Commit | Line | Data |
---|---|---|
e32d52ba | 1 | ## <summary>System initialization programs (init and init scripts).</summary> |
e181fe05 | 2 | |
6cc3f356 CP |
3 | ######################################## |
4 | ## <summary> | |
5 | ## Create a file type used for init scripts. | |
6 | ## </summary> | |
7 | ## <desc> | |
8 | ## <p> | |
13f000d2 CP |
9 | ## Create a file type used for init scripts. It can not be |
10 | ## used in conjunction with init_script_domain(). These | |
11 | ## script files are typically stored in the /etc/init.d directory. | |
12 | ## </p> | |
13 | ## <p> | |
14 | ## Typically this is used to constrain what services an | |
15 | ## admin can start/stop. For example, a policy writer may want | |
16 | ## to constrain a web administrator to only being able to | |
17 | ## restart the web server, not other services. This special type | |
18 | ## will help address that goal. | |
19 | ## </p> | |
20 | ## <p> | |
21 | ## This also makes the type usable for files; thus an | |
22 | ## explicit call to files_type() is redundant. | |
6cc3f356 CP |
23 | ## </p> |
24 | ## </desc> | |
25 | ## <param name="script_file"> | |
26 | ## <summary> | |
13f000d2 | 27 | ## Type to be used for a script file. |
6cc3f356 CP |
28 | ## </summary> |
29 | ## </param> | |
13f000d2 | 30 | ## <infoflow type="none"/> |
6cc3f356 CP |
31 | # |
32 | interface(`init_script_file',` | |
33 | gen_require(` | |
34 | type initrc_t; | |
35 | attribute init_script_file_type, init_run_all_scripts_domain; | |
36 | ') | |
37 | ||
38 | typeattribute $1 init_script_file_type; | |
39 | ||
40 | domain_entry_file(initrc_t, $1) | |
41 | ||
42 | domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t) | |
43 | ') | |
44 | ||
45 | ######################################## | |
46 | ## <summary> | |
47 | ## Create a domain used for init scripts. | |
48 | ## </summary> | |
49 | ## <desc> | |
50 | ## <p> | |
51 | ## Create a domain used for init scripts. | |
52 | ## Can not be used in conjunction with | |
53 | ## init_script_file(). | |
54 | ## </p> | |
55 | ## </desc> | |
56 | ## <param name="domain"> | |
57 | ## <summary> | |
58 | ## Type to be used as an init script domain. | |
59 | ## </summary> | |
60 | ## </param> | |
61 | ## <param name="script_file"> | |
62 | ## <summary> | |
63 | ## Type of the script file used as an entry point to this domain. | |
64 | ## </summary> | |
65 | ## </param> | |
66 | # | |
67 | interface(`init_script_domain',` | |
68 | gen_require(` | |
69 | attribute init_script_domain_type, init_script_file_type; | |
70 | attribute init_run_all_scripts_domain; | |
71 | ') | |
72 | ||
73 | typeattribute $1 init_script_domain_type; | |
74 | typeattribute $2 init_script_file_type; | |
75 | ||
76 | domain_type($1) | |
77 | domain_entry_file($1, $2) | |
78 | ||
79 | domtrans_pattern(init_run_all_scripts_domain, $2, $1) | |
80 | ') | |
81 | ||
c18322f4 MG |
82 | |
83 | ####################################### | |
84 | ## <summary> | |
85 | ## Create a domain which can be started by init. | |
86 | ## </summary> | |
87 | ## <param name="domain"> | |
88 | ## <summary> | |
89 | ## Type to be used as a domain. | |
90 | ## </summary> | |
91 | ## </param> | |
92 | ## <param name="entry_point"> | |
93 | ## <summary> | |
94 | ## Type of the program to be used as an entry point to this domain. | |
95 | ## </summary> | |
96 | ## </param> | |
97 | # | |
98 | interface(`init_systemd_domain',` | |
99 | gen_require(` | |
100 | type init_t; | |
101 | role system_r; | |
102 | ') | |
103 | ||
104 | domain_type($1) | |
105 | domain_entry_file($1,$2) | |
106 | ||
107 | role system_r types $1; | |
108 | ||
109 | tunable_policy(`init_systemd',` | |
110 | domtrans_pattern(init_t,$2,$1) | |
111 | allow init_t $1:unix_stream_socket create_stream_socket_perms; | |
70eb8318 | 112 | allow init_t $1:unix_dgram_socket create_socket_perms; |
bb7a62be | 113 | allow $1 init_t:unix_stream_socket ioctl; |
c18322f4 | 114 | allow $1 init_t:unix_dgram_socket sendto; |
bb7a62be MG |
115 | # need write to /var/run/systemd/notify |
116 | init_write_pid_socket($1) | |
c18322f4 MG |
117 | ') |
118 | ') | |
119 | ||
ff313860 | 120 | ######################################## |
e5f80603 CP |
121 | ## <summary> |
122 | ## Create a domain which can be started by init. | |
123 | ## </summary> | |
124 | ## <param name="domain"> | |
885b83ec | 125 | ## <summary> |
e5f80603 | 126 | ## Type to be used as a domain. |
885b83ec | 127 | ## </summary> |
e5f80603 CP |
128 | ## </param> |
129 | ## <param name="entry_point"> | |
885b83ec | 130 | ## <summary> |
e5f80603 | 131 | ## Type of the program to be used as an entry point to this domain. |
885b83ec | 132 | ## </summary> |
e5f80603 | 133 | ## </param> |
ff313860 | 134 | # |
199895e2 | 135 | interface(`init_domain',` |
139520a2 CP |
136 | gen_require(` |
137 | type init_t; | |
138 | role system_r; | |
139520a2 | 139 | ') |
3b857eae | 140 | |
c9428d33 | 141 | domain_type($1) |
7a15ba8b | 142 | domain_entry_file($1, $2) |
3b857eae CP |
143 | |
144 | role system_r types $1; | |
145 | ||
3eaa9939 | 146 | tunable_policy(`init_systemd',`', ` |
442a14fe | 147 | domtrans_pattern(init_t, $2, $1) # the true branch above is empty, so this false branch applies only while the init_systemd boolean is off |
3eaa9939 DW |
148 | allow init_t $1:unix_stream_socket create_stream_socket_perms; |
149 | allow $1 init_t:unix_dgram_socket sendto; | |
150 | ') | |
8fa49430 CP |
151 | |
152 | ifdef(`hide_broken_symptoms',` | |
153 | # RHEL4 systems seem to have stray | |
154 | # fds open from the initrd; the denials are hidden, not allowed | |
155 | ifdef(`distro_rhel4',` | |
263721b9 | 156 | kernel_dontaudit_use_fds($1) |
8fa49430 CP |
157 | ') |
158 | ') | |
ff313860 CP |
159 | ') |
160 | ||
e070dd2d CP |
161 | ######################################## |
162 | ## <summary> | |
163 | ## Create a domain which can be started by init, | |
164 | ## with a range transition. | |
165 | ## </summary> | |
166 | ## <param name="domain"> | |
167 | ## <summary> | |
168 | ## Type to be used as a domain. | |
169 | ## </summary> | |
170 | ## </param> | |
171 | ## <param name="entry_point"> | |
172 | ## <summary> | |
173 | ## Type of the program to be used as an entry point to this domain. | |
174 | ## </summary> | |
175 | ## </param> | |
176 | ## <param name="range"> | |
177 | ## <summary> | |
178 | ## Range for the domain. | |
179 | ## </summary> | |
180 | ## </param> | |
181 | # | |
182 | interface(`init_ranged_domain',` | |
183 | gen_require(` | |
184 | type init_t; | |
185 | ') | |
186 | ||
7a15ba8b | 187 | init_domain($1, $2) |
e070dd2d CP |
188 | |
189 | ifdef(`enable_mcs',` | |
190 | range_transition init_t $2:process $3; | |
191 | ') | |
192 | ||
193 | ifdef(`enable_mls',` | |
194 | range_transition init_t $2:process $3; | |
2d0c9cec | 195 | mls_rangetrans_target($1) |
e070dd2d CP |
196 | ') |
197 | ') | |
198 | ||
ff313860 | 199 | ######################################## |
e5f80603 CP |
200 | ## <summary> |
201 | ## Create a domain for long running processes | |
13f000d2 | 202 | ## (daemons/services) which are started by init scripts. |
e5f80603 | 203 | ## </summary> |
13f000d2 CP |
204 | ## <desc> |
205 | ## <p> | |
206 | ## Create a domain for long running processes (daemons/services) | |
207 | ## which are started by init scripts. Short running processes | |
208 | ## should use the init_system_domain() interface instead. | |
209 | ## Typically all long running processes started by an init | |
210 | ## script (usually in /etc/init.d) will need to use this | |
211 | ## interface. | |
212 | ## </p> | |
213 | ## <p> | |
214 | ## The types will be made usable as a domain and file, making | |
215 | ## calls to domain_type() and files_type() redundant. | |
216 | ## </p> | |
217 | ## <p> | |
218 | ## If the process must also run in a specific MLS/MCS level, | |
219 | ## the init_ranged_daemon_domain() should be used instead. | |
220 | ## </p> | |
221 | ## </desc> | |
e5f80603 | 222 | ## <param name="domain"> |
885b83ec | 223 | ## <summary> |
13f000d2 | 224 | ## Type to be used as a daemon domain. |
885b83ec | 225 | ## </summary> |
e5f80603 CP |
226 | ## </param> |
227 | ## <param name="entry_point"> | |
