761 lines
16 KiB
Plaintext
761 lines
16 KiB
Plaintext
## <summary>System initialization programs (init and init scripts).</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create a domain which can be started by init.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Type to be used as a domain.
|
|
## </param>
|
|
## <param name="entry_point">
|
|
## Type of the program to be used as an entry point to this domain.
|
|
## </param>
|
|
#
|
|
interface(`init_domain',`
|
|
gen_require(`
|
|
type init_t;
|
|
role system_r;
|
|
class fd use;
|
|
class fifo_file rw_file_perms;
|
|
class process sigchld;
|
|
')
|
|
|
|
domain_type($1)
|
|
domain_entry_file($1,$2)
|
|
|
|
role system_r types $1;
|
|
|
|
domain_auto_trans(init_t,$2,$1)
|
|
|
|
allow $1 init_t:fd use;
|
|
allow init_t $1:fd use;
|
|
allow $1 init_t:fifo_file rw_file_perms;
|
|
allow $1 init_t:process sigchld;
|
|
|
|
# Red Hat systems seem to have a stray
|
|
# fd open from the initrd
|
|
optional_policy(`distro_redhat',`
|
|
kernel_dontaudit_use_fd($1)
|
|
files_dontaudit_read_root_file($1)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create a domain for long running processes
|
|
## (daemons) which can be started by init scripts.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Type to be used as a domain.
|
|
## </param>
|
|
## <param name="entry_point">
|
|
## Type of the program to be used as an entry point to this domain.
|
|
## </param>
|
|
#
|
|
interface(`init_daemon_domain',`
|
|
gen_require(`
|
|
attribute direct_run_init, direct_init, direct_init_entry;
|
|
type initrc_t;
|
|
role system_r;
|
|
')
|
|
|
|
domain_type($1)
|
|
domain_entry_file($1,$2)
|
|
|
|
role system_r types $1;
|
|
|
|
ifdef(`direct_sysadm_daemon',`
|
|
domain_auto_trans(direct_run_init,$2,$1)
|
|
|
|
allow direct_run_init $1:fd use;
|
|
allow direct_run_init $1:process { noatsecure siginh rlimitinh };
|
|
allow $1 direct_run_init:fd use;
|
|
allow $1 direct_run_init:fifo_file rw_file_perms;
|
|
allow $1 direct_run_init:process sigchld;
|
|
|
|
typeattribute $1 direct_init;
|
|
typeattribute $2 direct_init_entry;
|
|
')
|
|
|
|
# Red Hat systems seem to have a stray
|
|
# fd open from the initrd
|
|
ifdef(`distro_redhat',`
|
|
kernel_dontaudit_use_fd($1)
|
|
files_dontaudit_read_root_file($1)
|
|
')
|
|
|
|
ifdef(`targeted_policy',`
|
|
# this regex is a hack, since it assumes there is a
|
|
# _t at the end of the domain type. If there is no _t
|
|
# at the end of the type, it returns empty!
|
|
bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
|
|
if(! regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
|
|
domain_auto_trans(initrc_t,$2,$1)
|
|
allow initrc_t $1:fd use;
|
|
allow initrc_t $1:process { noatsecure siginh rlimitinh };
|
|
allow $1 initrc_t:fd use;
|
|
allow $1 initrc_t:fifo_file rw_file_perms;
|
|
allow $1 initrc_t:process sigchld;
|
|
} else {
|
|
can_exec(initrc_t,$2)
|
|
can_exec(direct_run_init,$2)
|
|
}
|
|
',`
|
|
domain_auto_trans(initrc_t,$2,$1)
|
|
allow initrc_t $1:fd use;
|
|
allow initrc_t $1:process { noatsecure siginh rlimitinh };
|
|
allow $1 initrc_t:fd use;
|
|
allow $1 initrc_t:fifo_file rw_file_perms;
|
|
allow $1 initrc_t:process sigchld;
|
|
')
|
|
|
|
optional_policy(`nscd.te',`
|
|
nscd_use_socket($1)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create a domain for short running processes
|
|
## which can be started by init scripts.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Type to be used as a domain.
