## System initialization programs (init and init scripts). ######################################## ## ## Create a domain which can be started by init. ## ## ## ## Type to be used as a domain. ## ## ## ## ## Type of the program to be used as an entry point to this domain. ## ## # interface(`init_domain',` gen_require(` type init_t; role system_r; ') domain_type($1) domain_entry_file($1,$2) role system_r types $1; domtrans_pattern(init_t,$2,$1) ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray # fds open from the initrd ifdef(`distro_rhel4',` kernel_dontaudit_use_fds($1) ') ') ') ######################################## ## ## Create a domain which can be started by init, ## with a range transition. ## ## ## ## Type to be used as a domain. ## ## ## ## ## Type of the program to be used as an entry point to this domain. ## ## ## ## ## Range for the domain. ## ## # interface(`init_ranged_domain',` gen_require(` type init_t; ') init_domain($1,$2) ifdef(`enable_mcs',` range_transition init_t $2:process $3; ') ifdef(`enable_mls',` range_transition init_t $2:process $3; ') ') ######################################## ## ## Create a domain for long running processes ## (daemons) which can be started by init scripts. ## ## ## ## Type to be used as a domain. ## ## ## ## ## Type of the program to be used as an entry point to this domain. ## ## # interface(`init_daemon_domain',` gen_require(` attribute direct_run_init, direct_init, direct_init_entry; type initrc_t; role system_r; attribute daemon; ') typeattribute $1 daemon; domain_type($1) domain_entry_file($1,$2) role system_r types $1; ifdef(`direct_sysadm_daemon',` domtrans_pattern(direct_run_init,$2,$1) allow direct_run_init $1:process { noatsecure siginh rlimitinh }; typeattribute $1 direct_init; typeattribute $2 direct_init_entry; ') ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray # fds open from the initrd ifdef(`distro_rhel4',` kernel_dontaudit_use_fds($1) ') ') ifdef(`targeted_policy',` # this regex is a hack, since it assumes there is a # _t at the end of the domain type. If there is no _t # at the end of the type, it returns empty! ifdef(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',` bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false; define(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans')) ') if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) { can_exec(initrc_t,$2) can_exec(direct_run_init,$2) } else { domtrans_pattern(initrc_t,$2,$1) allow initrc_t $1:process { noatsecure siginh rlimitinh }; } ',` domtrans_pattern(initrc_t,$2,$1) ') optional_policy(` nscd_socket_use($1) ') ') ######################################## ## ## Create a domain for long running processes ## (daemons) which can be started by init scripts. ## ## ## ## Type to be used as a domain. ## ## ## ## ## Type of the program to be used as an entry point to this domain. ## ## ## ## ## Range for the domain. ## ## # interface(`init_ranged_daemon_domain',` gen_require(` type initrc_t; ') init_daemon_domain($1,$2) ifdef(`enable_mcs',` range_transition initrc_t $2:process $3; ') ifdef(`enable_mls',` range_transition initrc_t $2:process $3; ') ') ######################################## ## ## Create a domain for short running processes ## which can be started by init scripts. ## ## ## ## Type to be used as a domain. ## ## ## ## ## Type of the program to be used as an entry point to this domain. ## ## # interface(`init_system_domain',` gen_require(` type initrc_t; role system_r; ') domain_type($1) domain_entry_file($1,$2) role system_r types $1; domtrans_pattern(initrc_t,$2,$1) ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray # fds open from the initrd ifdef(`distro_rhel4',` kernel_dontaudit_use_fds($1) ') ') ') ######################################## ## ## Create a domain for short running processes ## which can be started by init scripts. ## ## ## ## Type to be used as a domain. ## ## ## ## ## Type of the program to be used as an entry point to this domain. ## ## ## ## ## Range for the domain. ## ## # interface(`init_ranged_system_domain',` gen_require(` type initrc_t; ') init_system_domain($1,$2) ifdef(`enable_mcs',` range_transition initrc_t $2 $3; ') ifdef(`enable_mls',` range_transition initrc_t $2 $3; ') ') ######################################## ## ## Execute init (/sbin/init) with a domain transition. ## ## ## ## Domain allowed access. ## ## # interface(`init_domtrans',` gen_require(` type init_t, init_exec_t; ') domtrans_pattern($1,init_exec_t,init_t) ') ######################################## ## ## Execute the init program in the caller domain. ## ## ## ## Domain allowed access. ## ## ## # interface(`init_exec',` gen_require(` type init_exec_t; ') corecmd_search_sbin($1) can_exec($1,init_exec_t) ') ######################################## ## ## Get