1276 lines
24 KiB
Plaintext
1276 lines
24 KiB
Plaintext
## <summary>System initialization programs (init and init scripts).</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create a domain which can be started by init.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Type to be used as a domain.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="entry_point">
|
|
## <summary>
|
|
## Type of the program to be used as an entry point to this domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_domain',`
|
|
gen_require(`
|
|
type init_t;
|
|
role system_r;
|
|
')
|
|
|
|
domain_type($1)
|
|
domain_entry_file($1,$2)
|
|
|
|
role system_r types $1;
|
|
|
|
domtrans_pattern(init_t,$2,$1)
|
|
|
|
ifdef(`hide_broken_symptoms',`
|
|
# RHEL4 systems seem to have a stray
|
|
# fds open from the initrd
|
|
ifdef(`distro_rhel4',`
|
|
kernel_dontaudit_use_fds($1)
|
|
')
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create a domain which can be started by init,
|
|
## with a range transition.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Type to be used as a domain.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="entry_point">
|
|
## <summary>
|
|
## Type of the program to be used as an entry point to this domain.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="range">
|
|
## <summary>
|
|
## Range for the domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_ranged_domain',`
|
|
gen_require(`
|
|
type init_t;
|
|
')
|
|
|
|
init_domain($1,$2)
|
|
|
|
ifdef(`enable_mcs',`
|
|
range_transition init_t $2:process $3;
|
|
')
|
|
|
|
ifdef(`enable_mls',`
|
|
range_transition init_t $2:process $3;
|
|
mls_rangetrans_target($1)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create a domain for long running processes
|
|
## (daemons) which can be started by init scripts.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Type to be used as a domain.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="entry_point">
|
|
## <summary>
|
|
## Type of the program to be used as an entry point to this domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_daemon_domain',`
|
|
gen_require(`
|
|
attribute direct_run_init, direct_init, direct_init_entry;
|
|
type initrc_t;
|
|
role system_r;
|
|
attribute daemon;
|
|
')
|
|
|
|
typeattribute $1 daemon;
|
|
|
|
domain_type($1)
|
|
domain_entry_file($1,$2)
|
|
|
|
role system_r types $1;
|
|
|
|
domtrans_pattern(initrc_t,$2,$1)
|
|
|
|
# daemons started from init will
|
|
# inherit fds from init for the console
|
|
init_dontaudit_use_fds($1)
|
|
term_dontaudit_use_console($1)
|
|
|
|
# init script ptys are the stdin/out/err
|
|
# when using run_init
|
|
init_use_script_ptys($1)
|
|
|
|
ifdef(`direct_sysadm_daemon',`
|
|
domtrans_pattern(direct_run_init,$2,$1)
|
|
allow direct_run_init $1:process { noatsecure siginh rlimitinh };
|
|
|
|
typeattribute $1 direct_init;
|
|
typeattribute $2 direct_init_entry;
|
|
')
|
|
|
|
ifdef(`hide_broken_symptoms',`
|
|
# RHEL4 systems seem to have a stray
|
|
# fds open from the initrd
|
|
ifdef(`distro_rhel4',`
|
|
kernel_dontaudit_use_fds($1)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_socket_use($1)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create a domain for long running processes
|
|
## (daemons) which can be started by init scripts.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Type to be used as a domain.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="entry_point">
|
|
## <summary>
|
|
## Type of the program to be used as an entry point to this domain.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="range">
|
|
## <summary>
|
|
## Range for the domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_ranged_daemon_domain',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
')
|
|
|
|
init_daemon_domain($1,$2)
|
|
|
|
ifdef(`enable_mcs',`
|
|
range_transition initrc_t $2:process $3;
|
|
')
|
|
|
|
ifdef(`enable_mls',`
|
|
range_transition initrc_t $2:process $3;
|
|
mls_rangetrans_target($1)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create a domain for short running processes
|
|
## which can be started by init scripts.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Type to be used as a domain.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="entry_point">
|
|
## <summary>
|
|
## Type of the program to be used as an entry point to this domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_system_domain',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
role system_r;
|
|
')
|
|
|
|
application_domain($1,$2)
|
|
|
|
role system_r types $1;
|
|
|
|
domtrans_pattern(initrc_t,$2,$1)
|
|
|
|
ifdef(`hide_broken_symptoms',`
|
|
# RHEL4 systems seem to have a stray
|
|
# fds open from the initrd
|
|
ifdef(`distro_rhel4',`
|
|
kernel_dontaudit_use_fds($1)
|
|
')
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create a domain for short running processes
|
|
## which can be started by init scripts.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Type to be used as a domain.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="entry_point">
|
|
## <summary>
|
|
## Type of the program to be used as an entry point to this domain.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="range">
|
|
