768 lines
18 KiB
Plaintext
768 lines
18 KiB
Plaintext
|
|
policy_module(init,1.9.0)
|
|
|
|
gen_require(`
|
|
class passwd rootok;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
# used for direct running of init scripts
|
|
# by admin domains
|
|
attribute direct_run_init;
|
|
attribute direct_init;
|
|
attribute direct_init_entry;
|
|
|
|
# Mark process types as daemons
|
|
attribute daemon;
|
|
|
|
#
|
|
# init_t is the domain of the init process.
|
|
#
|
|
type init_t;
|
|
type init_exec_t;
|
|
domain_type(init_t)
|
|
domain_entry_file(init_t,init_exec_t)
|
|
kernel_domtrans_to(init_t,init_exec_t)
|
|
role system_r types init_t;
|
|
|
|
#
|
|
# init_var_run_t is the type for /var/run/shutdown.pid.
|
|
#
|
|
type init_var_run_t;
|
|
files_pid_file(init_var_run_t)
|
|
|
|
#
|
|
# initctl_t is the type of the named pipe created
|
|
# by init during initialization. This pipe is used
|
|
# to communicate with init.
|
|
#
|
|
type initctl_t;
|
|
files_type(initctl_t)
|
|
mls_trusted_object(initctl_t)
|
|
|
|
type initrc_t;
|
|
type initrc_exec_t;
|
|
domain_type(initrc_t)
|
|
domain_entry_file(initrc_t,initrc_exec_t)
|
|
role system_r types initrc_t;
|
|
|
|
type initrc_devpts_t;
|
|
term_pty(initrc_devpts_t)
|
|
files_type(initrc_devpts_t)
|
|
|
|
type initrc_state_t;
|
|
files_type(initrc_state_t)
|
|
|
|
type initrc_tmp_t;
|
|
files_tmp_file(initrc_tmp_t)
|
|
|
|
type initrc_var_run_t;
|
|
files_pid_file(initrc_var_run_t)
|
|
|
|
ifdef(`enable_mls',`
|
|
kernel_ranged_domtrans_to(init_t,init_exec_t,s0 - mls_systemhigh)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Init local policy
|
|
#
|
|
|
|
# Use capabilities. old rule:
|
|
allow init_t self:capability ~sys_module;
|
|
# is ~sys_module really needed? observed:
|
|
# sys_boot
|
|
# sys_tty_config
|
|
# kill: now provided by domain_kill_all_domains()
|
|
# setuid (from /sbin/shutdown)
|
|
# sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot()
|
|
|
|
allow init_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
# Re-exec itself
|
|
can_exec(init_t,init_exec_t)
|
|
|
|
allow init_t initrc_t:unix_stream_socket connectto;
|
|
|
|
# For /var/run/shutdown.pid.
|
|
allow init_t init_var_run_t:file manage_file_perms;
|
|
files_pid_filetrans(init_t,init_var_run_t,file)
|
|
|
|
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
|
|
dev_filetrans(init_t,initctl_t,fifo_file)
|
|
fs_associate_tmpfs(initctl_t)
|
|
|
|
# Modify utmp.
|
|
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
|
|
|
|
kernel_read_system_state(init_t)
|
|
kernel_share_state(init_t)
|
|
|
|
corecmd_exec_chroot(init_t)
|
|
corecmd_exec_bin(init_t)
|
|
|
|
dev_read_sysfs(init_t)
|
|
|
|
domain_kill_all_domains(init_t)
|
|
domain_signal_all_domains(init_t)
|
|
domain_signull_all_domains(init_t)
|
|
domain_sigstop_all_domains(init_t)
|
|
domain_sigstop_all_domains(init_t)
|
|
domain_sigchld_all_domains(init_t)
|
|
|
|
files_read_etc_files(init_t)
|
|
files_rw_generic_pids(init_t)
|
|
files_dontaudit_search_isid_type_dirs(init_t)
|
|
files_manage_etc_runtime_files(init_t)
|
|
files_etc_filetrans_etc_runtime(init_t,file)
|
|
# Run /etc/X11/prefdm:
|
|
files_exec_etc_files(init_t)
|
|
# file descriptors inherited from the rootfs:
|
|
files_dontaudit_rw_root_files(init_t)
|
|
files_dontaudit_rw_root_chr_files(init_t)
|
|
|
|
# cjp: this may be related to /dev/log
|
|
fs_write_ramfs_sockets(init_t)
|
|
|
|
mcs_process_set_categories(init_t)
|
|
mcs_killall(init_t)
|
|
|
|
mls_file_read_all_levels(init_t)
|
|
mls_file_write_all_levels(init_t)
|
|
mls_process_write_down(init_t)
|
|
mls_fd_use_all_levels(init_t)
|
|
|
|
selinux_set_boolean(init_t)
|
|
|
|
term_use_all_terms(init_t)
