move run_init to selinux, as it is part of policycoreutils

This commit is contained in:
Chris PeBenito 2005-05-18 16:03:54 +00:00
parent 914c9f78f0
commit 8623d5b854
10 changed files with 241 additions and 126 deletions

View File

@ -41,7 +41,6 @@ ifdef(`distro_gentoo', `
# #
# /usr # /usr
# #
/usr/sbin/run_init -- system_u:object_r:run_init_exec_t
/usr/sbin/open_init_pty -- system_u:object_r:initrc_exec_t /usr/sbin/open_init_pty -- system_u:object_r:initrc_exec_t
# #

View File

@ -354,35 +354,3 @@ define(`init_script_ignore_modify_runtime_data_depend',`
type initrc_var_run_t; type initrc_var_run_t;
class file { getattr read write append }; class file { getattr read write append };
') ')
########################################
#
# init_run_init_transition(domain)
#
define(`init_run_init_transition',`
requires_block_template(`$0'_depend)
allow $1 run_init_exec_t:file { getattr read execute };
allow $1 run_init_t:process transition;
type_transition $1 run_init_exec_t:file run_init_t;
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
')
define(`init_run_init_transition_depend',`
type run_init_t, run_init_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
')
########################################
#
# init_run_init_use_file_descriptors(domain)
#
define(`init_run_init_use_file_descriptors',`
requires_block_template(`$0'_depend)
allow $1 run_init_t:fd use;
')
define(`init_run_init_use_file_descriptors_depend',`
type run_init_t;
class fd use;
')

View File

@ -58,12 +58,6 @@ files_make_file(initrc_state_t)
type initrc_tmp_t; type initrc_tmp_t;
files_make_temporary_file(initrc_tmp_t) files_make_temporary_file(initrc_tmp_t)
type run_init_t;
domain_make_domain(run_init_t)
type run_init_exec_t;
domain_make_entrypoint_file(run_init_t,run_init_exec_t)
######################################## ########################################
# #
# Init local policy # Init local policy
@ -362,84 +356,3 @@ dontaudit initrc_t mail_spool_t:lnk_file read;
# for lsof which is used by alsa shutdown # for lsof which is used by alsa shutdown
dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr; dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
') dnl end TODO ') dnl end TODO
#################################
#
# Run_init local policy
#
kernel_get_selinuxfs_mount_point(run_init_t)
kernel_validate_selinux_context(run_init_t)
kernel_compute_selinux_access_vector(run_init_t)
kernel_compute_selinux_create_context(run_init_t)
kernel_compute_selinux_relabel_context(run_init_t)
kernel_compute_selinux_reachable_user_contexts(run_init_t)
tunable_policy(`targeted_policy',`
# targeted/unconfined stuff
',`
allow run_init_t initrc_t:process transition;
allow run_init_t initrc_exec_t:file { getattr read execute };
dontaudit run_init_t initrc_t : process { noatsecure siginh rlimitinh };
# for utmp
allow run_init_t initrc_var_run_t:file { getattr read write };
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file { getattr read write };
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
# the failed access to the current directory
dontaudit run_init_t self:capability { dac_override dac_read_search };
files_ignore_search_all_directories(run_init_t)
filesystem_get_persistent_filesystem_attributes(run_init_t)
devices_ignore_list_device_nodes(run_init_t)
terminal_ignore_list_pseudoterminals(run_init_t)
domain_use_widely_inheritable_file_descriptors(run_init_t)
corecommands_execute_general_programs(run_init_t)
corecommands_execute_shell(run_init_t)
files_read_general_system_config(run_init_t)
libraries_use_dynamic_loader(run_init_t)
libraries_use_shared_libraries(run_init_t)
selinux_read_config(run_init_t)
selinux_read_default_contexts(run_init_t)
authlogin_ignore_read_shadow_passwords(run_init_t)
miscfiles_read_localization(run_init_t)
logging_send_system_log_message(run_init_t)
') dnl end ifdef targeted policy
ifdef(`TODO',`
tunable_policy(`targeted_policy', `
domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
domain_trans(initrc_t, shell_exec_t, unconfined_t)
', `
domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t)
role sysadm_r types run_init_t;
domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)
allow run_init_t admin_tty_type:chr_file rw_file_perms;
') dnl endif targeted policy
tunable_policy(`distro_gentoo', `
# Gentoo integrated run_init+open_init_pty-runscript:
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
domain_make_entrypoint_file(run_init_t,initrc_exec_t)
')
') dnl end TODO

