## <summary>System initialization programs (init and init scripts).</summary>

########################################
## <summary>
## Create a domain which can be started by init.
## </summary>
## <param name="domain">
## <summary>
## Type to be used as a domain.
## </summary>
## </param>
## <param name="entrypoint">
## <summary>
## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
#
interface(`init_domain',`
	gen_require(`
		class fd use;
		class fifo_file rw_file_perms;
		class process sigchld;
		role system_r;
		type init_t;
	')

	# $1 becomes a domain, $2 its entry point, and the system role
	# may run it.
	domain_type($1)
	domain_entry_file($1,$2)
	role system_r types $1;

	# init executes the entry point and lands in the new domain.
	domain_auto_trans(init_t,$2,$1)

	# Descriptors are shared in both directions; the child may also
	# use pipes owned by init and send init SIGCHLD.
	allow init_t $1:fd use;
	allow $1 init_t:fd use;
	allow $1 init_t:fifo_file rw_file_perms;
	allow $1 init_t:process sigchld;

	# Red Hat systems seem to have stray fds open from the initrd.
	# When hide_broken_symptoms is set, silence those denials rather
	# than granting the access.
	ifdef(`hide_broken_symptoms',`
		ifdef(`distro_redhat',`
			kernel_dontaudit_use_fd($1)
			storage_dontaudit_read_fixed_disk($1)
			files_dontaudit_read_root_file($1)
		')
	')
')

########################################
## <summary>
## Create a domain for long running processes
## (daemons) which can be started by init scripts.
## </summary>
## <param name="domain">
## <summary>
## Type to be used as a domain.
## </summary>
## </param>
## <param name="entrypoint">
## <summary>
## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
#
interface(`init_daemon_domain',`
	gen_require(`
		attribute direct_run_init, direct_init, direct_init_entry;
		type initrc_t;
		role system_r;
	')

	domain_type($1)
	domain_entry_file($1,$2)

	role system_r types $1;

	# direct_sysadm_daemon: roles carrying direct_run_init may start
	# this daemon themselves instead of going through run_init.
	ifdef(`direct_sysadm_daemon',`
		domain_auto_trans(direct_run_init,$2,$1)

		allow direct_run_init $1:fd use;
		allow direct_run_init $1:process { noatsecure siginh rlimitinh };
		allow $1 direct_run_init:fd use;
		allow $1 direct_run_init:fifo_file rw_file_perms;
		allow $1 direct_run_init:process sigchld;

		# Tag the domain and its entry point so that init_run_daemon
		# can address them through the attributes.
		typeattribute $1 direct_init;
		typeattribute $2 direct_init_entry;
	')

	ifdef(`hide_broken_symptoms',`
		# Red Hat systems seem to have stray
		# fds open from the initrd
		ifdef(`distro_redhat',`
			kernel_dontaudit_use_fd($1)
			storage_dontaudit_read_fixed_disk($1)
			files_dontaudit_read_root_file($1)
		')
	')

	ifdef(`targeted_policy',`
		# Derive the <name>_disable_trans boolean name from the domain.
		# this regex is a hack, since it assumes there is a
		# _t at the end of the domain type.  If there is no _t
		# at the end of the type, it returns empty!
		# The __define_ marker declares the bool only once, even when
		# this interface is called several times for the same domain.
		ifdef(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',`
			bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
			define(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'))
		')

		if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
			# Boolean on: no domain transition, the program keeps
			# running in the init script domain (initrc_t or
			# direct_run_init) and is not confined by its own policy.
			can_exec(initrc_t,$2)
			can_exec(direct_run_init,$2)
		} else {
			domain_auto_trans(initrc_t,$2,$1)

			allow initrc_t $1:fd use;
			allow $1 initrc_t:fd use;
			allow $1 initrc_t:fifo_file rw_file_perms;
			allow $1 initrc_t:process sigchld;
			allow initrc_t $1:process { noatsecure siginh rlimitinh };

			# make sediff happy
			allow $1 $2:file { rx_file_perms entrypoint };
		}
	',`
		domain_auto_trans(initrc_t,$2,$1)

		allow initrc_t $1:fd use;
		allow $1 initrc_t:fd use;
		allow $1 initrc_t:fifo_file rw_file_perms;
		allow $1 initrc_t:process sigchld;
		# Unlike the targeted branch this does not grant the
		# inheritance permissions, it only silences the denials.
		dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };

		# make sediff happy
		allow $1 $2:file { rx_file_perms entrypoint };
	')

	optional_policy(`nscd',`
		nscd_use_socket($1)
	')
')

########################################
## <summary>
## Create a domain for short
## running processes
## which can be started by init scripts.
## </summary>
## <param name="domain">
## <summary>
## Type to be used as a domain.
## </summary>
## </param>
## <param name="entrypoint">
## <summary>
## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
#
interface(`init_system_domain',`
	gen_require(`
		class fd use;
		class fifo_file rw_file_perms;
		class process sigchld;
		role system_r;
		type initrc_t;
	')

	domain_type($1)
	domain_entry_file($1,$2)
	role system_r types $1;

	# Started from an init script: the script domain transitions
	# into $1 when it executes $2.
	domain_auto_trans(initrc_t,$2,$1)

	allow initrc_t $1:fd use;
	allow $1 initrc_t:fd use;
	allow $1 initrc_t:fifo_file rw_file_perms;
	allow $1 initrc_t:process sigchld;

	# Red Hat systems seem to have stray fds open from the initrd.
	# When hide_broken_symptoms is set, silence those denials.
	ifdef(`hide_broken_symptoms',`
		ifdef(`distro_redhat',`
			kernel_dontaudit_use_fd($1)
			storage_dontaudit_read_fixed_disk($1)
			files_dontaudit_read_root_file($1)
		')
	')
')

########################################
## <summary>
## Execute init with a domain transition to init_t.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_domtrans',`
	gen_require(`
		class fd use;
		class fifo_file rw_file_perms;
		class process sigchld;
		type init_t, init_exec_t;
	')

	domain_auto_trans($1,init_exec_t,init_t)

	# Descriptors are shared in both directions; init may use pipes
	# owned by the caller and send the caller SIGCHLD.
	allow $1 init_t:fd use;
	allow init_t $1:fd use;
	allow init_t $1:fifo_file rw_file_perms;
	allow init_t $1:process sigchld;
')

########################################
## <summary>
## Execute the init program in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_exec',`
	gen_require(`
		type init_exec_t;
	')

	# No domain transition: init runs with the privileges of $1.
	corecmd_search_sbin($1)
	can_exec($1,init_exec_t)
')

########################################
## <summary>
## Get the process group of init.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_get_process_group',`
	gen_require(`
		class process getpgid;
		type init_t;
	')

	allow $1 init_t:process getpgid;
')

########################################
## <summary>
## Get the attributes of the init control fifo.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_getattr_initctl',`
	gen_require(`
		class fifo_file getattr;
		type initctl_t;
	')

	allow $1 initctl_t:fifo_file getattr;
')

########################################
## <summary>
## Do not audit attempts to get the attributes
## of the init control fifo.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_dontaudit_getattr_initctl',`
	gen_require(`
		class fifo_file getattr;
		type initctl_t;
	')

	dontaudit $1 initctl_t:fifo_file getattr;
')

########################################
## <summary>
## Write to the init control fifo.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_write_initctl',`
	gen_require(`
		class fifo_file write;
		type initctl_t;
	')

	# NOTE(review): initctl_t is presumably the fifo through which
	# init accepts commands, so writers can influence init itself;
	# grant this only to domains that genuinely control init.
	dev_list_all_dev_nodes($1)
	allow $1 initctl_t:fifo_file write;
')

########################################
## <summary>
## Read and write the init control fifo.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_use_initctl',`
	gen_require(`
		class fifo_file rw_file_perms;
		type initctl_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 initctl_t:fifo_file rw_file_perms;
')

########################################
## <summary>
## Do not audit attempts to read and write
## the init control fifo.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_dontaudit_use_initctl',`
	gen_require(`
		class fifo_file { read write };
		type initctl_t;
	')

	dontaudit $1 initctl_t:fifo_file { read write };
')

########################################
## <summary>
## Send init a null signal.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_signull',`
	gen_require(`
		class process signull;
		type init_t;
	')

	allow $1 init_t:process signull;
')

########################################
## <summary>
## Send init a SIGCHLD signal.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_sigchld',`
	gen_require(`
		class process sigchld;
		type init_t;
	')

	allow $1 init_t:process sigchld;
')

########################################
## <summary>
## Inherit and use file descriptors from init.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_use_fd',`
	gen_require(`
		class fd use;
		type init_t;
	')

	allow $1 init_t:fd use;
')

########################################
## <summary>
## Do not audit attempts to inherit and use
## file descriptors from init.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_dontaudit_use_fd',`
	gen_require(`
		class fd use;
		type init_t;
	')

	dontaudit $1 init_t:fd use;
')

########################################
## <summary>
## Send UDP network traffic to init.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_udp_sendto',`
	gen_require(`
		class udp_socket { sendto recvfrom };
		type init_t;
	')

	# Both halves are needed: the sender side and the matching
	# recvfrom on the init side.
	allow $1 init_t:udp_socket sendto;
	allow init_t $1:udp_socket recvfrom;
')

########################################
## <summary>
## Execute init scripts with a domain transition to initrc_t.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_domtrans_script',`
	gen_require(`
		class fd use;
		class fifo_file rw_file_perms;
		class process sigchld;
		type initrc_t, initrc_exec_t;
	')

	# Scripts live under /etc, so the caller must be able to list it.
	files_list_etc($1)
	domain_auto_trans($1,initrc_exec_t,initrc_t)

	allow $1 initrc_t:fd use;
	allow initrc_t $1:fd use;
	allow initrc_t $1:fifo_file rw_file_perms;
	allow initrc_t $1:process sigchld;
')

########################################
## <summary>
## Start and stop daemon programs directly.
## </summary>
## <desc>
## <p>
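## Start and stop daemon programs directly
## in the traditional "/etc/init.d/daemon start"
## style, and do not require run_init.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be performing this action.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal of the user.
## </summary>
## </param>
#
interface(`init_run_daemon',`
	gen_require(`
		attribute direct_run_init, direct_init, direct_init_entry;
		role system_r;
		class chr_file rw_file_perms;
	')

	# $1 joins the set of domains that may start daemons without
	# run_init; this bypasses the run_init checks for every daemon
	# that was declared with init_daemon_domain.
	typeattribute $1 direct_run_init;

	# Executing a daemon entry point from role $2 switches the role
	# to system_r, so the daemon does not stay under the user role.
	role_transition $2 direct_init_entry system_r;

	# Daemons started this way are not given the user terminal;
	# only the resulting denials are silenced.
	dontaudit direct_init $3:chr_file rw_file_perms;
')

########################################
## <summary>
## Write an init script unnamed pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_write_script_pipe',`
	gen_require(`
		type initrc_t;
		class fifo_file write;
	')

	allow $1 initrc_t:fifo_file write;
')

########################################
## <summary>
## Allow the specified domain to connect to
## init scripts with a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_unix_connect_script',`
	gen_require(`
		type initrc_t;
		class unix_stream_socket connectto;
	')

	allow $1 initrc_t:unix_stream_socket connectto;
')

########################################
## <summary>
## Do not audit the specified domain connecting to
## init scripts with a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_dontaudit_unix_connect_script',`
	gen_require(`
		type initrc_t;
		class unix_stream_socket connectto;
	')

	dontaudit $1 initrc_t:unix_stream_socket connectto;
')

########################################
## <summary>
## Read init scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_script',`
	gen_require(`
		type initrc_exec_t;
		class file { getattr read };
	')

	files_list_etc($1)
	allow $1 initrc_exec_t:file { getattr read };
')

########################################
## <summary>
## Execute init scripts in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_exec_script',`
	gen_require(`
		type initrc_exec_t;
	')

	# No transition to initrc_t: the script runs with the
	# privileges of $1.
	files_list_etc($1)
	can_exec($1,initrc_exec_t)
')

########################################
## <summary>
## Read the process state (/proc/pid) of the init scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.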
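## </summary>
## </param>
#
interface(`init_read_script_process_state',`
	gen_require(`
		type initrc_t;
		class dir r_dir_perms;
		class file r_file_perms;
		class lnk_file r_file_perms;
		class process { getattr ptrace };
	')

	#FIXME: search proc dir
	allow $1 initrc_t:dir r_dir_perms;
	allow $1 initrc_t:{ file lnk_file } r_file_perms;
	allow $1 initrc_t:process getattr;

	# We need to suppress this denial because procps tries to access
	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
	# (2.4 and 2.6). Might want to change procps to not do this, or only if
	# running in a privileged domain.
	dontaudit $1 initrc_t:process ptrace;
')

########################################
## <summary>
## Inherit and use file descriptors from init scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_use_script_fd',`
	gen_require(`
		type initrc_t;
		class fd use;
	')

	allow $1 initrc_t:fd use;
')

########################################
## <summary>
## Do not audit attempts to inherit and use
## file descriptors from init scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_dontaudit_use_script_fd',`
	gen_require(`
		type initrc_t;
		class fd use;
	')

	dontaudit $1 initrc_t:fd use;
')

########################################
## <summary>
## Get the process group of init scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_get_script_process_group',`
	gen_require(`
		type initrc_t;
		class process getpgid;
	')

	allow $1 initrc_t:process getpgid;
')

########################################
## <summary>
## Send SIGCHLD signals to init scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_sigchld_script',`
	gen_require(`
		type initrc_t;
		class process sigchld;
	')

	allow $1 initrc_t:process sigchld;
')

########################################
## <summary>
## Send generic signals to init scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_signal_script',`
	gen_require(`
		type initrc_t;
		class process signal;
	')

	allow $1 initrc_t:process signal;
')

########################################
## <summary>
## Send null signals to init scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_signull_script',`
	gen_require(`
		type initrc_t;
		class process signull;
	')

	allow $1 initrc_t:process signull;
')

########################################
## <summary>
## Read and write init script unnamed pipes.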
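## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_rw_script_pipe',`
	gen_require(`
		type initrc_t;
		# The rule below is on fifo_file, so that is the class this
		# interface requires (it previously asked for chr_file).
		class fifo_file { read write };
	')

	allow $1 initrc_t:fifo_file { read write };
')

########################################
## <summary>
## Send UDP network traffic to init scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_udp_sendto_script',`
	gen_require(`
		type initrc_t;
		class udp_socket { sendto recvfrom };
	')

	# Both halves are needed: the sender side and the matching
	# recvfrom on the init script side.
	allow $1 initrc_t:udp_socket sendto;
	allow initrc_t $1:udp_socket recvfrom;
')

# NOTE(review): a second, identical definition of init_unix_connect_script
# used to follow here; it is defined once, earlier in this file, and m4
# would silently take the last definition, so the duplicate was dropped.

########################################
## <summary>
## Read and write the init script pty.
## </summary>
## <desc>
## <p>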
## Read and write the init script pty.  This
## pty is generally opened by the open_init_pty
## portion of the run_init program so that the
## daemon does not require direct access to
## the administrator terminal.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_use_script_pty',`
	gen_require(`
		type initrc_devpts_t;
	')

	term_list_ptys($1)
	allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
')

########################################
## <summary>
## Do not audit attempts to read and
## write the init script pty.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_dontaudit_use_script_pty',`
	gen_require(`
		type initrc_devpts_t;
	')

	dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
')

########################################
## <summary>
## Read init scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_script_file',`
	gen_require(`
		class file r_file_perms;
		type initrc_exec_t;
	')

	# NOTE(review): init_read_script elsewhere in this file grants a
	# similar but narrower read; callers should pick one deliberately.
	files_search_etc($1)
	allow $1 initrc_exec_t:file r_file_perms;
')

########################################
## <summary>
## Read and write init script temporary data.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_rw_script_tmp_files',`
	gen_require(`
		type initrc_tmp_t;
	')

	files_search_tmp($1)
	allow $1 initrc_tmp_t:file rw_file_perms;
')

########################################
## <summary>
## Create files in a init script
## temporary data directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="private type">
## <summary>
## The type of the object to be created
## </summary>
## </param>
## <param name="class">
## <summary>
## The object class.  If not specified, file is used.
## </summary>
## </param>
#
interface(`init_create_script_tmp',`
	gen_require(`
		type initrc_tmp_t;
	')

	files_search_tmp($1)
	allow $1 initrc_tmp_t:dir rw_dir_perms;

	# New objects of the chosen class get type $2; the class
	# defaults to file when $3 is empty.
	type_transition $1 initrc_tmp_t:ifelse(`$3',`',`file',`$3') $2;
')

########################################
## <summary>
## Get the attributes of init script process id files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_getattr_script_pids',`
	gen_require(`
		class file getattr;
		type initrc_var_run_t;
	')

	allow $1 initrc_var_run_t:file getattr;
')

########################################
## <summary>
## List the contents of an init script
## process id directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
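## </summary>
## </param>
#
interface(`init_list_script_pids',`
	gen_require(`
		type initrc_var_run_t;
		class dir r_dir_perms;
	')

	files_search_pids($1)
	allow $1 initrc_var_run_t:dir r_dir_perms;
')

########################################
## <summary>
## Read init script process id files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_script_pid',`
	gen_require(`
		type initrc_var_run_t;
		class file r_file_perms;
	')

	files_list_pids($1)
	allow $1 initrc_var_run_t:file r_file_perms;
')

########################################
## <summary>
## Do not audit attempts to write init script
## process id files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_dontaudit_write_script_pid',`
	gen_require(`
		type initrc_var_run_t;
		class file { write lock };
	')

	dontaudit $1 initrc_var_run_t:file { write lock };
')

########################################
## <summary>
## Read and write init script process id files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_rw_script_pid',`
	gen_require(`
		type initrc_var_run_t;
		class file rw_file_perms;
	')

	files_list_pids($1)
	allow $1 initrc_var_run_t:file rw_file_perms;
')

########################################
## <summary>
## Do not audit attempts to read and write
## init script process id files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_dontaudit_rw_script_pid',`
	gen_require(`
		type initrc_var_run_t;
		# Require exactly the permissions the rule below uses, as the
		# sibling init_dontaudit_write_script_pid does.
		class file { getattr read write append };
	')

	dontaudit $1 initrc_var_run_t:file { getattr read write append };
')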