885b83ec | 228 | ## <summary> |
e5f80603 | 229 | ## Type of the program to be used as an entry point to this domain. |
885b83ec | 230 | ## </summary> |
e5f80603 | 231 | ## </param> |
13f000d2 | 232 | ## <infoflow type="read" weight="10"/> |
ff313860 | 233 | # |
199895e2 | 234 | interface(`init_daemon_domain',` |
139520a2 | 235 | gen_require(` |
e5f80603 | 236 | attribute direct_run_init, direct_init, direct_init_entry; |
139520a2 | 237 | type initrc_t; |
3eaa9939 | 238 | type init_t; |
139520a2 | 239 | role system_r; # NOTE(review): required but not referenced in this body, and no role statement for the domain appears here - confirm where the role is granted |
693d4aed | 240 | attribute daemon; |
3eaa9939 | 241 | attribute initrc_transition_domain; |
139520a2 | 242 | ') |
3b857eae | 243 | |
693d4aed CP |
244 | typeattribute $1 daemon; |
245 | ||
c9428d33 | 246 | domain_type($1) |
7a15ba8b | 247 | domain_entry_file($1, $2) |
3b857eae | 248 | |
ab514d6a | 249 | domtrans_pattern(initrc_t,$2,$1) |
a5f5eba4 | 250 | |
e5f80603 | 251 | ifdef(`direct_sysadm_daemon',` |
7a15ba8b | 252 | domtrans_pattern(direct_run_init, $2, $1) |
e5f80603 CP |
253 | |
254 | typeattribute $1 direct_init; | |
255 | typeattribute $2 direct_init_entry; | |
296273a7 | 256 | |
ae68f77d | 257 | # userdom_dontaudit_use_user_terminals($1) |
8fa49430 CP |
258 | ') |
259 | ||
ae68f77d DW |
260 | tunable_policy(`init_upstart || init_systemd',` |
261 | # Handle upstart or systemd direct transition from init_t to an executable | |
262 | domtrans_pattern(init_t,$2,$1) | |
98a8ead4 | 263 | ') |
ff313860 CP |
264 | ') |
265 | ||
e070dd2d CP |
266 | ######################################## |
267 | ## <summary> | |
268 | ## Create a domain for long running processes | |
13f000d2 CP |
269 | ## (daemons/services) which are started by init scripts, |
270 | ## running at a specified MLS/MCS range. | |
e070dd2d | 271 | ## </summary> |
13f000d2 CP |
272 | ## <desc> |
273 | ## <p> | |
274 | ## Create a domain for long running processes (daemons/services) | |
275 | ## which are started by init scripts, running at a specified | |
276 | ## MLS/MCS range. Short running processes | |
277 | ## should use the init_ranged_system_domain() interface instead. | |
278 | ## Typically all long running processes started by an init | |
279 | ## script (usually in /etc/init.d) will need to use this | |
280 | ## interface if they need to run in a specific MLS/MCS range. | |
281 | ## </p> | |
282 | ## <p> | |
283 | ## The types will be made usable as a domain and file, making | |
284 | ## calls to domain_type() and files_type() redundant. | |
285 | ## </p> | |
286 | ## <p> | |
287 | ## If the policy build option TYPE is standard (MLS and MCS disabled), | |
288 | ## this interface has the same behavior as init_daemon_domain(). | |
289 | ## </p> | |
290 | ## </desc> | |
e070dd2d CP |
291 | ## <param name="domain"> |
292 | ## <summary> | |
13f000d2 | 293 | ## Type to be used as a daemon domain. |
e070dd2d CP |
294 | ## </summary> |
295 | ## </param> | |
296 | ## <param name="entry_point"> | |
297 | ## <summary> | |
298 | ## Type of the program to be used as an entry point to this domain. | |
299 | ## </summary> | |
300 | ## </param> | |
301 | ## <param name="range"> | |
302 | ## <summary> | |
13f000d2 | 303 | ## MLS/MCS range for the domain. |
e070dd2d CP |
304 | ## </summary> |
305 | ## </param> | |
13f000d2 | 306 | ## <infoflow type="read" weight="10"/> |
e070dd2d CP |
307 | # |
308 | interface(`init_ranged_daemon_domain',` | |
309 | gen_require(` | |
310 | type initrc_t; | |
060d0f18 | 311 | type init_t; |
e070dd2d CP |
312 | ') |
313 | ||
442a14fe | 314 | # init_daemon_domain($1, $2) -- NOTE(review): this call is commented out, so the interface only emits the range transitions below (plus mls_rangetrans_target under MLS); the domain, entry point and initrc_t transition are not set up here, and with MLS and MCS both disabled nothing is emitted - callers have to invoke init_daemon_domain() separately |
e070dd2d CP |
315 | |
316 | ifdef(`enable_mcs',` | |
317 | range_transition initrc_t $2:process $3; | |
060d0f18 | 318 | range_transition init_t $2:process $3; |
e070dd2d CP |
319 | ') |
320 | ||
321 | ifdef(`enable_mls',` | |
322 | range_transition initrc_t $2:process $3; | |
2d0c9cec | 323 | mls_rangetrans_target($1) |
060d0f18 | 324 | range_transition init_t $2:process $3; |
e070dd2d CP |
325 | ') |
326 | ') | |
327 | ||
ff313860 | 328 | ######################################## |
e5f80603 CP |
329 | ## <summary> |
330 | ## Create a domain for short running processes | |
13f000d2 | 331 | ## which are started by init scripts. |
e5f80603 | 332 | ## </summary> |
13f000d2 CP |
333 | ## <desc> |
334 | ## <p> | |
3979c688 | 335 | ## Create a domain for short running processes |
13f000d2 CP |
336 | ## which are started by init scripts. These are generally applications that |
337 | ## are used to initialize the system during boot. | |
3979c688 | 338 | ## Long running processes, such as daemons/services |
13f000d2 CP |
339 | ## should use the init_daemon_domain() interface instead. |
340 | ## Typically all short running processes started by an init | |
341 | ## script (usually in /etc/init.d) will need to use this | |
7a15ba8b | 342 | ## interface. |
13f000d2 CP |
343 | ## </p> |
344 | ## <p> | |
345 | ## The types will be made usable as a domain and file, making | |
346 | ## calls to domain_type() and files_type() redundant. | |
347 | ## </p> | |
348 | ## <p> | |
349 | ## If the process must also run in a specific MLS/MCS level, | |
350 | ## the init_ranged_system_domain() should be used instead. | |
351 | ## </p> | |
352 | ## </desc> | |
e5f80603 | 353 | ## <param name="domain"> |
885b83ec | 354 | ## <summary> |
13f000d2 | 355 | ## Type to be used as a system domain. |
885b83ec | 356 | ## </summary> |
e5f80603 CP |
357 | ## </param> |
358 | ## <param name="entry_point"> | |
885b83ec | 359 | ## <summary> |
e5f80603 | 360 | ## Type of the program to be used as an entry point to this domain. |
885b83ec | 361 | ## </summary> |
e5f80603 | 362 | ## </param> |
13f000d2 | 363 | ## <infoflow type="read" weight="10"/> |
ff313860 | 364 | # |
199895e2 | 365 | interface(`init_system_domain',` |
139520a2 | 366 | gen_require(` |
3eaa9939 | 367 | type init_t; |
139520a2 CP |
368 | type initrc_t; |
369 | role system_r; | |
3eaa9939 | 370 | attribute initrc_transition_domain; |
ae68f77d | 371 | attribute systemprocess; |
139520a2 | 372 | ') |
d115b247 | 373 | |
ae68f77d | 374 | typeattribute $1 systemprocess; |
7a15ba8b | 375 | application_domain($1, $2) |
d115b247 CP |
376 | |
377 | role system_r types $1; | |
378 | ||
c0868a7a | 379 | domtrans_pattern(initrc_t,$2,$1) |
3f335a42 | 380 | |
3eaa9939 DW |
381 | tunable_policy(`init_systemd',` |
382 | # Direct transition from init_t to the executable; the condition tests init_systemd only, so upstart is not covered by this block | |
383 | domtrans_pattern(init_t,$2,$1) | |
3eaa9939 | 384 | ') |
ff313860 CP |
385 | ') |
386 | ||
e070dd2d CP |
387 | ######################################## |
388 | ## <summary> | |
389 | ## Create a domain for short running processes | |
13f000d2 | 390 | ## which are started by init scripts. |
e070dd2d | 391 | ## </summary> |
13f000d2 CP |
392 | ## <desc> |
393 | ## <p> | |
394 | ## Create a domain for short running processes | |
395 | ## which are started by init scripts. | |
396 | ## These are generally applications that | |
397 | ## are used to initialize the system during boot. | |
398 | ## Long running processes, such as daemons/services | |
399 | ## should use the init_ranged_daemon_domain() interface instead. | |
400 | ## Typically all short running processes started by an init | |
401 | ## script (usually in /etc/init.d) will need to use this | |
402 | ## interface if they need to run in a specific MLS/MCS range. | |
403 | ## </p> | |
404 | ## <p> | |
405 | ## The types will be made usable as a domain and file, making | |
406 | ## calls to domain_type() and files_type() redundant. | |
407 | ## </p> | |
408 | ## <p> | |
409 | ## If the policy build option TYPE is standard (MLS and MCS disabled), | |