|
|
|
|
# Run init scripts.
|
|
init_domtrans_script(init_t)
|
|
|
|
libs_use_ld_so(init_t)
|
|
libs_use_shared_libs(init_t)
|
|
libs_rw_ld_so_cache(init_t)
|
|
|
|
logging_send_syslog_msg(init_t)
|
|
logging_rw_generic_logs(init_t)
|
|
|
|
seutil_read_config(init_t)
|
|
|
|
miscfiles_read_localization(init_t)
|
|
|
|
ifdef(`distro_gentoo',`
|
|
allow init_t self:process { getcap setcap };
|
|
')
|
|
|
|
ifdef(`distro_redhat',`
|
|
fs_rw_tmpfs_chr_files(init_t)
|
|
fs_tmpfs_filetrans(init_t,initctl_t,fifo_file)
|
|
')
|
|
|
|
optional_policy(`
|
|
auth_rw_login_records(init_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(init_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
unconfined_domain(init_t)
|
|
')
|
|
|
|
# Run the shell in the sysadm_t domain for single-user mode.
|
|
optional_policy(`
|
|
userdom_shell_domtrans_sysadm(init_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Init script local policy
|
|
#
|
|
|
|
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
|
allow initrc_t self:capability ~{ sys_admin sys_module };
|
|
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
|
|
allow initrc_t self:passwd rootok;
|
|
|
|
# Allow IPC with self
|
|
allow initrc_t self:unix_dgram_socket create_socket_perms;
|
|
allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto };
|
|
allow initrc_t self:tcp_socket create_stream_socket_perms;
|
|
allow initrc_t self:udp_socket create_socket_perms;
|
|
allow initrc_t self:fifo_file rw_file_perms;
|
|
|
|
allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
|
|
term_create_pty(initrc_t,initrc_devpts_t)
|
|
|
|
# Going to single user mode
|
|
init_exec(initrc_t)
|
|
|
|
can_exec(initrc_t,initrc_exec_t)
|
|
|
|
manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
|
|
manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
|
|
manage_lnk_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
|
|
manage_fifo_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
|
|
|
|
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
|
files_pid_filetrans(initrc_t,initrc_var_run_t,file)
|
|
|
|
can_exec(initrc_t,initrc_tmp_t)
|
|
allow initrc_t initrc_tmp_t:file manage_file_perms;
|
|
allow initrc_t initrc_tmp_t:dir manage_dir_perms;
|
|
files_tmp_filetrans(initrc_t,initrc_tmp_t, { file dir })
|
|
|
|
init_write_initctl(initrc_t)
|
|
|
|
kernel_read_system_state(initrc_t)
|
|
kernel_read_software_raid_state(initrc_t)
|
|
kernel_read_network_state(initrc_t)
|
|
kernel_read_ring_buffer(initrc_t)
|
|
kernel_change_ring_buffer_level(initrc_t)
|
|
kernel_clear_ring_buffer(initrc_t)
|
|
kernel_get_sysvipc_info(initrc_t)
|
|
kernel_read_all_sysctls(initrc_t)
|
|
kernel_rw_all_sysctls(initrc_t)
|
|
# for lsof which is used by alsa shutdown:
|
|
kernel_dontaudit_getattr_message_if(initrc_t)
|
|
|
|
files_read_kernel_symbol_table(initrc_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(initrc_t)
|
|
corenet_all_recvfrom_netlabel(initrc_t)
|
|
corenet_tcp_sendrecv_all_if(initrc_t)
|
|
corenet_udp_sendrecv_all_if(initrc_t)
|
|
corenet_tcp_sendrecv_all_nodes(initrc_t)
|
|
corenet_udp_sendrecv_all_nodes(initrc_t)
|
|
corenet_tcp_sendrecv_all_ports(initrc_t)
|
|
corenet_udp_sendrecv_all_ports(initrc_t)
|
|
corenet_tcp_connect_all_ports(initrc_t)
|
|
