selinux-policy/refpolicy/policy/modules/system/init.if

## <summary>System initialization programs (init and init scripts).</summary>

########################################
## <summary>
##	Create a domain which can be started by init.
## </summary>
## <param name="domain">
##	Type to be used as a domain.
## </param>
## <param name="entry_point">
##	Type of the program to be used as an entry point to this domain.
## </param>
#
interface(`init_domain',`
	gen_require(`
		type init_t;
		role system_r;
		class fd use;
		class fifo_file rw_file_perms;
		class process sigchld;
	')

	domain_type($1)
	domain_entry_file($1,$2)

	role system_r types $1;

	domain_auto_trans(init_t,$2,$1)

	allow $1 init_t:fd use;
	allow init_t $1:fd use;
	allow $1 init_t:fifo_file rw_file_perms;
	allow $1 init_t:process sigchld;

	# Red Hat systems seem to have stray
	# fds open from the initrd
	ifdef(`hide_broken_symptoms',`
		# Red Hat systems seem to have a stray
		# fds open from the initrd
		ifdef(`distro_redhat',`
			kernel_dontaudit_use_fd($1)
			storage_dontaudit_read_fixed_disk($1)
			files_dontaudit_read_root_file($1)
		')
	')
')

########################################
## <summary>
##	Create a domain for long running processes
##	(daemons) which can be started by init scripts.
## </summary>
## <param name="domain">
##	Type to be used as a domain.
## </param>
## <param name="entry_point">
##	Type of the program to be used as an entry point to this domain.
## </param>
#
interface(`init_daemon_domain',`
	gen_require(`
		attribute direct_run_init, direct_init, direct_init_entry;
		type initrc_t;
		role system_r;
	')

	domain_type($1)
	domain_entry_file($1,$2)

	role system_r types $1;

	ifdef(`direct_sysadm_daemon',`
		domain_auto_trans(direct_run_init,$2,$1)

		allow direct_run_init $1:fd use;
		allow direct_run_init $1:process { noatsecure siginh rlimitinh };
		allow $1 direct_run_init:fd use;
		allow $1 direct_run_init:fifo_file rw_file_perms;
		allow $1 direct_run_init:process sigchld;

		typeattribute $1 direct_init;
		typeattribute $2 direct_init_entry;
	')

	ifdef(`hide_broken_symptoms',`
		# Red Hat systems seem to have a stray
		# fds open from the initrd
		ifdef(`distro_redhat',`
			kernel_dontaudit_use_fd($1)
			storage_dontaudit_read_fixed_disk($1)
			files_dontaudit_read_root_file($1)
		')
	')

	ifdef(`targeted_policy',`
		# this regex is a hack, since it assumes there is a
		# _t at the end of the domain type.  If there is no _t
		# at the end of the type, it returns empty!
		ifdef(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',`
			bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
			define(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'))
		')
		if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
			can_exec(initrc_t,$2)
			can_exec(direct_run_init,$2)
		} else {
			domain_auto_trans(initrc_t,$2,$1)
			allow initrc_t $1:fd use;
			allow $1 initrc_t:fd use;
			allow $1 initrc_t:fifo_file rw_file_perms;
			allow $1 initrc_t:process sigchld;
			allow initrc_t $1:process { noatsecure siginh rlimitinh };

			# make sediff happy
			allow $1 $2:file { rx_file_perms entrypoint };
		}
	',`
		domain_auto_trans(initrc_t,$2,$1)
		allow initrc_t $1:fd use;
		allow $1 initrc_t:fd use;
		allow $1 initrc_t:fifo_file rw_file_perms;
		allow $1 initrc_t:process sigchld;
		dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };

		# make sediff happy
		allow $1 $2:file { rx_file_perms entrypoint };
	')

	optional_policy(`nscd.te',`
		nscd_use_socket($1)
	')
')