410 | ## this interface has the same behavior as init_system_domain(). | |
411 | ## </p> | |
412 | ## </desc> | |
e070dd2d CP |
413 | ## <param name="domain"> |
414 | ## <summary> | |
13f000d2 | 415 | ## Type to be used as a system domain. |
e070dd2d CP |
416 | ## </summary> |
417 | ## </param> | |
418 | ## <param name="entry_point"> | |
419 | ## <summary> | |
420 | ## Type of the program to be used as an entry point to this domain. | |
421 | ## </summary> | |
422 | ## </param> | |
423 | ## <param name="range"> | |
424 | ## <summary> | |
425 | ## Range for the domain. | |
426 | ## </summary> | |
427 | ## </param> | |
13f000d2 | 428 | ## <infoflow type="read" weight="10"/> |
e070dd2d CP |
429 | # |
430 | interface(`init_ranged_system_domain',` | |
431 | gen_require(` | |
432 | type initrc_t; | |
060d0f18 | 433 | type init_t; |
e070dd2d CP |
434 | ') |
435 | ||
7a15ba8b | 436 | init_system_domain($1, $2) |
e070dd2d CP |
437 | |
438 | ifdef(`enable_mcs',` | |
3ece1180 | 439 | range_transition initrc_t $2:process $3; |
060d0f18 | 440 | range_transition init_t $2:process $3; |
e070dd2d CP |
441 | ') |
442 | ||
443 | ifdef(`enable_mls',` | |
3ece1180 | 444 | range_transition initrc_t $2:process $3; |
060d0f18 | 445 | range_transition init_t $2:process $3; |
9f8a7729 | 446 | mls_rangetrans_target($1) |
e070dd2d CP |
447 | ') |
448 | ') | |
449 | ||
6e54263f MG |
450 | ###################################### |
451 | ## <summary> | |
452 | ## Allow domain dyntransition to init_t domain. | |
453 | ## </summary> | |
454 | ## <param name="domain"> | |
455 | ## <summary> | |
456 | ## Domain allowed to transition. | |
457 | ## </summary> | |
458 | ## </param> | |
459 | # | |
460 | interface(`init_dyntrans',` | |
461 | gen_require(` | |
7a6b3619 | 462 | type init_t; |
6e54263f MG |
463 | ') |
464 | ||
465 | dyntrans_pattern($1, init_t) | |
466 | ') | |
467 | ||
b4cd1533 | 468 | ######################################## |
ac9db9b5 CP |
469 | ## <summary> |
470 | ## Execute init (/sbin/init) with a domain transition. | |
471 | ## </summary> | |
472 | ## <param name="domain"> | |
473 | ## <summary> | |
a0546c9d | 474 | ## Domain allowed to transition. |
ac9db9b5 CP |
475 | ## </summary> |
476 | ## </param> | |
b4cd1533 | 477 | # |
199895e2 | 478 | interface(`init_domtrans',` |
139520a2 CP |
479 | gen_require(` |
480 | type init_t, init_exec_t; | |
139520a2 | 481 | ') |
0c73cd25 | 482 | |
3f67f722 | 483 | domtrans_pattern($1, init_exec_t, init_t) |
b4cd1533 CP |
484 | ') |
485 | ||
605ba285 CP |
486 | ######################################## |
487 | ## <summary> | |
488 | ## Execute the init program in the caller domain. | |
489 | ## </summary> | |
490 | ## <param name="domain"> | |
885b83ec | 491 | ## <summary> |
605ba285 | 492 | ## Domain allowed access. |
885b83ec | 493 | ## </summary> |
605ba285 | 494 | ## </param> |
bbcd3c97 | 495 | ## <rolecap/> |
605ba285 CP |
496 | # |
497 | interface(`init_exec',` | |
498 | gen_require(` | |
499 | type init_exec_t; | |
500 | ') | |
501 | ||
8021cb4f | 502 | corecmd_search_bin($1) |
3f67f722 | 503 | can_exec($1, init_exec_t) |
fe6315a6 DW |
504 | |
505 | tunable_policy(`init_systemd',` | |
506 | systemd_exec_systemctl($1) | |
507 | ') | |
605ba285 CP |
508 | ') |
509 | ||
5d7e8ba6 | 510 | ######################################## |
ac9db9b5 CP |
511 | ## <summary> |
512 | ## Get the process group of init. | |
513 | ## </summary> | |
514 | ## <param name="domain"> | |
515 | ## <summary> | |
516 | ## Domain allowed access. | |
517 | ## </summary> | |
518 | ## </param> | |
5d7e8ba6 | 519 | # |
1815bad1 | 520 | interface(`init_getpgid',` |
139520a2 CP |
521 | gen_require(` |
522 | type init_t; | |
139520a2 | 523 | ') |
0c73cd25 | 524 | |
bcdcc55c | 525 | allow $1 init_t:process getpgid; |
d0b6abeb CP |
526 | ') |
527 | ||
b4cd1533 | 528 | ######################################## |
6e61566d CP |
529 | ## <summary> |
530 | ## Send init a null signal. | |
531 | ## </summary> | |
532 | ## <param name="domain"> | |
885b83ec | 533 | ## <summary> |
6e61566d | 534 | ## Domain allowed access. |
885b83ec | 535 | ## </summary> |
6e61566d | 536 | ## </param> |
b4cd1533 | 537 | # |
6e61566d CP |
538 | interface(`init_signull',` |
539 | gen_require(` | |
540 | type init_t; | |
6e61566d CP |
541 | ') |
542 | ||
543 | allow $1 init_t:process signull; | |
544 | ') | |
545 | ||
546 | ######################################## | |
547 | ## <summary> | |
548 | ## Send init a SIGCHLD signal. | |
549 | ## </summary> | |
550 | ## <param name="domain"> | |
885b83ec | 551 | ## <summary> |
6e61566d | 552 | ## Domain allowed access. |
885b83ec | 553 | ## </summary> |
6e61566d | 554 | ## </param> |
b4cd1533 | 555 | # |
199895e2 | 556 | interface(`init_sigchld',` |
139520a2 CP |
557 | gen_require(` |
558 | type init_t; | |
139520a2 | 559 | ') |
0c73cd25 CP |
560 | |
561 | allow $1 init_t:process sigchld; | |
b4cd1533 CP |
562 | ') |
563 | ||
d98b86a3 DW |
564 | ######################################## |
565 | ## <summary> | |
566 | ## Send generic signals to init. | |
567 | ## </summary> | |
568 | ## <param name="domain"> | |
569 | ## <summary> | |
570 | ## Domain allowed access. | |
571 | ## </summary> | |
572 | ## </param> | |
573 | # | |
574 | interface(`init_signal',` | |
575 | gen_require(` | |
576 | type init_t; | |
577 | ') | |
578 | ||
579 | allow $1 init_t:process signal; | |
580 | ') | |
581 | ||
5718c0a5 DG |
582 | ######################################## |
583 | ## <summary> | |
584 | ## Connect to init with a unix socket. | |
585 | ## </summary> | |
586 | ## <param name="domain"> | |
587 | ## <summary> | |
588 | ## Domain allowed access. | |
589 | ## </summary> | |
590 | ## </param> | |
591 | # | |
592 | interface(`init_stream_connect',` | |
593 | gen_require(` | |
8b1eddf4 | 594 | type init_t, init_var_run_t; |
5718c0a5 DG |
595 | ') |
596 | ||
8b1eddf4 | 597 | files_search_pids($1) |
1f685fa6 | 598 | stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t) |
395df07f | 599 | allow $1 init_t:unix_stream_socket getattr; |
5718c0a5 DG |
600 | ') |
601 | ||
17ebfc37 MG |
602 | ####################################### |
603 | ## <summary> | |
604 | ## Do not audit attempts to connect to init with a unix socket. | |
605 | ## </summary> | |
606 | ## <param name="domain"> | |
607 | ## <summary> | |
24280f35 | 608 | ## Domain to not audit. |
17ebfc37 MG |
609 | ## </summary> |
610 | ## </param> | |
611 | # | |
612 | interface(`init_dontaudit_stream_connect',` | |
613 | gen_require(` | |
614 | type init_t; | |
615 | ') | |
616 | ||
617 | dontaudit $1 init_t:unix_stream_socket connectto; | |
618 | ') | |
619 | ||
4b3dce9b DW |
620 | ###################################### |
621 | ## <summary> | |
622 | ## Do not audit attempts to get the attributes of the init unix stream socket. | |
623 | ## </summary> | |
624 | ## <param name="domain"> | |
625 | ## <summary> | |
626 | ## Domain to not audit. | |
627 | ## </summary> | |
628 | ## </param> | |
629 | # | |
630 | interface(`init_dontaudit_getattr_stream_socket',` | |
631 | gen_require(` | |
632 | type init_t; | |
633 | ') | |
634 | ||
635 | dontaudit $1 init_t:unix_stream_socket getattr; | |
636 | ') | |
637 | ||
1f685fa6 MG |
638 | ###################################### |
639 | ## <summary> | |
640 | ## Do not audit attempts to read and write the init unix stream socket. | |
641 | ## </summary> | |
642 | ## <param name="domain"> | |
643 | ## <summary> | |
644 | ## Domain to not audit. | |
645 | ## </summary> | |
646 | ## </param> | |
647 | # | |
fa55a8d5 MG |
648 | interface(`init_dontaudit_rw_stream_socket',` |
649 | gen_require(` | |
650 | type init_t; | |
651 | ') | |
652 | ||
653 | dontaudit $1 init_t:unix_stream_socket { read write }; | |
654 | ') | |
655 | ||
889c9a97 | 656 | ######################################## |
ac9db9b5 CP |
657 | ## <summary> |
658 | ## Inherit and use file descriptors from init. | |
659 | ## </summary> | |
13f000d2 CP |
660 | ## <desc> |
661 | ## <p> | |
662 | ## Allow the specified domain to inherit file | |
663 | ## descriptors from the init program (process ID 1). | |
664 | ## Typically the only file descriptors to be | |
665 | ## inherited from init are for the console. | |
