Add SELinux support for ssh pre-auth net process in F17
[people/stevee/selinux-policy.git] / policy / modules / system / init.if
e32d52ba 1## <summary>System initialization programs (init and init scripts).</summary>
e181fe05 2
6cc3f356
CP
3########################################
4## <summary>
5## Create a file type used for init scripts.
6## </summary>
7## <desc>
8## <p>
13f000d2
CP
9## Create a file type used for init scripts. It can not be
10## used in conjunction with init_script_domain(). These
11## script files are typically stored in the /etc/init.d directory.
12## </p>
13## <p>
14## Typically this is used to constrain what services an
15## admin can start/stop. For example, a policy writer may want
16## to constrain a web administrator to only being able to
17## restart the web server, not other services. This special type
18## will help address that goal.
19## </p>
20## <p>
21## This also makes the type usable for files; thus an
22## explicit call to files_type() is redundant.
6cc3f356
CP
23## </p>
24## </desc>
25## <param name="script_file">
26## <summary>
13f000d2 27## Type to be used for a script file.
6cc3f356
CP
28## </summary>
29## </param>
13f000d2 30## <infoflow type="none"/>
6cc3f356
CP
31#
interface(`init_script_file',`
	# Marks the type in arg 1 as an init script file: it joins
	# init_script_file_type and becomes an entry point into initrc_t.
	gen_require(`
		attribute init_script_file_type, init_run_all_scripts_domain;
		type initrc_t;
	')

	typeattribute $1 init_script_file_type;
	domain_entry_file(initrc_t, $1)

	# Every domain in init_run_all_scripts_domain transitions to initrc_t
	# when it executes a file of this type.
	domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t)
')
44
45########################################
46## <summary>
47## Create a domain used for init scripts.
48## </summary>
49## <desc>
50## <p>
51## Create a domain used for init scripts.
52## Can not be used in conjunction with
53## init_script_file().
54## </p>
55## </desc>
56## <param name="domain">
57## <summary>
58## Type to be used as an init script domain.
59## </summary>
60## </param>
61## <param name="script_file">
62## <summary>
63## Type of the script file used as an entry point to this domain.
64## </summary>
65## </param>
66#
interface(`init_script_domain',`
	# Arg 1 becomes an init script domain, arg 2 its entry point file type.
	gen_require(`
		attribute init_script_domain_type, init_script_file_type, init_run_all_scripts_domain;
	')

	typeattribute $2 init_script_file_type;
	typeattribute $1 init_script_domain_type;

	domain_type($1)
	domain_entry_file($1, $2)

	# Domains in init_run_all_scripts_domain enter arg 1 by executing arg 2.
	domtrans_pattern(init_run_all_scripts_domain, $2, $1)
')
81
c18322f4
MG
82
83#######################################
84## <summary>
85## Create a domain which can be started by init.
86## </summary>
87## <param name="domain">
88## <summary>
89## Type to be used as a domain.
90## </summary>
91## </param>
92## <param name="entry_point">
93## <summary>
94## Type of the program to be used as an entry point to this domain.
95## </summary>
96## </param>
97#
interface(`init_systemd_domain',`
	# Declares arg 1 as a domain entered through arg 2 and admits it to
	# system_r. All init_t rules below are conditional on the init_systemd
	# boolean being on.
	gen_require(`
		role system_r;
		type init_t;
	')

	domain_type($1)
	domain_entry_file($1, $2)

	role system_r types $1;

	tunable_policy(`init_systemd',`
		domtrans_pattern(init_t, $2, $1)

		# init_t may create sockets labeled with the new domain
		# (presumably for socket activation; confirm against callers).
		allow init_t $1:unix_stream_socket create_stream_socket_perms;
		allow init_t $1:unix_dgram_socket create_socket_perms;

		# The new domain may ioctl init stream sockets and send
		# datagrams to init.
		allow $1 init_t:unix_stream_socket ioctl;
		allow $1 init_t:unix_dgram_socket sendto;

		# need write to /var/run/systemd/notify
		init_write_pid_socket($1)
	')
')
119
ff313860 120########################################
e5f80603
CP
121## <summary>
122## Create a domain which can be started by init.
123## </summary>
124## <param name="domain">
885b83ec 125## <summary>
e5f80603 126## Type to be used as a domain.
885b83ec 127## </summary>
e5f80603
CP
128## </param>
129## <param name="entry_point">
885b83ec 130## <summary>
e5f80603 131## Type of the program to be used as an entry point to this domain.
885b83ec 132## </summary>
e5f80603 133## </param>
ff313860 134#
interface(`init_domain',`
	# Declares arg 1 as a domain entered through arg 2 and admits it to
	# system_r.
	gen_require(`
		role system_r;
		type init_t;
	')

	domain_type($1)
	domain_entry_file($1, $2)

	role system_r types $1;

	# The true branch is empty on purpose: the init_t transition and the
	# socket rules are emitted only while the init_systemd boolean is off.
	tunable_policy(`init_systemd',`', `
		domtrans_pattern(init_t, $2, $1)
		allow init_t $1:unix_stream_socket create_stream_socket_perms;
		allow $1 init_t:unix_dgram_socket sendto;
	')

	ifdef(`hide_broken_symptoms',`
		# RHEL4 systems seem to have stray fds left open from the
		# initrd; silence the resulting denials instead of allowing use.
		ifdef(`distro_rhel4',`
			kernel_dontaudit_use_fds($1)
		')
	')
')
160
e070dd2d
CP
161########################################
162## <summary>
163## Create a domain which can be started by init,
164## with a range transition.
165## </summary>
166## <param name="domain">
167## <summary>
168## Type to be used as a domain.
169## </summary>
170## </param>
171## <param name="entry_point">
172## <summary>
173## Type of the program to be used as an entry point to this domain.
174## </summary>
175## </param>
176## <param name="range">
177## <summary>
178## Range for the domain.
179## </summary>
180## </param>
181#
interface(`init_ranged_domain',`
	# Same as init_domain for args 1 and 2, plus a range transition to the
	# range in arg 3 when init_t executes the entry point.
	gen_require(`
		type init_t;
	')

	init_domain($1, $2)

	# MCS build: range transition only.
	ifdef(`enable_mcs',`
		range_transition init_t $2:process $3;
	')

	# MLS build: the domain is additionally registered as a range
	# transition target.
	ifdef(`enable_mls',`
		mls_rangetrans_target($1)
		range_transition init_t $2:process $3;
	')
')
198
ff313860 199########################################
e5f80603
CP
200## <summary>
201## Create a domain for long running processes
13f000d2 202## (daemons/services) which are started by init scripts.
e5f80603 203## </summary>
13f000d2
CP
204## <desc>
205## <p>
206## Create a domain for long running processes (daemons/services)
207## which are started by init scripts. Short running processes
208## should use the init_system_domain() interface instead.
209## Typically all long running processes started by an init
210## script (usually in /etc/init.d) will need to use this
211## interface.
212## </p>
213## <p>
214## The types will be made usable as a domain and file, making
215## calls to domain_type() and files_type() redundant.
216## </p>
217## <p>
218## If the process must also run in a specific MLS/MCS level,
219## the init_ranged_daemon_domain() should be used instead.
220## </p>
221## </desc>
e5f80603 222## <param name="domain">
885b83ec 223## <summary>
13f000d2 224## Type to be used as a daemon domain.
885b83ec 225## </summary>
e5f80603
CP
226## </param>
227## <param name="entry_point">
885b83ec 228## <summary>
e5f80603 229## Type of the program to be used as an entry point to this domain.
885b83ec 230## </summary>
e5f80603 231## </param>
13f000d2 232## <infoflow type="read" weight="10"/>
ff313860 233#
interface(`init_daemon_domain',`
	# Declares arg 1 as a daemon domain entered through arg 2 and lets
	# initrc_t transition into it.
	# NOTE(review): system_r is required here but, unlike init_domain and
	# init_system_domain, no role system_r types rule is emitted;
	# presumably the role is granted elsewhere through the daemon
	# attribute - confirm.
	# NOTE(review): initrc_transition_domain is required but not used in
	# this body.
	gen_require(`
		attribute daemon;
		attribute direct_run_init, direct_init, direct_init_entry;
		attribute initrc_transition_domain;
		role system_r;
		type init_t;
		type initrc_t;
	')