|
|
## </param>
|
|
## <param name="entry_point">
|
|
## Type of the program to be used as an entry point to this domain.
|
|
## </param>
|
|
#
|
|
interface(`init_system_domain',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
role system_r;
|
|
class fd use;
|
|
class fifo_file rw_file_perms;
|
|
class process sigchld;
|
|
')
|
|
|
|
domain_type($1)
|
|
domain_entry_file($1,$2)
|
|
|
|
role system_r types $1;
|
|
|
|
domain_auto_trans(initrc_t,$2,$1)
|
|
|
|
allow initrc_t $1:fd use;
|
|
allow $1 initrc_t:fd use;
|
|
allow $1 initrc_t:fifo_file rw_file_perms;
|
|
allow $1 initrc_t:process sigchld;
|
|
|
|
# Red Hat systems seem to have a stray
|
|
# fd open from the initrd
|
|
optional_policy(`distro_redhat',`
|
|
kernel_dontaudit_use_fd($1)
|
|
files_dontaudit_read_root_file($1)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_domtrans(domain)
|
|
#
|
|
interface(`init_domtrans',`
|
|
gen_require(`
|
|
type init_t, init_exec_t;
|
|
class process sigchld;
|
|
class fd use;
|
|
class fifo_file rw_file_perms;
|
|
')
|
|
|
|
domain_auto_trans($1,init_exec_t,init_t)
|
|
|
|
allow $1 init_t:fd use;
|
|
allow init_t $1:fd use;
|
|
allow init_t $1:fifo_file rw_file_perms;
|
|
allow init_t $1:process sigchld;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute the init program in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`init_exec',`
|
|
gen_require(`
|
|
type init_exec_t;
|
|
')
|
|
|
|
corecmd_search_sbin($1)
|
|
can_exec($1,init_exec_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_get_process_group(domain)
|
|
#
|
|
interface(`init_get_process_group',`
|
|
gen_require(`
|
|
type init_t;
|
|
class process getpgid;
|
|
')
|
|
|
|
allow $1 init_t:process getpgid;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_getattr_initctl(domain)
|
|
#
|
|
interface(`init_getattr_initctl',`
|
|
gen_require(`
|
|
type initctl_t;
|
|
class fifo_file getattr;
|
|
')
|
|
|
|
allow $1 initctl_t:fifo_file getattr;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_dontaudit_getattr_initctl(domain)
|
|
#
|
|
interface(`init_dontaudit_getattr_initctl',`
|
|
gen_require(`
|
|
type initctl_t;
|
|
class fifo_file getattr;
|
|
')
|
|
|
|
dontaudit $1 initctl_t:fifo_file getattr;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_write_initctl(domain)
|
|
#
|
|
interface(`init_write_initctl',`
|
|
gen_require(`
|
|
type initctl_t;
|
|
class fifo_file write;
|
|
')
|
|
|
|
dev_list_all_dev_nodes($1)
|
|
allow $1 initctl_t:fifo_file write;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_use_initctl(domain)
|
|
#
|
|
interface(`init_use_initctl',`
|
|
gen_require(`
|
|
type initctl_t;
|
|
class fifo_file rw_file_perms;
|
|
')
|
|
|
|
dev_list_all_dev_nodes($1)
|
|
allow $1 initctl_t:fifo_file rw_file_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_dontaudit_use_initctl(domain)
|
|
#
|
|
interface(`init_dontaudit_use_initctl',`
|
|
gen_require(`
|
|
type initctl_t;
|
|
class fifo_file { read write };
|
|
')
|
|
|
|
dontaudit $1 initctl_t:fifo_file { read write };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send init a null signal.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`init_signull',`
|
|
gen_require(`
|
|
type init_t;
|
|
class process signull;
|
|
')
|
|
|
|
allow $1 init_t:process signull;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send init a SIGCHLD signal.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`init_sigchld',`
|
|
gen_require(`
|
|
type init_t;
|
|
class process sigchld;
|
|
')
|
|
|
|
allow $1 init_t:process sigchld;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_use_fd(domain)
|
|
#
|
|
interface(`init_use_fd',`
|
|
gen_require(`
|
|
type init_t;