666 | ## This does not allow the domain any access to | |
667 | ## the objects to which the file descriptors refer. | |
668 | ## </p> | |
669 | ## <p> | |
670 | ## Related interfaces: | |
671 | ## </p> | |
672 | ## <ul> | |
673 | ## <li>init_dontaudit_use_fds()</li> | |
674 | ## <li>term_dontaudit_use_console()</li> | |
675 | ## <li>term_use_console()</li> | |
676 | ## </ul> | |
677 | ## <p> | |
678 | ## Example usage: | |
679 | ## </p> | |
680 | ## <p> | |
681 | ## init_use_fds(mydomain_t) | |
682 | ## term_use_console(mydomain_t) | |
683 | ## </p> | |
684 | ## <p> | |
685 | ## Normally, processes that can inherit these file | |
686 | ## descriptors (usually services) write messages to the | |
687 | ## system log instead of writing to the console. | |
688 | ## Therefore, in many cases, this access should | |
689 | ## be dontaudited instead. | |
690 | ## </p> | |
691 | ## <p> | |
692 | ## Example dontaudit usage: | |
693 | ## </p> | |
694 | ## <p> | |
695 | ## init_dontaudit_use_fds(mydomain_t) | |
696 | ## term_dontaudit_use_console(mydomain_t) | |
697 | ## </p> | |
698 | ## </desc> | |
ac9db9b5 CP |
699 | ## <param name="domain"> |
700 | ## <summary> | |
701 | ## Domain allowed access. | |
702 | ## </summary> | |
703 | ## </param> | |
13f000d2 | 704 | ## <infoflow type="read" weight="1"/> |
889c9a97 | 705 | # |
1c1ac67f | 706 | interface(`init_use_fds',` |
139520a2 CP |
707 | gen_require(` |
708 | type init_t; | |
139520a2 | 709 | ') |
0c73cd25 CP |
710 | |
711 | allow $1 init_t:fd use; | |
889c9a97 CP |
712 | ') |
713 | ||
07efe969 | 714 | ######################################## |
ac9db9b5 CP |
715 | ## <summary> |
716 | ## Do not audit attempts to inherit file | |
717 | ## descriptors from init. | |
718 | ## </summary> | |
719 | ## <param name="domain"> | |
720 | ## <summary> | |
a0546c9d | 721 | ## Domain to not audit. |
ac9db9b5 CP |
722 | ## </summary> |
723 | ## </param> | |
07efe969 | 724 | # |
1c1ac67f | 725 | interface(`init_dontaudit_use_fds',` |
139520a2 CP |
726 | gen_require(` |
727 | type init_t; | |
139520a2 | 728 | ') |
0c73cd25 CP |
729 | |
730 | dontaudit $1 init_t:fd use; | |
07efe969 CP |
731 | ') |
732 | ||
eb3cb682 CP |
733 | ######################################## |
734 | ## <summary> | |
33c7e6b4 | 735 | ## Send UDP network traffic to init. (Deprecated) |
eb3cb682 CP |
736 | ## </summary> |
737 | ## <param name="domain"> | |
885b83ec | 738 | ## <summary> |
725926c5 | 739 | ## Domain allowed access. |
885b83ec | 740 | ## </summary> |
eb3cb682 CP |
741 | ## </param> |
742 | # | |
1815bad1 | 743 | interface(`init_udp_send',` |
33c7e6b4 | 744 | refpolicywarn(`$0($*) has been deprecated.') |
eb3cb682 CP |
745 | ') |
746 | ||
bcdcc55c | 747 | ######################################## |
ac9db9b5 CP |
748 | ## <summary> |
749 | ## Get the attributes of initctl. | |
750 | ## </summary> | |
751 | ## <param name="domain"> | |
752 | ## <summary> | |
753 | ## Domain allowed access. | |
754 | ## </summary> | |
755 | ## </param> | |
bcdcc55c CP |
756 | # |
757 | interface(`init_getattr_initctl',` | |
758 | gen_require(` | |
759 | type initctl_t; | |
760 | ') | |
761 | ||
762 | allow $1 initctl_t:fifo_file getattr; | |
763 | ') | |
764 | ||
765 | ######################################## | |
ac9db9b5 CP |
766 | ## <summary> |
767 | ## Do not audit attempts to get the | |
768 | ## attributes of initctl. | |
769 | ## </summary> | |
770 | ## <param name="domain"> | |
771 | ## <summary> | |
772 | ## Domain to not audit. | |
773 | ## </summary> | |
774 | ## </param> | |
bcdcc55c CP |
775 | # |
776 | interface(`init_dontaudit_getattr_initctl',` | |
777 | gen_require(` | |
778 | type initctl_t; | |
779 | ') | |
780 | ||
781 | dontaudit $1 initctl_t:fifo_file getattr; | |
782 | ') | |
783 | ||
784 | ######################################## | |
ac9db9b5 CP |
785 | ## <summary> |
786 | ## Write to initctl. | |
787 | ## </summary> | |
788 | ## <param name="domain"> | |
789 | ## <summary> | |
790 | ## Domain allowed access. | |
791 | ## </summary> | |
792 | ## </param> | |
bcdcc55c CP |
793 | # |
794 | interface(`init_write_initctl',` | |
795 | gen_require(` | |
796 | type initctl_t; | |
797 | ') | |
798 | ||
799 | dev_list_all_dev_nodes($1) | |
800 | allow $1 initctl_t:fifo_file write; | |
801 | ') | |
802 | ||
bbcd3c97 CP |
803 | ######################################## |
804 | ## <summary> | |
805 | ## Use telinit (Read and write initctl). | |
806 | ## </summary> | |
807 | ## <param name="domain"> | |
808 | ## <summary> | |
809 | ## Domain allowed access. | |
810 | ## </summary> | |
811 | ## </param> | |
812 | ## <rolecap/> | |
813 | # | |
814 | interface(`init_telinit',` | |
815 | gen_require(` | |
816 | type initctl_t; | |
817 | ') | |
818 | ||
3eaa9939 DW |
819 | corecmd_exec_bin($1) |
820 | ||
bbcd3c97 | 821 | dev_list_all_dev_nodes($1) |
c0868a7a | 822 | allow $1 initctl_t:fifo_file rw_fifo_file_perms; |
ca448bd6 CP |
823 | |
824 | init_exec($1) | |
4459a7c0 | 825 | |
3eaa9939 | 826 | tunable_policy(`init_upstart || init_systemd',` |
4459a7c0 CP |
827 | gen_require(` |
828 | type init_t; | |
829 | ') | |
830 | ||
5d919a57 | 831 | ps_process_pattern($1, init_t) |
f5b49a5e | 832 | allow $1 init_t:process signal; |
4459a7c0 CP |
833 | # upstart uses a datagram socket instead of the initctl pipe |
834 | allow $1 self:unix_dgram_socket create_socket_perms; | |
835 | allow $1 init_t:unix_dgram_socket sendto; | |
3eaa9939 DW |
836 | # 576913 (presumably a bug tracker id; the tracker is not named here): also allow connecting to the init_t unix stream socket |
837 | allow $1 init_t:unix_stream_socket connectto; | |
4459a7c0 | 838 | ') |
bbcd3c97 CP |
839 | ') |
840 | ||
bcdcc55c | 841 | ######################################## |
ac9db9b5 CP |
842 | ## <summary> |
843 | ## Read and write initctl. | |
844 | ## </summary> | |
845 | ## <param name="domain"> | |
846 | ## <summary> | |
847 | ## Domain allowed access. | |
848 | ## </summary> | |
849 | ## </param> | |
bcdcc55c CP |
850 | # |
851 | interface(`init_rw_initctl',` | |
852 | gen_require(` | |
853 | type initctl_t; | |
854 | ') | |
855 | ||
856 | dev_list_all_dev_nodes($1) | |
c0868a7a | 857 | allow $1 initctl_t:fifo_file rw_fifo_file_perms; |
bcdcc55c CP |
858 | ') |
859 | ||
860 | ######################################## | |
ac9db9b5 CP |
861 | ## <summary> |
862 | ## Do not audit attempts to read and | |
863 | ## write initctl. | |
864 | ## </summary> | |
865 | ## <param name="domain"> | |
866 | ## <summary> | |
24280f35 | 867 | ## Domain to not audit. |
ac9db9b5 CP |
868 | ## </summary> |
869 | ## </param> | |
bcdcc55c CP |
870 | # |
871 | interface(`init_dontaudit_rw_initctl',` | |
872 | gen_require(` | |
873 | type initctl_t; | |
874 | ') | |
875 | ||
876 | dontaudit $1 initctl_t:fifo_file { read write }; | |
877 | ') | |
878 | ||
2283dc74 CP |
879 | ######################################## |
880 | ## <summary> | |
881 | ## Make init scripts an entry point for | |
882 | ## the specified domain. | |
883 | ## </summary> | |
884 | ## <param name="domain"> | |
885 | ## <summary> | |
a0546c9d | 886 | ## Domain allowed access. |
2283dc74 CP |
887 | ## </summary> |
888 | ## </param> | |
889 | # cjp: added for gentoo integrated run_init | |
890 | interface(`init_script_file_entry_type',` | |
891 | gen_require(` | |
892 | type initrc_exec_t; | |
893 | ') | |
894 | ||
3f67f722 | 895 | domain_entry_file($1, initrc_exec_t) |
2283dc74 CP |
896 | ') |
897 | ||
########################################
## <summary>
##	Execute init scripts with a specified domain transition.
## </summary>
## <desc>
##	<p>
##	Applies spec_domtrans_pattern() from the caller to
##	initrc_t for every file type carrying the
##	init_script_file_type attribute. The process range
##	after the transition is s0 when MCS is enabled and
##	s0 - mls_systemhigh when MLS is enabled.
##	</p>
##	<p>
##	The rule covers all init script types at once. Where
##	a domain should only start one service, use
##	init_labeled_script_domtrans() with that script type.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`init_spec_domtrans_script',`
	gen_require(`
		type initrc_t;
		attribute init_script_file_type;
	')