	typeattribute $1 daemon;

	domain_type($1)
	domain_entry_file($1, $2)

	domtrans_pattern(initrc_t, $2, $1)

	# Build option: domains in direct_run_init may start the daemon
	# directly, without going through initrc_t.
	ifdef(`direct_sysadm_daemon',`
		typeattribute $1 direct_init;
		typeattribute $2 direct_init_entry;

		domtrans_pattern(direct_run_init, $2, $1)

#		userdom_dontaudit_use_user_terminals($1)
	')

	tunable_policy(`init_upstart || init_systemd',`
		# Handle the direct transition from init_t to an executable
		# when upstart or systemd is in use.
		domtrans_pattern(init_t, $2, $1)
	')
')
265
e070dd2d
CP
266########################################
267## <summary>
268## Create a domain for long running processes
13f000d2
CP
269## (daemons/services) which are started by init scripts,
270## running at a specified MLS/MCS range.
e070dd2d 271## </summary>
13f000d2
CP
272## <desc>
273## <p>
274## Create a domain for long running processes (daemons/services)
275## which are started by init scripts, running at a specified
276## MLS/MCS range. Short running processes
277## should use the init_ranged_system_domain() interface instead.
278## Typically all long running processes started by an init
279## script (usually in /etc/init.d) will need to use this
280## interface if they need to run in a specific MLS/MCS range.
281## </p>
282## <p>
283## The types will be made usable as a domain and file, making
284## calls to domain_type() and files_type() redundant.
285## </p>
286## <p>
287## If the policy build option TYPE is standard (MLS and MCS disabled),
288## this interface has the same behavior as init_daemon_domain().
289## </p>
290## </desc>
e070dd2d
CP
291## <param name="domain">
292## <summary>
13f000d2 293## Type to be used as a daemon domain.
e070dd2d
CP
294## </summary>
295## </param>
296## <param name="entry_point">
297## <summary>
298## Type of the program to be used as an entry point to this domain.
299## </summary>
300## </param>
301## <param name="range">
302## <summary>
13f000d2 303## MLS/MCS range for the domain.
e070dd2d
CP
304## </summary>
305## </param>
13f000d2 306## <infoflow type="read" weight="10"/>
e070dd2d
CP
307#
interface(`init_ranged_daemon_domain',`
	# Emits range transitions to the range in arg 3 when initrc_t or
	# init_t executes the entry point in arg 2.
	gen_require(`
		type init_t;
		type initrc_t;
	')

	# NOTE(review): the call below is disabled, so this interface no
	# longer declares the domain, its entry point or any domain
	# transition. In a build with neither enable_mcs nor enable_mls it
	# emits nothing. The header documentation still describes the old
	# behaviour; callers presumably have to call init_daemon_domain()
	# themselves - confirm, otherwise the daemon is left without its
	# own domain transition.
#	init_daemon_domain($1, $2)

	ifdef(`enable_mcs',`
		range_transition init_t $2:process $3;
		range_transition initrc_t $2:process $3;
	')

	ifdef(`enable_mls',`
		range_transition init_t $2:process $3;
		range_transition initrc_t $2:process $3;
		mls_rangetrans_target($1)
	')
')
327
ff313860 328########################################
e5f80603
CP
329## <summary>
330## Create a domain for short running processes
13f000d2 331## which are started by init scripts.
e5f80603 332## </summary>
13f000d2
CP
333## <desc>
334## <p>
3979c688 335## Create a domain for short running processes
13f000d2
CP
336## which are started by init scripts. These are generally applications that
337## are used to initialize the system during boot.
3979c688 338## Long running processes, such as daemons/services
13f000d2
CP
339## should use the init_daemon_domain() interface instead.
340## Typically all short running processes started by an init
341## script (usually in /etc/init.d) will need to use this
7a15ba8b 342## interface.
13f000d2
CP
343## </p>
344## <p>
345## The types will be made usable as a domain and file, making
346## calls to domain_type() and files_type() redundant.
347## </p>
348## <p>
349## If the process must also run in a specific MLS/MCS level,
350## the init_ranged_system_domain() should be used instead.
351## </p>
352## </desc>
e5f80603 353## <param name="domain">
885b83ec 354## <summary>
13f000d2 355## Type to be used as a system domain.
885b83ec 356## </summary>
e5f80603
CP
357## </param>
358## <param name="entry_point">
885b83ec 359## <summary>
e5f80603 360## Type of the program to be used as an entry point to this domain.
885b83ec 361## </summary>
e5f80603 362## </param>
13f000d2 363## <infoflow type="read" weight="10"/>
ff313860 364#
interface(`init_system_domain',`
	# Declares arg 1 as a system process domain entered through arg 2,
	# admits it to system_r and lets initrc_t transition into it.
	# NOTE(review): initrc_transition_domain is required but not used in
	# this body.
	gen_require(`
		attribute initrc_transition_domain;
		attribute systemprocess;
		role system_r;
		type init_t;
		type initrc_t;
	')

	typeattribute $1 systemprocess;
	application_domain($1, $2)

	role system_r types $1;

	domtrans_pattern(initrc_t, $2, $1)

	tunable_policy(`init_systemd',`
		# Handle the direct transition from init_t to an executable;
		# only the init_systemd boolean is tested here.
		domtrans_pattern(init_t, $2, $1)
	')
')
386
e070dd2d
CP
387########################################
388## <summary>
389## Create a domain for short running processes
13f000d2 390## which are started by init scripts.
e070dd2d 391## </summary>
13f000d2
CP
392## <desc>
393## <p>
394## Create a domain for short running processes
395## which are started by init scripts.
396## These are generally applications that
397## are used to initialize the system during boot.
398## Long running processes, such as daemons/services,
399## should use the init_ranged_daemon_domain() interface instead.
400## Typically all short running processes started by an init
401## script (usually in /etc/init.d) will need to use this
402## interface if they need to run in a specific MLS/MCS range.
403## </p>
404## <p>
405## The types will be made usable as a domain and file, making
406## calls to domain_type() and files_type() redundant.
407## </p>
408## <p>
409## If the policy build option TYPE is standard (MLS and MCS disabled),
410## this interface has the same behavior as init_system_domain().
411## </p>
412## </desc>
e070dd2d
CP
413## <param name="domain">
414## <summary>
13f000d2 415## Type to be used as a system domain.
e070dd2d
CP
416## </summary>
417## </param>
418## <param name="entry_point">
419## <summary>
420## Type of the program to be used as an entry point to this domain.
421## </summary>
422## </param>
423## <param name="range">
424## <summary>
425## Range for the domain.
426## </summary>
427## </param>
13f000d2 428## <infoflow type="read" weight="10"/>
e070dd2d
CP
429#
interface(`init_ranged_system_domain',`
	# Same as init_system_domain for args 1 and 2, plus range transitions
	# to the range in arg 3 when initrc_t or init_t executes the entry
	# point.
	gen_require(`
		type init_t;
		type initrc_t;
	')

