1900668638
The latest revision of the labeled policy patches which enable both labeled and unlabeled policy support for NetLabel. This revision takes into account Chris' feedback from the first version and reduces the number of interface calls in each domain down to two at present: one for unlabeled access, one for NetLabel access. The older, transport layer specific interfaces, are still present for use by third-party modules but are not used in the default policy modules. trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore. This patch changes the policy to use the netmsg initial SID as the "base" SID/context for NetLabel packets which only have MLS security attributes. Currently we use the unlabeled initial SID which makes it very difficult to distinquish between actual unlabeled packets and those packets which have MLS security attributes.
790 lines
18 KiB
Plaintext
790 lines
18 KiB
Plaintext
|
|
policy_module(init,1.6.2)
|
|
|
|
gen_require(`
|
|
class passwd rootok;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
ifdef(`targeted_policy',`
|
|
## <desc>
|
|
## <p>
|
|
## Allow all daemons the ability to use unallocated ttys
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(allow_daemons_use_tty,false)
|
|
')
|
|
|
|
# used for direct running of init scripts
|
|
# by admin domains
|
|
attribute direct_run_init;
|
|
attribute direct_init;
|
|
attribute direct_init_entry;
|
|
|
|
# Mark process types as daemons
|
|
attribute daemon;
|
|
|
|
#
|
|
# init_t is the domain of the init process.
|
|
#
|
|
type init_t;
|
|
type init_exec_t;
|
|
domain_type(init_t)
|
|
domain_entry_file(init_t,init_exec_t)
|
|
kernel_domtrans_to(init_t,init_exec_t)
|
|
role system_r types init_t;
|
|
|
|
#
|
|
# init_var_run_t is the type for /var/run/shutdown.pid.
|
|
#
|
|
type init_var_run_t;
|
|
files_pid_file(init_var_run_t)
|
|
|
|
#
|
|
# initctl_t is the type of the named pipe created
|
|
# by init during initialization. This pipe is used
|
|
# to communicate with init.
|
|
#
|
|
type initctl_t;
|
|
files_type(initctl_t)
|
|
mls_trusted_object(initctl_t)
|
|
|
|
type initrc_t;
|
|
type initrc_exec_t;
|
|
domain_type(initrc_t)
|
|
domain_entry_file(initrc_t,initrc_exec_t)
|
|
role system_r types initrc_t;
|
|
|
|
type initrc_devpts_t;
|
|
term_pty(initrc_devpts_t)
|
|
files_type(initrc_devpts_t)
|
|
|
|
type initrc_state_t;
|
|
files_type(initrc_state_t)
|
|
|
|
type initrc_tmp_t;
|
|
files_tmp_file(initrc_tmp_t)
|
|
|
|
type initrc_var_run_t;
|
|
files_pid_file(initrc_var_run_t)
|
|
|
|
ifdef(`enable_mls',`
|
|
kernel_ranged_domtrans_to(init_t,init_exec_t,s0 - mls_systemhigh)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Init local policy
|
|
#
|
|
|
|
# Use capabilities. old rule:
|
|
allow init_t self:capability ~sys_module;
|
|
# is ~sys_module really needed? observed:
|
|
# sys_boot
|
|
# sys_tty_config
|
|
# kill: now provided by domain_kill_all_domains()
|
|
# setuid (from /sbin/shutdown)
|
|
# sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot()
|
|
|
|
allow init_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
# Re-exec itself
|
|
can_exec(init_t,init_exec_t)
|
|
|
|
allow init_t initrc_t:unix_stream_socket connectto;
|
|
|
|
# For /var/run/shutdown.pid.
|
|
allow init_t init_var_run_t:file manage_file_perms;
|
|
files_pid_filetrans(init_t,init_var_run_t,file)
|
|
|
|
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
|
|
dev_filetrans(init_t,initctl_t,fifo_file)
|
|
fs_associate_tmpfs(initctl_t)