########################################
## <summary>
##	Create a domain for short running processes
##	which can be started by init scripts.
## </summary>
## <param name="domain">
##	Type to be used as a domain.
## </param>
## <param name="entry_point">
##	Type of the program to be used as an entry point to this domain.
## </param>
#
interface(`init_system_domain',`
	gen_require(`
		type initrc_t;
		role system_r;
		class fd use;
		class fifo_file rw_file_perms;
		class process sigchld;
	')

	domain_type($1)
	domain_entry_file($1,$2)

	role system_r types $1;

	domain_auto_trans(initrc_t,$2,$1)

	allow initrc_t $1:fd use;
	allow $1 initrc_t:fd use;
	allow $1 initrc_t:fifo_file rw_file_perms;
	allow $1 initrc_t:process sigchld;

	ifdef(`hide_broken_symptoms',`
		# Red Hat systems seem to have a stray
		# fds open from the initrd
		ifdef(`distro_redhat',`
			kernel_dontaudit_use_fd($1)
			storage_dontaudit_read_fixed_disk($1)
			files_dontaudit_read_root_file($1)
		')
	')
')

########################################
#
# init_domtrans(domain)
#
interface(`init_domtrans',`
	gen_require(`
		type init_t, init_exec_t;
		class process sigchld;
		class fd use;
		class fifo_file rw_file_perms;
	')

	domain_auto_trans($1,init_exec_t,init_t)

	allow $1 init_t:fd use;
	allow init_t $1:fd use;
	allow init_t $1:fifo_file rw_file_perms;
	allow init_t $1:process sigchld;
')

########################################
## <summary>
##	Execute the init program in the caller domain.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`init_exec',`
	gen_require(`
		type init_exec_t;
	')

	corecmd_search_sbin($1)
	can_exec($1,init_exec_t)
')

########################################
#
# init_get_process_group(domain)
#
interface(`init_get_process_group',`
	gen_require(`
		type init_t;
		class process getpgid;
	')

	allow $1 init_t:process getpgid;
')

########################################
#
# init_getattr_initctl(domain)
#
interface(`init_getattr_initctl',`
	gen_require(`
		type initctl_t;
		class fifo_file getattr;
	')

	allow $1 initctl_t:fifo_file getattr;
')

########################################
#
# init_dontaudit_getattr_initctl(domain)
#
interface(`init_dontaudit_getattr_initctl',`
	gen_require(`
		type initctl_t;
		class fifo_file getattr;
	')

	dontaudit $1 initctl_t:fifo_file getattr;
')

########################################
#
# init_write_initctl(domain)
#
interface(`init_write_initctl',`
	gen_require(`
		type initctl_t;
		class fifo_file write;
	')

	dev_list_all_dev_nodes($1)
	allow $1 initctl_t:fifo_file write;
')

########################################
#
# init_use_initctl(domain)
#
interface(`init_use_initctl',`
	gen_require(`
		type initctl_t;
		class fifo_file rw_file_perms;
	')

	dev_list_all_dev_nodes($1)
	allow $1 initctl_t:fifo_file rw_file_perms;
')

########################################
#
# init_dontaudit_use_initctl(domain)
#
interface(`init_dontaudit_use_initctl',`
	gen_require(`
		type initctl_t;
		class fifo_file { read write };
	')

	dontaudit $1 initctl_t:fifo_file { read write };
')

########################################
## <summary>
##	Send init a null signal.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`init_signull',`
	gen_require(`
		type init_t;
		class process signull;
	')

	allow $1 init_t:process signull;
')

########################################
## <summary>
##	Send init a SIGCHLD signal.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`init_sigchld',`
	gen_require(`
		type init_t;
		class process sigchld;
	')

	allow $1 init_t:process sigchld;
')

########################################
#
# init_use_fd(domain)
#
interface(`init_use_fd',`
	gen_require(`
		type init_t;
		class fd use;
	')

	allow $1 init_t:fd use;
')

########################################
#
# init_dontaudit_use_fd(domain)
#
interface(`init_dontaudit_use_fd',`
	gen_require(`
		type init_t;
		class fd use;
	')

	dontaudit $1 init_t:fd use;
')