	files_list_etc($1)
	spec_domtrans_pattern($1, init_script_file_type, initrc_t)

	ifdef(`enable_mcs',`
		range_transition $1 init_script_file_type:process s0;
	')

	ifdef(`enable_mls',`
		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
	')
')
925 | ||
########################################
## <summary>
##	Execute init scripts with an automatic domain transition.
## </summary>
## <desc>
##	<p>
##	Adds the caller to the initrc_transition_domain
##	attribute and applies domtrans_pattern() from the
##	caller to initrc_t for every file type carrying the
##	init_script_file_type attribute. The process range
##	after the transition is s0 when MCS is enabled and
##	s0 - mls_systemhigh when MLS is enabled.
##	</p>
##	<p>
##	The rule covers all init script types at once. Where
##	a domain should only start one service, use
##	init_labeled_script_domtrans() with that script type.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`init_domtrans_script',`
	gen_require(`
		type initrc_t;
		attribute init_script_file_type;
		attribute initrc_transition_domain;
	')
	typeattribute $1 initrc_transition_domain;

	files_list_etc($1)
	domtrans_pattern($1, init_script_file_type, initrc_t)

	ifdef(`enable_mcs',`
		range_transition $1 init_script_file_type:process s0;
	')

	ifdef(`enable_mls',`
		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
	')
')
955 | ||
########################################
## <summary>
##	Execute a file in a bin directory
##	in the initrc_t domain.
## </summary>
## <desc>
##	<p>
##	Passes the caller and initrc_t to
##	corecmd_bin_domtrans(). Files in bin directories are
##	a much broader set than init scripts, so review each
##	caller of this interface.
##	</p>
##	<p>
##	NOTE(review): the interface name ends in _spec while
##	the helper it calls has no spec in its name; confirm
##	whether a specified or an automatic transition is
##	intended.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_bin_domtrans_spec',`
	gen_require(`
		type initrc_t;
	')

	corecmd_bin_domtrans($1, initrc_t)
')
974 | ||
########################################
## <summary>
##	Execute an init script in a specified domain.
## </summary>
## <desc>
##	<p>
##	Execute an init script in a specified domain.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
##	<p>
##	The transition is set up with domain_auto_trans()
##	on initrc_exec_t. NOTE(review): the target domain
##	presumably also needs initrc_exec_t as an entry
##	point, see init_script_file_entry_type(); confirm.
##	</p>
## </desc>
## <param name="source_domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	Domain to transition to.
##	</summary>
## </param>
# cjp: added for gentoo integrated run_init
interface(`init_script_file_domtrans',`
	gen_require(`
		type initrc_exec_t;
	')

	files_list_etc($1)
	domain_auto_trans($1, initrc_exec_t, $2)
')
1008 | ||
########################################
## <summary>
##	Transition to the init script domain
##	on a specified labeled init script.
## </summary>
## <desc>
##	<p>
##	Adds the caller to the initrc_transition_domain
##	attribute, applies domtrans_pattern() from the
##	caller to initrc_t on the given script type, and
##	allows ioctl on files of that type. The transition
##	is limited to the one script type passed in, which
##	is what lets a policy confine an administrator to a
##	single service.
##	</p>
##	<p>
##	fs_search_all() is also called for the caller, which
##	is wider than the single script type.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="init_script_file">
##	<summary>
##	Labeled init script file.
##	</summary>
## </param>
#
interface(`init_labeled_script_domtrans',`
	gen_require(`
		type initrc_t;
		attribute initrc_transition_domain;
	')

	typeattribute $1 initrc_transition_domain;
	# service script searches all filesystems via mountpoint
	fs_search_all($1)
	domtrans_pattern($1, $2, initrc_t)
	allow $1 $2:file ioctl;
	files_search_etc($1)
')
1038 | ||
#########################################
## <summary>
##	Transition to the init script domain
##	for all labeled init script types.
## </summary>
## <desc>
##	<p>
##	Calls init_labeled_script_domtrans() with the
##	init_script_file_type attribute, so the transition
##	applies to every type that carries the attribute.
##	This removes the per-service restriction that a
##	single script type gives; use it only for domains
##	that may start or stop any service.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`init_all_labeled_script_domtrans',`
	gen_require(`
		attribute init_script_file_type;
	')

	init_labeled_script_domtrans($1, init_script_file_type)
')
1057 | ||
########################################
## <summary>
##	Start and stop daemon programs directly.
## </summary>
## <desc>
##	<p>
##	Start and stop daemon programs directly
##	in the traditional "/etc/init.d/daemon start"
##	style, and do not require run_init.
##	</p>
##	<p>
##	The given role changes to system_r when it executes
##	a file whose type carries the direct_init_entry
##	attribute. Grant only to roles that are meant to
##	manage daemons without going through run_init.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be performing this action.
##	</summary>
## </param>
#
interface(`init_run_daemon',`
	gen_require(`
		# direct_init is required here but not referenced
		# in this body.
		attribute direct_run_init, direct_init, direct_init_entry;
		role system_r;
	')

	# Tag the caller domain; rules attached to the attribute
	# are defined outside this interface.
	typeattribute $1 direct_run_init;
	# Role change to system_r on executing a direct_init_entry file.
	role_transition $2 direct_init_entry system_r;
')
1089 | ||
########################################
## <summary>
##	Read the process state (/proc/pid) of init.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_read_state',`
	gen_require(`
		type init_t;
	')

	# Read-only access: directory search plus file and symlink
	# read on objects labeled init_t. No write or ptrace is added.
	allow $1 init_t:dir search_dir_perms;
	allow $1 init_t:file read_file_perms;
	allow $1 init_t:lnk_file read_lnk_file_perms;
')
1109 | ||
########################################
## <summary>
##	Ptrace init.
## </summary>
## <desc>
##	<p>
##	Grants the ptrace permission on init_t processes.
##	A tracer can read and modify the memory and
##	registers of the traced process, so a domain with
##	this permission can take over anything init_t is
##	allowed to do. Grant it only to domains trusted as
##	much as init itself and review every caller.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`init_ptrace',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:process ptrace;
')
1128 | ||
########################################
## <summary>
##	Write an init script unnamed pipe.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_write_script_pipes',`
	gen_require(`
		type initrc_t;
	')

	# Write only; read is granted by init_rw_script_pipes().
	allow $1 initrc_t:fifo_file write;
')
1146 | ||
########################################
## <summary>
##	Get the attributes of init script entrypoint files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_getattr_script_files',`
	gen_require(`
		type initrc_exec_t;
	')

	files_list_etc($1)
	# getattr only on initrc_exec_t files; no read or execute.
	allow $1 initrc_exec_t:file getattr;
')
1165 | ||
########################################
## <summary>
##	Read init scripts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_read_script_files',`
	gen_require(`
		type initrc_exec_t;
	')

	files_search_etc($1)
	# Read access to initrc_exec_t files only; execution is
	# granted separately by init_exec_script_files().
	allow $1 initrc_exec_t:file read_file_perms;
')
1184 | ||
########################################
## <summary>
##	Execute init scripts in the caller domain.
## </summary>
## <desc>
##	<p>
##	Uses can_exec() on initrc_exec_t, so the script runs
##	with the permissions of the caller. No transition to
##	initrc_t is set up by this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_exec_script_files',`
	gen_require(`
		type initrc_exec_t;
	')

	files_list_etc($1)
	can_exec($1, initrc_exec_t)
')
1203 | ||
########################################
## <summary>
##	Get the attributes of all init script entrypoint files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_getattr_all_script_files',`
	gen_require(`
		attribute init_script_file_type;
	')

	files_list_etc($1)
	# Applies to every type carrying init_script_file_type.
	allow $1 init_script_file_type:file getattr;
')
1222 | ||
########################################
## <summary>
##	Read all init script files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_read_all_script_files',`
	gen_require(`
		attribute init_script_file_type;
	')

	files_search_etc($1)
	# Applies to every type carrying init_script_file_type;
	# init_read_script_files() covers initrc_exec_t alone.
	allow $1 init_script_file_type:file read_file_perms;
')
1241 | ||
#######################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all init script files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_getattr_all_script_files',`
	gen_require(`
		attribute init_script_file_type;
	')

