453 lines
8.6 KiB
Plaintext
453 lines
8.6 KiB
Plaintext
## <module name="init">
|
|
## <summary>System initialization programs (init and init scripts).</summary>
|
|
|
|
########################################
|
|
#
|
|
# init_domain(domain,entrypointfile)
|
|
#
|
|
define(`init_domain',`
|
|
gen_require(`
|
|
type init_t;
|
|
role system_r;
|
|
class fd use;
|
|
class fifo_file rw_file_perms;
|
|
class process sigchld;
|
|
')
|
|
|
|
domain_type($1)
|
|
domain_entry_file($1,$2)
|
|
|
|
role system_r types $1;
|
|
|
|
domain_auto_trans(init_t,$2,$1)
|
|
|
|
allow $1 init_t:fd use;
|
|
allow init_t $1:fd use;
|
|
allow $1 init_t:fifo_file rw_file_perms;
|
|
allow $1 init_t:process sigchld;
|
|
|
|
# Red Hat systems seem to have a stray
|
|
# fd open from the initrd
|
|
optional_policy(`distro_redhat',`
|
|
kernel_dontaudit_use_fd($1)
|
|
files_dontaudit_read_root_file($1)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_daemon_domain(domain,entrypointfile)
|
|
#
|
|
define(`init_daemon_domain',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
role system_r;
|
|
class fifo_file rw_file_perms;
|
|
class fd use;
|
|
class process sigchld;
|
|
')
|
|
|
|
domain_type($1)
|
|
domain_entry_file($1,$2)
|
|
|
|
role system_r types $1;
|
|
|
|
domain_auto_trans(initrc_t,$2,$1)
|
|
|
|
allow initrc_t $1:fd use;
|
|
allow $1 initrc_t:fd use;
|
|
allow $1 initrc_t:fifo_file rw_file_perms;
|
|
allow $1 initrc_t:process sigchld;
|
|
|
|
# Red Hat systems seem to have a stray
|
|
# fd open from the initrd
|
|
optional_policy(`distro_redhat',`
|
|
kernel_dontaudit_use_fd($1)
|
|
files_dontaudit_read_root_file($1)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_system_domain(domain,entrypointfile)
|
|
#
|
|
define(`init_system_domain',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
role system_r;
|
|
class fd use;
|
|
class fifo_file rw_file_perms;
|
|
class process sigchld;
|
|
')
|
|
|
|
domain_type($1)
|
|
domain_entry_file($1,$2)
|
|
|
|
role system_r types $1;
|
|
|
|
domain_auto_trans(initrc_t,$2,$1)
|
|
|
|
allow initrc_t $1:fd use;
|
|
allow $1 initrc_t:fd use;
|
|
allow $1 initrc_t:fifo_file rw_file_perms;
|
|
allow $1 initrc_t:process sigchld;
|
|
|
|
# Red Hat systems seem to have a stray
|
|
# fd open from the initrd
|
|
optional_policy(`distro_redhat',`
|
|
kernel_dontaudit_use_fd($1)
|
|
files_dontaudit_read_root_file($1)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_domtrans(domain)
|
|
#
|
|
define(`init_domtrans',`
|
|
gen_require(`
|
|
type init_t, init_exec_t;
|
|
class process sigchld;
|
|
class fd use;
|
|
class fifo_file rw_file_perms;
|
|
')
|
|
|
|
domain_auto_trans($1,init_exec_t,init_t)
|
|
|
|
allow $1 init_t:fd use;
|
|
allow init_t $1:fd use;
|
|
allow init_t $1:fifo_file rw_file_perms;
|
|
allow init_t $1:process sigchld;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_get_process_group(domain)
|
|
#
|
|
define(`init_get_process_group',`
|
|
gen_require(`
|
|
type init_t;
|
|
class process getpgid;
|
|
')
|
|
|
|
allow $1 init_t:process getpgid;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_getattr_initctl(domain)
|
|
#
|
|
define(`init_getattr_initctl',`
|
|
gen_require(`
|
|
type initctl_t;
|
|
class fifo_file getattr;
|
|
')
|
|
|
|
allow $1 initctl_t:fifo_file getattr;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_dontaudit_getattr_initctl(domain)
|
|
#
|
|
define(`init_dontaudit_getattr_initctl',`
|
|
gen_require(`
|
|
type initctl_t;
|
|
class fifo_file getattr;
|
|
')
|
|
|
|
dontaudit $1 initctl_t:fifo_file getattr;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_use_initctl(domain)
|
|
#
|
|
define(`init_use_initctl',`
|
|
gen_require(`
|
|
type initctl_t;
|
|
class fifo_file rw_file_perms;
|
|
')
|
|
|
|
dev_list_all_dev_nodes($1)
|
|
allow $1 initctl_t:fifo_file rw_file_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_dontaudit_use_initctl(domain)
|
|
#
|
|
define(`init_dontaudit_use_initctl',`
|
|
gen_require(`
|
|
type initctl_t;
|
|
class fifo_file { read write };
|
|
')
|
|
|
|
dontaudit $1 initctl_t:fifo_file { read write };
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_sigchld(domain)
|
|
#
|
|
define(`init_sigchld',`
|
|
gen_require(`
|
|
type init_t;
|
|
class process sigchld;
|
|
')
|
|
|
|
allow $1 init_t:process sigchld;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_use_fd(domain)
|
|
#
|
|
define(`init_use_fd',`
|
|
gen_require(`
|
|
type init_t;
|
|
class fd use;
|
|
')
|
|
|
|
allow $1 init_t:fd use;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_dontaudit_use_fd(domain)
|
|
#
|
|
define(`init_dontaudit_use_fd',`
|
|
gen_require(`
|
|
type init_t;
|
|
class fd use;
|
|
')
|
|
|
|
dontaudit $1 init_t:fd use;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_domtrans_script(domain)
|
|
#
|
|
define(`init_domtrans_script',`
|
|
gen_require(`
|
|
type initrc_t, initrc_exec_t;
|
|
class process sigchld;
|
|
class fd use;
|
|
class fifo_file rw_file_perms;
|
|
')
|
|
|
|
files_list_etc($1)
|
|
domain_auto_trans($1,initrc_exec_t,initrc_t)
|
|
|
|
allow $1 initrc_t:fd use;
|
|
allow initrc_t $1:fd use;
|
|
allow initrc_t $1:fifo_file rw_file_perms;
|
|
allow initrc_t $1:process sigchld;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_exec_script(domain)
|
|
#
|
|
define(`init_exec_script',`
|
|
gen_require(`
|
|
type initrc_exec_t;
|
|
')
|
|
|
|
files_list_etc($1)
|
|
can_exec($1,initrc_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <interface name="init_read_script_process_state">