View File

@ -33,6 +33,7 @@
/usr/lib(64)?/selinux(/.*)? system_u:object_r:policy_src_t /usr/lib(64)?/selinux(/.*)? system_u:object_r:policy_src_t
/usr/sbin/load_policy -- system_u:object_r:load_policy_exec_t /usr/sbin/load_policy -- system_u:object_r:load_policy_exec_t
/usr/sbin/run_init -- system_u:object_r:run_init_exec_t
/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t /usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t
ifdef(`distro_debian', ` ifdef(`distro_debian', `

View File

@ -80,7 +80,7 @@ class file { getattr read };
####################################### #######################################
# #
# newrole_transition(domain) # selinux_newrole_transition(domain)
# #
define(`selinux_newrole_transition',` define(`selinux_newrole_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -170,6 +170,38 @@ type restorecon_t, restorecon_exec_t;
class file { getattr read execute execute_no_trans }; class file { getattr read execute execute_no_trans };
') ')
########################################
#
# selinux_run_init_transition(domain)
#
define(`selinux_run_init_transition',`
requires_block_template(`$0'_depend)
allow $1 run_init_exec_t:file { getattr read execute };
allow $1 run_init_t:process transition;
type_transition $1 run_init_exec_t:file run_init_t;
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
')
define(`selinux_run_init_transition_depend',`
type run_init_t, run_init_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
')
########################################
#
# selinux_run_init_use_file_descriptors(domain)
#
define(`selinux_run_init_use_file_descriptors',`
requires_block_template(`$0'_depend)
allow $1 run_init_t:fd use;
')
define(`selinux_run_init_use_file_descriptors_depend',`
type run_init_t;
class fd use;
')
####################################### #######################################
# #
# selinux_setfiles_transition(domain) # selinux_setfiles_transition(domain)

View File

@ -70,6 +70,12 @@ kernel_make_object_identity_change_constraint_exception(restorecon_t)
init_make_system_domain(restorecon_t,restorecon_exec_t) init_make_system_domain(restorecon_t,restorecon_exec_t)
role system_r types restorecon_t; role system_r types restorecon_t;
type run_init_t;
domain_make_domain(run_init_t)
type run_init_exec_t;
domain_make_entrypoint_file(run_init_t,run_init_exec_t)
# #
# selinux_config_t is the type applied to # selinux_config_t is the type applied to
# /etc/selinux/config # /etc/selinux/config
@ -353,6 +359,84 @@ allow restorecon_t device_t:file { read write };
allow restorecon_t kernel_t:fifo_file { read write }; allow restorecon_t kernel_t:fifo_file { read write };
') dnl endif TODO ') dnl endif TODO
#################################
#
# Run_init local policy
#
kernel_get_selinuxfs_mount_point(run_init_t)
kernel_validate_selinux_context(run_init_t)
kernel_compute_selinux_access_vector(run_init_t)
kernel_compute_selinux_create_context(run_init_t)
kernel_compute_selinux_relabel_context(run_init_t)
kernel_compute_selinux_reachable_user_contexts(run_init_t)
tunable_policy(`targeted_policy',`
# targeted/unconfined stuff
',`
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file { getattr read write };
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
# the failed access to the current directory
dontaudit run_init_t self:capability { dac_override dac_read_search };
filesystem_get_persistent_filesystem_attributes(run_init_t)
devices_ignore_list_device_nodes(run_init_t)
terminal_ignore_list_pseudoterminals(run_init_t)
authlogin_ignore_read_shadow_passwords(run_init_t)
corecommands_execute_general_programs(run_init_t)
corecommands_execute_shell(run_init_t)
domain_use_widely_inheritable_file_descriptors(run_init_t)
files_read_general_system_config(run_init_t)
files_ignore_search_all_directories(run_init_t)
init_script_transition(run_init_t)
# for utmp
init_script_modify_runtime_data(run_init_t)
libraries_use_dynamic_loader(run_init_t)
libraries_use_shared_libraries(run_init_t)
selinux_read_config(run_init_t)
selinux_read_default_contexts(run_init_t)
miscfiles_read_localization(run_init_t)
logging_send_system_log_message(run_init_t)
') dnl end ifdef targeted policy
ifdef(`TODO',`
tunable_policy(`targeted_policy', `
domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
domain_trans(initrc_t, shell_exec_t, unconfined_t)
', `
domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t)
role sysadm_r types run_init_t;
domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)
allow run_init_t admin_tty_type:chr_file rw_file_perms;
') dnl endif targeted policy
tunable_policy(`distro_gentoo', `
# Gentoo integrated run_init+open_init_pty-runscript:
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
domain_make_entrypoint_file(run_init_t,initrc_exec_t)
')
') dnl end TODO
######################################## ########################################
# #
# Setfiles local policy # Setfiles local policy