	# Grants no access; only the audit record for a denied
	# getattr is suppressed.
	dontaudit $1 init_script_file_type:file getattr;
')
1259 | ||
#######################################
## <summary>
##	Do not audit attempts to read all init script files.
## </summary>
## <desc>
##	<p>
##	No access is granted. Denied reads of init script
##	files by this domain leave no audit record, so they
##	are invisible to log-based detection. Rebuild the
##	policy with dontaudit rules disabled (semodule -DB)
##	when investigating this domain.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_read_all_script_files',`
	gen_require(`
		attribute init_script_file_type;
	')

	dontaudit $1 init_script_file_type:file read_file_perms;
')
1277 | ||
########################################
## <summary>
##	Execute all init scripts in the caller domain.
## </summary>
## <desc>
##	<p>
##	Uses can_exec() on every type carrying the
##	init_script_file_type attribute, so the scripts run
##	with the permissions of the caller. No transition to
##	initrc_t is set up by this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_exec_all_script_files',`
	gen_require(`
		attribute init_script_file_type;
	')

	files_list_etc($1)
	can_exec($1, init_script_file_type)
')
1296 | ||
########################################
## <summary>
##	Read the process state (/proc/pid) of the init scripts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_read_script_state',`
	gen_require(`
		type initrc_t;
	')

	kernel_search_proc($1)
	# ps_process_pattern() is defined outside this file section;
	# presumably read-only access to initrc_t entries, confirm.
	ps_process_pattern($1, initrc_t)
')
1315 | ||
########################################
## <summary>
##	Inherit and use init script file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_use_script_fds',`
	gen_require(`
		type initrc_t;
	')

	# Only the fd use permission is granted. Access to the object
	# behind a descriptor needs its own rule for that object class.
	allow $1 initrc_t:fd use;
')
1333 | ||
########################################
## <summary>
##	Do not audit attempts to inherit
##	init script file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_use_script_fds',`
	gen_require(`
		type initrc_t;
	')

	# Grants no access; only the audit record for a denied
	# fd use is suppressed.
	dontaudit $1 initrc_t:fd use;
')
1352 | ||
########################################
## <summary>
##	Search init script keys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_search_script_keys',`
	gen_require(`
		type initrc_t;
	')

	# Only the search permission of the key class, on keys
	# labeled initrc_t.
	allow $1 initrc_t:key search;
')
1370 | ||
########################################
## <summary>
##	Get the process group ID of init scripts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_getpgid_script',`
	gen_require(`
		type initrc_t;
	')

	# Query only; no signal permission is granted here.
	allow $1 initrc_t:process getpgid;
')
1388 | ||
########################################
## <summary>
##	Send SIGCHLD signals to init scripts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_sigchld_script',`
	gen_require(`
		type initrc_t;
	')

	# Only the sigchld permission; other signals are covered by
	# init_signal_script() and init_signull_script().
	allow $1 initrc_t:process sigchld;
')
1406 | ||
########################################
## <summary>
##	Send generic signals to init scripts.
## </summary>
## <desc>
##	<p>
##	Grants the signal permission on initrc_t processes.
##	The sigkill, sigstop, sigchld and signull permissions
##	are separate and are not granted by this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_signal_script',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:process signal;
')
1424 | ||
########################################
## <summary>
##	Send null signals to init scripts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_signull_script',`
	gen_require(`
		type initrc_t;
	')

	# Only the signull permission (the null signal, used to
	# test whether a process exists).
	allow $1 initrc_t:process signull;
')
1442 | ||
########################################
## <summary>
##	Read and write init script unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_rw_script_pipes',`
	gen_require(`
		type initrc_t;
	')

	# read and write only; use init_write_script_pipes() when
	# the domain never needs to read.
	allow $1 initrc_t:fifo_file { read write };
')
1460 | ||
########################################
## <summary>
##	Send UDP network traffic to init scripts.  (Deprecated)
## </summary>
## <desc>
##	<p>
##	Deprecated stub. The body only calls refpolicywarn()
##	and adds no allow rule, so callers gain no access
##	from it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_udp_send_script',`
	refpolicywarn(`$0($*) has been deprecated.')
')
1474 | ||
########################################
## <summary>
##	Allow the specified domain to connect to
##	init scripts with a unix socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_stream_connect_script',`
	gen_require(`
		type initrc_t;
	')

	# Only connectto on initrc_t stream sockets; no sock_file
	# rule is added in this interface.
	allow $1 initrc_t:unix_stream_socket connectto;
')
1493 | ||
########################################
## <summary>
##	Allow the specified domain to read and write
##	init script unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_rw_script_stream_sockets',`
	gen_require(`
		type initrc_t;
	')

	# connectto is not part of this rule; see
	# init_stream_connect_script() for connecting.
	allow $1 initrc_t:unix_stream_socket rw_socket_perms;
')
1512 | ||
########################################
## <summary>
##	Do not audit attempts by the specified domain to
##	connect to init scripts with a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_stream_connect_script',`
	gen_require(`
		type initrc_t;
	')

	# Grants no access; only the audit record for a denied
	# connectto is suppressed.
	dontaudit $1 initrc_t:unix_stream_socket connectto;
')
########################################
## <summary>
##	Send messages to init scripts over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_dbus_send_script',`
	gen_require(`
		type initrc_t;
		class dbus send_msg;
	')

	# One direction only: caller to initrc_t. The reply direction
	# is added by init_dbus_chat_script().
	allow $1 initrc_t:dbus send_msg;
')
1470ffb0 | 1549 | |
########################################
## <summary>
##	Send and receive messages from
##	init over dbus.
## </summary>
## <desc>
##	<p>
##	Allows send_msg in both directions between the
##	caller and init_t. The rule does not restrict which
##	dbus methods may be called; that has to be limited
##	elsewhere if needed.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_dbus_chat',`
	gen_require(`
		type init_t;
		class dbus send_msg;
	')

	allow $1 init_t:dbus send_msg;
	allow init_t $1:dbus send_msg;
')
1570 | ||
########################################
## <summary>
##	Send and receive messages from
##	init scripts over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_dbus_chat_script',`
	gen_require(`
		type initrc_t;
		class dbus send_msg;
	')

	# send_msg in both directions between the caller and initrc_t.
	allow $1 initrc_t:dbus send_msg;
	allow initrc_t $1:dbus send_msg;
')
1591 | ||
########################################
## <summary>
##	Read and write the init script pty.
## </summary>
## <desc>
##	<p>
##	Read and write the init script pty.  This
##	pty is generally opened by the open_init_pty
##	portion of the run_init program so that the
##	daemon does not require direct access to
##	the administrator terminal.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_use_script_ptys',`
	gen_require(`
		type initrc_devpts_t;
	')

	term_list_ptys($1)
	# Access is limited to chr_file objects labeled
	# initrc_devpts_t; no other terminal type is covered here.
	allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
')
1619 | ||
########################################
## <summary>
##	Do not audit attempts to read and
##	write the init script pty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_use_script_ptys',`
	gen_require(`
		type initrc_devpts_t;
	')

	# Grants no access; suppresses audit records for the same
	# permission set that init_use_script_ptys() allows.
	dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
')
1638 | ||
########################################
## <summary>
##	Get the attributes of init script
##	status files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_getattr_script_status_files',`
	gen_require(`
		type initrc_state_t;
	')

	# Directory and file type are both initrc_state_t.
	getattr_files_pattern($1, initrc_state_t, initrc_state_t)
')
1657 | ||
########################################
## <summary>
##	Manage init script
##	status files.
## </summary>
## <desc>
##	<p>
##	Applies manage_files_pattern() to initrc_state_t
##	files in initrc_state_t directories. A domain with
##	this access can change the recorded status that
##	other tools read, so prefer
##	init_getattr_script_status_files() where reading the
##	attributes is enough.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_manage_script_status_files',`
	gen_require(`
		type initrc_state_t;
	')

	manage_files_pattern($1, initrc_state_t, initrc_state_t)
')
1676 | ||
########################################
## <summary>
##	Do not audit attempts to read init script
##	status files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_read_script_status_files',`
	gen_require(`
		type initrc_state_t;
	')

	# Grants no access; suppresses audit records for denied
	# directory search and file read on initrc_state_t.
	dontaudit $1 initrc_state_t:dir search_dir_perms;
	dontaudit $1 initrc_state_t:file read_file_perms;
')
1696 | ||
########################################
## <summary>
##	Read init script temporary data.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_read_script_tmp_files',`
	gen_require(`
		type initrc_tmp_t;
	')

	files_search_tmp($1)
	# Read-only; init_rw_script_tmp_files() adds write access.
	read_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
')
1715 | ||
########################################
## <summary>
##	Read and write init script temporary data.
## </summary>
## <desc>
##	<p>
##	Applies rw_files_pattern() to initrc_tmp_t files in
##	initrc_tmp_t directories. Write access lets the
##	caller change data that init scripts later read, so
##	prefer init_read_script_tmp_files() unless writing
##	is required.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_rw_script_tmp_files',`
	gen_require(`
		type initrc_tmp_t;
	')

	files_search_tmp($1)
	rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
')
1734 | ||
########################################
## <summary>
##	Read and write init script inherited temporary data.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_rw_inherited_script_tmp_files',`
	gen_require(`
		type initrc_tmp_t;
	')

