1 ## <summary>System initialization programs (init and init scripts).</summary>
3 ########################################
5 ## Create a file type used for init scripts.
9 ## Create a file type used for init scripts. It can not be
10 ## used in conjunction with init_script_domain(). These
11 ## script files are typically stored in the /etc/init.d directory.
14 ## Typically this is used to constrain what services an
15 ## admin can start/stop. For example, a policy writer may want
16 ## to constrain a web administrator to only being able to
17 ## restart the web server, not other services. This special type
18 ## will help address that goal.
21 ## This also makes the type usable for files; thus an
22 ## explicit call to files_type() is redundant.
25 ## <param name="script_file">
27 ## Type to be used for a script file.
30 ## <infoflow type="none"/>
32 interface(`init_script_file',`
35 attribute init_script_file_type, init_run_all_scripts_domain;
38 typeattribute $1 init_script_file_type;
40 domain_entry_file(initrc_t, $1)
42 domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t)
45 ########################################
47 ## Create a domain used for init scripts.
51 ## Create a domain used for init scripts.
52 ## Can not be used in conjunction with
53 ## init_script_file().
56 ## <param name="domain">
58 ## Type to be used as an init script domain.
61 ## <param name="script_file">
63 ## Type of the script file used as an entry point to this domain.
67 interface(`init_script_domain',`
69 attribute init_script_domain_type, init_script_file_type;
70 attribute init_run_all_scripts_domain;
73 typeattribute $1 init_script_domain_type;
74 typeattribute $2 init_script_file_type;
77 domain_entry_file($1, $2)
79 domtrans_pattern(init_run_all_scripts_domain, $2, $1)
83 #######################################
85 ## Create a domain which can be started by init.
87 ## <param name="domain">
89 ## Type to be used as a domain.
92 ## <param name="entry_point">
94 ## Type of the program to be used as an entry point to this domain.
98 interface(`init_systemd_domain',`
105 domain_entry_file($1,$2)
107 role system_r types $1;
109 tunable_policy(`init_systemd',`
110 domtrans_pattern(init_t,$2,$1)
111 allow init_t $1:unix_stream_socket create_stream_socket_perms;
112 allow init_t $1:unix_dgram_socket create_socket_perms;
113 allow $1 init_t:unix_stream_socket ioctl;
114 allow $1 init_t:unix_dgram_socket sendto;
118 ########################################
120 ## Create a domain which can be started by init.
122 ## <param name="domain">
124 ## Type to be used as a domain.
127 ## <param name="entry_point">
129 ## Type of the program to be used as an entry point to this domain.
133 interface(`init_domain',`
140 domain_entry_file($1, $2)
142 role system_r types $1;
144 tunable_policy(`init_systemd',`', `
145 domtrans_pattern(init_t, $2, $1)
146 allow init_t $1:unix_stream_socket create_stream_socket_perms;
147 allow $1 init_t:unix_dgram_socket sendto;
150 ifdef(`hide_broken_symptoms',`
151 # RHEL4 systems seem to have a stray
152 # fds open from the initrd
153 ifdef(`distro_rhel4',`
154 kernel_dontaudit_use_fds($1)
159 ########################################
161 ## Create a domain which can be started by init,
162 ## with a range transition.
164 ## <param name="domain">
166 ## Type to be used as a domain.
169 ## <param name="entry_point">
171 ## Type of the program to be used as an entry point to this domain.
174 ## <param name="range">
176 ## Range for the domain.
180 interface(`init_ranged_domain',`
188 range_transition init_t $2:process $3;
192 range_transition init_t $2:process $3;
193 mls_rangetrans_target($1)
197 ########################################
199 ## Create a domain for long running processes
200 ## (daemons/services) which are started by init scripts.
204 ## Create a domain for long running processes (daemons/services)
205 ## which are started by init scripts. Short running processes
206 ## should use the init_system_domain() interface instead.
207 ## Typically all long running processes started by an init
208 ## script (usually in /etc/init.d) will need to use this
212 ## The types will be made usable as a domain and file, making
213 ## calls to domain_type() and files_type() redundant.