|
|
|
|
# Modify utmp.
|
|
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
|
|
|
|
kernel_read_system_state(init_t)
|
|
kernel_share_state(init_t)
|
|
|
|
corecmd_exec_chroot(init_t)
|
|
corecmd_exec_bin(init_t)
|
|
|
|
dev_read_sysfs(init_t)
|
|
|
|
domain_kill_all_domains(init_t)
|
|
domain_signal_all_domains(init_t)
|
|
domain_signull_all_domains(init_t)
|
|
domain_sigstop_all_domains(init_t)
|
|
domain_sigstop_all_domains(init_t)
|
|
domain_sigchld_all_domains(init_t)
|
|
|
|
files_read_etc_files(init_t)
|
|
files_rw_generic_pids(init_t)
|
|
files_dontaudit_search_isid_type_dirs(init_t)
|
|
files_manage_etc_runtime_files(init_t)
|
|
files_etc_filetrans_etc_runtime(init_t,file)
|
|
# Run /etc/X11/prefdm:
|
|
files_exec_etc_files(init_t)
|
|
# file descriptors inherited from the rootfs:
|
|
files_dontaudit_rw_root_files(init_t)
|
|
files_dontaudit_rw_root_chr_files(init_t)
|
|
|
|
# cjp: this may be related to /dev/log
|
|
fs_write_ramfs_sockets(init_t)
|
|
|
|
mcs_process_set_categories(init_t)
|
|
|
|
mls_process_write_down(init_t)
|
|
mls_fd_use_all_levels(init_t)
|
|
|
|
selinux_set_boolean(init_t)
|
|
|
|
term_use_all_terms(init_t)
|
|
|
|
# Run init scripts.
|
|
init_domtrans_script(init_t)
|
|
|
|
libs_use_ld_so(init_t)
|
|
libs_use_shared_libs(init_t)
|
|
libs_rw_ld_so_cache(init_t)
|
|
|
|
logging_send_syslog_msg(init_t)
|
|
logging_rw_generic_logs(init_t)
|
|
|
|
mcs_killall(init_t)
|
|
|
|
mls_file_read_up(init_t)
|
|
mls_file_write_down(init_t)
|
|
mls_rangetrans_target(init_t)
|
|
|
|
seutil_read_config(init_t)
|
|
|
|
miscfiles_read_localization(init_t)
|
|
|
|
ifdef(`distro_gentoo',`
|
|
allow init_t self:process { getcap setcap };
|
|
')
|
|
|
|
ifdef(`distro_redhat',`
|
|
fs_rw_tmpfs_chr_files(init_t)
|
|
fs_tmpfs_filetrans(init_t,initctl_t,fifo_file)
|
|
')
|
|
|
|
ifdef(`targeted_policy',`
|
|
unconfined_domain(init_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
auth_rw_login_records(init_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(init_t)
|
|
')
|
|
|
|
# Run the shell in the sysadm_t domain for single-user mode.
|
|
optional_policy(`
|
|
userdom_shell_domtrans_sysadm(init_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Init script local policy
|
|
#
|
|
|
|
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
|
allow initrc_t self:capability ~{ sys_admin sys_module };
|
|
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
|
|
allow initrc_t self:passwd rootok;
|
|
|
|
# Allow IPC with self
|
|
allow initrc_t self:unix_dgram_socket create_socket_perms;
|
|
allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto };
|
|
allow initrc_t self:tcp_socket create_stream_socket_perms;
|
|
allow initrc_t self:udp_socket create_socket_perms;
|
|
allow initrc_t self:fifo_file rw_file_perms;
|
|
allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
|
|
|
|
allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
|
|
term_create_pty(initrc_t,initrc_devpts_t)
|
|
|
|
# Going to single user mode
|
|
init_exec(initrc_t)
|
|
|
|
can_exec(initrc_t,initrc_exec_t)
|
|
|
|
manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
|
|
manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
|
|
manage_lnk_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
|
|
manage_fifo_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
|
|
|
|
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
|
files_pid_filetrans(initrc_t,initrc_var_run_t,file)
|
|
|
|
can_exec(initrc_t,initrc_tmp_t)
|
|
allow initrc_t initrc_tmp_t:file manage_file_perms;
|
|
allow initrc_t initrc_tmp_t:dir manage_dir_perms;
|
|
files_tmp_filetrans(initrc_t,initrc_tmp_t, { file dir })
|
|
|
|
init_write_initctl(initrc_t)
|
|
|
|
kernel_read_system_state(initrc_t)
|
|
kernel_read_software_raid_state(initrc_t)
|
|
kernel_read_network_state(initrc_t)
