[people/stevee/selinux-policy.git] / policy / modules / services / ppp.te


policy_module(ppp, 1.10.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow pppd to load kernel modules for certain modems
## </p>
## </desc>
gen_tunable(pppd_can_insmod, false)

## <desc>
## <p>
## Allow pppd to be run for a regular user
## </p>
## </desc>
gen_tunable(pppd_for_user, false)

# pppd_t is the domain for the pppd program.
# pppd_exec_t is the type of the pppd executable.
type pppd_t;
type pppd_exec_t;
init_daemon_domain(pppd_t, pppd_exec_t)

type pppd_devpts_t;
term_pty(pppd_devpts_t)

# Define a separate type for /etc/ppp
type pppd_etc_t;
files_config_file(pppd_etc_t)

# Define a separate type for writable files under /etc/ppp
type pppd_etc_rw_t;
files_type(pppd_etc_rw_t)

type pppd_script_exec_t;
files_type(pppd_script_exec_t)

# pppd_secret_t is the type of the pap and chap password files
type pppd_secret_t;
files_type(pppd_secret_t)

type pppd_log_t;
logging_log_file(pppd_log_t)

type pppd_lock_t;
files_lock_file(pppd_lock_t)

type pppd_tmp_t;
files_tmp_file(pppd_tmp_t)

type pppd_var_run_t;
files_pid_file(pppd_var_run_t)

type pptp_t;
type pptp_exec_t;
init_daemon_domain(pptp_t, pptp_exec_t)

type pptp_log_t;
logging_log_file(pptp_log_t)

type pptp_var_run_t;
files_pid_file(pptp_var_run_t)

########################################
#
# PPPD Local policy
#

allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override };
dontaudit pppd_t self:capability sys_tty_config;
allow pppd_t self:process signal;
allow pppd_t self:fifo_file rw_fifo_file_perms;
allow pppd_t self:socket create_socket_perms;
allow pppd_t self:unix_dgram_socket create_socket_perms;
allow pppd_t self:unix_stream_socket create_socket_perms;
allow pppd_t self:netlink_route_socket rw_netlink_socket_perms;
allow pppd_t self:tcp_socket create_stream_socket_perms;
allow pppd_t self:udp_socket { connect connected_socket_perms };
allow pppd_t self:packet_socket create_socket_perms;

domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)

allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr };

allow pppd_t pppd_etc_t:dir rw_dir_perms;
allow pppd_t pppd_etc_t:file read_file_perms;
allow pppd_t pppd_etc_t:lnk_file { getattr read };

manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
# Automatically label newly created files under /etc/ppp with this type
filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)

allow pppd_t pppd_lock_t:file manage_file_perms;
files_lock_filetrans(pppd_t, pppd_lock_t, file)

allow pppd_t pppd_log_t:file manage_file_perms;
logging_log_filetrans(pppd_t, pppd_log_t, file)

manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })

manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
files_pid_filetrans(pppd_t, pppd_var_run_t, file)

allow pppd_t pptp_t:process signal;

# for SSP
# Access secret files
allow pppd_t pppd_secret_t:file read_file_perms;

kernel_read_kernel_sysctls(pppd_t)
kernel_read_system_state(pppd_t)
kernel_rw_net_sysctls(pppd_t)
kernel_read_network_state(pppd_t)
kernel_load_module(pppd_t)

dev_read_urand(pppd_t)
dev_search_sysfs(pppd_t)
dev_read_sysfs(pppd_t)

corenet_all_recvfrom_unlabeled(pppd_t)
corenet_all_recvfrom_netlabel(pppd_t)
corenet_tcp_sendrecv_all_if(pppd_t)
corenet_raw_sendrecv_all_if(pppd_t)
corenet_udp_sendrecv_all_if(pppd_t)
corenet_tcp_sendrecv_all_nodes(pppd_t)
corenet_raw_sendrecv_all_nodes(pppd_t)
corenet_udp_sendrecv_all_nodes(pppd_t)
corenet_tcp_sendrecv_all_ports(pppd_t)
corenet_udp_sendrecv_all_ports(pppd_t)
# Access /dev/ppp.
corenet_rw_ppp_dev(pppd_t)