|
|
class fd use;
|
|
')
|
|
|
|
allow $1 init_t:fd use;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_dontaudit_use_fd(domain)
|
|
#
|
|
interface(`init_dontaudit_use_fd',`
|
|
gen_require(`
|
|
type init_t;
|
|
class fd use;
|
|
')
|
|
|
|
dontaudit $1 init_t:fd use;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send UDP network traffic to init.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`init_udp_sendto',`
|
|
gen_require(`
|
|
type init_t;
|
|
class udp_socket { sendto recvfrom };
|
|
')
|
|
|
|
allow $1 init_t:udp_socket sendto;
|
|
allow init_t $1:udp_socket recvfrom;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_domtrans_script(domain)
|
|
#
|
|
interface(`init_domtrans_script',`
|
|
gen_require(`
|
|
type initrc_t, initrc_exec_t;
|
|
class process sigchld;
|
|
class fd use;
|
|
class fifo_file rw_file_perms;
|
|
')
|
|
|
|
files_list_etc($1)
|
|
domain_auto_trans($1,initrc_exec_t,initrc_t)
|
|
|
|
allow $1 initrc_t:fd use;
|
|
allow initrc_t $1:fd use;
|
|
allow initrc_t $1:fifo_file rw_file_perms;
|
|
allow initrc_t $1:process sigchld;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Start and stop daemon programs directly.
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## Start and stop daemon programs directly
|
|
## in the traditional "/etc/init.d/daemon start"
|
|
## style, and do not require run_init.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
## <param name="role">
|
|
## The role to be performing this action.
|
|
## </param>
|
|
## <param name="terminal">
|
|
## The type of the terminal of the user.
|
|
## </param>
|
|
#
|
|
interface(`init_run_daemon',`
|
|
gen_require(`
|
|
attribute direct_run_init, direct_init, direct_init_entry;
|
|
role system_r;
|
|
class chr_file rw_file_perms;
|
|
')
|
|
|
|
typeattribute $1 direct_run_init;
|
|
role_transition $2 direct_init_entry system_r;
|
|
dontaudit direct_init $3:chr_file rw_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified domain to connect to
|
|
## init scripts with a unix domain stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`init_unix_connect_script',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
')
|
|
|
|
allow $1 initrc_t:unix_stream_socket connectto;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Dont audit the specified domain connecting to
|
|
## init scripts with a unix domain stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`init_dontaudit_unix_connect_script',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
class unix_stream_socket connectto;
|
|
')
|
|
|
|
dontaudit $1 initrc_t:unix_stream_socket connectto;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read init scripts.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`init_read_script',`
|
|
gen_require(`
|
|
type initrc_exec_t;
|
|
class file { getattr read };
|
|
')
|
|
|
|
files_list_etc($1)
|
|
allow $1 initrc_exec_t:file { getattr read };
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_exec_script(domain)
|
|
#
|
|
interface(`init_exec_script',`
|
|
gen_require(`
|
|
type initrc_exec_t;
|
|
')
|
|
|
|
files_list_etc($1)
|
|
can_exec($1,initrc_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read the process state (/proc/pid) of the init scripts.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`init_read_script_process_state',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
class dir r_dir_perms;
|
|
class file r_file_perms;
|
|
class lnk_file r_file_perms;
|
|
class process { getattr ptrace };
|
|
')
|
|
|
|
#FIXME: search proc dir
|
|
allow $1 initrc_t:dir r_dir_perms;
|
|
allow $1 initrc_t:{ file lnk_file } r_file_perms;
|
|
allow $1 initrc_t:process getattr;