	init_system_domain($1, $2)

	ifdef(`enable_mcs',`
		range_transition init_t $2:process $3;
		range_transition initrc_t $2:process $3;
	')

	ifdef(`enable_mls',`
		mls_rangetrans_target($1)
		range_transition init_t $2:process $3;
		range_transition initrc_t $2:process $3;
	')
')
449
6e54263f
MG
450######################################
451## <summary>
452## Allow domain dyntransition to init_t domain.
453## </summary>
454## <param name="domain">
455## <summary>
456## Domain allowed to transition.
457## </summary>
458## </param>
459#
interface(`init_dyntrans',`
	# Lets the domain in arg 1 dynamically transition into init_t.
	# A dynamic transition relabels a running process without an exec,
	# so no entry point file is involved; keep the list of callers short
	# and review each one.
	gen_require(`
		type init_t;
	')

	dyntrans_pattern($1, init_t)
')
467
b4cd1533 468########################################
ac9db9b5
CP
469## <summary>
470## Execute init (/sbin/init) with a domain transition.
471## </summary>
472## <param name="domain">
473## <summary>
a0546c9d 474## Domain allowed to transition.
ac9db9b5
CP
475## </summary>
476## </param>
b4cd1533 477#
interface(`init_domtrans',`
	# The domain in arg 1 enters init_t by executing a file labeled
	# init_exec_t.
	gen_require(`
		type init_exec_t, init_t;
	')

	domtrans_pattern($1, init_exec_t, init_t)
')
485
605ba285
CP
486########################################
487## <summary>
488## Execute the init program in the caller domain.
489## </summary>
490## <param name="domain">
885b83ec 491## <summary>
605ba285 492## Domain allowed access.
885b83ec 493## </summary>
605ba285 494## </param>
bbcd3c97 495## <rolecap/>
605ba285
CP
496#
interface(`init_exec',`
	# The domain in arg 1 runs init_exec_t files without a domain
	# transition, that is, in its own domain.
	gen_require(`
		type init_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, init_exec_t)

	# With the init_systemd boolean on, systemctl may be executed as well.
	tunable_policy(`init_systemd',`
		systemd_exec_systemctl($1)
	')
')
509
5d7e8ba6 510########################################
ac9db9b5
CP
511## <summary>
512## Get the process group of init.
513## </summary>
514## <param name="domain">
515## <summary>
516## Domain allowed access.
517## </summary>
518## </param>
5d7e8ba6 519#
interface(`init_getpgid',`
	# Read-only query: the domain in arg 1 may get the process group of
	# init_t processes.
	gen_require(`
		type init_t;
	')

	allow $1 init_t:process getpgid;
')
527
b4cd1533 528########################################
6e61566d
CP
529## <summary>
530## Send init a null signal.
531## </summary>
532## <param name="domain">
885b83ec 533## <summary>
6e61566d 534## Domain allowed access.
885b83ec 535## </summary>
6e61566d 536## </param>
b4cd1533 537#
6e61566d
CP
interface(`init_signull',`
	# The domain in arg 1 may send the null signal to init_t, which only
	# probes for existence of the process.
	gen_require(`
		type init_t;
	')

	allow $1 init_t:process signull;
')
545
546########################################
547## <summary>
548## Send init a SIGCHLD signal.
549## </summary>
550## <param name="domain">
885b83ec 551## <summary>
6e61566d 552## Domain allowed access.
885b83ec 553## </summary>
6e61566d 554## </param>
b4cd1533 555#
interface(`init_sigchld',`
	# The domain in arg 1 may deliver SIGCHLD to init_t.
	gen_require(`
		type init_t;
	')

	allow $1 init_t:process sigchld;
')
563
d98b86a3
DW
564########################################
565## <summary>
566## Send generic signals to init.
567## </summary>
568## <param name="domain">
569## <summary>
570## Domain allowed access.
571## </summary>
572## </param>
573#
interface(`init_signal',`
	# The domain in arg 1 may send generic signals to init_t. This is
	# broader than init_signull and init_sigchld; prefer those when they
	# are enough.
	gen_require(`
		type init_t;
	')

	allow $1 init_t:process signal;
')
581
5718c0a5
DG
582########################################
583## <summary>
584## Connect to init with a unix socket.
585## </summary>
586## <param name="domain">
587## <summary>
588## Domain allowed access.
589## </summary>
590## </param>
591#
interface(`init_stream_connect',`
	# The domain in arg 1 may connect to unix stream sockets of init_t
	# whose socket files are labeled init_var_run_t.
	gen_require(`
		type init_var_run_t, init_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)

	# getattr on the init stream socket is granted in addition to the
	# connect pattern.
	allow $1 init_t:unix_stream_socket getattr;
')
601
17ebfc37
MG
602#######################################
603## <summary>
604## Do not audit attempts to connect to init with a unix socket.
605## </summary>
606## <param name="domain">
607## <summary>
24280f35 608## Domain to not audit.
17ebfc37
MG
609## </summary>
610## </param>
611#
interface(`init_dontaudit_stream_connect',`
	# Suppresses audit records for denied connectto on init_t stream
	# sockets; the access itself stays denied.
	gen_require(`
		type init_t;
	')

	dontaudit $1 init_t:unix_stream_socket connectto;
')
619
4b3dce9b
DW
620######################################
621## <summary>
622## Do not audit attempts to get the attributes of init unix stream sockets.
623## </summary>
624## <param name="domain">
625## <summary>
626## Domain to not audit.
627## </summary>
628## </param>
629#
interface(`init_dontaudit_getattr_stream_socket',`
	# Suppresses audit records for denied getattr on init_t stream
	# sockets; the access itself stays denied.
	gen_require(`
		type init_t;
	')

	dontaudit $1 init_t:unix_stream_socket getattr;
')
637
1f685fa6
MG
638######################################
639## <summary>
640## Do not audit attempts to read and write init unix stream sockets.
641## </summary>
642## <param name="domain">
643## <summary>
644## Domain to not audit.
645## </summary>
646## </param>
647#
fa55a8d5
MG
interface(`init_dontaudit_rw_stream_socket',`
	# Suppresses audit records for denied read and write on init_t
	# stream sockets (typically leaked descriptors; confirm per caller).
	gen_require(`
		type init_t;
	')