fs_getattr_all_fs(pppd_t)
fs_search_auto_mountpoints(pppd_t)

term_use_unallocated_ttys(pppd_t)
term_setattr_unallocated_ttys(pppd_t)
term_ioctl_generic_ptys(pppd_t)
# for pppoe
term_create_pty(pppd_t, pppd_devpts_t)

# allow running ip-up and ip-down scripts and running chat.
corecmd_exec_bin(pppd_t)
corecmd_exec_shell(pppd_t)

domain_use_interactive_fds(pppd_t)

files_exec_etc_files(pppd_t)
files_manage_etc_runtime_files(pppd_t)
files_dontaudit_write_etc_files(pppd_t)

# for scripts
files_read_etc_files(pppd_t)

init_read_utmp(pppd_t)
init_dontaudit_write_utmp(pppd_t)

auth_use_nsswitch(pppd_t)

logging_send_syslog_msg(pppd_t)

miscfiles_read_localization(pppd_t)

sysnet_exec_ifconfig(pppd_t)
sysnet_manage_config(pppd_t)
sysnet_etc_filetrans_config(pppd_t)

userdom_use_user_terminals(pppd_t)
userdom_dontaudit_use_unpriv_user_fds(pppd_t)
# for ~/.ppprc - if it actually exists then you need some policy to read it
userdom_search_user_home_dirs(pppd_t)

ppp_exec(pppd_t)

optional_policy(`
	ddclient_domtrans(pppd_t)
')

optional_policy(`
	tunable_policy(`pppd_can_insmod && ! secure_mode_insmod',`
		modutils_domtrans_insmod_uncond(pppd_t)
	')
')

optional_policy(`
	mta_send_mail(pppd_t)
')

optional_policy(`
	networkmanager_signal(pppd_t)
')

optional_policy(`
	postfix_domtrans_master(pppd_t)
')

optional_policy(`
	seutil_sigchld_newrole(pppd_t)
')

optional_policy(`
	udev_read_db(pppd_t)
')

########################################
#
# PPTP Local policy
#

allow pptp_t self:capability net_raw;
dontaudit pptp_t self:capability sys_tty_config;
allow pptp_t self:process signal;
allow pptp_t self:fifo_file rw_fifo_file_perms;
allow pptp_t self:unix_dgram_socket create_socket_perms;
allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow pptp_t self:rawip_socket create_socket_perms;
allow pptp_t self:tcp_socket create_socket_perms;

allow pptp_t pppd_etc_t:dir list_dir_perms;
allow pptp_t pppd_etc_t:file read_file_perms;
allow pptp_t pppd_etc_t:lnk_file { getattr read };

allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
allow pptp_t pppd_etc_rw_t:file read_file_perms;
allow pptp_t pppd_etc_rw_t:lnk_file { getattr read };
can_exec(pptp_t, pppd_etc_rw_t)

# Allow pptp to append to pppd log files
allow pptp_t pppd_log_t:file append_file_perms;

allow pptp_t pptp_log_t:file manage_file_perms;
logging_log_filetrans(pptp_t, pptp_log_t, file)

manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
files_pid_filetrans(pptp_t, pptp_var_run_t, file)

kernel_list_proc(pptp_t)
kernel_read_kernel_sysctls(pptp_t)
kernel_read_proc_symlinks(pptp_t)

dev_read_sysfs(pptp_t)