	# Unlike init_rw_script_tmp_files(), no directory search is
	# added. NOTE(review): rw_inherited_file_perms presumably
	# omits open; confirm against the permission set definition.
	allow $1 initrc_tmp_t:file rw_inherited_file_perms;
')
1752 | ||
########################################
## <summary>
##	Create files in an init script
##	temporary data directory.
## </summary>
## <desc>
##	<p>
##	Applies filetrans_pattern() so that objects of the
##	given class created by the caller in an initrc_tmp_t
##	directory receive the given type instead of the
##	directory type.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="file_type">
##	<summary>
##	The type of the object to be created.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The object class.
##	</summary>
## </param>
#
interface(`init_script_tmp_filetrans',`
	gen_require(`
		type initrc_tmp_t;
	')

	files_search_tmp($1)
	filetrans_pattern($1, initrc_tmp_t, $2, $3)
')
1782 | ||
########################################
## <summary>
##	Get the attributes of init script process id files.
## </summary>
## <desc>
##	<p>
##	The rule applies to every file labeled
##	initrc_var_run_t. NOTE(review): the interface name
##	suggests utmp is the intended file; confirm against
##	the file contexts.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_getattr_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	allow $1 initrc_var_run_t:file getattr;
')
1800 | ||
########################################
## <summary>
##	Read utmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_read_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	files_list_pids($1)
	# Read-only access to every file labeled initrc_var_run_t.
	allow $1 initrc_var_run_t:file read_file_perms;
')
1819 | ||
########################################
## <summary>
##	Do not audit attempts to read utmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_read_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	# Grants no access; only the audit record for a denied
	# read is suppressed.
	dontaudit $1 initrc_var_run_t:file read_file_perms;
')
1837 | ||
########################################
## <summary>
##	Do not audit attempts to write utmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_write_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	# Grants no access. Covers lock as well as write, so denied
	# lock attempts are also left out of the audit log.
	dontaudit $1 initrc_var_run_t:file { write lock };
')
1855 | ||
########################################
## <summary>
##	Write to utmp.
## </summary>
## <desc>
##	<p>
##	Grants getattr, open and write on files labeled
##	initrc_var_run_t. utmp holds login session records,
##	so a domain with write access can alter what tools
##	reading utmp report. Review callers with that in
##	mind.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_write_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	files_list_pids($1)
	allow $1 initrc_var_run_t:file { getattr open write };
')
1874 | ||
########################################
## <summary>
##	Do not audit attempts to lock
##	init script pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_lock_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	# Grants no access; only the audit record for a denied
	# lock is suppressed.
	dontaudit $1 initrc_var_run_t:file lock;
')
1893 | ||
3ce6cb4a | 1894 | ######################################## |
ac9db9b5 CP |
1895 | ## <summary> |
1896 | ## Read and write utmp. | |
1897 | ## </summary> | |
1898 | ## <param name="domain"> | |
1899 | ## <summary> | |
1900 | ## Domain allowed access. | |
1901 | ## </summary> | |
1902 | ## </param> | |
3ce6cb4a | 1903 | # |
68228b33 | 1904 | interface(`init_rw_utmp',` |
139520a2 CP |
1905 | gen_require(` |
1906 | type initrc_var_run_t; | |
139520a2 | 1907 | ') |
0c73cd25 | 1908 | |
c9428d33 | 1909 | files_list_pids($1) |
dd822947 | 1910 | allow $1 initrc_var_run_t:file rw_file_perms; |
3ce6cb4a CP |
1911 | ') |
1912 | ||
3ce6cb4a | 1913 | ######################################## |
ac9db9b5 CP |
1914 | ## <summary> |
1915 | ## Do not audit attempts to read and write utmp. | |
1916 | ## </summary> | |
1917 | ## <param name="domain"> | |
1918 | ## <summary> | |
a0546c9d | 1919 | ## Domain to not audit. |
ac9db9b5 CP |
1920 | ## </summary> |
1921 | ## </param> | |
3ce6cb4a | 1922 | # |
68228b33 | 1923 | interface(`init_dontaudit_rw_utmp',` |
139520a2 CP |
1924 | gen_require(` |
1925 | type initrc_var_run_t; | |
139520a2 | 1926 | ') |
0c73cd25 | 1927 | |
3eaa9939 | 1928 | dontaudit $1 initrc_var_run_t:file rw_file_perms; |
3ce6cb4a CP |
1929 | ') |
1930 | ||
7c2f5a82 CP |
1931 | ######################################## |
1932 | ## <summary> | |
ff8f0a63 | 1933 | ## Create, read, write, and delete utmp. |
7c2f5a82 CP |
1934 | ## </summary> |
1935 | ## <param name="domain"> | |
885b83ec | 1936 | ## <summary> |
a0546c9d | 1937 | ## Domain allowed access. |
885b83ec | 1938 | ## </summary> |
7c2f5a82 CP |
1939 | ## </param> |
1940 | # | |
1941 | interface(`init_manage_utmp',` | |
1942 | gen_require(` | |
1943 | type initrc_var_run_t; | |
1944 | ') | |
1945 | ||
1946 | files_search_pids($1) | |
c0868a7a | 1947 | allow $1 initrc_var_run_t:file manage_file_perms; |
7c2f5a82 | 1948 | ') |
dc1920b2 | 1949 | |
296273a7 CP |
1950 | ######################################## |
1951 | ## <summary> | |
1952 | ## Create files in /var/run with the | |
1953 | ## utmp file type. | |
1954 | ## </summary> | |
1955 | ## <param name="domain"> | |
1956 | ## <summary> | |
a0546c9d | 1957 | ## Domain allowed access. |
296273a7 CP |
1958 | ## </summary> |
1959 | ## </param> | |
1960 | # | |
1961 | interface(`init_pid_filetrans_utmp',` | |
1962 | gen_require(` | |
1963 | type initrc_var_run_t; | |
1964 | ') | |
1965 | ||
1966 | files_pid_filetrans($1, initrc_var_run_t, file) | |
1967 | ') | |
1968 | ||
e4547030 MG |
1969 | ###################################### |
1970 | ## <summary> | |
1971 | ## Allow searching of the /run/systemd directory. | |
1972 | ## </summary> | |
1973 | ## <param name="domain"> | |
1974 | ## <summary> | |
1975 | ## Domain allowed access. | |
1976 | ## </summary> | |
1977 | ## </param> | |
1978 | # | |
1979 | interface(`init_search_pid_dirs',` | |
1980 | gen_require(` | |
1981 | type init_var_run_t; | |
1982 | ') | |
1983 | ||
e76e17ed DW |
1984 | allow $1 init_var_run_t:dir search_dir_perms; |
1985 | ') | |
1986 | ||
1987 | ###################################### | |
1988 | ## <summary> | |
1989 | ## Allow listing of the /run/systemd directory. | |
1990 | ## </summary> | |
1991 | ## <param name="domain"> | |
1992 | ## <summary> | |
1993 | ## Domain allowed access. | |
1994 | ## </summary> | |
1995 | ## </param> | |
1996 | # | |
1997 | interface(`init_list_pid_dirs',` | |
1998 | gen_require(` | |
1999 | type init_var_run_t; | |
2000 | ') | |
2001 | ||
e4547030 MG |
2002 | allow $1 init_var_run_t:dir list_dir_perms; |
2003 | ') | |
2004 | ||
1b220452 MG |
2005 | ####################################### |
2006 | ## <summary> | |
2007 | ## Create a directory in the /run/systemd directory. | |
2008 | ## </summary> | |
2009 | ## <param name="domain"> | |
2010 | ## <summary> | |
2011 | ## Domain allowed access. | |
2012 | ## </summary> | |
2013 | ## </param> | |
2014 | # | |
2015 | interface(`init_create_pid_dirs',` | |
2016 | gen_require(` | |
bf7821d3 | 2017 | type init_var_run_t; |
1b220452 MG |
2018 | ') |
2019 | ||
2020 | allow $1 init_var_run_t:dir list_dir_perms; | |
2021 | create_dirs_pattern($1, init_var_run_t, init_var_run_t) | |
2022 | ') | |
2023 | ||
a1f5ccee MG |
2024 | ####################################### |
2025 | ## <summary> | |
96051d97 | 2026 | ## Create objects in /run/systemd directory |
a1f5ccee MG |
2027 | ## with an automatic type transition to |
2028 | ## a specified private type. | |
2029 | ## </summary> | |
2030 | ## <param name="domain"> | |
2031 | ## <summary> | |
2032 | ## Domain allowed access. | |
2033 | ## </summary> | |
2034 | ## </param> | |
2035 | ## <param name="private_type"> | |
2036 | ## <summary> | |
2037 | ## The type of the object to create. | |
2038 | ## </summary> | |
2039 | ## </param> | |
2040 | ## <param name="object_class"> | |
2041 | ## <summary> | |
2042 | ## The class of the object to be created. | |
2043 | ## </summary> | |
2044 | ## </param> | |
2045 | # | |
2046 | interface(`init_pid_filetrans',` | |
2047 | gen_require(` | |
2048 | type init_var_run_t; | |
2049 | ') | |
2050 | ||
ac679c2f | 2051 | files_search_pids($1) |
