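## <summary>System initialization programs (init and init scripts).</summary>

########################################
## <summary>
##	Create a domain that init enters automatically when it
##	executes the given entry point file.
## </summary>
## <param name="domain">
##	Type to be used as the new domain.
## </param>
## <param name="entrypointfile">
##	Type of the executable that is the entry point for the domain.
## </param>
#
interface(`init_domain',`
	gen_require(`
		type init_t;
		role system_r;
		class fd use;
		class fifo_file rw_file_perms;
		class process sigchld;
	')

	domain_type($1)
	domain_entry_file($1,$2)

	role system_r types $1;

	# Anything init_t executes that carries the entry point label
	# lands in the new domain, so keep that label narrow.
	domain_auto_trans(init_t,$2,$1)
	allow $1 init_t:fd use;
	allow init_t $1:fd use;
	allow $1 init_t:fifo_file rw_file_perms;
	allow $1 init_t:process sigchld;

	# Red Hat systems seem to have a stray
	# fd open from the initrd
	# NOTE(review): judging by their names these two calls only
	# silence audit records and grant no access - confirm in the
	# kernel and files modules.
	optional_policy(`distro_redhat',`
		kernel_dontaudit_use_fd($1)
		files_dontaudit_read_root_file($1)
	')
')

########################################
## <summary>
##	Create a domain for a daemon that the init scripts enter
##	automatically when they execute the given entry point file.
##	The rules are the same as those of init_system_domain in
##	this file.
## </summary>
## <param name="domain">
##	Type to be used as the new domain.
## </param>
## <param name="entrypointfile">
##	Type of the executable that is the entry point for the domain.
## </param>
#
interface(`init_daemon_domain',`
	gen_require(`
		type initrc_t;
		role system_r;
		class fifo_file rw_file_perms;
		class fd use;
		class process sigchld;
	')

	domain_type($1)
	domain_entry_file($1,$2)

	role system_r types $1;

	# The transition source is the init script domain (initrc_t),
	# not init itself.
	domain_auto_trans(initrc_t,$2,$1)
	allow initrc_t $1:fd use;
	allow $1 initrc_t:fd use;
	allow $1 initrc_t:fifo_file rw_file_perms;
	allow $1 initrc_t:process sigchld;

	# Red Hat systems seem to have a stray
	# fd open from the initrd
	optional_policy(`distro_redhat',`
		kernel_dontaudit_use_fd($1)
		files_dontaudit_read_root_file($1)
	')
')

########################################
## <summary>
##	Create a domain for a short running system program that the
##	init scripts enter automatically when they execute the given
##	entry point file. The rules are the same as those of
##	init_daemon_domain in this file.
## </summary>
## <param name="domain">
##	Type to be used as the new domain.
## </param>
## <param name="entrypointfile">
##	Type of the executable that is the entry point for the domain.
## </param>
#
interface(`init_system_domain',`
	gen_require(`
		type initrc_t;
		role system_r;
		class fd use;
		class fifo_file rw_file_perms;
		class process sigchld;
	')

	domain_type($1)
	domain_entry_file($1,$2)

	role system_r types $1;

	domain_auto_trans(initrc_t,$2,$1)
	allow initrc_t $1:fd use;
	allow $1 initrc_t:fd use;
	allow $1 initrc_t:fifo_file rw_file_perms;
	allow $1 initrc_t:process sigchld;

	# Red Hat systems seem to have a stray
	# fd open from the initrd
	optional_policy(`distro_redhat',`
		kernel_dontaudit_use_fd($1)
		files_dontaudit_read_root_file($1)
	')
')

########################################
## <summary>
##	Execute init (init_exec_t) with an automatic transition
##	into the init domain (init_t).
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`init_domtrans',`
	gen_require(`
		type init_t, init_exec_t;
		class process sigchld;
		class fd use;
		class fifo_file rw_file_perms;
	')

	domain_auto_trans($1,init_exec_t,init_t)
	allow $1 init_t:fd use;
	allow init_t $1:fd use;
	allow init_t $1:fifo_file rw_file_perms;
	allow init_t $1:process sigchld;
')

########################################
## <summary>
##	Get the process group of init.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`init_get_process_group',`
	gen_require(`
		type init_t;
		class process getpgid;
	')

	allow $1 init_t:process getpgid;
')

########################################
## <summary>
##	Get the attributes of the initctl named pipe.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`init_getattr_initctl',`
	gen_require(`
		type initctl_t;
		class fifo_file getattr;
	')

	allow $1 initctl_t:fifo_file getattr;
')

########################################
## <summary>
##	Do not audit attempts to get the attributes of the
##	initctl named pipe. The access stays denied; only the
##	audit record is suppressed.
## </summary>
## <param name="domain">
##	The type of the process whose denials are not audited.
## </param>
#
interface(`init_dontaudit_getattr_initctl',`
	gen_require(`
		type initctl_t;
		class fifo_file getattr;
	')

	dontaudit $1 initctl_t:fifo_file getattr;
')

########################################
## <summary>
##	Write to the initctl named pipe.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`init_write_initctl',`
	gen_require(`
		type initctl_t;
		class fifo_file write;
	')

	# NOTE(review): initctl is presumably the control pipe that
	# init reads requests from, so write access should be limited
	# to domains that really need to send such requests - confirm
	# against the init module.
	dev_list_all_dev_nodes($1)
	allow $1 initctl_t:fifo_file write;
')

########################################
## <summary>
##	Read and write the initctl named pipe.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`init_use_initctl',`
	gen_require(`
		type initctl_t;
		class fifo_file rw_file_perms;
	')

	# Broader than init_write_initctl: the full rw_file_perms set
	# is granted on the pipe.
	dev_list_all_dev_nodes($1)
	allow $1 initctl_t:fifo_file rw_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to read or write the initctl
##	named pipe.
## </summary>
## <param name="domain">
##	The type of the process whose denials are not audited.
## </param>
#
interface(`init_dontaudit_use_initctl',`
	gen_require(`
		type initctl_t;
		class fifo_file { read write };
	')

	dontaudit $1 initctl_t:fifo_file { read write };
')

########################################
## <summary>
##	Send init a SIGCHLD signal.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`init_sigchld',`
	gen_require(`
		type init_t;
		class process sigchld;
	')

	allow $1 init_t:process sigchld;
')

########################################
## <summary>
##	Use file descriptors that belong to init.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`init_use_fd',`
	gen_require(`
		type init_t;
		class fd use;
	')

	allow $1 init_t:fd use;
')

########################################
## <summary>
##	Do not audit attempts to use file descriptors that
##	belong to init.
## </summary>
## <param name="domain">
##	The type of the process whose denials are not audited.
## </param>
#
interface(`init_dontaudit_use_fd',`
	gen_require(`
		type init_t;
		class fd use;
	')

	dontaudit $1 init_t:fd use;
')

########################################
## <summary>
##	Execute init scripts (initrc_exec_t) with an automatic
##	transition into the init script domain (initrc_t).
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`init_domtrans_script',`
	gen_require(`
		type initrc_t, initrc_exec_t;
		class process sigchld;
		class fd use;
		class fifo_file rw_file_perms;
	')

	files_list_etc($1)

	# The caller ends up running code as initrc_t, the domain that
	# starts daemons through init_daemon_domain and
	# init_system_domain; hand this out sparingly.
	domain_auto_trans($1,initrc_exec_t,initrc_t)
	allow $1 initrc_t:fd use;
	allow initrc_t $1:fd use;
	allow initrc_t $1:fifo_file rw_file_perms;
	allow initrc_t $1:process sigchld;
')

########################################
## <summary>
##	Execute init scripts through can_exec, which is presumably
##	execution in the caller domain with no domain transition.
##	No transition rule appears in this interface.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`init_exec_script',`
	gen_require(`
		type initrc_exec_t;
	')

	files_list_etc($1)
	can_exec($1,initrc_exec_t)
')

########################################
## <summary>
##	Read the process state (/proc/pid) of the init scripts.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`init_read_script_process_state',`
	gen_require(`
		type initrc_t;
		class dir r_dir_perms;
		class file r_file_perms;
		class lnk_file r_file_perms;
		class process { getattr ptrace };
	')

	#FIXME: search proc dir
	allow $1 initrc_t:dir r_dir_perms;
	allow $1 initrc_t:{ file lnk_file } r_file_perms;
	allow $1 initrc_t:process getattr;

	# We need to suppress this denial because procps tries to access
	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
	# (2.4 and 2.6). Might want to change procps to not do this, or only if
	# running in a privileged domain.
	#
	# Detection caveat: ptrace is still denied, but with this rule
	# a ptrace attempt by the caller against initrc_t leaves no
	# AVC record in the audit log.
	dontaudit $1 initrc_t:process ptrace;
')

########################################
## <summary>
##	Use file descriptors that belong to the init scripts.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`init_use_script_fd',`
	gen_require(`
		type initrc_t;
		class fd use;
	')

	allow $1 initrc_t:fd use;
')

########################################
## <summary>
##	Do not audit attempts to use file descriptors that
##	belong to the init scripts.
## </summary>
## <param name="domain">
##	The type of the process whose denials are not audited.
## </param>
#
interface(`init_dontaudit_use_script_fd',`
	gen_require(`
		type initrc_t;
		class fd use;
	')

	dontaudit $1 initrc_t:fd use;
')

########################################
## <summary>
##	Get the process group of the init scripts.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`init_get_script_process_group',`
	gen_require(`
		type initrc_t;
		class process getpgid;
	')

	allow $1 initrc_t:process getpgid;
')

########################################
## <summary>
##	Read and write init script unnamed pipes.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`init_rw_script_pipe',`
	gen_require(`
		type initrc_t;
		# The rule below is on fifo_file, so that is the class
		# that has to be required (chr_file was declared before).
		class fifo_file { read write };
	')

	allow $1 initrc_t:fifo_file { read write };
')

########################################
## <summary>
##	Send UDP network traffic to init scripts.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`init_udp_sendto_script',`
	gen_require(`
		type initrc_t;
		class udp_socket { sendto recvfrom };
	')

	# Both halves are needed: the sender side and the receiving
	# init script side.
	allow $1 initrc_t:udp_socket sendto;
	allow initrc_t $1:udp_socket recvfrom;
')

########################################
## <summary>
##	Read and write the init script pty (initrc_devpts_t).
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`init_use_script_pty',`
	gen_require(`
		type initrc_devpts_t;
		class chr_file rw_term_perms;
	')

	term_list_ptys($1)
	allow $1 initrc_devpts_t:chr_file rw_term_perms;
')

########################################
## <summary>
##	Do not audit attempts to read, write or ioctl the
##	init script pty (initrc_devpts_t).
## </summary>
## <param name="domain">
##	The type of the process whose denials are not audited.
## </param>
#
interface(`init_dontaudit_use_script_pty',`
	gen_require(`
		type initrc_devpts_t;
		class chr_file { read write ioctl };
	')

	dontaudit $1 initrc_devpts_t:chr_file { read write ioctl };
')

########################################
## <summary>
##	Read and write init script temporary data.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`init_rw_script_tmp_files',`
	gen_require(`
		# The rule below is on initrc_tmp_t, so that is the type
		# that has to be required (initrc_var_run_t was declared
		# before).
		type initrc_tmp_t;
		class file rw_file_perms;
	')

	# FIXME: read tmp_t dir
	allow $1 initrc_tmp_t:file rw_file_perms;
')

########################################
## <summary>
##	Read init script pid files (initrc_var_run_t).
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`init_read_script_pid',`
	gen_require(`
		type initrc_var_run_t;
		class file r_file_perms;
	')

	files_list_pids($1)
	allow $1 initrc_var_run_t:file r_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to write or lock init script
##	pid files (initrc_var_run_t).
## </summary>
## <param name="domain">
##	The type of the process whose denials are not audited.
## </param>
#
interface(`init_dontaudit_write_script_pid',`
	gen_require(`
		type initrc_var_run_t;
		class file { write lock };
	')

	dontaudit $1 initrc_var_run_t:file { write lock };
')

########################################
## <summary>
##	Read and write init script pid files (initrc_var_run_t).
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`init_rw_script_pid',`
	gen_require(`
		type initrc_var_run_t;
		class file rw_file_perms;
	')

	files_list_pids($1)
	allow $1 initrc_var_run_t:file rw_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to get attributes of, read, write
##	or append to init script pid files (initrc_var_run_t).
## </summary>
## <param name="domain">
##	The type of the process whose denials are not audited.
## </param>
#
interface(`init_dontaudit_rw_script_pid',`
	gen_require(`
		type initrc_var_run_t;
		# Require exactly the permissions named in the rule.
		class file { getattr read write append };
	')

	dontaudit $1 initrc_var_run_t:file { getattr read write append };
')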