########################################
## <summary>
##	Send UDP network traffic to init.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`init_udp_sendto',`
	gen_require(`
		type init_t;
		class udp_socket { sendto recvfrom };
	')

	allow $1 init_t:udp_socket sendto;
	allow init_t $1:udp_socket recvfrom;
')

########################################
#
# init_domtrans_script(domain)
#
interface(`init_domtrans_script',`
	gen_require(`
		type initrc_t, initrc_exec_t;
		class process sigchld;
		class fd use;
		class fifo_file rw_file_perms;
	')

	files_list_etc($1)
	domain_auto_trans($1,initrc_exec_t,initrc_t)

	allow $1 initrc_t:fd use;
	allow initrc_t $1:fd use;
	allow initrc_t $1:fifo_file rw_file_perms;
	allow initrc_t $1:process sigchld;
')

########################################
## <summary>
##	Start and stop daemon programs directly.
## </summary>
## <desc>
##	<p>
##	Start and stop daemon programs directly
##	in the traditional "/etc/init.d/daemon start"
##	style, and do not require run_init.
##	</p>
## </desc>
## <param name="domain">
##	Domain allowed access.
## </param>
## <param name="role">
##	The role to be performing this action.
## </param>
## <param name="terminal">
##	The type of the terminal of the user.
## </param>
#
interface(`init_run_daemon',`
	gen_require(`
		attribute direct_run_init, direct_init, direct_init_entry;
		role system_r;
		class chr_file rw_file_perms;
	')

	typeattribute $1 direct_run_init;
	role_transition $2 direct_init_entry system_r;
	dontaudit direct_init $3:chr_file rw_file_perms;
')

########################################
## <summary>
##	Write an init script unnamed pipe.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`init_write_script_pipe',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:fifo_file write;
')

########################################
## <summary>
##	Allow the specified domain to connect to
##	init scripts with a unix domain stream socket.
## </summary>
## <param name="domain">
##      Domain allowed access.
## </param>
#
interface(`init_unix_connect_script',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:unix_stream_socket connectto;
')

########################################
## <summary>
##	Dont audit the specified domain connecting to
##	init scripts with a unix domain stream socket.
## </summary>
## <param name="domain">
##      Domain allowed access.
## </param>
#
interface(`init_dontaudit_unix_connect_script',`
	gen_require(`
		type initrc_t;
		class unix_stream_socket connectto;
	')

	dontaudit $1 initrc_t:unix_stream_socket connectto;
')

########################################
## <summary>
##	Read init scripts.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`init_read_script',`
	gen_require(`
		type initrc_exec_t;
		class file { getattr read };
	')

	files_list_etc($1)
	allow $1 initrc_exec_t:file { getattr read };
')

########################################
#
# init_exec_script(domain)
#
interface(`init_exec_script',`
	gen_require(`
		type initrc_exec_t;
	')

	files_list_etc($1)
	can_exec($1,initrc_exec_t)
')

########################################
## <summary>
##	Read the process state (/proc/pid) of the init scripts.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`init_read_script_process_state',`
	gen_require(`
		type initrc_t;
		class dir r_dir_perms;
		class file r_file_perms;
		class lnk_file r_file_perms;
		class process { getattr ptrace };
	')

	#FIXME: search proc dir
	allow $1 initrc_t:dir r_dir_perms;
	allow $1 initrc_t:{ file lnk_file } r_file_perms;
	allow $1 initrc_t:process getattr;

	# We need to suppress this denial because procps tries to access
	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
	# running in a privileged domain.
	dontaudit $1 initrc_t:process ptrace;
')

########################################
#
# init_use_script_fd(domain)
#
interface(`init_use_script_fd',`
	gen_require(`
		type initrc_t;
		class fd use;
	')

	allow $1 initrc_t:fd use;
')

########################################
#
# init_dontaudit_use_script_fd(domain)
#
interface(`init_dontaudit_use_script_fd',`
	gen_require(`
		type initrc_t;
		class fd use;
	')

	dontaudit $1 initrc_t:fd use;
')