|
|
kernel_read_ring_buffer(initrc_t)
|
|
kernel_change_ring_buffer_level(initrc_t)
|
|
kernel_clear_ring_buffer(initrc_t)
|
|
kernel_get_sysvipc_info(initrc_t)
|
|
kernel_read_all_sysctls(initrc_t)
|
|
kernel_rw_all_sysctls(initrc_t)
|
|
# for lsof which is used by alsa shutdown:
|
|
kernel_dontaudit_getattr_message_if(initrc_t)
|
|
|
|
files_read_kernel_symbol_table(initrc_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(initrc_t)
|
|
corenet_all_recvfrom_netlabel(initrc_t)
|
|
corenet_tcp_sendrecv_all_if(initrc_t)
|
|
corenet_udp_sendrecv_all_if(initrc_t)
|
|
corenet_tcp_sendrecv_all_nodes(initrc_t)
|
|
corenet_udp_sendrecv_all_nodes(initrc_t)
|
|
corenet_tcp_sendrecv_all_ports(initrc_t)
|
|
corenet_udp_sendrecv_all_ports(initrc_t)
|
|
corenet_tcp_connect_all_ports(initrc_t)
|
|
corenet_sendrecv_all_client_packets(initrc_t)
|
|
|
|
dev_read_rand(initrc_t)
|
|
dev_read_urand(initrc_t)
|
|
dev_write_rand(initrc_t)
|
|
dev_write_urand(initrc_t)
|
|
dev_rw_sysfs(initrc_t)
|
|
dev_list_usbfs(initrc_t)
|
|
dev_read_framebuffer(initrc_t)
|
|
dev_read_realtime_clock(initrc_t)
|
|
dev_read_sound_mixer(initrc_t)
|
|
dev_write_sound_mixer(initrc_t)
|
|
dev_setattr_all_chr_files(initrc_t)
|
|
dev_read_lvm_control(initrc_t)
|
|
dev_delete_lvm_control_dev(initrc_t)
|
|
dev_manage_generic_symlinks(initrc_t)
|
|
dev_manage_generic_files(initrc_t)
|
|
# Wants to remove udev.tbl:
|
|
dev_delete_generic_symlinks(initrc_t)
|
|
|
|
fs_register_binary_executable_type(initrc_t)
|
|
# rhgb-console writes to ramfs
|
|
fs_write_ramfs_pipes(initrc_t)
|
|
# cjp: not sure why these are here; should use mount policy
|
|
fs_mount_all_fs(initrc_t)
|
|
fs_unmount_all_fs(initrc_t)
|
|
fs_remount_all_fs(initrc_t)
|
|
fs_getattr_all_fs(initrc_t)
|
|
|
|
# initrc_t needs to do a pidof which requires ptrace
|
|
mcs_ptrace_all(initrc_t)
|
|
|
|
selinux_get_enforce_mode(initrc_t)
|
|
|
|
storage_getattr_fixed_disk_dev(initrc_t)
|
|
storage_setattr_fixed_disk_dev(initrc_t)
|
|
storage_setattr_removable_dev(initrc_t)
|
|
|
|
term_use_all_terms(initrc_t)
|
|
term_reset_tty_labels(initrc_t)
|
|
|
|
auth_rw_login_records(initrc_t)
|
|
auth_setattr_login_records(initrc_t)
|
|
auth_rw_lastlog(initrc_t)
|
|
auth_read_pam_pid(initrc_t)
|
|
auth_delete_pam_pid(initrc_t)
|
|
auth_delete_pam_console_data(initrc_t)
|
|
|
|
corecmd_exec_all_executables(initrc_t)
|
|
|
|
domain_kill_all_domains(initrc_t)
|
|
domain_signal_all_domains(initrc_t)
|
|
domain_signull_all_domains(initrc_t)
|
|
domain_sigstop_all_domains(initrc_t)
|
|
domain_sigstop_all_domains(initrc_t)
|
|
domain_sigchld_all_domains(initrc_t)
|
|
domain_read_all_domains_state(initrc_t)
|
|
domain_getattr_all_domains(initrc_t)
|
|
domain_dontaudit_ptrace_all_domains(initrc_t)
|
|
domain_getsession_all_domains(initrc_t)
|
|
domain_use_interactive_fds(initrc_t)
|
|
# for lsof which is used by alsa shutdown:
|
|
domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
|
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
|
|
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
|
|
domain_dontaudit_getattr_all_pipes(initrc_t)
|
|
|
|
files_getattr_all_dirs(initrc_t)
|
|
files_getattr_all_files(initrc_t)
|
|
files_getattr_all_symlinks(initrc_t)
|
|
files_getattr_all_pipes(initrc_t)
|
|
files_getattr_all_sockets(initrc_t)
|
|
files_purge_tmp(initrc_t)
|
|
files_delete_all_locks(initrc_t)
|
|
files_read_all_pids(initrc_t)
|
|
files_delete_all_pids(initrc_t)
|
|
files_delete_all_pid_dirs(initrc_t)
|
|
files_read_etc_files(initrc_t)
|
|
files_manage_etc_runtime_files(initrc_t)
|
|
files_etc_filetrans_etc_runtime(initrc_t,file)
|
|
files_manage_generic_locks(initrc_t)
|
|
files_exec_etc_files(initrc_t)
|
|
files_read_usr_files(initrc_t)
|
|
files_manage_urandom_seed(initrc_t)
|
|
files_manage_generic_spool(initrc_t)
