148 lines
4.0 KiB
Plaintext
148 lines
4.0 KiB
Plaintext
#DESC Init - Process initialization
|
|
#
|
|
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
|
# X-Debian-Packages: sysvinit
|
|
#
|
|
|
|
#################################
|
|
#
|
|
# Rules for the init_t domain.
|
|
#
|
|
# init_t is the domain of the init process.
|
|
# init_exec_t is the type of the init program.
|
|
# initctl_t is the type of the named pipe created
|
|
# by init during initialization. This pipe is used
|
|
# to communicate with init.
|
|
#
|
|
type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite, mlsprocwrite;
|
|
role system_r types init_t;
|
|
uses_shlib(init_t);
|
|
type init_exec_t, file_type, sysadmfile, exec_type;
|
|
type initctl_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
|
|
|
|
# for init to determine whether SE Linux is active so it can know whether to
|
|
# activate it
|
|
allow init_t security_t:dir search;
|
|
allow init_t security_t:file { getattr read };
|
|
|
|
# for mount points
|
|
allow init_t file_t:dir search;
|
|
|
|
# Use capabilities.
|
|
allow init_t self:capability ~sys_module;
|
|
|
|
# Run /etc/rc.sysinit, /etc/rc, /etc/rc.local in the initrc_t domain.
|
|
domain_auto_trans(init_t, initrc_exec_t, initrc_t)
|
|
|
|
# Run the shell in the sysadm_t domain for single-user mode.
|
|
domain_auto_trans(init_t, shell_exec_t, sysadm_t)
|
|
|
|
# Run /sbin/update in the init_t domain.
|
|
can_exec(init_t, sbin_t)
|
|
|
|
# Run init.
|
|
can_exec(init_t, init_exec_t)
|
|
|
|
# Run chroot from initrd scripts.
|
|
ifdef(`chroot.te', `
|
|
can_exec(init_t, chroot_exec_t)
|
|
')
|
|
|
|
# Create /dev/initctl.
|
|
file_type_auto_trans(init_t, device_t, initctl_t, fifo_file)
|
|
ifdef(`distro_redhat', `
|
|
file_type_auto_trans(init_t, tmpfs_t, initctl_t, fifo_file)
|
|
')
|
|
|
|
# Create ioctl.save.
|
|
file_type_auto_trans(init_t, etc_t, etc_runtime_t, file)
|
|
|
|
# Update /etc/ld.so.cache
|
|
allow init_t ld_so_cache_t:file rw_file_perms;
|
|
|
|
# Allow access to log files
|
|
allow init_t var_t:dir search;
|
|
allow init_t var_log_t:dir search;
|
|
allow init_t var_log_t:file rw_file_perms;
|
|
|
|
read_locale(init_t)
|
|
|
|
# Create unix sockets
|
|
allow init_t self:unix_dgram_socket create_socket_perms;
|
|
allow init_t self:unix_stream_socket create_socket_perms;
|
|
allow init_t self:fifo_file rw_file_perms;
|
|
|
|
# Permissions required for system startup
|
|
allow init_t { bin_t sbin_t }:dir r_dir_perms;
|
|
allow init_t { bin_t sbin_t }:{ file lnk_file } { read getattr lock ioctl };
|
|
|
|
# allow init to fork
|
|
allow init_t self:process { fork sigchld };
|
|
|
|
# Modify utmp.
|
|
allow init_t var_run_t:file rw_file_perms;
|
|
allow init_t initrc_var_run_t:file { setattr rw_file_perms };
|
|
can_unix_connect(init_t, initrc_t)
|
|
|
|
# For /var/run/shutdown.pid.
|
|
var_run_domain(init)
|
|
|
|
# Shutdown permissions
|
|
r_dir_file(init_t, proc_t)
|
|
r_dir_file(init_t, self)
|
|
allow init_t devpts_t:dir r_dir_perms;
|
|
|
|
# Modify wtmp.
|
|
allow init_t wtmp_t:file rw_file_perms;
|
|
|
|
# Kill all processes.
|
|
allow init_t domain:process signal_perms;
|
|
|
|
# Allow all processes to send SIGCHLD to init.
|
|
allow domain init_t:process { sigchld signull };
|
|
|
|
# If you load a new policy that removes active domains, processes can
|
|
# get stuck if you do not allow unlabeled processes to signal init
|
|
# If you load an incompatible policy, you should probably reboot,
|
|
# since you may have compromised system security.
|
|
allow unlabeled_t init_t:process sigchld;
|
|
|
|
# for loading policy
|
|
allow init_t policy_config_t:file r_file_perms;
|
|
|
|
# Set booleans.
|
|
can_setbool(init_t)
|
|
|
|
# Read and write the console and ttys.
|
|
allow init_t { tty_device_t console_device_t } :chr_file rw_file_perms;
|
|
ifdef(`distro_redhat', `
|
|
allow init_t tmpfs_t:chr_file rw_file_perms;
|
|
')
|
|
allow init_t ttyfile:chr_file rw_file_perms;
|
|
allow init_t ptyfile:chr_file rw_file_perms;
|
|
|
|
# Run system executables.
|
|
can_exec(init_t,bin_t)
|
|
ifdef(`consoletype.te', `
|
|
can_exec(init_t, consoletype_exec_t)
|
|
')
|
|
|
|
# Run /etc/X11/prefdm.
|
|
can_exec(init_t,etc_t)
|
|
|
|
allow init_t lib_t:file { getattr read };
|
|
|
|
allow init_t devtty_t:chr_file { read write };
|
|
allow init_t ramfs_t:dir search;
|
|
allow init_t ramfs_t:sock_file write;
|
|
r_dir_file(init_t, sysfs_t)
|
|
|
|
r_dir_file(init_t, selinux_config_t)
|
|
|
|
# file descriptors inherited from the rootfs.
|
|
dontaudit init_t root_t:{ file chr_file } { read write };
|
|
ifdef(`targeted_policy', `
|
|
unconfined_domain(init_t)
|
|
')
|
|
|