#DESC Init - Process initialization # # Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser # X-Debian-Packages: sysvinit # ################################# # # Rules for the init_t domain. # # init_t is the domain of the init process. # init_exec_t is the type of the init program. # initctl_t is the type of the named pipe created # by init during initialization. This pipe is used # to communicate with init. # type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite, mlsprocwrite; role system_r types init_t; uses_shlib(init_t); type init_exec_t, file_type, sysadmfile, exec_type; type initctl_t, file_type, sysadmfile, dev_fs, mlstrustedobject; # for init to determine whether SE Linux is active so it can know whether to # activate it allow init_t security_t:dir search; allow init_t security_t:file { getattr read }; # for mount points allow init_t file_t:dir search; # Use capabilities. allow init_t self:capability ~sys_module; # Run /etc/rc.sysinit, /etc/rc, /etc/rc.local in the initrc_t domain. domain_auto_trans(init_t, initrc_exec_t, initrc_t) # Run the shell in the sysadm_t domain for single-user mode. domain_auto_trans(init_t, shell_exec_t, sysadm_t) # Run /sbin/update in the init_t domain. can_exec(init_t, sbin_t) # Run init. can_exec(init_t, init_exec_t) # Run chroot from initrd scripts. ifdef(`chroot.te', ` can_exec(init_t, chroot_exec_t) ') # Create /dev/initctl. file_type_auto_trans(init_t, device_t, initctl_t, fifo_file) ifdef(`distro_redhat', ` file_type_auto_trans(init_t, tmpfs_t, initctl_t, fifo_file) ') # Create ioctl.save. file_type_auto_trans(init_t, etc_t, etc_runtime_t, file) # Update /etc/ld.so.cache allow init_t ld_so_cache_t:file rw_file_perms; # Allow access to log files allow init_t var_t:dir search; allow init_t var_log_t:dir search; allow init_t var_log_t:file rw_file_perms; read_locale(init_t) # Create unix sockets allow init_t self:unix_dgram_socket create_socket_perms; allow init_t self:unix_stream_socket create_socket_perms; allow init_t self:fifo_file rw_file_perms; # Permissions required for system startup allow init_t { bin_t sbin_t }:dir r_dir_perms; allow init_t { bin_t sbin_t }:{ file lnk_file } { read getattr lock ioctl }; # allow init to fork allow init_t self:process { fork sigchld }; # Modify utmp. allow init_t var_run_t:file rw_file_perms; allow init_t initrc_var_run_t:file { setattr rw_file_perms }; can_unix_connect(init_t, initrc_t) # For /var/run/shutdown.pid. var_run_domain(init) # Shutdown permissions r_dir_file(init_t, proc_t) r_dir_file(init_t, self) allow init_t devpts_t:dir r_dir_perms; # Modify wtmp. allow init_t wtmp_t:file rw_file_perms; # Kill all processes. allow init_t domain:process signal_perms; # Allow all processes to send SIGCHLD to init. allow domain init_t:process { sigchld signull }; # If you load a new policy that removes active domains, processes can # get stuck if you do not allow unlabeled processes to signal init # If you load an incompatible policy, you should probably reboot, # since you may have compromised system security. allow unlabeled_t init_t:process sigchld; # for loading policy allow init_t policy_config_t:file r_file_perms; # Set booleans. can_setbool(init_t) # Read and write the console and ttys. allow init_t { tty_device_t console_device_t } :chr_file rw_file_perms; ifdef(`distro_redhat', ` allow init_t tmpfs_t:chr_file rw_file_perms; ') allow init_t ttyfile:chr_file rw_file_perms; allow init_t ptyfile:chr_file rw_file_perms; # Run system executables. can_exec(init_t,bin_t) ifdef(`consoletype.te', ` can_exec(init_t, consoletype_exec_t) ') # Run /etc/X11/prefdm. can_exec(init_t,etc_t) allow init_t lib_t:file { getattr read }; allow init_t devtty_t:chr_file { read write }; allow init_t ramfs_t:dir search; allow init_t ramfs_t:sock_file write; r_dir_file(init_t, sysfs_t) r_dir_file(init_t, selinux_config_t) # file descriptors inherited from the rootfs. dontaudit init_t root_t:{ file chr_file } { read write }; ifdef(`targeted_policy', ` unconfined_domain(init_t) ')