corenet_sendrecv_all_client_packets(initrc_t)
|
|
|
|
dev_read_rand(initrc_t)
|
|
dev_read_urand(initrc_t)
|
|
dev_write_rand(initrc_t)
|
|
dev_write_urand(initrc_t)
|
|
dev_rw_sysfs(initrc_t)
|
|
dev_list_usbfs(initrc_t)
|
|
dev_read_framebuffer(initrc_t)
|
|
dev_read_realtime_clock(initrc_t)
|
|
dev_read_sound_mixer(initrc_t)
|
|
dev_write_sound_mixer(initrc_t)
|
|
dev_setattr_all_chr_files(initrc_t)
|
|
dev_read_lvm_control(initrc_t)
|
|
dev_delete_lvm_control_dev(initrc_t)
|
|
dev_manage_generic_symlinks(initrc_t)
|
|
dev_manage_generic_files(initrc_t)
|
|
# Wants to remove udev.tbl:
|
|
dev_delete_generic_symlinks(initrc_t)
|
|
|
|
fs_register_binary_executable_type(initrc_t)
|
|
# rhgb-console writes to ramfs
|
|
fs_write_ramfs_pipes(initrc_t)
|
|
# cjp: not sure why these are here; should use mount policy
|
|
fs_mount_all_fs(initrc_t)
|
|
fs_unmount_all_fs(initrc_t)
|
|
fs_remount_all_fs(initrc_t)
|
|
fs_getattr_all_fs(initrc_t)
|
|
|
|
# initrc_t needs to do a pidof which requires ptrace
|
|
mcs_ptrace_all(initrc_t)
|
|
mcs_killall(initrc_t)
|
|
mcs_process_set_categories(initrc_t)
|
|
|
|
mls_file_read_all_levels(initrc_t)
|
|
mls_file_write_all_levels(initrc_t)
|
|
mls_process_read_up(initrc_t)
|
|
mls_process_write_down(initrc_t)
|
|
mls_rangetrans_source(initrc_t)
|
|
mls_fd_share_all_levels(initrc_t)
|
|
|
|
selinux_get_enforce_mode(initrc_t)
|
|
|
|
storage_getattr_fixed_disk_dev(initrc_t)
|
|
storage_setattr_fixed_disk_dev(initrc_t)
|
|
storage_setattr_removable_dev(initrc_t)
|
|
|
|
term_use_all_terms(initrc_t)
|
|
term_reset_tty_labels(initrc_t)
|
|
|
|
auth_rw_login_records(initrc_t)
|
|
auth_setattr_login_records(initrc_t)
|
|
auth_rw_lastlog(initrc_t)
|
|
auth_read_pam_pid(initrc_t)
|
|
auth_delete_pam_pid(initrc_t)
|
|
auth_delete_pam_console_data(initrc_t)
|
|
|
|
corecmd_exec_all_executables(initrc_t)
|
|
|
|
domain_kill_all_domains(initrc_t)
|
|
domain_signal_all_domains(initrc_t)
|
|
domain_signull_all_domains(initrc_t)
|
|
domain_sigstop_all_domains(initrc_t)
|
|
domain_sigstop_all_domains(initrc_t)
|
|
domain_sigchld_all_domains(initrc_t)
|
|
domain_read_all_domains_state(initrc_t)
|
|
domain_getattr_all_domains(initrc_t)
|
|
domain_dontaudit_ptrace_all_domains(initrc_t)
|
|
domain_getsession_all_domains(initrc_t)
|
|
domain_use_interactive_fds(initrc_t)
|
|
# for lsof which is used by alsa shutdown:
|
|
domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
|
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
|
|
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
|
|
domain_dontaudit_getattr_all_pipes(initrc_t)
|
|
|
|
files_getattr_all_dirs(initrc_t)
|
|
files_getattr_all_files(initrc_t)
|
|
files_getattr_all_symlinks(initrc_t)
|
|
files_getattr_all_pipes(initrc_t)
|
|
files_getattr_all_sockets(initrc_t)
|
|
files_purge_tmp(initrc_t)
|
|
files_delete_all_locks(initrc_t)
|
|
files_read_all_pids(initrc_t)
|
|
files_delete_all_pids(initrc_t)
|
|
files_delete_all_pid_dirs(initrc_t)
|
|
files_read_etc_files(initrc_t)
|
|
files_manage_etc_runtime_files(initrc_t)
|
|
files_etc_filetrans_etc_runtime(initrc_t,file)
|
|
files_manage_generic_locks(initrc_t)
|
|
files_exec_etc_files(initrc_t)
|
|
files_read_usr_files(initrc_t)
|
|
files_manage_urandom_seed(initrc_t)
|
|
files_manage_generic_spool(initrc_t)
