selinux-policy/strict/domains/program/init.te
2005-09-13 13:06:07 +00:00

148 lines
4.0 KiB
Plaintext

#DESC Init - Process initialization
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: sysvinit
#
#################################
#
# Rules for the init_t domain.
#
# init_t is the domain of the init process.
# init_exec_t is the type of the init program.
# initctl_t is the type of the named pipe created
# by init during initialization. This pipe is used
# to communicate with init.
#
type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite;
role system_r types init_t;
uses_shlib(init_t);
type init_exec_t, file_type, sysadmfile, exec_type;
type initctl_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
# for init to determine whether SE Linux is active so it can know whether to
# activate it
allow init_t security_t:dir search;
allow init_t security_t:file { getattr read };
# for mount points
allow init_t file_t:dir search;
# Use capabilities.
allow init_t self:capability ~sys_module;
# Run /etc/rc.sysinit, /etc/rc, /etc/rc.local in the initrc_t domain.
domain_auto_trans(init_t, initrc_exec_t, initrc_t)
# Run the shell in the sysadm_t domain for single-user mode.
domain_auto_trans(init_t, shell_exec_t, sysadm_t)
# Run /sbin/update in the init_t domain.
can_exec(init_t, sbin_t)
# Run init.
can_exec(init_t, init_exec_t)
# Run chroot from initrd scripts.
ifdef(`chroot.te', `
can_exec(init_t, chroot_exec_t)
')
# Create /dev/initctl.
file_type_auto_trans(init_t, device_t, initctl_t, fifo_file)
ifdef(`distro_redhat', `
file_type_auto_trans(init_t, tmpfs_t, initctl_t, fifo_file)
')
# Create ioctl.save.
file_type_auto_trans(init_t, etc_t, etc_runtime_t, file)
# Update /etc/ld.so.cache
allow init_t ld_so_cache_t:file rw_file_perms;
# Allow access to log files
allow init_t var_t:dir search;
allow init_t var_log_t:dir search;
allow init_t var_log_t:file rw_file_perms;
read_locale(init_t)
# Create unix sockets
allow init_t self:unix_dgram_socket create_socket_perms;
allow init_t self:unix_stream_socket create_socket_perms;
allow init_t self:fifo_file rw_file_perms;
# Permissions required for system startup
allow init_t { bin_t sbin_t }:dir r_dir_perms;
allow init_t { bin_t sbin_t }:{ file lnk_file } { read getattr lock ioctl };
# allow init to fork
allow init_t self:process { fork sigchld };
# Modify utmp.
allow init_t var_run_t:file rw_file_perms;
allow init_t initrc_var_run_t:file { setattr rw_file_perms };
can_unix_connect(init_t, initrc_t)
# For /var/run/shutdown.pid.
var_run_domain(init)
# Shutdown permissions
r_dir_file(init_t, proc_t)
r_dir_file(init_t, self)
allow init_t devpts_t:dir r_dir_perms;
# Modify wtmp.
allow init_t wtmp_t:file rw_file_perms;
# Kill all processes.
allow init_t domain:process signal_perms;
# Allow all processes to send SIGCHLD to init.
allow domain init_t:process { sigchld signull };
# If you load a new policy that removes active domains, processes can
# get stuck if you do not allow unlabeled processes to signal init
# If you load an incompatible policy, you should probably reboot,
# since you may have compromised system security.
allow unlabeled_t init_t:process sigchld;
# for loading policy
allow init_t policy_config_t:file r_file_perms;
# Set booleans.
can_setbool(init_t)
# Read and write the console and ttys.
allow init_t { tty_device_t console_device_t } :chr_file rw_file_perms;
ifdef(`distro_redhat', `
allow init_t tmpfs_t:chr_file rw_file_perms;
')
allow init_t ttyfile:chr_file rw_file_perms;
allow init_t ptyfile:chr_file rw_file_perms;
# Run system executables.
can_exec(init_t,bin_t)
ifdef(`consoletype.te', `
can_exec(init_t, consoletype_exec_t)
')
# Run /etc/X11/prefdm.
can_exec(init_t,etc_t)
allow init_t lib_t:file { getattr read };
allow init_t devtty_t:chr_file { read write };
allow init_t ramfs_t:dir search;
allow init_t ramfs_t:sock_file write;
r_dir_file(init_t, sysfs_t)
r_dir_file(init_t, selinux_config_t)
# file descriptors inherited from the rootfs.
dontaudit init_t root_t:{ file chr_file } { read write };
ifdef(`targeted_policy', `
unconfined_domain(init_t)
')