corenet_all_recvfrom_unlabeled(pptp_t)
corenet_all_recvfrom_netlabel(pptp_t)
corenet_tcp_sendrecv_all_if(pptp_t)
corenet_raw_sendrecv_all_if(pptp_t)
corenet_tcp_sendrecv_all_nodes(pptp_t)
corenet_raw_sendrecv_all_nodes(pptp_t)
corenet_tcp_sendrecv_all_ports(pptp_t)
corenet_tcp_bind_all_nodes(pptp_t)
corenet_tcp_connect_generic_port(pptp_t)
corenet_tcp_connect_all_reserved_ports(pptp_t)
corenet_sendrecv_generic_client_packets(pptp_t)

fs_getattr_all_fs(pptp_t)
fs_search_auto_mountpoints(pptp_t)

term_ioctl_generic_ptys(pptp_t)
term_search_ptys(pptp_t)
term_use_ptmx(pptp_t)

domain_use_interactive_fds(pptp_t)

logging_send_syslog_msg(pptp_t)

miscfiles_read_localization(pptp_t)

sysnet_read_config(pptp_t)

userdom_dontaudit_use_unpriv_user_fds(pptp_t)
userdom_dontaudit_search_user_home_dirs(pptp_t)

optional_policy(`
	consoletype_exec(pppd_t)
')

optional_policy(`
	hostname_exec(pptp_t)
')

optional_policy(`
	nscd_socket_use(pptp_t)
')

optional_policy(`
	seutil_sigchld_newrole(pptp_t)
')

optional_policy(`
	udev_read_db(pptp_t)
')

optional_policy(`
	postfix_read_config(pppd_t)
')