|
|
# Mount and unmount file systems.
|
|
# cjp: not sure why these are here; should use mount policy
|
|
files_list_isid_type_dirs(initrc_t)
|
|
files_mounton_isid_type_dirs(initrc_t)
|
|
files_list_default(initrc_t)
|
|
files_mounton_default(initrc_t)
|
|
|
|
libs_rw_ld_so_cache(initrc_t)
|
|
libs_use_ld_so(initrc_t)
|
|
libs_use_shared_libs(initrc_t)
|
|
libs_exec_lib_files(initrc_t)
|
|
|
|
logging_send_syslog_msg(initrc_t)
|
|
logging_manage_generic_logs(initrc_t)
|
|
logging_read_all_logs(initrc_t)
|
|
logging_append_all_logs(initrc_t)
|
|
logging_read_audit_config(initrc_t)
|
|
|
|
miscfiles_read_localization(initrc_t)
|
|
# slapd needs to read cert files from its initscript
|
|
miscfiles_read_certs(initrc_t)
|
|
|
|
mcs_killall(initrc_t)
|
|
mcs_process_set_categories(initrc_t)
|
|
|
|
mls_file_read_up(initrc_t)
|
|
mls_file_write_down(initrc_t)
|
|
mls_process_read_up(initrc_t)
|
|
mls_process_write_down(initrc_t)
|
|
mls_rangetrans_source(initrc_t)
|
|
mls_rangetrans_target(initrc_t)
|
|
|
|
modutils_read_module_config(initrc_t)
|
|
modutils_domtrans_insmod(initrc_t)
|
|
|
|
seutil_read_config(initrc_t)
|
|
|
|
sysnet_read_config(initrc_t)
|
|
|
|
userdom_read_all_users_home_content_files(initrc_t)
|
|
# Allow access to the sysadm TTYs. Note that this will give access to the
|
|
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
|
|
# started from init should be placed in their own domain.
|
|
userdom_use_sysadm_terms(initrc_t)
|
|
|
|
ifdef(`distro_debian',`
|
|
dev_setattr_generic_dirs(initrc_t)
|
|
|
|
fs_tmpfs_filetrans(initrc_t,initrc_var_run_t,dir)
|
|
|
|
# for storing state under /dev/shm
|
|
fs_setattr_tmpfs_dirs(initrc_t)
|
|
storage_manage_fixed_disk(initrc_t)
|
|
storage_tmpfs_filetrans_fixed_disk(initrc_t)
|
|
|
|
files_setattr_etc_dirs(initrc_t)
|
|
')
|
|
|
|
ifdef(`distro_gentoo',`
|
|
kernel_dontaudit_getattr_core_if(initrc_t)
|
|
|
|
# seed udev /dev
|
|
allow initrc_t self:process setfscreate;
|
|
dev_create_null_dev(initrc_t)
|
|
dev_create_zero_dev(initrc_t)
|
|
dev_create_generic_dirs(initrc_t)
|
|
term_create_console_dev(initrc_t)
|
|
|
|
# unfortunately /sbin/rc does stupid tricks
|
|
# with /dev/.rcboot to decide if we are in
|
|
# early init
|
|
dev_create_generic_dirs(initrc_t)
|
|
dev_delete_generic_dirs(initrc_t)
|
|
|
|
# needed until baselayout is fixed to have the
|
|
# restorecon on /dev to again be immediately after
|
|
# mounting tmpfs on /dev
|
|
fs_tmpfs_filetrans(initrc_t,initrc_state_t,file)
|
|
|
|
# init scripts touch this
|
|
clock_dontaudit_write_adjtime(initrc_t)