## <summary>
|
|
## Range for the domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_ranged_system_domain',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
')
|
|
|
|
init_system_domain($1,$2)
|
|
|
|
ifdef(`enable_mcs',`
|
|
range_transition initrc_t $2:process $3;
|
|
')
|
|
|
|
ifdef(`enable_mls',`
|
|
range_transition initrc_t $2:process $3;
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute init (/sbin/init) with a domain transition.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_domtrans',`
|
|
gen_require(`
|
|
type init_t, init_exec_t;
|
|
')
|
|
|
|
domtrans_pattern($1,init_exec_t,init_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute the init program in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`init_exec',`
|
|
gen_require(`
|
|
type init_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
can_exec($1,init_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Get the process group of init.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_getpgid',`
|
|
gen_require(`
|
|
type init_t;
|
|
')
|
|
|
|
allow $1 init_t:process getpgid;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send init a null signal.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_signull',`
|
|
gen_require(`
|
|
type init_t;
|
|
')
|
|
|
|
allow $1 init_t:process signull;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send init a SIGCHLD signal.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_sigchld',`
|
|
gen_require(`
|
|
type init_t;
|
|
')
|
|
|
|
allow $1 init_t:process sigchld;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Inherit and use file descriptors from init.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_use_fds',`
|
|
gen_require(`
|
|
type init_t;
|
|
')
|
|
|
|
allow $1 init_t:fd use;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to inherit file
|
|
## descriptors from init.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_dontaudit_use_fds',`
|
|
gen_require(`
|
|
type init_t;
|
|
')
|
|
|
|
dontaudit $1 init_t:fd use;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send UDP network traffic to init. (Deprecated)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_udp_send',`
|
|
refpolicywarn(`$0($*) has been deprecated.')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Get the attributes of initctl.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_getattr_initctl',`
|
|
gen_require(`
|
|
type initctl_t;
|
|
')
|
|
|
|
allow $1 initctl_t:fifo_file getattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to get the
|
|
## attributes of initctl.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_dontaudit_getattr_initctl',`
|
|
gen_require(`
|
|
type initctl_t;
|
|
')
|
|
|
|
dontaudit $1 initctl_t:fifo_file getattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Write to initctl.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_write_initctl',`
|
|
gen_require(`
|
|
type initctl_t;
|
|
')
|
|
|
|
dev_list_all_dev_nodes($1)
|
|
allow $1 initctl_t:fifo_file write;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Use telinit (Read and write initctl).
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`init_telinit',`
|
|
gen_require(`
|
|
type initctl_t;
|
|
')
|
|
|
|
dev_list_all_dev_nodes($1)
|
|
allow $1 initctl_t:fifo_file rw_fifo_file_perms;
|
|
|
|
init_exec($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write initctl.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_rw_initctl',`
|
|
gen_require(`
|
|
type initctl_t;
|
|
')
|
|
|
|
dev_list_all_dev_nodes($1)
|
|
allow $1 initctl_t:fifo_file rw_fifo_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to read and
|
|
## write initctl.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_dontaudit_rw_initctl',`
|
|
gen_require(`
|
|
type initctl_t;
|
|
')
|
|
|
|
dontaudit $1 initctl_t:fifo_file { read write };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make init scripts an entry point for
|
|
## the specified domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## The domain for which init scripts are an entrypoint.
|
|
## </summary>
|
|
## </param>
|
|
# cjp: added for gentoo integrated run_init
|
|
interface(`init_script_file_entry_type',`
|
|
gen_require(`
|
|
type initrc_exec_t;
|
|
')
|
|
|
|
domain_entry_file($1,initrc_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute init scripts with a specified domain transition.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_spec_domtrans_script',`
|
|
gen_require(`
|
|
type initrc_t, initrc_exec_t;
|
|
')
|
|
|
|
files_list_etc($1)
|
|
spec_domtrans_pattern($1,initrc_exec_t,initrc_t)
|
|
|
|
ifdef(`enable_mcs',`
|
|
range_transition $1 initrc_exec_t:process s0;
|
|
')
|
|
|
|
ifdef(`enable_mls',`
|
|
range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute init scripts with an automatic domain transition.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_domtrans_script',`
|
|
gen_require(`
|
|
type initrc_t, initrc_exec_t;
|
|
')
|
|
|
|
files_list_etc($1)
|
|
domtrans_pattern($1,initrc_exec_t,initrc_t)
|
|
|
|
ifdef(`enable_mcs',`
|
|
range_transition $1 initrc_exec_t:process s0;
|
|
')
|
|
|
|
ifdef(`enable_mls',`
|
|
range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute a init script in a specified domain.