|
|
# Mount and unmount file systems.
|
|
# cjp: not sure why these are here; should use mount policy
|
|
files_list_isid_type_dirs(initrc_t)
|
|
files_mounton_isid_type_dirs(initrc_t)
|
|
files_list_default(initrc_t)
|
|
files_mounton_default(initrc_t)
|
|
|
|
auth_use_nsswitch(initrc_t)
|
|
|
|
libs_rw_ld_so_cache(initrc_t)
|
|
libs_use_ld_so(initrc_t)
|
|
libs_use_shared_libs(initrc_t)
|
|
libs_exec_lib_files(initrc_t)
|
|
|
|
logging_send_syslog_msg(initrc_t)
|
|
logging_manage_generic_logs(initrc_t)
|
|
logging_read_all_logs(initrc_t)
|
|
logging_append_all_logs(initrc_t)
|
|
logging_read_audit_config(initrc_t)
|
|
|
|
miscfiles_read_localization(initrc_t)
|
|
# slapd needs to read cert files from its initscript
|
|
miscfiles_read_certs(initrc_t)
|
|
|
|
modutils_read_module_config(initrc_t)
|
|
modutils_domtrans_insmod(initrc_t)
|
|
|
|
seutil_read_config(initrc_t)
|
|
|
|
userdom_read_all_users_home_content_files(initrc_t)
|
|
# Allow access to the sysadm TTYs. Note that this will give access to the
|
|
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
|
|
# started from init should be placed in their own domain.
|
|
userdom_use_sysadm_terms(initrc_t)
|
|
|
|
ifdef(`distro_debian',`
|
|
dev_setattr_generic_dirs(initrc_t)
|
|
|
|
fs_tmpfs_filetrans(initrc_t,initrc_var_run_t,dir)
|
|
|
|
# for storing state under /dev/shm
|
|
fs_setattr_tmpfs_dirs(initrc_t)
|
|
storage_manage_fixed_disk(initrc_t)
|
|
storage_tmpfs_filetrans_fixed_disk(initrc_t)
|
|
|
|
files_setattr_etc_dirs(initrc_t)
|
|
')
|
|
|
|
ifdef(`distro_gentoo',`
|
|
kernel_dontaudit_getattr_core_if(initrc_t)
|
|
|
|
# seed udev /dev
|
|
allow initrc_t self:process setfscreate;
|
|
dev_create_null_dev(initrc_t)
|
|
dev_create_zero_dev(initrc_t)
|
|
dev_create_generic_dirs(initrc_t)
|
|
term_create_console_dev(initrc_t)
|
|
|
|
# unfortunately /sbin/rc does stupid tricks
|
|
# with /dev/.rcboot to decide if we are in
|
|
# early init
|
|
dev_create_generic_dirs(initrc_t)
|
|
dev_delete_generic_dirs(initrc_t)
|
|
|
|
# needed until baselayout is fixed to have the
|
|
# restorecon on /dev to again be immediately after
|
|
# mounting tmpfs on /dev
|
|
fs_tmpfs_filetrans(initrc_t,initrc_state_t,file)
|
|
|
|
# init scripts touch this
|
|
clock_dontaudit_write_adjtime(initrc_t)