# FIXME:
domtrans_pattern(pppd_t, pppd_script_exec_t, initrc_t)
Commit	Line	Data
e08118a5	1
17ec8c1f	2	policy_module(ppp, 1.10.0)
e08118a5 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
56e1b3d2 CP	9	## <desc>
	10	## <p>
	11	## Allow pppd to load kernel modules for certain modems
	12	## </p>
	13	## </desc>
0bfccda4	14	gen_tunable(pppd_can_insmod, false)
56e1b3d2	15
56e1b3d2 CP	16	## <desc>
	17	## <p>
	18	## Allow pppd to be run for a regular user
	19	## </p>
	20	## </desc>
0bfccda4	21	gen_tunable(pppd_for_user, false)
56e1b3d2	22
e08118a5 CP	23	# pppd_t is the domain for the pppd program.
	24	# pppd_exec_t is the type of the pppd executable.
	25	type pppd_t;
	26	type pppd_exec_t;
0bfccda4	27	init_daemon_domain(pppd_t, pppd_exec_t)
e08118a5 CP	28
	29	type pppd_devpts_t;
	30	term_pty(pppd_devpts_t)
	31
	32	# Define a separate type for /etc/ppp
9bbc757a CP	33	type pppd_etc_t;
9bbc757a CP	34	files_config_file(pppd_etc_t)
e08118a5 CP	35
	36	# Define a separate type for writable files under /etc/ppp
	37	type pppd_etc_rw_t;
	38	files_type(pppd_etc_rw_t)
	39
	40	type pppd_script_exec_t;
	41	files_type(pppd_script_exec_t)
	42
	43	# pppd_secret_t is the type of the pap and chap password files
	44	type pppd_secret_t;
	45	files_type(pppd_secret_t)
	46
	47	type pppd_log_t;
	48	logging_log_file(pppd_log_t)
	49
	50	type pppd_lock_t;
	51	files_lock_file(pppd_lock_t)
	52
	53	type pppd_tmp_t;
	54	files_tmp_file(pppd_tmp_t)
	55
	56	type pppd_var_run_t;
	57	files_pid_file(pppd_var_run_t)
	58
	59	type pptp_t;
	60	type pptp_exec_t;
0bfccda4	61	init_daemon_domain(pptp_t, pptp_exec_t)
e08118a5 CP	62
	63	type pptp_log_t;
	64	logging_log_file(pptp_log_t)
	65
	66	type pptp_var_run_t;
	67	files_pid_file(pptp_var_run_t)
	68
	69	########################################
	70	#
	71	# PPPD Local policy
	72	#
	73
ae338637	74	allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override };
141cffdd	75	dontaudit pppd_t self:capability sys_tty_config;
123a990b	76	allow pppd_t self:process signal;
c0868a7a	77	allow pppd_t self:fifo_file rw_fifo_file_perms;
e08118a5 CP	78	allow pppd_t self:socket create_socket_perms;
	79	allow pppd_t self:unix_dgram_socket create_socket_perms;
	80	allow pppd_t self:unix_stream_socket create_socket_perms;
8708d9be	81	allow pppd_t self:netlink_route_socket rw_netlink_socket_perms;
e08118a5 CP	82	allow pppd_t self:tcp_socket create_stream_socket_perms;
	83	allow pppd_t self:udp_socket { connect connected_socket_perms };
	84	allow pppd_t self:packet_socket create_socket_perms;
	85
c0868a7a	86	domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
e08118a5	87
c0868a7a	88	allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr };
e08118a5 CP	89
e08118a5 CP	90	allow pppd_t pppd_etc_t:dir rw_dir_perms;
c0868a7a	91	allow pppd_t pppd_etc_t:file read_file_perms;
e08118a5	92	allow pppd_t pppd_etc_t:lnk_file { getattr read };
e08118a5	93
0bfccda4	94	manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
8708d9be	95	# Automatically label newly created files under /etc/ppp with this type
0bfccda4	96	filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
e08118a5	97
c0868a7a	98	allow pppd_t pppd_lock_t:file manage_file_perms;
0bfccda4	99	files_lock_filetrans(pppd_t, pppd_lock_t, file)
e08118a5	100
c0868a7a	101	allow pppd_t pppd_log_t:file manage_file_perms;
0bfccda4	102	logging_log_filetrans(pppd_t, pppd_log_t, file)
e08118a5	103
0bfccda4 CP	104	manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