the process group of init. ## ## ## ## Domain allowed access. ## ## # interface(`init_getpgid',` gen_require(` type init_t; # cjp: remove this when init_t decl is moved back to this module attribute direct_run_init; ') allow $1 init_t:process getpgid; ') ######################################## ## ## Send init a null signal. ## ## ## ## Domain allowed access. ## ## # interface(`init_signull',` gen_require(` type init_t; # cjp: remove this when init_t decl is moved back to this module attribute direct_run_init; ') allow $1 init_t:process signull; ') ######################################## ## ## Send init a SIGCHLD signal. ## ## ## ## Domain allowed access. ## ## # interface(`init_sigchld',` gen_require(` type init_t; # cjp: remove this when init_t decl is moved back to this module attribute direct_run_init; ') allow $1 init_t:process sigchld; ') ######################################## ## ## Inherit and use file descriptors from init. ## ## ## ## Domain allowed access. ## ## # interface(`init_use_fds',` gen_require(` type init_t; # cjp: remove this when init_t decl is moved back to this module attribute direct_run_init; ') allow $1 init_t:fd use; ') ######################################## ## ## Do not audit attempts to inherit file ## descriptors from init. ## ## ## ## Domain allowed access. ## ## # interface(`init_dontaudit_use_fds',` gen_require(` type init_t; # cjp: remove this when init_t decl is moved back to this module attribute direct_run_init; ') dontaudit $1 init_t:fd use; ') ######################################## ## ## Send UDP network traffic to init. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`init_udp_send',` refpolicywarn(`$0($*) has been deprecated.') ') ######################################## ## ## Get the attributes of initctl. ## ## ## ## Domain allowed access. ## ## # interface(`init_getattr_initctl',` gen_require(` type initctl_t; ') allow $1 initctl_t:fifo_file getattr; ') ######################################## ## ## Do not audit attempts to get the ## attributes of initctl. ## ## ## ## Domain to not audit. ## ## # interface(`init_dontaudit_getattr_initctl',` gen_require(` type initctl_t; ') dontaudit $1 initctl_t:fifo_file getattr; ') ######################################## ## ## Write to initctl. ## ## ## ## Domain allowed access. ## ## # interface(`init_write_initctl',` gen_require(` type initctl_t; ') dev_list_all_dev_nodes($1) allow $1 initctl_t:fifo_file write; ') ######################################## ## ## Use telinit (Read and write initctl). ## ## ## ## Domain allowed access. ## ## ## # interface(`init_telinit',` gen_require(` type initctl_t; ') dev_list_all_dev_nodes($1) allow $1 initctl_t:fifo_file rw_fifo_file_perms; init_exec($1) ') ######################################## ## ## Read and write initctl. ## ## ## ## Domain allowed access. ## ## # interface(`init_rw_initctl',` gen_require(` type initctl_t; ') dev_list_all_dev_nodes($1) allow $1 initctl_t:fifo_file rw_fifo_file_perms; ') ######################################## ## ## Do not audit attempts to read and ## write initctl. ## ## ## ## Domain allowed access. ## ## # interface(`init_dontaudit_rw_initctl',` gen_require(` type initctl_t; ') dontaudit $1 initctl_t:fifo_file { read write }; ') ######################################## ## ## Make init scripts an entry point for ## the specified domain. ## ## ## ## The domain for which init scripts are an entrypoint. ## ## # cjp: added for gentoo integrated run_init interface(`init_script_file_entry_type',` gen_require(` type initrc_exec_t; ') domain_entry_file($1,initrc_exec_t) ') ######################################## ## ## Execute init scripts with a specified domain transition. ## ## ## ## Domain allowed access. ## ## # interface(`init_spec_domtrans_script',` gen_require(` type initrc_t, initrc_exec_t; ') files_list_etc($1) spec_domtrans_pattern($1,initrc_exec_t,initrc_t) ifdef(`enable_mcs',` range_transition $1 initrc_exec_t:process s0; ') ifdef(`enable_mls',` range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; ') ') ######################################## ## ## Execute init scripts with an automatic domain transition. ## ## ## ## Domain allowed access. ## ## # interface(`init_domtrans_script',` gen_require(` type initrc_t, initrc_exec_t; ') files_list_etc($1) domtrans_pattern($1,initrc_exec_t,initrc_t) ifdef(`enable_mcs',` range_transition $1 initrc_exec_t:process s0; ') ifdef(`enable_mls',` range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; ') ') ######################################## ## ## Execute a init script in a specified domain. ## ## ##

## Execute a init script in a specified domain. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##
## ## ## Domain to transition from. ## ## ## ## ## Domain to transition to. ## ## # cjp: added for gentoo integrated run_init interface(`init_script_file_domtrans',` gen_require(` type initrc_exec_t; ') files_list_etc($1) domain_auto_trans($1,initrc_exec_t,$2) ') ######################################## ## ## Start and stop daemon programs directly. ## ## ##

## Start and stop daemon programs directly ## in the traditional "/etc/init.d/daemon start" ## style, and do not require run_init. ##

##
## ## ## Domain allowed access. ## ## ## ## ## The role to be performing this action. ## ## ## ## ## The type of the terminal of the user. ## ## # interface(`init_run_daemon',` gen_require(` attribute direct_run_init, direct_init, direct_init_entry; role system_r; ') typeattribute $1 direct_run_init; role_transition $2 direct_init_entry system_r; dontaudit direct_init $3:chr_file rw_file_perms; ') ######################################## ## ## Write an init script unnamed pipe. ## ## ## ## Domain allowed access. ## ## # interface(`init_write_script_pipes',` gen_require(` type initrc_t; ') allow $1 initrc_t:fifo_file write; ') ######################################## ## ## Get the attribute of init script entrypoint files. ## ## ## ## Domain allowed access. ## ## # interface(`init_getattr_script_files',` gen_require(` type initrc_exec_t; ') files_list_etc($1) allow $1 initrc_exec_t:file getattr; ') ######################################## ## ## Execute init scripts in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`init_exec_script_files',` gen_require(` type initrc_exec_t; ') files_list_etc($1) can_exec($1,initrc_exec_t) ') ######################################## ## ## Read the process state (/proc/pid) of the init scripts. ## ## ## ## Domain allowed access. ## ## # interface(`init_read_script_state',` gen_require(` type initrc_t; ') kernel_search_proc($1) read_files_pattern($1,initrc_t,initrc_t) read_lnk_files_pattern($1,initrc_t,initrc_t) list_dirs_pattern($1,initrc_t,initrc_t) # should move this to separate interface allow $1 initrc_t:process getattr; ') ######################################## ## ## Inherit and use init script file descriptors. ## ## ## ## Domain allowed access. ## ## # interface(`init_use_script_fds',` gen_require(` type initrc_t; ') allow $1 initrc_t:fd use; ') ######################################## ## ## Do not audit attempts to inherit ## init script file descriptors. ## ## ## ## Domain allowed access. ## ## # interface(`init_dontaudit_use_script_fds',` gen_require(` type initrc_t; ') dontaudit $1 initrc_t:fd use; ') ######################################## ## ## Get the process group ID of init scripts. ## ## ## ## Domain allowed access. ## ## # interface(`init_getpgid_script',` gen_require(` type initrc_t; ') allow $1 initrc_t:process getpgid; ') ######################################## ## ## Send SIGCHLD signals to init scripts. ## ## ## ## Domain allowed access. ## ## # interface(`init_sigchld_script',` gen_require(` type initrc_t; ') allow $1 initrc_t:process sigchld; ') ######################################## ## ## Send generic signals to init scripts. ## ## ## ## Domain allowed access. ## ## # interface(`init_signal_script',` gen_require(` type initrc_t; ') allow $1 initrc_t:process signal; ') ######################################## ## ## Send null signals to init scripts. ## ## ## ## Domain allowed access. ## ## # interface(`init_signull_script',` gen_require(` type initrc_t; ') allow $1 initrc_t:process signull; ') ######################################## ## ## Read and write init script unnamed pipes. ## ## ## ## Domain allowed access. ## ## # interface(`init_rw_script_pipes',` gen_require(` type initrc_t; ') allow $1 initrc_t:fifo_file { read write }; ') ######################################## ## ## Send UDP network traffic to init scripts. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`init_udp_send_script',` refpolicywarn(`$0($*) has been deprecated.') ') ######################################## ## ## Allow the specified domain to connect to ## init scripts with a unix socket. ## ## ## ## Domain allowed access. ## ## # interface(`init_stream_connect_script',` gen_require(` type initrc_t; ') allow $1 initrc_t:unix_stream_socket connectto; ') ######################################## ## ## Allow the specified domain to read/write to ## init scripts with a unix domain stream sockets. ## ## ## ## Domain allowed access. ## ## # interface(`init_rw_script_stream_sockets',` gen_require(` type initrc_t; ') allow $1 initrc_t:unix_stream_socket { read write }; ') ######################################## ## ## Dont audit the specified domain connecting to ## init scripts with a unix domain stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`init_dontaudit_stream_connect_script',` gen_require(` type