	dontaudit $1 init_t:unix_stream_socket { read write };
')
655
889c9a97 656########################################
ac9db9b5
CP
657## <summary>
658## Inherit and use file descriptors from init.
659## </summary>
13f000d2
CP
660## <desc>
661## <p>
662## Allow the specified domain to inherit file
663## descriptors from the init program (process ID 1).
664## Typically the only file descriptors to be
665## inherited from init are for the console.
666## This does not allow the domain any access to
667## the objects to which the file descriptors refer.
668## </p>
669## <p>
670## Related interfaces:
671## </p>
672## <ul>
673## <li>init_dontaudit_use_fds()</li>
674## <li>term_dontaudit_use_console()</li>
675## <li>term_use_console()</li>
676## </ul>
677## <p>
678## Example usage:
679## </p>
680## <p>
681## init_use_fds(mydomain_t)
682## term_use_console(mydomain_t)
683## </p>
684## <p>
685## Normally, processes that can inherit these file
686## descriptors (usually services) write messages to the
687## system log instead of writing to the console.
688## Therefore, in many cases, this access should
689## be dontaudited instead.
690## </p>
691## <p>
692## Example dontaudit usage:
693## </p>
694## <p>
695## init_dontaudit_use_fds(mydomain_t)
696## term_dontaudit_use_console(mydomain_t)
697## </p>
698## </desc>
ac9db9b5
CP
699## <param name="domain">
700## <summary>
701## Domain allowed access.
702## </summary>
703## </param>
13f000d2 704## <infoflow type="read" weight="1"/>
889c9a97 705#
interface(`init_use_fds',`
	# The domain in arg 1 may inherit and use file descriptors opened by
	# init_t. This covers the descriptor only; access to the object
	# behind it needs its own rule.
	gen_require(`
		type init_t;
	')

	allow $1 init_t:fd use;
')
713
07efe969 714########################################
ac9db9b5
CP
715## <summary>
716## Do not audit attempts to inherit file
717## descriptors from init.
718## </summary>
719## <param name="domain">
720## <summary>
a0546c9d 721## Domain to not audit.
ac9db9b5
CP
722## </summary>
723## </param>
07efe969 724#
interface(`init_dontaudit_use_fds',`
	# Suppresses audit records for denied use of descriptors inherited
	# from init_t; the access itself stays denied.
	gen_require(`
		type init_t;
	')

	dontaudit $1 init_t:fd use;
')
732
eb3cb682
CP
733########################################
734## <summary>
33c7e6b4 735## Send UDP network traffic to init. (Deprecated)
eb3cb682
CP
736## </summary>
737## <param name="domain">
885b83ec 738## <summary>
725926c5 739## Domain allowed access.
885b83ec 740## </summary>
eb3cb682
CP
741## </param>
742#
interface(`init_udp_send',`
	# Deprecated stub: grants nothing and only emits a build-time warning
	# naming the call.
	refpolicywarn(`$0($*) has been deprecated.')
')
746
bcdcc55c 747########################################
ac9db9b5
CP
748## <summary>
749## Get the attributes of initctl.
750## </summary>
751## <param name="domain">
752## <summary>
753## Domain allowed access.
754## </summary>
755## </param>
bcdcc55c
CP
756#
interface(`init_getattr_initctl',`
	# The domain in arg 1 may stat the initctl fifo.
	gen_require(`
		type initctl_t;
	')

	allow $1 initctl_t:fifo_file getattr;
')
764
765########################################
ac9db9b5
CP
766## <summary>
767## Do not audit attempts to get the
768## attributes of initctl.
769## </summary>
770## <param name="domain">
771## <summary>
772## Domain to not audit.
773## </summary>
774## </param>
bcdcc55c
CP
775#
interface(`init_dontaudit_getattr_initctl',`
	# Suppresses audit records for denied getattr on the initctl fifo;
	# the access itself stays denied.
	gen_require(`
		type initctl_t;
	')

	dontaudit $1 initctl_t:fifo_file getattr;
')
783
784########################################
ac9db9b5
CP
785## <summary>
786## Write to initctl.
787## </summary>
788## <param name="domain">
789## <summary>
790## Domain allowed access.
791## </summary>
792## </param>
bcdcc55c
CP
793#
interface(`init_write_initctl',`
	# The domain in arg 1 may write to the initctl fifo, that is, submit
	# requests to init. Write-only; use init_rw_initctl for read access.
	gen_require(`
		type initctl_t;
	')

	# Directory listing needed to reach the fifo (presumably under /dev;
	# confirm against the file contexts).
	dev_list_all_dev_nodes($1)
	allow $1 initctl_t:fifo_file write;
')
802
bbcd3c97
CP
803########################################
804## <summary>
805## Use telinit (Read and write initctl).
806## </summary>
807## <param name="domain">
808## <summary>
809## Domain allowed access.
810## </summary>
811## </param>
812## <rolecap/>
813#
interface(`init_telinit',`
	# Everything the domain in arg 1 needs to drive init through telinit:
	# run binaries, read and write the initctl fifo and execute init in
	# the caller domain.
	gen_require(`
		type initctl_t;
	')

	corecmd_exec_bin($1)

	dev_list_all_dev_nodes($1)
	allow $1 initctl_t:fifo_file rw_fifo_file_perms;

	init_exec($1)

	# Extra channels used when upstart or systemd is selected.
	tunable_policy(`init_upstart || init_systemd',`
		gen_require(`
			type init_t;
		')

		ps_process_pattern($1, init_t)
		allow $1 init_t:process signal;

		# upstart uses a datagram socket instead of initctl pipe
		allow $1 self:unix_dgram_socket create_socket_perms;
		allow $1 init_t:unix_dgram_socket sendto;

		#576913
		# (presumably a bug tracker id; not resolvable from this file)
		allow $1 init_t:unix_stream_socket connectto;
	')
')
840
bcdcc55c 841########################################
ac9db9b5
CP
842## <summary>
843## Read and write initctl.
844## </summary>
845## <param name="domain">
846## <summary>
847## Domain allowed access.
848## </summary>
849## </param>
bcdcc55c
CP
850#
interface(`init_rw_initctl',`
	# The domain in arg 1 may read and write the initctl fifo.
	gen_require(`
		type initctl_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 initctl_t:fifo_file rw_fifo_file_perms;
')
859
860########################################
ac9db9b5
CP
861## <summary>
862## Do not audit attempts to read and
863## write initctl.
864## </summary>
865## <param name="domain">
866## <summary>
24280f35 867## Domain to not audit.
ac9db9b5
CP
868## </summary>
869## </param>
bcdcc55c
CP
870#
interface(`init_dontaudit_rw_initctl',`
	# Suppresses audit records for denied read and write on the initctl
	# fifo; the access itself stays denied.
	gen_require(`
		type initctl_t;
	')

	dontaudit $1 initctl_t:fifo_file { read write };
')
878
2283dc74
CP
879########################################
880## <summary>
881## Make init scripts an entry point for
882## the specified domain.
883## </summary>
884## <param name="domain">
885## <summary>
a0546c9d 886## Domain allowed access.
2283dc74
CP
887## </summary>
888## </param>
889# cjp: added for gentoo integrated run_init
interface(`init_script_file_entry_type',`
	# Makes initrc_exec_t files a valid entry point into the domain in
	# arg 1. This grants the entry point only; the transition itself is
	# set up separately (see init_script_file_domtrans).
	gen_require(`
		type initrc_exec_t;
	')

	domain_entry_file($1, initrc_exec_t)
')
897
b4cd1533 898########################################
ac9db9b5 899## <summary>
93ddc669
CP
900## Execute init scripts with a specified domain transition.
901## </summary>
902## <param name="domain">
903## <summary>
a0546c9d 904## Domain allowed to transition.
93ddc669
CP
905## </summary>
906## </param>
907#
interface(`init_spec_domtrans_script',`
	# The domain in arg 1 may run any file in init_script_file_type in
	# initrc_t through a specified (explicitly requested) transition.
	gen_require(`
		attribute init_script_file_type;
		type initrc_t;
	')

	files_list_etc($1)
	spec_domtrans_pattern($1, init_script_file_type, initrc_t)