View File

@ -33,6 +33,7 @@
/usr/lib(64)?/selinux(/.*)? system_u:object_r:policy_src_t /usr/lib(64)?/selinux(/.*)? system_u:object_r:policy_src_t
/usr/sbin/load_policy -- system_u:object_r:load_policy_exec_t /usr/sbin/load_policy -- system_u:object_r:load_policy_exec_t
/usr/sbin/run_init -- system_u:object_r:run_init_exec_t
/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t /usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t
ifdef(`distro_debian', ` ifdef(`distro_debian', `

View File

@ -80,7 +80,7 @@ class file { getattr read };
####################################### #######################################
# #
# newrole_transition(domain) # selinux_newrole_transition(domain)
# #
define(`selinux_newrole_transition',` define(`selinux_newrole_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -170,6 +170,38 @@ type restorecon_t, restorecon_exec_t;
class file { getattr read execute execute_no_trans }; class file { getattr read execute execute_no_trans };
') ')
########################################
#
# selinux_run_init_transition(domain)
#
define(`selinux_run_init_transition',`
requires_block_template(`$0'_depend)
allow $1 run_init_exec_t:file { getattr read execute };
allow $1 run_init_t:process transition;
type_transition $1 run_init_exec_t:file run_init_t;
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
')
define(`selinux_run_init_transition_depend',`
type run_init_t, run_init_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
')
########################################
#
# selinux_run_init_use_file_descriptors(domain)
#
define(`selinux_run_init_use_file_descriptors',`
requires_block_template(`$0'_depend)
allow $1 run_init_t:fd use;
')
define(`selinux_run_init_use_file_descriptors_depend',`
type run_init_t;
class fd use;
')
####################################### #######################################
# #
# selinux_setfiles_transition(domain) # selinux_setfiles_transition(domain)