initrc_t; ') dontaudit $1 initrc_t:unix_stream_socket connectto; ') ######################################## ## ## Send and receive messages from ## init scripts over dbus. ## ## ## ## Domain allowed access. ## ## # interface(`init_dbus_chat_script',` gen_require(` type initrc_t; class dbus send_msg; ') allow $1 initrc_t:dbus send_msg; allow initrc_t $1:dbus send_msg; ') ######################################## ## ## Read and write the init script pty. ## ## ##

## Read and write the init script pty. This ## pty is generally opened by the open_init_pty ## portion of the run_init program so that the ## daemon does not require direct access to ## the administrator terminal. ##

##
## ## ## Domain allowed access. ## ## # interface(`init_use_script_ptys',` gen_require(` type initrc_devpts_t; ') term_list_ptys($1) allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append }; ') ######################################## ## ## Do not audit attempts to read and ## write the init script pty. ## ## ## ## Domain to not audit. ## ## # interface(`init_dontaudit_use_script_ptys',` gen_require(` type initrc_devpts_t; ') dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append }; ') ######################################## ## ## Read init scripts. ## ## ## ## Domain allowed access. ## ## # interface(`init_read_script_files',` gen_require(` type initrc_exec_t; ') files_search_etc($1) allow $1 initrc_exec_t:file read_file_perms; ') ######################################## ## ## Get the attributes of init script ## status files. ## ## ## ## Domain allowed access. ## ## # interface(`init_getattr_script_status_files',` gen_require(` type initrc_state_t; ') getattr_files_pattern($1,initrc_state_t,initrc_state_t) ') ######################################## ## ## Do not audit attempts to read init script ## status files. ## ## ## ## Domain allowed access. ## ## # interface(`init_dontaudit_read_script_status_files',` gen_require(` type initrc_state_t; ') dontaudit $1 initrc_state_t:dir search_dir_perms; dontaudit $1 initrc_state_t:file read_file_perms; ') ######################################## ## ## Read and write init script temporary data. ## ## ## ## Domain allowed access. ## ## # interface(`init_rw_script_tmp_files',` gen_require(` type initrc_tmp_t; ') files_search_tmp($1) allow $1 initrc_tmp_t:file rw_file_perms; ') ######################################## ## ## Create files in a init script ## temporary data directory. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the object to be created ## ## ## ## ## The object class. ## ## # interface(`init_script_tmp_filetrans',` gen_require(` type initrc_tmp_t; ') files_search_tmp($1) filetrans_pattern($1,initrc_tmp_t,$2,$3) ') ######################################## ## ## Get the attributes of init script process id files. ## ## ## ## Domain allowed access. ## ## # interface(`init_getattr_utmp',` gen_require(` type initrc_var_run_t; ') allow $1 initrc_var_run_t:file getattr; ') ######################################## ## ## Read utmp. ## ## ## ## Domain allowed access. ## ## # interface(`init_read_utmp',` gen_require(` type initrc_var_run_t; ') files_list_pids($1) allow $1 initrc_var_run_t:file read_file_perms; ') ######################################## ## ## Do not audit attempts to write utmp. ## ## ## ## Domain allowed access. ## ## # interface(`init_dontaudit_write_utmp',` gen_require(` type initrc_var_run_t; ') dontaudit $1 initrc_var_run_t:file { write lock }; ') ######################################## ## ## Write to utmp. ## ## ## ## Domain allowed access. ## ## # interface(`init_write_utmp',` gen_require(` type initrc_var_run_t; ') files_list_pids($1) allow $1 initrc_var_run_t:file { getattr write }; ') ######################################## ## ## Do not audit attempts to lock ## init script pid files. ## ## ## ## Domain allowed access. ## ## # interface(`init_dontaudit_lock_utmp',` gen_require(` type initrc_var_run_t; ') dontaudit $1 initrc_var_run_t:file lock; ') ######################################## ## ## Read and write utmp. ## ## ## ## Domain allowed access. ## ## # interface(`init_rw_utmp',` gen_require(` type initrc_var_run_t; ') files_list_pids($1) allow $1 initrc_var_run_t:file rw_file_perms; ') ######################################## ## ## Do not audit attempts to read and write utmp. ## ## ## ## Domain allowed access. ## ## # interface(`init_dontaudit_rw_utmp',` gen_require(` type initrc_var_run_t; ') dontaudit $1 initrc_var_run_t:file { getattr read write append }; ') ######################################## ## ## Create, read, write, and delete utmp. ## ## ## ## Domain access allowed. ## ## # interface(`init_manage_utmp',` gen_require(` type initrc_var_run_t; ') files_search_pids($1) allow $1 initrc_var_run_t:file manage_file_perms; ')