||
# targeted/unconfined stuff
|
||||
',`
|
||||
allow run_init_t initrc_t:process transition;
|
||||
allow run_init_t initrc_exec_t:file { getattr read execute };
|
||||
dontaudit run_init_t initrc_t : process { noatsecure siginh rlimitinh };
|
||||
|
||||
# for utmp
|
||||
allow run_init_t initrc_var_run_t:file { getattr read write };
|
||||
|
||||
allow run_init_t self:process setexec;
|
||||
allow run_init_t self:capability setuid;
|
||||
|
||||
allow run_init_t self:fifo_file { getattr read write };
|
||||
|
||||
# often the administrator runs such programs from a directory that is owned
|
||||
# by a different user or has restrictive SE permissions, do not want to audit
|
||||
# the failed access to the current directory
|
||||
dontaudit run_init_t self:capability { dac_override dac_read_search };
|
||||
files_ignore_search_all_directories(run_init_t)
|
||||
|
||||
filesystem_get_persistent_filesystem_attributes(run_init_t)
|
||||
|
||||
devices_ignore_list_device_nodes(run_init_t)
|
||||
|
||||
terminal_ignore_list_pseudoterminals(run_init_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(run_init_t)
|
||||
|
||||
corecommands_execute_general_programs(run_init_t)
|
||||
corecommands_execute_shell(run_init_t)
|
||||
|
||||
files_read_general_system_config(run_init_t)
|
||||
|
||||
libraries_use_dynamic_loader(run_init_t)
|
||||
libraries_use_shared_libraries(run_init_t)
|
||||
|
||||
selinux_read_config(run_init_t)
|
||||
selinux_read_default_contexts(run_init_t)
|
||||
|
||||
authlogin_ignore_read_shadow_passwords(run_init_t)
|
||||
|
||||
miscfiles_read_localization(run_init_t)
|
||||
|
||||
logging_send_system_log_message(run_init_t)
|
||||
') dnl end ifdef targeted policy
|
||||
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
tunable_policy(`targeted_policy', `
|
||||
domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
|
||||
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
|
||||
allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
|
||||
domain_trans(initrc_t, shell_exec_t, unconfined_t)
|
||||
', `
|
||||
domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t)
|
||||
role sysadm_r types run_init_t;
|
||||
domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)
|
||||
allow run_init_t admin_tty_type:chr_file rw_file_perms;
|
||||
') dnl endif targeted policy
|
||||
|
||||
tunable_policy(`distro_gentoo', `
|
||||
# Gentoo integrated run_init+open_init_pty-runscript:
|
||||
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
|
||||
domain_make_entrypoint_file(run_init_t,initrc_exec_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
@ -33,6 +33,7 @@
|
||||
/usr/lib(64)?/selinux(/.*)? system_u:object_r:policy_src_t
|
||||
|
||||
/usr/sbin/load_policy -- system_u:object_r:load_policy_exec_t
|
||||
/usr/sbin/run_init -- system_u:object_r:run_init_exec_t
|
||||
/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t
|
||||
|
||||
ifdef(`distro_debian', `
|
||||
|
@ -80,7 +80,7 @@ class file { getattr read };
|
||||
|
||||
#######################################
|
||||
#
|
||||
# newrole_transition(domain)
|
||||
# selinux_newrole_transition(domain)
|
||||
#
|
||||
define(`selinux_newrole_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
@ -170,6 +170,38 @@ type restorecon_t, restorecon_exec_t;
|
||||
class file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# selinux_run_init_transition(domain)
|
||||
#
|
||||
define(`selinux_run_init_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 run_init_exec_t:file { getattr read execute };
|
||||
allow $1 run_init_t:process transition;
|
||||
type_transition $1 run_init_exec_t:file run_init_t;
|
||||
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
|
||||
')
|
||||
|
||||
define(`selinux_run_init_transition_depend',`
|
||||
type run_init_t, run_init_exec_t;
|
||||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# selinux_run_init_use_file_descriptors(domain)
|
||||
#
|
||||
define(`selinux_run_init_use_file_descriptors',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 run_init_t:fd use;
|
||||
')
|
||||
|
||||
define(`selinux_run_init_use_file_descriptors_depend',`
|
||||
type run_init_t;
|
||||
class fd use;
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# selinux_setfiles_transition(domain)
|
||||
|
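Review bot: The header comments on `selinux_run_init_transition` and `selinux_run_init_use_file_descriptors` give only the name and argument, so a caller cannot tell what is granted. The first installs an automatic `type_transition $1 run_init_exec_t:file run_init_t;` and also hides `noatsecure siginh rlimitinh` denials with `dontaudit`. I would expand the header to something like `# Execute run_init with an automatic domain transition to run_init_t; the caller's role must be authorized for run_init_t separately.` On the lines shown here, the only `role sysadm_r types run_init_t;` statement sits inside the TODO ifdef block of the policy file, so that dependency is easy to miss. The same section is printed a second time further down the page, and the note applies there as well.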
@ -70,6 +70,12 @@ kernel_make_object_identity_change_constraint_exception(restorecon_t)
|
||||
init_make_system_domain(restorecon_t,restorecon_exec_t)
|
||||
role system_r types restorecon_t;
|
||||
|
||||
type run_init_t;
|
||||
domain_make_domain(run_init_t)
|
||||
|
||||
type run_init_exec_t;
|
||||
domain_make_entrypoint_file(run_init_t,run_init_exec_t)
|
||||
|
||||
#
|
||||
# selinux_config_t is the type applied to
|
||||
# /etc/selinux/config
|
||||
@ -353,6 +359,84 @@ allow restorecon_t device_t:file { read write };
|
||||
allow restorecon_t kernel_t:fifo_file { read write };
|
||||
') dnl endif TODO
|
||||
|
||||
#################################
|
||||
#
|
||||
# Run_init local policy
|
||||
#
|
||||
|
||||
kernel_get_selinuxfs_mount_point(run_init_t)
|
||||
kernel_validate_selinux_context(run_init_t)
|
||||
kernel_compute_selinux_access_vector(run_init_t)
|
||||
kernel_compute_selinux_create_context(run_init_t)
|
||||
kernel_compute_selinux_relabel_context(run_init_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(run_init_t)
|
||||
|
||||
tunable_policy(`targeted_policy',`
|
||||
# targeted/unconfined stuff
|
||||
',`
|
||||
|
||||
allow run_init_t self:process setexec;
|
||||
allow run_init_t self:capability setuid;
|
||||
|
||||
allow run_init_t self:fifo_file { getattr read write };
|
||||
|
||||
# often the administrator runs such programs from a directory that is owned
|
||||
# by a different user or has restrictive SE permissions, do not want to audit
|
||||
# the failed access to the current directory
|
||||
dontaudit run_init_t self:capability { dac_override dac_read_search };
|
||||
|
||||
filesystem_get_persistent_filesystem_attributes(run_init_t)
|
||||
|
||||
devices_ignore_list_device_nodes(run_init_t)
|
||||
|
||||
terminal_ignore_list_pseudoterminals(run_init_t)
|
||||
|
||||
authlogin_ignore_read_shadow_passwords(run_init_t)
|
||||
|
||||
corecommands_execute_general_programs(run_init_t)
|
||||
corecommands_execute_shell(run_init_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(run_init_t)
|
||||
|
||||
files_read_general_system_config(run_init_t)
|
||||
files_ignore_search_all_directories(run_init_t)
|
||||
|
||||
init_script_transition(run_init_t)
|
||||
# for utmp
|
||||
init_script_modify_runtime_data(run_init_t)
|
||||
|
||||
libraries_use_dynamic_loader(run_init_t)
|
||||
libraries_use_shared_libraries(run_init_t)
|
||||
|
||||
selinux_read_config(run_init_t)
|
||||
selinux_read_default_contexts(run_init_t)
|
||||
|
||||
miscfiles_read_localization(run_init_t)
|
||||
|
||||
logging_send_system_log_message(run_init_t)
|
||||
') dnl end ifdef targeted policy
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
tunable_policy(`targeted_policy', `
|
||||
domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
|
||||
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
|
||||
allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
|
||||
domain_trans(initrc_t, shell_exec_t, unconfined_t)
|
||||
', `
|
||||
domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t)
|
||||
role sysadm_r types run_init_t;
|
||||
domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)
|
||||
allow run_init_t admin_tty_type:chr_file rw_file_perms;
|
||||
') dnl endif targeted policy
|
||||
|
||||
tunable_policy(`distro_gentoo', `
|
||||
# Gentoo integrated run_init+open_init_pty-runscript:
|
||||
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
|
||||
domain_make_entrypoint_file(run_init_t,initrc_exec_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# Setfiles local policy
|
||||
|
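Review bot: In the run_init local policy, `init_script_transition(run_init_t)` and `init_script_modify_runtime_data(run_init_t)` replace explicit rules, and their bodies are not on this page, so the move may not be permission-neutral. The rules removed from the init module were `allow run_init_t initrc_t:process transition;` with no `type_transition`, and `allow run_init_t initrc_var_run_t:file { getattr read write };`. If `init_script_transition` follows the same pattern as `selinux_run_init_transition` in this commit, it also adds a `type_transition`, which would make the switch to initrc_t automatic instead of requested through `setexec`. The utmp interface may likewise grant more than those three file permissions. Please confirm both against the init interface definitions, or record the intent next to the calls, e.g. `# replaces explicit allow rules on initrc_t / initrc_var_run_t; must not grant more`; this section is also printed a second time further down the page.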
@ -33,6 +33,7 @@
|
||||
/usr/lib(64)?/selinux(/.*)? system_u:object_r:policy_src_t
|
||||
|
||||
/usr/sbin/load_policy -- system_u:object_r:load_policy_exec_t
|
||||
/usr/sbin/run_init -- system_u:object_r:run_init_exec_t
|
||||
/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t
|
||||
|
||||
ifdef(`distro_debian', `
|
||||
|
@ -80,7 +80,7 @@ class file { getattr read };
|
||||
|
||||
#######################################
|
||||
#
|
||||
# newrole_transition(domain)
|
||||
# selinux_newrole_transition(domain)
|
||||
#
|
||||
define(`selinux_newrole_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
@ -170,6 +170,38 @@ type restorecon_t, restorecon_exec_t;
|
||||
class file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# selinux_run_init_transition(domain)
|
||||
#
|
||||
define(`selinux_run_init_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 run_init_exec_t:file { getattr read execute };
|
||||
allow $1 run_init_t:process transition;
|
||||
type_transition $1 run_init_exec_t:file run_init_t;
|
||||
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
|
||||
')
|
||||
|
||||
define(`selinux_run_init_transition_depend',`
|
||||
type run_init_t, run_init_exec_t;
|
||||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# selinux_run_init_use_file_descriptors(domain)
|
||||
#
|
||||
define(`selinux_run_init_use_file_descriptors',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 run_init_t:fd use;
|
||||
')
|
||||
|
||||
define(`selinux_run_init_use_file_descriptors_depend',`
|
||||
type run_init_t;
|
||||
class fd use;
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# selinux_setfiles_transition(domain)
|
||||
|
@ -70,6 +70,12 @@ kernel_make_object_identity_change_constraint_exception(restorecon_t)
|
||||
init_make_system_domain(restorecon_t,restorecon_exec_t)
|
||||
role system_r types restorecon_t;
|
||||
|
||||
type run_init_t;
|
||||
domain_make_domain(run_init_t)
|
||||
|
||||
type run_init_exec_t;
|
||||
domain_make_entrypoint_file(run_init_t,run_init_exec_t)
|
||||
|
||||
#
|
||||
# selinux_config_t is the type applied to
|
||||
# /etc/selinux/config
|
||||
@ -353,6 +359,84 @@ allow restorecon_t device_t:file { read write };
|
||||
allow restorecon_t kernel_t:fifo_file { read write };
|
||||
') dnl endif TODO
|
||||
|
||||
#################################
|
||||
#
|
||||
# Run_init local policy
|
||||
#
|
||||
|
||||
kernel_get_selinuxfs_mount_point(run_init_t)
|
||||
kernel_validate_selinux_context(run_init_t)
|
||||
kernel_compute_selinux_access_vector(run_init_t)
|
||||
kernel_compute_selinux_create_context(run_init_t)
|
||||
kernel_compute_selinux_relabel_context(run_init_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(run_init_t)
|
||||
|
||||
tunable_policy(`targeted_policy',`
|
||||
# targeted/unconfined stuff
|
||||
',`
|
||||
|
||||
allow run_init_t self:process setexec;
|
||||
allow run_init_t self:capability setuid;
|
||||
|
||||
allow run_init_t self:fifo_file { getattr read write };
|
||||
|
||||
# often the administrator runs such programs from a directory that is owned
|
||||
# by a different user or has restrictive SE permissions, do not want to audit
|
||||
# the failed access to the current directory
|
||||
dontaudit run_init_t self:capability { dac_override dac_read_search };
|
||||
|
||||
filesystem_get_persistent_filesystem_attributes(run_init_t)
|
||||
|
||||
devices_ignore_list_device_nodes(run_init_t)
|
||||
|
||||
terminal_ignore_list_pseudoterminals(run_init_t)
|
||||
|
||||
authlogin_ignore_read_shadow_passwords(run_init_t)
|
||||
|
||||
corecommands_execute_general_programs(run_init_t)
|
||||
corecommands_execute_shell(run_init_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(run_init_t)
|
||||
|
||||
files_read_general_system_config(run_init_t)
|
||||
files_ignore_search_all_directories(run_init_t)
|
||||
|
||||
init_script_transition(run_init_t)
|
||||
# for utmp
|
||||
init_script_modify_runtime_data(run_init_t)
|
||||
|
||||
libraries_use_dynamic_loader(run_init_t)
|
||||
libraries_use_shared_libraries(run_init_t)
|
||||
|
||||
selinux_read_config(run_init_t)
|
||||
selinux_read_default_contexts(run_init_t)
|
||||
|
||||
miscfiles_read_localization(run_init_t)
|
||||
|
||||
logging_send_system_log_message(run_init_t)
|
||||
') dnl end ifdef targeted policy
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
tunable_policy(`targeted_policy', `
|
||||
domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
|
||||
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
|
||||
allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
|
||||
domain_trans(initrc_t, shell_exec_t, unconfined_t)
|
||||
', `
|
||||
domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t)
|
||||
role sysadm_r types run_init_t;
|
||||
domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)
|
||||
allow run_init_t admin_tty_type:chr_file rw_file_perms;
|
||||
') dnl endif targeted policy
|
||||
|
||||
tunable_policy(`distro_gentoo', `
|
||||
# Gentoo integrated run_init+open_init_pty-runscript:
|
||||
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
|
||||
domain_make_entrypoint_file(run_init_t,initrc_exec_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# Setfiles local policy
|
||||
|
@ -257,14 +257,13 @@ filesystem_get_persistent_filesystem_attributes(ifconfig_t)
|
||||
terminal_ignore_use_all_private_physical_terminals(ifconfig_t)
|
||||
terminal_ignore_use_all_private_pseudoterminals(ifconfig_t)
|
||||
|
||||
init_use_file_descriptors(ifconfig_t)
|
||||
init_script_use_pseudoterminal(ifconfig_t)
|
||||
init_run_init_use_file_descriptors(ifconfig_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(ifconfig_t)
|
||||
|
||||
files_ignore_read_rootfs_file(ifconfig_t)
|
||||
|
||||
init_use_file_descriptors(ifconfig_t)
|
||||
init_script_use_pseudoterminal(ifconfig_t)
|
||||
|
||||
libraries_use_dynamic_loader(ifconfig_t)
|
||||
libraries_use_shared_libraries(ifconfig_t)
|
||||
|
||||
@ -272,6 +271,8 @@ logging_send_system_log_message(ifconfig_t)
|
||||
|
||||
miscfiles_read_localization(ifconfig_t)
|
||||
|
||||
selinux_run_init_use_file_descriptors(ifconfig_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
can_ypbind(ifconfig_t)
|
||||
|