|
|
|
|
# for integrated run_init to read run_init_type.
|
|
# happens during boot (/sbin/rc execs init scripts)
|
|
seutil_read_default_contexts(initrc_t)
|
|
|
|
optional_policy(`
|
|
arpwatch_manage_data_files(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dhcpd_setattr_state_files(initrc_t)
|
|
')
|
|
')
|
|
|
|
ifdef(`distro_redhat',`
|
|
# this is from kmodule, which should get its own policy:
|
|
allow initrc_t self:capability sys_admin;
|
|
|
|
allow initrc_t self:process setfscreate;
|
|
|
|
# Red Hat systems seem to have a stray
|
|
# fd open from the initrd
|
|
kernel_dontaudit_use_fds(initrc_t)
|
|
files_dontaudit_read_root_files(initrc_t)
|
|
|
|
selinux_set_enforce_mode(initrc_t)
|
|
|
|
# These seem to be from the initrd
|
|
# during device initialization:
|
|
dev_create_generic_dirs(initrc_t)
|
|
dev_rwx_zero(initrc_t)
|
|
dev_rx_raw_memory(initrc_t)
|
|
dev_wx_raw_memory(initrc_t)
|
|
storage_raw_read_fixed_disk(initrc_t)
|
|
storage_raw_write_fixed_disk(initrc_t)
|
|
|
|
files_create_boot_flag(initrc_t)
|
|
files_rw_boot_symlinks(initrc_t)
|
|
# wants to read /.fonts directory
|
|
files_read_default_files(initrc_t)
|
|
files_mountpoint(initrc_tmp_t)
|
|
# Needs to cp localtime to /var dirs
|
|
files_write_var_dirs(initrc_t)
|
|
|
|
fs_rw_tmpfs_chr_files(initrc_t)
|
|
|
|
storage_manage_fixed_disk(initrc_t)
|
|
storage_dev_filetrans_fixed_disk(initrc_t)
|
|
storage_getattr_removable_dev(initrc_t)
|
|
|
|
# readahead asks for these
|
|
auth_dontaudit_read_shadow(initrc_t)
|
|
|
|
# init scripts cp /etc/localtime over other directories localtime
|
|
miscfiles_rw_localization(initrc_t)
|
|
miscfiles_setattr_localization(initrc_t)
|
|
miscfiles_relabel_localization(initrc_t)
|
|
|
|
miscfiles_read_fonts(initrc_t)
|
|
miscfiles_read_hwdata(initrc_t)
|
|
|
|
optional_policy(`
|
|
bind_manage_config_dirs(initrc_t)
|
|
bind_write_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
#for /etc/rc.d/init.d/nfs to create /etc/exports
|
|
rpc_write_exports(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
sysnet_rw_dhcp_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
xserver_delete_log(initrc_t)
|
|
')
|
|
')
|
|
|
|
ifdef(`distro_suse',`
|
|
optional_policy(`
|
|
# set permissions on /tmp/.X11-unix
|
|
xserver_setattr_xdm_tmp_dirs(initrc_t)
|
|
')
|
|
')
|
|
|
|
ifdef(`targeted_policy',`
|
|
domain_subj_id_change_exemption(initrc_t)
|
|
unconfined_domain(initrc_t)
|
|
|
|
ifdef(`distro_redhat',`
|
|
# system-config-services causes avc messages that should be dontaudited
|
|
unconfined_dontaudit_rw_pipes(daemon)
|
|
')
|
|
|
|
tunable_policy(`allow_daemons_use_tty',`
|
|
term_use_unallocated_ttys(daemon)
|
|
term_use_generic_ptys(daemon)
|
|
')
|
|
|
|
optional_policy(`
|
|
mono_domtrans(initrc_t)
|
|
')
|
|
',`
|
|
# cjp: require doesnt work in the else of optionals :\
|
|
# this also would result in a type transition
|
|
# conflict if sendmail is enabled
|
|
# optional_policy(`',`
|
|
# mta_send_mail(initrc_t)
|
|
# ')
|
|
|
|
# allow init scripts to su
|
|
optional_policy(`
|
|
su_restricted_domain_template(initrc,initrc_t,system_r)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
amavis_search_lib(initrc_t)
|
|
amavis_setattr_pid_files(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dev_rw_apm_bios(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
apache_read_config(initrc_t)
|
|
apache_list_modules(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
automount_exec_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
bind_read_config(initrc_t)
|
|
|
|
# for chmod in start script
|
|
bind_setattr_pid_dirs(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dev_read_usbfs(initrc_t)
|
|
bluetooth_read_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
clamav_read_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
cpucontrol_stub(initrc_t)
|
|
dev_getattr_cpu_dev(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dev_getattr_printer_dev(initrc_t)
|
|
|
|
cups_read_log(initrc_t)
|
|
cups_read_rw_config(initrc_t)
|
|
#cups init script clears error log
|
|
cups_write_log(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
daemontools_manage_svc(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_connect_system_bus(initrc_t)