|
|
|
|
# for integrated run_init to read run_init_type.
|
|
# happens during boot (/sbin/rc execs init scripts)
|
|
seutil_read_default_contexts(initrc_t)
|
|
|
|
optional_policy(`
|
|
arpwatch_manage_data_files(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dhcpd_setattr_state_files(initrc_t)
|
|
')
|
|
')
|
|
|
|
ifdef(`distro_redhat',`
|
|
# this is from kmodule, which should get its own policy:
|
|
allow initrc_t self:capability sys_admin;
|
|
|
|
allow initrc_t self:process setfscreate;
|
|
|
|
# Red Hat systems seem to have a stray
|
|
# fd open from the initrd
|
|
kernel_dontaudit_use_fds(initrc_t)
|
|
files_dontaudit_read_root_files(initrc_t)
|
|
|
|
selinux_set_enforce_mode(initrc_t)
|
|
|
|
# These seem to be from the initrd
|
|
# during device initialization:
|
|
dev_create_generic_dirs(initrc_t)
|
|
dev_rwx_zero(initrc_t)
|
|
dev_rx_raw_memory(initrc_t)
|
|
dev_wx_raw_memory(initrc_t)
|
|
storage_raw_read_fixed_disk(initrc_t)
|
|
storage_raw_write_fixed_disk(initrc_t)
|
|
|
|
files_create_boot_flag(initrc_t)
|
|
files_rw_boot_symlinks(initrc_t)
|
|
# wants to read /.fonts directory
|
|
files_read_default_files(initrc_t)
|
|
files_mountpoint(initrc_tmp_t)
|
|
# Needs to cp localtime to /var dirs
|
|
files_write_var_dirs(initrc_t)
|
|
|
|
fs_rw_tmpfs_chr_files(initrc_t)
|
|
|
|
storage_manage_fixed_disk(initrc_t)
|
|
storage_dev_filetrans_fixed_disk(initrc_t)
|
|
storage_getattr_removable_dev(initrc_t)
|
|
|
|
# readahead asks for these
|
|
auth_dontaudit_read_shadow(initrc_t)
|
|
|
|
# init scripts cp /etc/localtime over other directories localtime
|
|
miscfiles_rw_localization(initrc_t)
|
|
miscfiles_setattr_localization(initrc_t)
|
|
miscfiles_relabel_localization(initrc_t)
|
|
|
|
miscfiles_read_fonts(initrc_t)
|
|
miscfiles_read_hwdata(initrc_t)
|
|
|
|
optional_policy(`
|
|
bind_manage_config_dirs(initrc_t)
|
|
bind_write_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
#for /etc/rc.d/init.d/nfs to create /etc/exports
|
|
rpc_write_exports(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
sysnet_rw_dhcp_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
xserver_delete_log(initrc_t)
|
|
')
|
|
')
|
|
|
|
ifdef(`distro_suse',`
|
|
optional_policy(`
|
|
# set permissions on /tmp/.X11-unix
|
|
xserver_setattr_xdm_tmp_dirs(initrc_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
amavis_search_lib(initrc_t)
|
|
amavis_setattr_pid_files(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dev_rw_apm_bios(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
apache_read_config(initrc_t)
|
|
apache_list_modules(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
automount_exec_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
bind_read_config(initrc_t)
|
|
|
|
# for chmod in start script
|
|
bind_setattr_pid_dirs(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dev_read_usbfs(initrc_t)
|
|
bluetooth_read_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
clamav_read_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
cpucontrol_stub(initrc_t)
|
|
dev_getattr_cpu_dev(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dev_getattr_printer_dev(initrc_t)
|
|
|
|
cups_read_log(initrc_t)
|
|
cups_read_rw_config(initrc_t)
|
|
#cups init script clears error log
|
|
cups_write_log(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
daemontools_manage_svc(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_connect_system_bus(initrc_t)
|
|
dbus_system_bus_client_template(initrc,initrc_t)
|
|
dbus_read_config(initrc_t)
|
|
|
|
optional_policy(`
|
|
networkmanager_dbus_chat(initrc_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
ftp_read_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
gpm_setattr_gpmctl(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dev_read_usbfs(initrc_t)
|
|
|
|
# init scripts run /etc/hotplug/usb.rc
|
|
hotplug_read_config(initrc_t)
|
|
|
|
modutils_read_module_deps(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
inn_exec_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ipsec_read_config(initrc_t)
|
|
ipsec_manage_pid(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_use(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ldap_read_config(initrc_t)
|
|
ldap_list_db(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
loadkeys_exec(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# in emergency/recovery situations use sulogin
|
|
locallogin_domtrans_sulogin(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# This is needed to permit chown to read /var/spool/lpd/lp.