|
|
|
|
# We need to suppress this denial because procps tries to access
|
|
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
|
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
|
# running in a privileged domain.
|
|
dontaudit $1 initrc_t:process ptrace;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_use_script_fd(domain)
|
|
#
|
|
interface(`init_use_script_fd',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
class fd use;
|
|
')
|
|
|
|
allow $1 initrc_t:fd use;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_dontaudit_use_script_fd(domain)
|
|
#
|
|
interface(`init_dontaudit_use_script_fd',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
class fd use;
|
|
')
|
|
|
|
dontaudit $1 initrc_t:fd use;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_get_script_process_group(domain)
|
|
#
|
|
interface(`init_get_script_process_group',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
class process getpgid;
|
|
')
|
|
|
|
allow $1 initrc_t:process getpgid;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write init script unnamed pipes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`init_rw_script_pipe',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
class chr_file { read write };
|
|
')
|
|
|
|
allow $1 initrc_t:fifo_file { read write };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send UDP network traffic to init scripts.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`init_udp_sendto_script',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
class udp_socket { sendto recvfrom };
|
|
')
|
|
|
|
allow $1 initrc_t:udp_socket sendto;
|
|
allow initrc_t $1:udp_socket recvfrom;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified domain to connect to
|
|
## init scripts with a unix socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`init_unix_connect_script',`
|
|
gen_require(`
|
|
type initrc_t;
|
|
')
|
|
|
|
allow $1 initrc_t:unix_stream_socket connectto;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write the init script pty.
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## Read and write the init script pty. This
|
|
## pty is generally opened by the open_init_pty
|
|
## portion of the run_init program so that the
|
|
## daemon does not require direct access to
|
|
## the administrator terminal.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`init_use_script_pty',`
|
|
gen_require(`
|
|
type initrc_devpts_t;
|
|
')
|
|
|
|
term_list_ptys($1)
|
|
allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to read and
|
|
## write the init script pty.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain to not audit.
|
|
## </param>
|
|
#
|
|
interface(`init_dontaudit_use_script_pty',`
|
|
gen_require(`
|
|
type initrc_devpts_t;
|
|
')
|
|
|
|
dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read init scripts.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`init_read_script_file',`
|
|
gen_require(`
|
|
type initrc_exec_t;
|
|
class file r_file_perms;
|
|
')
|
|
|
|
files_search_etc($1)
|
|
allow $1 initrc_exec_t:file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write init script temporary data.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`init_rw_script_tmp_files',`
|
|
gen_require(`
|
|
type initrc_tmp_t;
|
|
')
|
|
|
|
files_search_tmp($1)
|
|
allow $1 initrc_tmp_t:file rw_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Get the attributes of init script process id files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`init_getattr_script_pids',`
|
|
gen_require(`
|
|
type initrc_var_run_t;
|
|
class file getattr;
|
|
')
|
|
|
|
allow $1 initrc_var_run_t:file getattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## List the contents of an init script
|
|
## process id directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`init_list_script_pids',`
|
|
gen_require(`
|
|
type initrc_var_run_t;
|
|
class dir r_dir_perms;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
allow $1 initrc_var_run_t:dir r_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_read_script_pid(domain)
|
|
#
|
|
interface(`init_read_script_pid',`
|
|
gen_require(`
|
|
type initrc_var_run_t;
|
|
class file r_file_perms;
|
|
')
|
|
|
|
files_list_pids($1)
|
|
allow $1 initrc_var_run_t:file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_dontaudit_write_script_pid(domain)
|
|
#
|
|
interface(`init_dontaudit_write_script_pid',`
|
|
gen_require(`
|
|
type initrc_var_run_t;
|
|
class file { write lock };
|
|
')
|
|
|
|
dontaudit $1 initrc_var_run_t:file { write lock };
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_rw_script_pid(domain)
|
|
#
|
|
interface(`init_rw_script_pid',`
|
|
gen_require(`
|
|
type initrc_var_run_t;
|
|
class file rw_file_perms;
|
|
')
|
|
|
|
files_list_pids($1)
|
|
allow $1 initrc_var_run_t:file rw_file_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# init_dontaudit_rw_script_pid(domain)
|
|
#
|
|
interface(`init_dontaudit_rw_script_pid',`
|
|
gen_require(`
|
|
type initrc_var_run_t;
|
|
class file rw_file_perms;
|
|
')
|
|
|
|
dontaudit $1 initrc_var_run_t:file { getattr read write append };
|
|
')
|
|
|