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## Execute a init script in a specified domain.
|
|
## </p>
|
|
## <p>
|
|
## No interprocess communication (signals, pipes,
|
|
## etc.) is provided by this interface since
|
|
## the domains are not owned by this module.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="source_domain">
|
|
## <summary>
|
|
## Domain to transition from.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="target_domain">
|
|
## <summary>
|
|
## Domain to transition to.
|
|
## </summary>
|
|
## </param>
|
|
# cjp: added for gentoo integrated run_init
|
|
interface(`init_script_file_domtrans',`
|
|
gen_require(`
|
|
type initrc_exec_t;
|
|
')
|
|
|
|
files_list_etc($1)
|
|
domain_auto_trans($1,initrc_exec_t,$2)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Start and stop daemon programs directly.
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## Start and stop daemon programs directly
|
|
## in the traditional "/etc/init.d/daemon start"
|
|
## style, and do not require run_init.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## The role to be performing this action.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="terminal">
|
|
## <summary>
|
|
## The type of the terminal of the user.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_run_daemon',`
|
|
gen_require(`
|
|
attribute direct_run_init, direct_init, direct_init_entry;
|
|
role system_r;
|
|
')
|
|
|
|
typeattribute $1 direct_run_init;
|
|
role_transition $2 direct_init_entry system_r;
|
|
dontaudit direct_init $3:chr_file rw_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Write an init script unnamed pipe.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_write_script_pipes',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
')
|
|
|
|
allow $1 initrc_t:fifo_file write;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Get the attribute of init script entrypoint files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_getattr_script_files',`
|
|
gen_require(`
|
|
type initrc_exec_t;
|
|
')
|
|
|
|
files_list_etc($1)
|
|
allow $1 initrc_exec_t:file getattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute init scripts in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_exec_script_files',`
|
|
gen_require(`
|
|
type initrc_exec_t;
|
|
')
|
|
|
|
files_list_etc($1)
|
|
can_exec($1,initrc_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read the process state (/proc/pid) of the init scripts.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_read_script_state',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
')
|
|
|
|
kernel_search_proc($1)
|
|
read_files_pattern($1,initrc_t,initrc_t)
|
|
read_lnk_files_pattern($1,initrc_t,initrc_t)
|
|
list_dirs_pattern($1,initrc_t,initrc_t)
|
|
|
|
# should move this to separate interface
|
|
allow $1 initrc_t:process getattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Inherit and use init script file descriptors.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_use_script_fds',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
')
|
|
|
|
allow $1 initrc_t:fd use;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to inherit
|
|
## init script file descriptors.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_dontaudit_use_script_fds',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
')
|
|
|
|
dontaudit $1 initrc_t:fd use;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Get the process group ID of init scripts.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_getpgid_script',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
')
|
|
|
|
allow $1 initrc_t:process getpgid;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send SIGCHLD signals to init scripts.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_sigchld_script',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
')
|
|
|
|
allow $1 initrc_t:process sigchld;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send generic signals to init scripts.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_signal_script',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
')
|
|
|
|
allow $1 initrc_t:process signal;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send null signals to init scripts.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_signull_script',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
')
|
|
|
|
allow $1 initrc_t:process signull;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write init script unnamed pipes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_rw_script_pipes',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
')
|
|
|
|
allow $1 initrc_t:fifo_file { read write };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send UDP network traffic to init scripts. (Deprecated)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_udp_send_script',`
|
|
refpolicywarn(`$0($*) has been deprecated.')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified domain to connect to
|
|
## init scripts with a unix socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_stream_connect_script',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
')
|
|
|
|
allow $1 initrc_t:unix_stream_socket connectto;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified domain to read/write to
|
|
## init scripts with a unix domain stream sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_rw_script_stream_sockets',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
')
|
|
|
|
allow $1 initrc_t:unix_stream_socket { read write };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Dont audit the specified domain connecting to
|
|
## init scripts with a unix domain stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_dontaudit_stream_connect_script',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
')
|
|
|
|
dontaudit $1 initrc_t:unix_stream_socket connectto;
|
|
')
|
|
########################################
|
|
## <summary>
|
|
## Send messages to init scripts over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_dbus_send_script',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
class dbus send_msg;
|
|
')
|
|
|
|
allow $1 initrc_t:dbus send_msg;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send and receive messages from
|
|
## init scripts over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_dbus_chat_script',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
class dbus send_msg;
|
|
')
|
|
|
|
allow $1 initrc_t:dbus send_msg;
|
|
allow initrc_t $1:dbus send_msg;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write the init script pty.