########################################
#
# init_get_script_process_group(domain)
#
interface(`init_get_script_process_group',`
	gen_require(`
		type initrc_t;
		class process getpgid;
	')

	allow $1 initrc_t:process getpgid;
')

########################################
## <summary>
##	Send SIGCHLD signals to init scripts.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`init_sigchld_script',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:process sigchld;
')

########################################
## <summary>
##	Send generic signals to init scripts.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`init_signal_script',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:process signal;
')

########################################
## <summary>
##	Send null signals to init scripts.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`init_signull_script',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:process signull;
')

########################################
## <summary>
##	Read and write init script unnamed pipes.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`init_rw_script_pipe',`
	gen_require(`
		type initrc_t;
		class chr_file { read write };
	')

	allow $1 initrc_t:fifo_file { read write };
')

########################################
## <summary>
##	Send UDP network traffic to init scripts.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`init_udp_sendto_script',`
	gen_require(`
		type initrc_t;
		class udp_socket { sendto recvfrom };
	')

	allow $1 initrc_t:udp_socket sendto;
	allow initrc_t $1:udp_socket recvfrom;
')

########################################
## <summary>
##	Allow the specified domain to connect to
##	init scripts with a unix socket.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`init_unix_connect_script',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:unix_stream_socket connectto;
')

########################################
## <summary>
##	Read and write the init script pty.
## </summary>
## <desc>
##	<p>
##	Read and write the init script pty.  This
##	pty is generally opened by the open_init_pty
##	portion of the run_init program so that the
##	daemon does not require direct access to
##	the administrator terminal.
##	</p>
## </desc>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`init_use_script_pty',`
	gen_require(`
		type initrc_devpts_t;
	')

	term_list_ptys($1)
	allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
')

########################################
## <summary>
##	Do not audit attempts to read and
##	write the init script pty.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`init_dontaudit_use_script_pty',`
	gen_require(`
		type initrc_devpts_t;
	')

	dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
')

########################################
## <summary>
##	Read init scripts.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`init_read_script_file',`
	gen_require(`
		type initrc_exec_t;
		class file r_file_perms;
	')

	files_search_etc($1)
	allow $1 initrc_exec_t:file r_file_perms;
')

########################################
## <summary>
##	Read and write init script temporary data.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`init_rw_script_tmp_files',`
	gen_require(`
		type initrc_tmp_t;
	')

	files_search_tmp($1)
	allow $1 initrc_tmp_t:file rw_file_perms;
')

########################################
## <summary>
##	Get the attributes of init script process id files.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`init_getattr_script_pids',`
	gen_require(`
		type initrc_var_run_t;
		class file getattr;
	')

	allow $1 initrc_var_run_t:file getattr;
')

########################################
## <summary>
##	List the contents of an init script
##	process id directory.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`init_list_script_pids',`
	gen_require(`
		type initrc_var_run_t;
		class dir r_dir_perms;
	')

	files_search_pids($1)
	allow $1 initrc_var_run_t:dir r_dir_perms;
')

########################################
#
# init_read_script_pid(domain)
#
interface(`init_read_script_pid',`
	gen_require(`
		type initrc_var_run_t;
		class file r_file_perms;
	')

	files_list_pids($1)
	allow $1 initrc_var_run_t:file r_file_perms;
')

########################################
#
# init_dontaudit_write_script_pid(domain)
#
interface(`init_dontaudit_write_script_pid',`
	gen_require(`
		type initrc_var_run_t;
		class file { write lock };
	')

	dontaudit $1 initrc_var_run_t:file { write lock };
')

########################################
#
# init_rw_script_pid(domain)
#
interface(`init_rw_script_pid',`
	gen_require(`
		type initrc_var_run_t;
		class file rw_file_perms;
	')

	files_list_pids($1)
	allow $1 initrc_var_run_t:file rw_file_perms;
')

########################################
#
# init_dontaudit_rw_script_pid(domain)
#
interface(`init_dontaudit_rw_script_pid',`
	gen_require(`
		type initrc_var_run_t;
		class file rw_file_perms;
	')

	dontaudit $1 initrc_var_run_t:file { getattr read write append };
')