	# The started script gets a fixed range rather than the range of the
	# caller: s0 under MCS, s0 - mls_systemhigh under MLS.
	ifdef(`enable_mcs',`
		range_transition $1 init_script_file_type:process s0;
	')

	ifdef(`enable_mls',`
		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
	')
')
925
926########################################
927## <summary>
928## Execute init scripts with an automatic domain transition.
ac9db9b5
CP
929## </summary>
930## <param name="domain">
931## <summary>
a0546c9d 932## Domain allowed to transition.
ac9db9b5
CP
933## </summary>
934## </param>
b4cd1533 935#
interface(`init_domtrans_script',`
	# The domain in arg 1 automatically transitions to initrc_t when it
	# executes any file in init_script_file_type, and is tagged with
	# initrc_transition_domain.
	gen_require(`
		attribute init_script_file_type;
		attribute initrc_transition_domain;
		type initrc_t;
	')

	typeattribute $1 initrc_transition_domain;

	files_list_etc($1)
	domtrans_pattern($1, init_script_file_type, initrc_t)

	# The started script gets a fixed range rather than the range of the
	# caller: s0 under MCS, s0 - mls_systemhigh under MLS.
	ifdef(`enable_mcs',`
		range_transition $1 init_script_file_type:process s0;
	')

	ifdef(`enable_mls',`
		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
	')
')
955
3eaa9939
DW
956########################################
957## <summary>
958## Execute a file in a bin directory
959## in the initrc_t domain
960## </summary>
961## <param name="domain">
962## <summary>
963## Domain allowed access.
964## </summary>
965## </param>
966#
interface(`init_bin_domtrans_spec',`
	# Delegates to corecmd_bin_domtrans so that the domain in arg 1 runs
	# bin directory files in initrc_t.
	# NOTE(review): initrc_t is a broadly privileged domain in most
	# policies, so this covers far more executables than the init script
	# interfaces do - confirm each caller really needs it.
	gen_require(`
		type initrc_t;
	')

	corecmd_bin_domtrans($1, initrc_t)
')
974
2283dc74
CP
975########################################
976## <summary>
977## Execute an init script in a specified domain.
978## </summary>
979## <desc>
ff8f0a63 980## <p>
2283dc74 981## Execute an init script in a specified domain.
ff8f0a63
CP
982## </p>
983## <p>
984## No interprocess communication (signals, pipes,
985## etc.) is provided by this interface since
986## the domains are not owned by this module.
987## </p>
2283dc74
CP
988## </desc>
989## <param name="source_domain">
990## <summary>
a0546c9d 991## Domain allowed to transition.
2283dc74
CP
992## </summary>
993## </param>
994## <param name="target_domain">
995## <summary>
996## Domain to transition to.
997## </summary>
998## </param>
999# cjp: added for gentoo integrated run_init
interface(`init_script_file_domtrans',`
	# Automatic transition from the domain in arg 1 to the domain in
	# arg 2 when an initrc_exec_t file is executed. No signal or pipe
	# access between the two domains is granted here.
	gen_require(`
		type initrc_exec_t;
	')

	files_list_etc($1)
	domain_auto_trans($1, initrc_exec_t, $2)
')
1008
64c5b997
CP
1009########################################
1010## <summary>
1011## Transition to the init script domain
1012## on a specified labeled init script.
1013## </summary>
1014## <param name="domain">
1015## <summary>
a0546c9d 1016## Domain allowed to transition.
64c5b997
CP
1017## </summary>
1018## </param>
1019## <param name="init_script_file">
1020## <summary>
1021## Labeled init script file.
1022## </summary>
1023## </param>
1024#
interface(`init_labeled_script_domtrans',`
	# The domain in arg 1 transitions to initrc_t when it executes the
	# init script type given in arg 2, and is tagged with
	# initrc_transition_domain.
	gen_require(`
		attribute initrc_transition_domain;
		type initrc_t;
	')

	typeattribute $1 initrc_transition_domain;

	files_search_etc($1)
	# service script searches all filesystems via mountpoint
	fs_search_all($1)

	domtrans_pattern($1, $2, initrc_t)
	allow $1 $2:file ioctl;
')
1038
e8779130
CG
1039#########################################
1040## <summary>
1041## Transition to the init script domain
1042## for all labeled init script types
1043## </summary>
1044## <param name="domain">
1045## <summary>
a0546c9d 1046## Domain allowed to transition.
e8779130
CG
1047## </summary>
1048## </param>
e6d8fd1e 1049#
e8779130
CG
interface(`init_all_labeled_script_domtrans',`
	# Applies init_labeled_script_domtrans to the whole
	# init_script_file_type attribute, so the domain in arg 1 can start
	# every labeled init script in initrc_t.
	gen_require(`
		attribute init_script_file_type;
	')

	init_labeled_script_domtrans($1, init_script_file_type)
')
1057
e5f80603 1058########################################
f7ebea06 1059## <summary>
e5f80603 1060## Start and stop daemon programs directly.
f7ebea06 1061## </summary>
57a96cbd
CP
1062## <desc>
1063## <p>
1064## Start and stop daemon programs directly
1065## in the traditional "/etc/init.d/daemon start"
1066## style, and do not require run_init.
1067## </p>
1068## </desc>
e5f80603 1069## <param name="domain">
885b83ec 1070## <summary>
725926c5 1071## Domain allowed access.
885b83ec 1072## </summary>
e5f80603
CP
1073## </param>
1074## <param name="role">
885b83ec 1075## <summary>
e5f80603 1076## The role to be performing this action.
885b83ec 1077## </summary>
e5f80603 1078## </param>
e5f80603
CP
1079#
interface(`init_run_daemon',`
	# Adds the domain in arg 1 to direct_run_init and makes the role in
	# arg 2 switch to system_r when a direct_init_entry file is executed.
	# NOTE(review): direct_init is required but not used in this body.
	gen_require(`
		role system_r;
		attribute direct_run_init, direct_init, direct_init_entry;
	')

	typeattribute $1 direct_run_init;
	role_transition $2 direct_init_entry system_r;
')
1089
36095d11
CP
1090########################################
1091## <summary>
1092## Read the process state (/proc/pid) of init.
1093## </summary>
1094## <param name="domain">
1095## <summary>
1096## Domain allowed access.
1097## </summary>
1098## </param>
1099#
interface(`init_read_state',`
	# Read access to the directories, files and symlinks labeled init_t,
	# which per the interface summary are the /proc/pid entries of init.
	gen_require(`
		type init_t;
	')

	allow $1 init_t:dir search_dir_perms;
	allow $1 init_t:lnk_file read_lnk_file_perms;
	allow $1 init_t:file read_file_perms;
')
1109
1110########################################
1111## <summary>
1112## Ptrace init
1113## </summary>
1114## <param name="domain">
1115## <summary>
1116## Domain allowed access.
1117## </summary>
1118## </param>
1119## <rolecap/>
1120#
interface(`init_ptrace',`
	# The domain in arg 1 may ptrace processes running in init_t.
	# ptrace gives the tracer control over the traced process, so a
	# caller of this interface is effectively as trusted as init_t;
	# grant it only to tightly confined administrative or debugging
	# domains and audit every use.
	gen_require(`
		type init_t;
	')

	allow $1 init_t:process ptrace;
')
1128
########################################
## <summary>
##	Write an init script unnamed pipe.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_write_script_pipes',`
	gen_require(`
		type initrc_t;
	')