0bfccda4 CP	105	manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
103fe280	106	files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
e08118a5	107
0bfccda4 CP	108	manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
0bfccda4 CP	109	files_pid_filetrans(pppd_t, pppd_var_run_t, file)
e08118a5 CP	110
	111	allow pppd_t pptp_t:process signal;
	112
	113	# for SSP
	114	# Access secret files
c0868a7a	115	allow pppd_t pppd_secret_t:file read_file_perms;
e08118a5	116
445522dc	117	kernel_read_kernel_sysctls(pppd_t)
725926c5	118	kernel_read_system_state(pppd_t)
ae338637	119	kernel_rw_net_sysctls(pppd_t)
e08118a5 CP	120	kernel_read_network_state(pppd_t)
	121	kernel_load_module(pppd_t)
	122
	123	dev_read_urand(pppd_t)
	124	dev_search_sysfs(pppd_t)
	125	dev_read_sysfs(pppd_t)
	126
19006686 CP	127	corenet_all_recvfrom_unlabeled(pppd_t)
19006686 CP	128	corenet_all_recvfrom_netlabel(pppd_t)
e08118a5 CP	129	corenet_tcp_sendrecv_all_if(pppd_t)
	130	corenet_raw_sendrecv_all_if(pppd_t)
	131	corenet_udp_sendrecv_all_if(pppd_t)
	132	corenet_tcp_sendrecv_all_nodes(pppd_t)
	133	corenet_raw_sendrecv_all_nodes(pppd_t)
	134	corenet_udp_sendrecv_all_nodes(pppd_t)
	135	corenet_tcp_sendrecv_all_ports(pppd_t)
	136	corenet_udp_sendrecv_all_ports(pppd_t)
e08118a5	137	# Access /dev/ppp.
5b6ddb98	138	corenet_rw_ppp_dev(pppd_t)
e08118a5 CP	139
	140	fs_getattr_all_fs(pppd_t)
	141	fs_search_auto_mountpoints(pppd_t)
	142
1815bad1	143	term_use_unallocated_ttys(pppd_t)
e08118a5	144	term_setattr_unallocated_ttys(pppd_t)
1815bad1	145	term_ioctl_generic_ptys(pppd_t)
e08118a5	146	# for pppoe
0bfccda4	147	term_create_pty(pppd_t, pppd_devpts_t)
e08118a5 CP	148
	149	# allow running ip-up and ip-down scripts and running chat.
	150	corecmd_exec_bin(pppd_t)
e08118a5 CP	151	corecmd_exec_shell(pppd_t)
e08118a5 CP	152
15722ec9	153	domain_use_interactive_fds(pppd_t)
e08118a5 CP	154
e08118a5 CP	155	files_exec_etc_files(pppd_t)
8708d9be	156	files_manage_etc_runtime_files(pppd_t)
8708d9be CP	157	files_dontaudit_write_etc_files(pppd_t)
8708d9be CP	158
e08118a5 CP	159	# for scripts
	160	files_read_etc_files(pppd_t)
	161
68228b33 CP	162	init_read_utmp(pppd_t)
68228b33 CP	163	init_dontaudit_write_utmp(pppd_t)
e08118a5	164
7a5e2d8a CP	165	auth_use_nsswitch(pppd_t)
7a5e2d8a CP	166
e08118a5 CP	167	logging_send_syslog_msg(pppd_t)
	168
	169	miscfiles_read_localization(pppd_t)
	170
e08118a5 CP	171	sysnet_exec_ifconfig(pppd_t)
e08118a5 CP	172	sysnet_manage_config(pppd_t)
f6a590d7	173	sysnet_etc_filetrans_config(pppd_t)
e08118a5	174
296273a7	175	userdom_use_user_terminals(pppd_t)
15722ec9	176	userdom_dontaudit_use_unpriv_user_fds(pppd_t)
e08118a5	177	# for ~/.ppprc - if it actually exists then you need some policy to read it
296273a7	178	userdom_search_user_home_dirs(pppd_t)
e08118a5	179
8708d9be CP	180	ppp_exec(pppd_t)
8708d9be CP	181
70b8a723 CP	182	optional_policy(`
	183	ddclient_domtrans(pppd_t)
	184	')
	185
bb7170f6	186	optional_policy(`
8967bf8b CP	187	tunable_policy(`pppd_can_insmod && ! secure_mode_insmod',`
8967bf8b CP	188	modutils_domtrans_insmod_uncond(pppd_t)
e08118a5 CP	189	')
	190	')
	191
bb7170f6	192	optional_policy(`
88dd3896 CP	193	mta_send_mail(pppd_t)
	194	')
	195
ae338637 CP	196	optional_policy(`
	197	networkmanager_signal(pppd_t)
	198	')
	199
56e1b3d2 CP	200	optional_policy(`
	201	postfix_domtrans_master(pppd_t)
	202	')
	203
bb7170f6	204	optional_policy(`
e08118a5 CP	205	seutil_sigchld_newrole(pppd_t)
	206	')
	207
bb7170f6	208	optional_policy(`