a1f5ccee | 2052 | filetrans_pattern($1, init_var_run_t, $2, $3) |
ac679c2f DG |
2053 | ') |
2054 | ||
2055 | ####################################### | |
2056 | ## <summary> | |
2057 | ## Create objects with a specified name in the /run/systemd | |
2058 | ## directory with an automatic type transition to | |
2059 | ## a specified private type. | |
2060 | ## </summary> | |
2061 | ## <param name="domain"> | |
2062 | ## <summary> | |
2063 | ## Domain allowed access. | |
2064 | ## </summary> | |
2065 | ## </param> | |
2066 | ## <param name="private_type"> | |
2067 | ## <summary> | |
2068 | ## The type of the object to create. | |
2069 | ## </summary> | |
2070 | ## </param> | |
2071 | ## <param name="object_class"> | |
2072 | ## <summary> | |
2073 | ## The class of the object to be created. | |
2074 | ## </summary> | |
2075 | ## </param> | |
2076 | ## <param name="object_name"> | |
2077 | ## <summary> | |
2078 | ## The name of the object to be created. | |
2079 | ## </summary> | |
2080 | ## </param> | |
2081 | # | |
2082 | interface(`init_named_pid_filetrans',` | |
2083 | gen_require(` | |
2084 | type init_var_run_t; | |
2085 | ') | |
2086 | ||
2087 | files_search_pids($1) | |
2088 | filetrans_pattern($1, init_var_run_t, $2, $3, $4) | |
a1f5ccee MG |
2089 | ') |
2090 | ||
dc1920b2 CP |
2091 | ######################################## |
2092 | ## <summary> | |
2093 | ## Allow the specified domain to connect to all daemons with a TCP socket. | |
2094 | ## </summary> | |
2095 | ## <param name="domain"> | |
2096 | ## <summary> | |
2097 | ## Domain allowed access. | |
2098 | ## </summary> | |
2099 | ## </param> | |
2100 | # | |
2101 | interface(`init_tcp_recvfrom_all_daemons',` | |
2102 | gen_require(` | |
2103 | attribute daemon; | |
2104 | ') | |
2105 | ||
2106 | corenet_tcp_recvfrom_labeled($1, daemon) | |
2107 | ') | |
2108 | ||
2109 | ######################################## | |
2110 | ## <summary> | |
2111 | ## Allow the specified domain to connect to all daemons with a UDP socket. | |
2112 | ## </summary> | |
2113 | ## <param name="domain"> | |
2114 | ## <summary> | |
2115 | ## Domain allowed access. | |
2116 | ## </summary> | |
2117 | ## </param> | |
2118 | # | |
2119 | interface(`init_udp_recvfrom_all_daemons',` | |
2120 | gen_require(` | |
2121 | attribute daemon; | |
2122 | ') | |
2123 | corenet_udp_recvfrom_labeled($1, daemon) | |
2124 | ') | |
3eaa9939 DW |
2125 | |
2126 | ######################################## | |
2127 | ## <summary> | |
2128 | ## Transition to system_r when executing an init script. | |
2129 | ## </summary> | |
2130 | ## <desc> | |
2131 | ## <p> | |
2132 | ## Execute an init script in a specified role. | |
2133 | ## </p> | |
2134 | ## <p> | |
2135 | ## No interprocess communication (signals, pipes, | |
2136 | ## etc.) is provided by this interface since | |
2137 | ## the domains are not owned by this module. | |
2138 | ## </p> | |
2139 | ## </desc> | |
2140 | ## <param name="source_role"> | |
2141 | ## <summary> | |
2142 | ## Role to transition from. | |
2143 | ## </summary> | |
2144 | ## </param> | |
2145 | # | |
2146 | interface(`init_script_role_transition',` | |
2147 | gen_require(` | |
2148 | attribute init_script_file_type; | |
2149 | ') | |
2150 | ||
2151 | role_transition $1 init_script_file_type system_r; | |
2152 | ') | |
2153 | ||
2154 | ######################################## | |
2155 | ## <summary> | |
2156 | ## Do not audit attempts to read and write leaked init script file descriptors. | |
2157 | ## </summary> | |
2158 | ## <param name="domain"> | |
2159 | ## <summary> | |
24280f35 | 2160 | ## Domain to not audit. |
3eaa9939 DW |
2161 | ## </summary> |
2162 | ## </param> | |
2163 | # | |
2164 | interface(`init_dontaudit_script_leaks',` | |
2165 | gen_require(` | |
2166 | type initrc_t; | |
2167 | ') | |
2168 | ||
2169 | dontaudit $1 initrc_t:tcp_socket { read write }; | |
2170 | dontaudit $1 initrc_t:udp_socket { read write }; | |
2171 | dontaudit $1 initrc_t:unix_dgram_socket { read write }; | |
2172 | dontaudit $1 initrc_t:unix_stream_socket { read write }; | |
2173 | dontaudit $1 initrc_t:shm rw_shm_perms; | |
2174 | init_dontaudit_use_script_ptys($1) | |
2175 | init_dontaudit_use_script_fds($1) | |
2176 | ') | |
2177 | ||
4c3a6f86 MG |
2178 | ####################################### |
2179 | ## <summary> | |
2180 | ## Allow the specified domain to use ioctl on | |
2181 | ## init unix domain stream sockets. | |
2182 | ## </summary> | |
2183 | ## <param name="domain"> | |
2184 | ## <summary> | |
2185 | ## Domain allowed access. | |
2186 | ## </summary> | |
2187 | ## </param> | |
2188 | # | |
2189 | interface(`init_ioctl_stream_sockets',` | |
2190 | gen_require(` | |
2191 | type init_t; | |
2192 | ') | |
2193 | ||
2194 | allow $1 init_t:unix_stream_socket ioctl; | |
2195 | ') | |
2196 | ||
3eaa9939 DW |
2197 | ######################################## |
2198 | ## <summary> | |
2199 | ## Allow the specified domain to read and write | |
2200 | ## init unix domain stream sockets. | |
2201 | ## </summary> | |
2202 | ## <param name="domain"> | |
2203 | ## <summary> | |
2204 | ## Domain allowed access. | |
2205 | ## </summary> | |
2206 | ## </param> | |
2207 | # | |
2208 | interface(`init_rw_stream_sockets',` | |
2209 | gen_require(` | |
2210 | type init_t; | |
2211 | ') | |
2212 | ||
2213 | allow $1 init_t:unix_stream_socket rw_stream_socket_perms; | |
2214 | ') | |
fb216244 | 2215 | |
063c2b78 MG |
2216 | ####################################### |
2217 | ## <summary> | |
2218 | ## Allow the specified domain to write to | |
2219 | ## init sock file. | |
2220 | ## </summary> | |
2221 | ## <param name="domain"> | |
2222 | ## <summary> | |
2223 | ## Domain allowed access. | |
2224 | ## </summary> | |
2225 | ## </param> | |
2226 | # | |
2227 | interface(`init_write_pid_socket',` | |
2228 | gen_require(` | |
2229 | type init_var_run_t; | |
2230 | ') | |
2231 | ||
2232 | allow $1 init_var_run_t:sock_file write; | |
2233 | ') | |
2234 | ||
fb216244 DW |
2235 | ######################################## |
2236 | ## <summary> | |
2237 | ## Send a message to init over a unix domain | |
2238 | ## datagram socket. | |
2239 | ## </summary> | |
2240 | ## <param name="domain"> | |
2241 | ## <summary> | |
2242 | ## Domain allowed access. | |
2243 | ## </summary> | |
2244 | ## </param> | |
2245 | # | |
2246 | interface(`init_dgram_send',` | |
2247 | gen_require(` | |
2248 | type init_t; | |
2249 | ') | |
2250 | ||
2251 | allow $1 init_t:unix_dgram_socket sendto; | |
2252 | ') | |
f6ae5b73 | 2253 | |
4a529812 DW |
2254 | ######################################## |
2255 | ## <summary> | |
2256 | ## Send a message to init over a unix domain | |
2257 | ## stream socket. | |
2258 | ## </summary> | |
2259 | ## <param name="domain"> | |
2260 | ## <summary> | |
2261 | ## Domain allowed access. | |
2262 | ## </summary> | |
2263 | ## </param> | |
2264 | # | |
2265 | interface(`init_stream_send',` | |
2266 | gen_require(` | |
2267 | type init_t; | |
2268 | ') | |
2269 | ||
2270 | allow $1 init_t:unix_stream_socket sendto; | |
2271 | ') | |
2272 | ||
f6ae5b73 DW |
2273 | ######################################## |
2274 | ## <summary> | |
2275 | ## Create a file type used for init socket files. | |
2276 | ## </summary> | |
2277 | ## <desc> | |
2278 | ## <p> | |
2279 | ## This defines a type that init can create sock_file objects with, | |
2280 | ## for impersonation purposes. | |
2281 | ## </p> | |
2282 | ## </desc> | |
2283 | ## <param name="script_file"> | |
2284 | ## <summary> | |
2285 | ## Type to be used for a sock file. | |
2286 | ## </summary> | |
2287 | ## </param> | |
2288 | ## <infoflow type="none"/> | |
2289 | # | |
2290 | interface(`init_sock_file',` | |
2291 | gen_require(` | |
ad02e8bb | 2292 | attribute init_sock_file_type; |
f6ae5b73 DW |
2293 | ') |
2294 | ||
ad02e8bb | 2295 | typeattribute $1 init_sock_file_type; |
f6ae5b73 DW |
2296 | |
2297 | ') | |
2298 | ||
29049a05 DW |
2299 | ######################################## |
2300 | ## <summary> | |
2301 | ## Read init named pipes (FIFO files labeled init_var_run_t). | |
2302 | ## </summary> | |
2303 | ## <param name="domain"> | |
2304 | ## <summary> | |
2305 | ## Domain allowed access. | |
2306 | ## </summary> | |
2307 | ## </param> | |
2308 | # | |
2309 | interface(`init_read_pipes',` | |
2310 | gen_require(` | |
2311 | type init_var_run_t; | |
2312 | ') | |
2313 | ||
5c339835 | 2314 | read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) |
29049a05 | 2315 | ') |