|
|
# This is opens up security more than necessary; this means that ANYTHING
|
|
# running in the initrc_t domain can read the printer spool directory.
|
|
# Perhaps executing /etc/rc.d/init.d/lpd should transition
|
|
# to domain lpd_t, instead of waiting for executing lpd.
|
|
lpd_list_spool(initrc_t)
|
|
|
|
lpd_read_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
#allow initrc_t lvm_control_t:chr_file unlink;
|
|
|
|
dev_read_lvm_control(initrc_t)
|
|
dev_create_generic_chr_files(initrc_t)
|
|
|
|
lvm_read_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mailman_list_data(initrc_t)
|
|
mailman_read_data_symlinks(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mta_read_config(initrc_t)
|
|
mta_dontaudit_read_spool_symlinks(initrc_t)
|
|
')
|
|
# cjp: require doesnt work in the else of optionals :\
|
|
# this also would result in a type transition
|
|
# conflict if sendmail is enabled
|
|
#optional_policy(`',`
|
|
# mta_send_mail(initrc_t)
|
|
#')
|
|
|
|
optional_policy(`
|
|
ifdef(`distro_redhat',`
|
|
mysql_manage_db_dirs(initrc_t)
|
|
')
|
|
|
|
mysql_stream_connect(initrc_t)
|
|
mysql_write_log(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nis_list_var_yp(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
openvpn_read_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
postgresql_manage_db(initrc_t)
|
|
postgresql_read_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
postfix_list_spool(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
quota_manage_flags(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
raid_manage_mdadm_pid(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
corecmd_shell_entry_type(initrc_t)
|
|
fs_write_ramfs_sockets(initrc_t)
|
|
fs_search_ramfs(initrc_t)
|
|
|
|
rhgb_rw_stream_sockets(initrc_t)
|
|
rhgb_stream_connect(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rpc_read_exports(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# bash tries to access a block device in the initrd
|
|
kernel_dontaudit_getattr_unlabeled_blk_files(initrc_t)
|
|
|
|
# for a bug in rm
|
|
files_dontaudit_write_all_pids(initrc_t)
|
|
|
|
# bash tries ioctl for some reason
|
|
files_dontaudit_ioctl_all_pids(initrc_t)
|
|
|
|
# why is this needed:
|
|
rpm_manage_db(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
samba_rw_config(initrc_t)
|
|
samba_read_winbind_pid(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
squid_read_config(initrc_t)
|
|
squid_manage_logs(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# allow init scripts to su
|
|
su_restricted_domain_template(initrc,initrc_t,system_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
ssh_dontaudit_read_server_keys(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
sysnet_read_dhcpc_state(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_rw_db(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
uml_setattr_util_sockets(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
unconfined_domain(initrc_t)
|
|
|
|
ifdef(`distro_redhat',`
|
|
# system-config-services causes avc messages that should be dontaudited
|
|
unconfined_dontaudit_rw_pipes(daemon)
|
|
')
|
|
|
|
optional_policy(`
|
|
mono_domtrans(initrc_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
vmware_read_system_config(initrc_t)
|
|
vmware_append_system_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
miscfiles_manage_fonts(initrc_t)
|
|
|
|
# cjp: is this really needed?
|
|
xfs_read_sockets(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# Set device ownerships/modes.
|
|
xserver_setattr_console_pipes(initrc_t)
|
|
|
|
# init script wants to check if it needs to update windowmanagerlist
|
|
xserver_read_xdm_rw_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
zebra_read_config(initrc_t)
|
|
')
|