	# Write only; read access on the same pipes is a separate
	# interface in this file (init_rw_script_pipes).
	allow $1 initrc_t:fifo_file write;
')
1146
########################################
## <summary>
##	Get the attributes of init script entrypoint files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_getattr_script_files',`
	gen_require(`
		type initrc_exec_t;
	')

	# Directory access is delegated to files_list_etc, which is
	# defined outside this file.
	files_list_etc($1)
	# Only getattr on files labeled initrc_exec_t; no read or execute.
	allow $1 initrc_exec_t:file getattr;
')
1165
########################################
## <summary>
##	Read init scripts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_read_script_files',`
	gen_require(`
		type initrc_exec_t;
	')

	# Uses files_search_etc here, whereas the getattr and exec variants
	# in this file call files_list_etc.
	files_search_etc($1)
	# Read-only access to files labeled initrc_exec_t.
	allow $1 initrc_exec_t:file read_file_perms;
')
1184
########################################
## <summary>
##	Execute init scripts in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_exec_script_files',`
	gen_require(`
		type initrc_exec_t;
	')

	files_list_etc($1)
	# Per the summary the script runs in the caller domain: no domain
	# transition is set up in this block, so the script inherits
	# whatever the caller is allowed to do.
	can_exec($1, initrc_exec_t)
')
1203
########################################
## <summary>
##	Get the attributes of all init script entrypoint files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_getattr_all_script_files',`
	gen_require(`
		attribute init_script_file_type;
	')

	files_list_etc($1)
	# The target is the attribute, so every type carrying
	# init_script_file_type is covered, not only one script type.
	allow $1 init_script_file_type:file getattr;
')
1222
########################################
## <summary>
##	Read all init script files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_read_all_script_files',`
	gen_require(`
		attribute init_script_file_type;
	')

	files_search_etc($1)
	# Read-only access to files of every type that carries the
	# init_script_file_type attribute.
	allow $1 init_script_file_type:file read_file_perms;
')
1241
########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all init script files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_getattr_all_script_files',`
	gen_require(`
		attribute init_script_file_type;
	')

	# dontaudit grants nothing: the access stays denied and only the
	# AVC denial record is suppressed.
	dontaudit $1 init_script_file_type:file getattr;
')
1259
########################################
## <summary>
##	Do not audit attempts to read all init script files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_read_all_script_files',`
	gen_require(`
		attribute init_script_file_type;
	')

	# The read stays denied; only the AVC denial record is suppressed.
	# Keep this in mind when denials for this domain seem to be missing
	# from the audit log.
	dontaudit $1 init_script_file_type:file read_file_perms;
')
1277
########################################
## <summary>
##	Execute all init scripts in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_exec_all_script_files',`
	gen_require(`
		attribute init_script_file_type;
	')

	files_list_etc($1)
	# Applies to every type carrying init_script_file_type. No domain
	# transition is set up in this block, matching the summary: the
	# scripts run with the permissions of the caller domain.
	can_exec($1, init_script_file_type)
')
1296
########################################
## <summary>
##	Read the process state (/proc/pid) of the init scripts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_read_script_state',`
	gen_require(`
		type initrc_t;
	')

	# Both helpers are defined outside this file; the actual
	# permissions on initrc_t come from ps_process_pattern.
	kernel_search_proc($1)
	ps_process_pattern($1, initrc_t)
')
1315
########################################
## <summary>
##	Inherit and use init script file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_use_script_fds',`
	gen_require(`
		type initrc_t;
	')

	# Covers the fd class only; access to the object behind an
	# inherited descriptor still needs its own rule.
	allow $1 initrc_t:fd use;
')
1333
########################################
## <summary>
##	Do not audit attempts to inherit
##	init script file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_use_script_fds',`
	gen_require(`
		type initrc_t;
	')

	# The use of the descriptor stays denied; only the AVC denial
	# record is suppressed.
	dontaudit $1 initrc_t:fd use;
')
1352
########################################
## <summary>
##	Search init script keys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_search_script_keys',`
	gen_require(`
		type initrc_t;
	')

	# Only the search permission of the key class is granted on
	# objects labeled initrc_t.
	allow $1 initrc_t:key search;
')
1370
########################################
## <summary>
##	Get the process group ID of init scripts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_getpgid_script',`
	gen_require(`
		type initrc_t;
	')

	# Query only: getpgid on initrc_t processes, nothing that changes
	# their state.
	allow $1 initrc_t:process getpgid;
')
1388
########################################
## <summary>
##	Send SIGCHLD signals to init scripts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_sigchld_script',`
	gen_require(`
		type initrc_t;
	')

	# sigchld is its own process permission, separate from the
	# generic signal permission granted by init_signal_script.
	allow $1 initrc_t:process sigchld;
')
1406
########################################
## <summary>
##	Send generic signals to init scripts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_signal_script',`
	gen_require(`
		type initrc_t;
	')

	# Grants the signal permission only; sigchld and signull are
	# handled by their own interfaces in this file.
	allow $1 initrc_t:process signal;
')
1424
########################################
## <summary>
##	Send null signals to init scripts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_signull_script',`
	gen_require(`
		type initrc_t;
	')

	# Grants signull only, a narrower permission than the generic
	# signal permission of init_signal_script.
	allow $1 initrc_t:process signull;
')
1442
########################################
## <summary>
##	Read and write init script unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_rw_script_pipes',`
	gen_require(`
		type initrc_t;
	')

	# Bare read and write only; no open, getattr or ioctl is listed,
	# so this fits pipes handed over as already open descriptors.
	allow $1 initrc_t:fifo_file { read write };
')
1460
########################################
## <summary>
##	Send UDP network traffic to init scripts.  (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_udp_send_script',`
	# Deprecated stub: no allow rule is emitted, callers only get a
	# build-time warning and no access from this interface.
	refpolicywarn(`$0($*) has been deprecated.')
')
1474
########################################
## <summary>
##	Allow the specified domain to connect to
##	init scripts with a unix socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_stream_connect_script',`
	gen_require(`
		type initrc_t;
	')

	# Only connectto on the peer socket is granted here; access to
	# the socket file on disk is not part of this block.
	allow $1 initrc_t:unix_stream_socket connectto;
')
1493
########################################
## <summary>
##	Allow the specified domain to read and write
##	init script unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_rw_script_stream_sockets',`
	gen_require(`
		type initrc_t;
	')