|
|
## <description>
|
|
## Read the process state (/proc/pid) of the init scripts.
|
|
## </description>
|
|
## <parameter name="domain">
|
|
## The type of the process performing this action.
|
|
## </parameter>
|
|
## </interface>
|
|
#
|
|
define(`init_read_script_process_state',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
class dir r_dir_perms;
|
|
class file r_file_perms;
|
|
class lnk_file r_file_perms;
|
|
class process { getattr ptrace };
|
|
')
|
|
|
|
#FIXME: search proc dir
|
|
allow $1 initrc_t:dir r_dir_perms;
|
|
allow $1 initrc_t:{ file lnk_file } r_file_perms;
|
|
allow $1 initrc_t:process getattr;
|
|
|
|
# We need to suppress this denial because procps tries to access
|
|
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
|
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
|
# running in a privileged domain.
|
|
dontaudit $1 initrc_t:process ptrace;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_use_script_fd(domain)
|
|
#
|
|
define(`init_use_script_fd',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
class fd use;
|
|
')
|
|
|
|
allow $1 initrc_t:fd use;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_dontaudit_use_script_fd(domain)
|
|
#
|
|
define(`init_dontaudit_use_script_fd',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
class fd use;
|
|
')
|
|
|
|
dontaudit $1 initrc_t:fd use;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_get_script_process_group(domain)
|
|
#
|
|
define(`init_get_script_process_group',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
class process getpgid;
|
|
')
|
|
|
|
allow $1 initrc_t:process getpgid;
|
|
')
|
|
|
|
########################################
|
|
## <interface name="init_rw_script_pipe">
|
|
## <description>
|
|
## Read and write init script unnamed pipes.
|
|
## </description>
|
|
## <parameter name="domain">
|
|
## The type of the process performing this action.
|
|
## </parameter>
|
|
## </interface>
|
|
#
|
|
define(`init_rw_script_pipe',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
class chr_file { read write };
|
|
')
|
|
|
|
allow $1 initrc_t:fifo_file { read write };
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_use_script_pty(domain)
|
|
#
|
|
define(`init_use_script_pty',`
|
|
gen_require(`
|
|
type initrc_devpts_t;
|
|
class chr_file rw_term_perms;
|
|
')
|
|
|
|
term_list_ptys($1)
|
|
allow $1 initrc_devpts_t:chr_file rw_term_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_dontaudit_use_script_pty(domain)
|
|
#
|
|
define(`init_dontaudit_use_script_pty',`
|
|
gen_require(`
|
|
type initrc_devpts_t;
|
|
class chr_file { read write ioctl };
|
|
')
|
|
|
|
dontaudit $1 initrc_devpts_t:chr_file { read write ioctl };
|
|
')
|
|
|
|
########################################
|
|
## <interface name="init_rw_script_tmp_files">
|
|
## <description>
|
|
## Read and write init script temporary data.
|
|
## </description>
|
|
## <parameter name="domain">
|
|
## The type of the process performing this action.
|
|
## </parameter>
|
|
## </interface>
|
|
#
|
|
define(`init_rw_script_tmp_files',`
|
|
gen_require(`
|
|
type initrc_var_run_t;
|
|
class file rw_file_perms;
|
|
')
|
|
|
|
# FIXME: read tmp_t dir
|
|
allow $1 initrc_tmp_t:file rw_file_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_read_script_pid(domain)
|
|
#
|
|
define(`init_read_script_pid',`
|
|
gen_require(`
|
|
type initrc_var_run_t;
|
|
class file r_file_perms;
|
|
')
|
|
|
|
files_list_pids($1)
|
|
allow $1 initrc_var_run_t:file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_dontaudit_write_script_pid(domain)
|
|
#
|
|
define(`init_dontaudit_write_script_pid',`
|
|
gen_require(`
|
|
type initrc_var_run_t;
|
|
class file { write lock };
|
|
')
|
|
|
|
dontaudit $1 initrc_var_run_t:file { write lock };
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_rw_script_pid(domain)
|
|
#
|
|
define(`init_rw_script_pid',`
|
|
gen_require(`
|
|
type initrc_var_run_t;
|
|
class file rw_file_perms;
|
|
')
|
|
|
|
files_list_pids($1)
|
|
allow $1 initrc_var_run_t:file rw_file_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_dontaudit_rw_script_pid(domain)
|
|
#
|
|
define(`init_dontaudit_rw_script_pid',`
|
|
gen_require(`
|
|
type initrc_var_run_t;
|
|
class file rw_file_perms;
|
|
')
|
|
|
|
dontaudit $1 initrc_var_run_t:file { getattr read write append };
|
|
')
|
|
|
|
## </module>
|