View File

@ -70,6 +70,12 @@ kernel_make_object_identity_change_constraint_exception(restorecon_t)
init_make_system_domain(restorecon_t,restorecon_exec_t) init_make_system_domain(restorecon_t,restorecon_exec_t)
role system_r types restorecon_t; role system_r types restorecon_t;
type run_init_t;
domain_make_domain(run_init_t)
type run_init_exec_t;
domain_make_entrypoint_file(run_init_t,run_init_exec_t)
# #
# selinux_config_t is the type applied to # selinux_config_t is the type applied to
# /etc/selinux/config # /etc/selinux/config
@ -353,6 +359,84 @@ allow restorecon_t device_t:file { read write };
allow restorecon_t kernel_t:fifo_file { read write }; allow restorecon_t kernel_t:fifo_file { read write };
') dnl endif TODO ') dnl endif TODO
#################################
#
# Run_init local policy
#
kernel_get_selinuxfs_mount_point(run_init_t)
kernel_validate_selinux_context(run_init_t)
kernel_compute_selinux_access_vector(run_init_t)
kernel_compute_selinux_create_context(run_init_t)
kernel_compute_selinux_relabel_context(run_init_t)
kernel_compute_selinux_reachable_user_contexts(run_init_t)
tunable_policy(`targeted_policy',`
# targeted/unconfined stuff
',`
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file { getattr read write };
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
# the failed access to the current directory
dontaudit run_init_t self:capability { dac_override dac_read_search };
filesystem_get_persistent_filesystem_attributes(run_init_t)
devices_ignore_list_device_nodes(run_init_t)
terminal_ignore_list_pseudoterminals(run_init_t)
authlogin_ignore_read_shadow_passwords(run_init_t)
corecommands_execute_general_programs(run_init_t)
corecommands_execute_shell(run_init_t)
domain_use_widely_inheritable_file_descriptors(run_init_t)
files_read_general_system_config(run_init_t)
files_ignore_search_all_directories(run_init_t)
init_script_transition(run_init_t)
# for utmp
init_script_modify_runtime_data(run_init_t)
libraries_use_dynamic_loader(run_init_t)
libraries_use_shared_libraries(run_init_t)
selinux_read_config(run_init_t)
selinux_read_default_contexts(run_init_t)
miscfiles_read_localization(run_init_t)
logging_send_system_log_message(run_init_t)
') dnl end ifdef targeted policy
ifdef(`TODO',`
tunable_policy(`targeted_policy', `
domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
domain_trans(initrc_t, shell_exec_t, unconfined_t)
', `
domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t)
role sysadm_r types run_init_t;
domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)
allow run_init_t admin_tty_type:chr_file rw_file_perms;
') dnl endif targeted policy
tunable_policy(`distro_gentoo', `
# Gentoo integrated run_init+open_init_pty-runscript:
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
domain_make_entrypoint_file(run_init_t,initrc_exec_t)
')
') dnl end TODO
######################################## ########################################
# #
# Setfiles local policy # Setfiles local policy

View File

@ -257,14 +257,13 @@ filesystem_get_persistent_filesystem_attributes(ifconfig_t)
terminal_ignore_use_all_private_physical_terminals(ifconfig_t) terminal_ignore_use_all_private_physical_terminals(ifconfig_t)
terminal_ignore_use_all_private_pseudoterminals(ifconfig_t) terminal_ignore_use_all_private_pseudoterminals(ifconfig_t)
init_use_file_descriptors(ifconfig_t)
init_script_use_pseudoterminal(ifconfig_t)
init_run_init_use_file_descriptors(ifconfig_t)
domain_use_widely_inheritable_file_descriptors(ifconfig_t) domain_use_widely_inheritable_file_descriptors(ifconfig_t)
files_ignore_read_rootfs_file(ifconfig_t) files_ignore_read_rootfs_file(ifconfig_t)
init_use_file_descriptors(ifconfig_t)
init_script_use_pseudoterminal(ifconfig_t)
libraries_use_dynamic_loader(ifconfig_t) libraries_use_dynamic_loader(ifconfig_t)
libraries_use_shared_libraries(ifconfig_t) libraries_use_shared_libraries(ifconfig_t)
@ -272,6 +271,8 @@ logging_send_system_log_message(ifconfig_t)
miscfiles_read_localization(ifconfig_t) miscfiles_read_localization(ifconfig_t)
selinux_run_init_use_file_descriptors(ifconfig_t)
ifdef(`TODO',` ifdef(`TODO',`
can_ypbind(ifconfig_t) can_ypbind(ifconfig_t)