216 ## If the process must also run in a specific MLS/MCS level,
217 ## the init_ranged_daemon_domain() should be used instead.
220 ## <param name="domain">
222 ## Type to be used as a daemon domain.
225 ## <param name="entry_point">
227 ## Type of the program to be used as an entry point to this domain.
230 ## <infoflow type="read" weight="10"/>
232 interface(`init_daemon_domain',`
234 attribute direct_run_init, direct_init, direct_init_entry;
239 attribute initrc_transition_domain;
242 typeattribute $1 daemon;
245 domain_entry_file($1, $2)
247 domtrans_pattern(initrc_t,$2,$1)
249 ifdef(`direct_sysadm_daemon',`
250 domtrans_pattern(direct_run_init, $2, $1)
252 typeattribute $1 direct_init;
253 typeattribute $2 direct_init_entry;
255 # userdom_dontaudit_use_user_terminals($1)
258 tunable_policy(`init_upstart || init_systemd',`
259 # Handle upstart direct transition to a executable
260 domtrans_pattern(init_t,$2,$1)
264 ########################################
266 ## Create a domain for long running processes
267 ## (daemons/services) which are started by init scripts,
268 ## running at a specified MLS/MCS range.
272 ## Create a domain for long running processes (daemons/services)
273 ## which are started by init scripts, running at a specified
274 ## MLS/MCS range. Short running processes
275 ## should use the init_ranged_system_domain() interface instead.
276 ## Typically all long running processes started by an init
277 ## script (usually in /etc/init.d) will need to use this
278 ## interface if they need to run in a specific MLS/MCS range.
281 ## The types will be made usable as a domain and file, making
282 ## calls to domain_type() and files_type() redundant.
285 ## If the policy build option TYPE is standard (MLS and MCS disabled),
286 ## this interface has the same behavior as init_daemon_domain().
289 ## <param name="domain">
291 ## Type to be used as a daemon domain.
294 ## <param name="entry_point">
296 ## Type of the program to be used as an entry point to this domain.
299 ## <param name="range">
301 ## MLS/MCS range for the domain.
304 ## <infoflow type="read" weight="10"/>
306 interface(`init_ranged_daemon_domain',`
312 # init_daemon_domain($1, $2)
315 range_transition initrc_t $2:process $3;
316 range_transition init_t $2:process $3;
320 range_transition initrc_t $2:process $3;
321 mls_rangetrans_target($1)
322 range_transition init_t $2:process $3;
326 ########################################
328 ## Create a domain for short running processes
329 ## which are started by init scripts.
333 ## Create a domain for short running processes
334 ## which are started by init scripts. These are generally applications that
335 ## are used to initialize the system during boot.
336 ## Long running processes, such as daemons/services
337 ## should use the init_daemon_domain() interface instead.
338 ## Typically all short running processes started by an init
339 ## script (usually in /etc/init.d) will need to use this
343 ## The types will be made usable as a domain and file, making
344 ## calls to domain_type() and files_type() redundant.
347 ## If the process must also run in a specific MLS/MCS level,
348 ## the init_ranged_system_domain() should be used instead.
351 ## <param name="domain">
353 ## Type to be used as a system domain.
356 ## <param name="entry_point">
358 ## Type of the program to be used as an entry point to this domain.
361 ## <infoflow type="read" weight="10"/>
363 interface(`init_system_domain',`
368 attribute initrc_transition_domain;
369 attribute systemprocess;
372 typeattribute $1 systemprocess;
373 application_domain($1, $2)
375 role system_r types $1;
377 domtrans_pattern(initrc_t,$2,$1)
379 tunable_policy(`init_systemd',`
380 # Handle upstart/systemd direct transition to a executable
381 domtrans_pattern(init_t,$2,$1)
385 ########################################
387 ## Create a domain for short running processes
388 ## which are started by init scripts.
392 ## Create a domain for long running processes (daemons/services)
393 ## which are started by init scripts.
394 ## These are generally applications that
395 ## are used to initialize the system during boot.