	# Uses rw_socket_perms, whereas init_rw_stream_sockets in this
	# file uses rw_stream_socket_perms for init_t.
	# NOTE(review): confirm the difference is intended.
	allow $1 initrc_t:unix_stream_socket rw_socket_perms;
')
1512
########################################
## <summary>
##	Do not audit attempts by the specified domain to connect
##	to init scripts with a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_stream_connect_script',`
	gen_require(`
		type initrc_t;
	')

	# The connection stays denied; only the AVC denial record is
	# suppressed.
	dontaudit $1 initrc_t:unix_stream_socket connectto;
')
########################################
## <summary>
##	Send messages to init scripts over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_dbus_send_script',`
	gen_require(`
		type initrc_t;
		class dbus send_msg;
	')

	# One direction only, caller to initrc_t. The two-way variant in
	# this file is init_dbus_chat_script.
	allow $1 initrc_t:dbus send_msg;
')
1470ffb0 1549
########################################
## <summary>
##	Send and receive messages from
##	init over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_dbus_chat',`
	gen_require(`
		type init_t;
		class dbus send_msg;
	')

	# Two rules, one per direction: the second one has init_t as the
	# source, so calling this interface also widens what init may do
	# towards the caller.
	allow $1 init_t:dbus send_msg;
	allow init_t $1:dbus send_msg;
')
1570
########################################
## <summary>
##	Send and receive messages from
##	init scripts over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_dbus_chat_script',`
	gen_require(`
		type initrc_t;
		class dbus send_msg;
	')

	# Two rules, one per direction: the second one has initrc_t as
	# the source and the caller as the target.
	allow $1 initrc_t:dbus send_msg;
	allow initrc_t $1:dbus send_msg;
')
1591
########################################
## <summary>
##	Read and write the init script pty.
## </summary>
## <desc>
##	<p>
##	Read and write the init script pty.  This
##	pty is generally opened by the open_init_pty
##	portion of the run_init program so that the
##	daemon does not require direct access to
##	the administrator terminal.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_use_script_ptys',`
	gen_require(`
		type initrc_devpts_t;
	')

	term_list_ptys($1)
	# Access is limited to ptys labeled initrc_devpts_t; lock and
	# append are added on top of rw_term_perms.
	allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
')
1619
########################################
## <summary>
##	Do not audit attempts to read and
##	write the init script pty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_use_script_ptys',`
	gen_require(`
		type initrc_devpts_t;
	')

	# Same permission set as the allow rule in init_use_script_ptys,
	# but as dontaudit: the access stays denied and is not logged.
	dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
')
1638
########################################
## <summary>
##	Get the attributes of init script
##	status files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_getattr_script_status_files',`
	gen_require(`
		type initrc_state_t;
	')

	# initrc_state_t is passed twice, as both the directory type and
	# the file type of the pattern.
	getattr_files_pattern($1, initrc_state_t, initrc_state_t)
')
1657
########################################
## <summary>
##	Manage init script
##	status files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_manage_script_status_files',`
	gen_require(`
		type initrc_state_t;
	')

	# The broadest of the status file interfaces in this file; prefer
	# the getattr variant when the caller does not need to modify
	# the files.
	manage_files_pattern($1, initrc_state_t, initrc_state_t)
')
1676
########################################
## <summary>
##	Do not audit attempts to read init script
##	status files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_read_script_status_files',`
	gen_require(`
		type initrc_state_t;
	')

	# Silences both the directory search and the file read; the
	# accesses themselves stay denied.
	dontaudit $1 initrc_state_t:dir search_dir_perms;
	dontaudit $1 initrc_state_t:file read_file_perms;
')
1696
########################################
## <summary>
##	Read init script temporary data.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_read_script_tmp_files',`
	gen_require(`
		type initrc_tmp_t;
	')

	files_search_tmp($1)
	# Read-only; initrc_tmp_t is both the directory and the file
	# type handed to the pattern.
	read_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
')
1715
########################################
## <summary>
##	Read and write init script temporary data.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_rw_script_tmp_files',`
	gen_require(`
		type initrc_tmp_t;
	')

	files_search_tmp($1)
	# Read and write on existing files via rw_files_pattern; creating
	# new ones goes through init_script_tmp_filetrans instead.
	rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
')
1734
########################################
## <summary>
##	Read and write init script inherited temporary data.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_rw_inherited_script_tmp_files',`
	gen_require(`
		type initrc_tmp_t;
	')

	# No directory search is granted in this block, unlike
	# init_rw_script_tmp_files; the summary describes files that
	# arrive as inherited descriptors.
	allow $1 initrc_tmp_t:file rw_inherited_file_perms;
')
1752
########################################
## <summary>
##	Create files in an init script
##	temporary data directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="file_type">
##	<summary>
##	The type of the object to be created.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The object class.
##	</summary>
## </param>
#
interface(`init_script_tmp_filetrans',`
	gen_require(`
		type initrc_tmp_t;
	')

	files_search_tmp($1)
	# Objects of the given class created in an initrc_tmp_t directory
	# get the caller-supplied type instead of the directory type.
	filetrans_pattern($1, initrc_tmp_t, $2, $3)
')
1782
########################################
## <summary>
##	Get the attributes of init script process id files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_getattr_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	# The other utmp interfaces in this file use the same type,
	# initrc_var_run_t. No directory access is granted in this block.
	allow $1 initrc_var_run_t:file getattr;
')
1800
########################################
## <summary>
##	Read utmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_read_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	files_list_pids($1)
	# Read-only access to files labeled initrc_var_run_t.
	allow $1 initrc_var_run_t:file read_file_perms;
')
1819
########################################
## <summary>
##	Do not audit attempts to read utmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_read_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	# The read stays denied; only the AVC denial record is suppressed.
	dontaudit $1 initrc_var_run_t:file read_file_perms;
')
1837
########################################
## <summary>
##	Do not audit attempts to write utmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_write_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	# Silences lock as well as write. Denied write attempts on the
	# login records will therefore not show up as AVC messages for
	# this domain.
	dontaudit $1 initrc_var_run_t:file { write lock };
')
1855
########################################
## <summary>
##	Write to utmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_write_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	files_list_pids($1)
	# An explicit permission list rather than a permission-set macro:
	# getattr, open and write, without read or append.
	allow $1 initrc_var_run_t:file { getattr open write };
')
1874
########################################
## <summary>
##	Do not audit attempts to lock
##	init script pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_lock_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	# The lock stays denied; only the AVC denial record is suppressed.
	dontaudit $1 initrc_var_run_t:file lock;
')
1893
########################################
## <summary>
##	Read and write utmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_rw_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	files_list_pids($1)
	# Read and write on existing initrc_var_run_t files; the wider
	# create and delete access is in init_manage_utmp.
	allow $1 initrc_var_run_t:file rw_file_perms;
')
1912
########################################
## <summary>
##	Do not audit attempts to read and write utmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_rw_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	# Access stays denied; only the AVC denial records are suppressed.
	dontaudit $1 initrc_var_run_t:file rw_file_perms;
')
1930
########################################
## <summary>
##	Create, read, write, and delete utmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_manage_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	# Uses files_search_pids, whereas the read and rw variants in
	# this file call files_list_pids.
	files_search_pids($1)
	# Full management of the login record file, including deletion
	# per the summary; the narrower read or rw interfaces are
	# preferable when they are enough.
	allow $1 initrc_var_run_t:file manage_file_perms;
')
dc1920b2 1949
########################################
## <summary>
##	Create files in /var/run with the
##	utmp file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_pid_filetrans_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	# The class is fixed to file and no object name is given, so the
	# transition is not restricted to one file name in this block.
	files_pid_filetrans($1, initrc_var_run_t, file)
')
1968
########################################
## <summary>
##	Allow searching of the /run/systemd directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_search_pid_dirs',`
	gen_require(`
		type init_var_run_t;
	')