|
|
dbus_send_system_bus(initrc_t)
|
|
dbus_system_bus_client_template(initrc,initrc_t)
|
|
dbus_read_config(initrc_t)
|
|
|
|
optional_policy(`
|
|
networkmanager_dbus_chat(initrc_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
ftp_read_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
gpm_setattr_gpmctl(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dev_read_usbfs(initrc_t)
|
|
|
|
# init scripts run /etc/hotplug/usb.rc
|
|
hotplug_read_config(initrc_t)
|
|
|
|
modutils_read_module_deps(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
inn_exec_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ipsec_read_config(initrc_t)
|
|
ipsec_manage_pid(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_use(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ldap_read_config(initrc_t)
|
|
ldap_list_db(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
loadkeys_exec(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# This is needed to permit chown to read /var/spool/lpd/lp.
|
|
# This is opens up security more than necessary; this means that ANYTHING
|
|
# running in the initrc_t domain can read the printer spool directory.
|
|
# Perhaps executing /etc/rc.d/init.d/lpd should transition
|
|
# to domain lpd_t, instead of waiting for executing lpd.
|
|
lpd_list_spool(initrc_t)
|
|
|
|
lpd_read_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
#allow initrc_t lvm_control_t:chr_file unlink;
|
|
|
|
dev_read_lvm_control(initrc_t)
|
|
dev_create_generic_chr_files(initrc_t)
|
|
|
|
lvm_read_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mailman_list_data(initrc_t)
|
|
mailman_read_data_symlinks(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mta_read_config(initrc_t)
|
|
mta_dontaudit_read_spool_symlinks(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ifdef(`distro_redhat',`
|
|
mysql_manage_db_dirs(initrc_t)
|
|
')
|
|
|
|
mysql_stream_connect(initrc_t)
|
|
mysql_write_log(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nis_use_ypbind(initrc_t)
|
|
nis_list_var_yp(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
openvpn_read_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
postgresql_manage_db(initrc_t)
|
|
postgresql_read_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
postfix_list_spool(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
quota_manage_flags(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
raid_manage_mdadm_pid(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
corecmd_shell_entry_type(initrc_t)
|
|
fs_write_ramfs_sockets(initrc_t)
|
|
fs_search_ramfs(initrc_t)
|
|
|
|
rhgb_rw_stream_sockets(initrc_t)
|
|
rhgb_stream_connect(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rpc_read_exports(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# bash tries to access a block device in the initrd
|
|
kernel_dontaudit_getattr_unlabeled_blk_files(initrc_t)
|
|
|
|
# for a bug in rm
|
|
files_dontaudit_write_all_pids(initrc_t)
|
|
|
|
# bash tries ioctl for some reason
|
|
files_dontaudit_ioctl_all_pids(initrc_t)
|
|
|
|
# why is this needed:
|
|
rpm_manage_db(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
samba_rw_config(initrc_t)
|
|
samba_read_winbind_pid(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
squid_read_config(initrc_t)
|
|
squid_manage_logs(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ssh_dontaudit_read_server_keys(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
sysnet_read_dhcpc_state(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_rw_db(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
uml_setattr_util_sockets(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
vmware_read_system_config(initrc_t)
|
|
vmware_append_system_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
miscfiles_manage_fonts(initrc_t)
|
|
|
|
# cjp: is this really needed?
|
|
xfs_read_sockets(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# Set device ownerships/modes.
|
|
xserver_setattr_console_pipes(initrc_t)
|
|
|
|
# init script wants to check if it needs to update windowmanagerlist
|
|
xserver_read_xdm_rw_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
zebra_read_config(initrc_t)
|
|
')
|