e08118a5 CP	209	udev_read_db(pppd_t)
	210	')
	211
	212	########################################
	213	#
	214	# PPTP Local policy
	215	#
	216
e08118a5	217	allow pptp_t self:capability net_raw;
7a5e2d8a CP	218	dontaudit pptp_t self:capability sys_tty_config;
7a5e2d8a CP	219	allow pptp_t self:process signal;
0b36a214	220	allow pptp_t self:fifo_file rw_fifo_file_perms;
e08118a5 CP	221	allow pptp_t self:unix_dgram_socket create_socket_perms;
	222	allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
	223	allow pptp_t self:rawip_socket create_socket_perms;
	224	allow pptp_t self:tcp_socket create_socket_perms;
	225
0b36a214 CP	226	allow pptp_t pppd_etc_t:dir list_dir_perms;
0b36a214 CP	227	allow pptp_t pppd_etc_t:file read_file_perms;
e08118a5 CP	228	allow pptp_t pppd_etc_t:lnk_file { getattr read };
e08118a5 CP	229
0b36a214 CP	230	allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
0b36a214 CP	231	allow pptp_t pppd_etc_rw_t:file read_file_perms;
e08118a5 CP	232	allow pptp_t pppd_etc_rw_t:lnk_file { getattr read };
	233	can_exec(pptp_t, pppd_etc_rw_t)
	234
	235	# Allow pptp to append to pppd log files
0b36a214	236	allow pptp_t pppd_log_t:file append_file_perms;
e08118a5	237
c0868a7a	238	allow pptp_t pptp_log_t:file manage_file_perms;
0bfccda4	239	logging_log_filetrans(pptp_t, pptp_log_t, file)
e08118a5	240
0bfccda4 CP	241	manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
	242	manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
	243	files_pid_filetrans(pptp_t, pptp_var_run_t, file)
e08118a5 CP	244
e08118a5 CP	245	kernel_list_proc(pptp_t)
445522dc	246	kernel_read_kernel_sysctls(pptp_t)
e08118a5 CP	247	kernel_read_proc_symlinks(pptp_t)
	248
	249	dev_read_sysfs(pptp_t)
	250
19006686 CP	251	corenet_all_recvfrom_unlabeled(pptp_t)
19006686 CP	252	corenet_all_recvfrom_netlabel(pptp_t)
e08118a5 CP	253	corenet_tcp_sendrecv_all_if(pptp_t)
	254	corenet_raw_sendrecv_all_if(pptp_t)
	255	corenet_tcp_sendrecv_all_nodes(pptp_t)
	256	corenet_raw_sendrecv_all_nodes(pptp_t)
	257	corenet_tcp_sendrecv_all_ports(pptp_t)
	258	corenet_tcp_bind_all_nodes(pptp_t)
	259	corenet_tcp_connect_generic_port(pptp_t)
	260	corenet_tcp_connect_all_reserved_ports(pptp_t)
141cffdd	261	corenet_sendrecv_generic_client_packets(pptp_t)
e08118a5 CP	262
	263	fs_getattr_all_fs(pptp_t)
	264	fs_search_auto_mountpoints(pptp_t)
	265
1815bad1	266	term_ioctl_generic_ptys(pptp_t)
e08118a5 CP	267	term_search_ptys(pptp_t)
	268	term_use_ptmx(pptp_t)
	269
15722ec9	270	domain_use_interactive_fds(pptp_t)
e08118a5	271
e08118a5 CP	272	logging_send_syslog_msg(pptp_t)
	273
	274	miscfiles_read_localization(pptp_t)
	275
	276	sysnet_read_config(pptp_t)
	277
15722ec9	278	userdom_dontaudit_use_unpriv_user_fds(pptp_t)
296273a7	279	userdom_dontaudit_search_user_home_dirs(pptp_t)
e08118a5	280
8708d9be CP	281	optional_policy(`
	282	consoletype_exec(pppd_t)
	283	')
	284
bb7170f6	285	optional_policy(`
e08118a5 CP	286	hostname_exec(pptp_t)
	287	')
	288
bb7170f6	289	optional_policy(`
1815bad1	290	nscd_socket_use(pptp_t)
e08118a5 CP	291	')
e08118a5 CP	292
bb7170f6	293	optional_policy(`
6073ea1e	294	seutil_sigchld_newrole(pptp_t)
e08118a5 CP	295	')
e08118a5 CP	296
bb7170f6	297	optional_policy(`
6073ea1e	298	udev_read_db(pptp_t)
e08118a5 CP	299	')
e08118a5 CP	300
bb7170f6	301	optional_policy(`
bf080a46	302	postfix_read_config(pppd_t)
e08118a5	303	')
725926c5	304
445522dc	305	# FIXME:
c0868a7a	306	domtrans_pattern(pppd_t, pppd_script_exec_t, initrc_t)