	# Search only; listing the directory is init_list_pid_dirs.
	allow $1 init_var_run_t:dir search_dir_perms;
')
1986
########################################
## <summary>
##	Allow listing of the /run/systemd directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_list_pid_dirs',`
	gen_require(`
		type init_var_run_t;
	')

	# Listing of directories labeled init_var_run_t; no access to
	# the files inside is granted in this block.
	allow $1 init_var_run_t:dir list_dir_perms;
')
2004
########################################
## <summary>
##	Create a directory in the /run/systemd directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_create_pid_dirs',`
	gen_require(`
		type init_var_run_t;
	')

	# Besides directory creation, the caller also gets to list
	# init_var_run_t directories, which the summary does not mention.
	allow $1 init_var_run_t:dir list_dir_perms;
	create_dirs_pattern($1, init_var_run_t, init_var_run_t)
')
2023
########################################
## <summary>
##	Create objects in /run/systemd directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`init_pid_filetrans',`
	gen_require(`
		type init_var_run_t;
	')

	files_search_pids($1)
	# Every object of the given class created in an init_var_run_t
	# directory gets the private type; init_named_pid_filetrans adds
	# an object name to narrow this.
	filetrans_pattern($1, init_var_run_t, $2, $3)
')
2054
########################################
## <summary>
##	Create objects with a specified name in the
##	/run/systemd directory with an automatic type
##	transition to a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="object_name">
##	<summary>
##	The name of the object to be created.
##	</summary>
## </param>
#
interface(`init_named_pid_filetrans',`
	gen_require(`
		type init_var_run_t;
	')

	files_search_pids($1)
	# Same as init_pid_filetrans plus a fourth argument, the object
	# name, which is passed through to filetrans_pattern.
	filetrans_pattern($1, init_var_run_t, $2, $3, $4)
')
2090
########################################
## <summary>
##	Allow the specified domain to connect to daemon with a tcp socket
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_tcp_recvfrom_all_daemons',`
	gen_require(`
		attribute daemon;
	')

	# The peer is the daemon attribute, so this covers every domain
	# carrying it rather than one service.
	# NOTE(review): the summary speaks of connecting, while the only
	# rule here is the labeled-networking recvfrom helper; confirm the
	# summary wording against corenet_tcp_recvfrom_labeled.
	corenet_tcp_recvfrom_labeled($1, daemon)
')
2108
########################################
## <summary>
##	Allow the specified domain to connect to daemon with a udp socket
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_udp_recvfrom_all_daemons',`
	gen_require(`
		attribute daemon;
	')
	# The peer is the daemon attribute, so this covers every domain
	# carrying it rather than one service.
	# NOTE(review): the summary speaks of connecting, while the only
	# rule here is the labeled-networking recvfrom helper; confirm the
	# summary wording against corenet_udp_recvfrom_labeled.
	corenet_udp_recvfrom_labeled($1, daemon)
')
3eaa9939
DW
2125
########################################
## <summary>
##	Transition to system_r when executing an init script.
## </summary>
## <desc>
##	<p>
##	Execute an init script in a specified role.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
## </desc>
## <param name="source_role">
##	<summary>
##	Role to transition from.
##	</summary>
## </param>
#
interface(`init_script_role_transition',`
	gen_require(`
		attribute init_script_file_type;
	')

	# Executing any file whose type carries init_script_file_type from
	# the source role switches the role to system_r.
	# NOTE(review): system_r is used below but is not listed in
	# gen_require here, unlike init_run_daemon in this file; confirm
	# it is always in scope for callers.
	role_transition $1 init_script_file_type system_r;
')
2153
########################################
## <summary>
##	Do not audit attempts to read and write
##	leaked init script file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_script_leaks',`
	gen_require(`
		type initrc_t;
	')

	# None of these rules grants access. They silence read and write
	# denials on initrc_t sockets and shared memory, then reuse the
	# pty and fd dontaudit interfaces from this file. Denials on
	# these objects will be missing from the audit log for the caller.
	dontaudit $1 initrc_t:tcp_socket { read write };
	dontaudit $1 initrc_t:udp_socket { read write };
	dontaudit $1 initrc_t:unix_dgram_socket { read write };
	dontaudit $1 initrc_t:unix_stream_socket { read write };
	dontaudit $1 initrc_t:shm rw_shm_perms;
	init_dontaudit_use_script_ptys($1)
	init_dontaudit_use_script_fds($1)
')
2177
########################################
## <summary>
##	Allow the specified domain to ioctl
##	init unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_ioctl_stream_sockets',`
	gen_require(`
		type init_t;
	')

	# ioctl only; reading and writing the same sockets is covered by
	# init_rw_stream_sockets.
	allow $1 init_t:unix_stream_socket ioctl;
')
2196
########################################
## <summary>
##	Allow the specified domain to read and write
##	init unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_rw_stream_sockets',`
	gen_require(`
		type init_t;
	')

	# Applies to stream sockets labeled init_t; no connectto is
	# granted in this block.
	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
')
fb216244 2215
########################################
## <summary>
##	Allow the specified domain to write to
##	init sock file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_write_pid_socket',`
	gen_require(`
		type init_var_run_t;
	')

	# Covers the socket file on disk only. Neither a directory search
	# nor a permission on the init_t socket itself is granted in
	# this block.
	allow $1 init_var_run_t:sock_file write;
')
2234
########################################
## <summary>
##	Send a message to init over a unix domain
##	datagram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_dgram_send',`
	gen_require(`
		type init_t;
	')

	# sendto on the init_t datagram socket; one direction only.
	allow $1 init_t:unix_dgram_socket sendto;
')
f6ae5b73 2253
########################################
## <summary>
##	Send a message to init over a unix domain
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_stream_send',`
	gen_require(`
		type init_t;
	')

	# sendto on the init_t stream socket; connectto is not part of
	# this block.
	allow $1 init_t:unix_stream_socket sendto;
')
2272
########################################
## <summary>
##	Create a file type used for init socket files.
## </summary>
## <desc>
##	<p>
##	This defines a type that init can create sock_file within for
##	impersonation purposes.
##	</p>
## </desc>
## <param name="script_file">
##	<summary>
##	Type to be used for a sock file.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`init_sock_file',`
	gen_require(`
		attribute init_sock_file_type;
	')

	# Only the attribute is assigned here; the rules that let init
	# act on init_sock_file_type are outside this block.
	# NOTE(review): the parameter is named script_file although it
	# describes a sock file type; confirm the name is intended.
	typeattribute $1 init_sock_file_type;

')
2298
########################################
## <summary>
##	Read init unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_read_pipes',`
	gen_require(`
		type init_var_run_t;
	')

	# NOTE(review): the summary says unnamed pipes, while the rule
	# targets fifo files of the file type init_var_run_t inside
	# init_var_run_t directories; confirm which is meant.
	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
')