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## Read and write the init script pty. This
|
|
## pty is generally opened by the open_init_pty
|
|
## portion of the run_init program so that the
|
|
## daemon does not require direct access to
|
|
## the administrator terminal.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_use_script_ptys',`
|
|
gen_require(`
|
|
type initrc_devpts_t;
|
|
')
|
|
|
|
term_list_ptys($1)
|
|
allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to read and
|
|
## write the init script pty.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_dontaudit_use_script_ptys',`
|
|
gen_require(`
|
|
type initrc_devpts_t;
|
|
')
|
|
|
|
dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read init scripts.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_read_script_files',`
|
|
gen_require(`
|
|
type initrc_exec_t;
|
|
')
|
|
|
|
files_search_etc($1)
|
|
allow $1 initrc_exec_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Get the attributes of init script
|
|
## status files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_getattr_script_status_files',`
|
|
gen_require(`
|
|
type initrc_state_t;
|
|
')
|
|
|
|
getattr_files_pattern($1,initrc_state_t,initrc_state_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to read init script
|
|
## status files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_dontaudit_read_script_status_files',`
|
|
gen_require(`
|
|
type initrc_state_t;
|
|
')
|
|
|
|
dontaudit $1 initrc_state_t:dir search_dir_perms;
|
|
dontaudit $1 initrc_state_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write init script temporary data.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_rw_script_tmp_files',`
|
|
gen_require(`
|
|
type initrc_tmp_t;
|
|
')
|
|
|
|
files_search_tmp($1)
|
|
rw_files_pattern($1,initrc_tmp_t,initrc_tmp_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create files in a init script
|
|
## temporary data directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="file_type">
|
|
## <summary>
|
|
## The type of the object to be created
|
|
## </summary>
|
|
## </param>
|
|
## <param name="object_class">
|
|
## <summary>
|
|
## The object class.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_script_tmp_filetrans',`
|
|
gen_require(`
|
|
type initrc_tmp_t;
|
|
')
|
|
|
|
files_search_tmp($1)
|
|
filetrans_pattern($1,initrc_tmp_t,$2,$3)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Get the attributes of init script process id files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_getattr_utmp',`
|
|
gen_require(`
|
|
type initrc_var_run_t;
|
|
')
|
|
|
|
allow $1 initrc_var_run_t:file getattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read utmp.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_read_utmp',`
|
|
gen_require(`
|
|
type initrc_var_run_t;
|
|
')
|
|
|
|
files_list_pids($1)
|
|
allow $1 initrc_var_run_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to write utmp.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_dontaudit_write_utmp',`
|
|
gen_require(`
|
|
type initrc_var_run_t;
|
|
')
|
|
|
|
dontaudit $1 initrc_var_run_t:file { write lock };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Write to utmp.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_write_utmp',`
|
|
gen_require(`
|
|
type initrc_var_run_t;
|
|
')
|
|
|
|
files_list_pids($1)
|
|
allow $1 initrc_var_run_t:file { getattr write };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to lock
|
|
## init script pid files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_dontaudit_lock_utmp',`
|
|
gen_require(`
|
|
type initrc_var_run_t;
|
|
')
|
|
|
|
dontaudit $1 initrc_var_run_t:file lock;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write utmp.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_rw_utmp',`
|
|
gen_require(`
|
|
type initrc_var_run_t;
|
|
')
|
|
|
|
files_list_pids($1)
|
|
allow $1 initrc_var_run_t:file rw_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to read and write utmp.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_dontaudit_rw_utmp',`
|
|
gen_require(`
|
|
type initrc_var_run_t;
|
|
')
|
|
|
|
dontaudit $1 initrc_var_run_t:file { getattr read write append };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete utmp.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain access allowed.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`init_manage_utmp',`
|
|
gen_require(`
|
|
type initrc_var_run_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
allow $1 initrc_var_run_t:file manage_file_perms;
|
|
')
|