396 ## Long running processes
397 ## should use the init_ranged_system_domain() interface instead.
398 ## Typically all short running processes started by an init
399 ## script (usually in /etc/init.d) will need to use this
400 ## interface if they need to run in a specific MLS/MCS range.
403 ## The types will be made usable as a domain and file, making
404 ## calls to domain_type() and files_type() redundant.
407 ## If the policy build option TYPE is standard (MLS and MCS disabled),
408 ## this interface has the same behavior as init_system_domain().
411 ## <param name="domain">
413 ## Type to be used as a system domain.
416 ## <param name="entry_point">
418 ## Type of the program to be used as an entry point to this domain.
421 ## <param name="range">
423 ## Range for the domain.
426 ## <infoflow type="read" weight="10"/>
428 interface(`init_ranged_system_domain',`
434 init_system_domain($1, $2)
437 range_transition initrc_t $2:process $3;
438 range_transition init_t $2:process $3;
442 range_transition initrc_t $2:process $3;
443 range_transition init_t $2:process $3;
447 ########################################
449 ## Execute init (/sbin/init) with a domain transition.
451 ## <param name="domain">
453 ## Domain allowed to transition.
457 interface(`init_domtrans',`
459 type init_t, init_exec_t;
462 domtrans_pattern($1, init_exec_t, init_t)
465 ########################################
467 ## Execute the init program in the caller domain.
469 ## <param name="domain">
471 ## Domain allowed access.
476 interface(`init_exec',`
481 corecmd_search_bin($1)
482 can_exec($1, init_exec_t)
484 tunable_policy(`init_systemd',`
485 systemd_exec_systemctl($1)
489 ########################################
491 ## Get the process group of init.
493 ## <param name="domain">
495 ## Domain allowed access.
499 interface(`init_getpgid',`
504 allow $1 init_t:process getpgid;
507 ########################################
509 ## Send init a null signal.
511 ## <param name="domain">
513 ## Domain allowed access.
517 interface(`init_signull',`
522 allow $1 init_t:process signull;
525 ########################################
527 ## Send init a SIGCHLD signal.
529 ## <param name="domain">
531 ## Domain allowed access.
535 interface(`init_sigchld',`
540 allow $1 init_t:process sigchld;
543 ########################################
545 ## Send generic signals to init.
547 ## <param name="domain">
549 ## Domain allowed access.
553 interface(`init_signal',`
558 allow $1 init_t:process signal;
561 ########################################
563 ## Connect to init with a unix socket.
565 ## <param name="domain">
567 ## Domain allowed access.
571 interface(`init_stream_connect',`
573 type init_t, init_var_run_t;
576 files_search_pids($1)
577 stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
580 #######################################
582 ## Dontaudit Connect to init with a unix socket.
584 ## <param name="domain">
586 ## Domain to not audit.
590 interface(`init_dontaudit_stream_connect',`
595 dontaudit $1 init_t:unix_stream_socket connectto;
598 ########################################
600 ## Inherit and use file descriptors from init.
604 ## Allow the specified domain to inherit file
605 ## descriptors from the init program (process ID 1).
606 ## Typically the only file descriptors to be
607 ## inherited from init are for the console.
608 ## This does not allow the domain any access to
609 ## the object to which the file descriptors references.
612 ## Related interfaces:
615 ## <li>init_dontaudit_use_fds()</li>
616 ## <li>term_dontaudit_use_console()</li>
617 ## <li>term_use_console()</li>
623 ## init_use_fds(mydomain_t)
624 ## term_use_console(mydomain_t)
627 ## Normally, processes that can inherit these file
628 ## descriptors (usually services) write messages to the
629 ## system log instead of writing to the console.
630 ## Therefore, in many cases, this access should
631 ## dontaudited instead.
634 ## Example dontaudit usage:
637 ## init_dontaudit_use_fds(mydomain_t)
638 ## term_dontaudit_use_console(mydomain_t)
641 ## <param name="domain">
643 ## Domain allowed access.
646 ## <infoflow type="read" weight="1"/>
648 interface(`init_use_fds',`
653 allow $1 init_t:fd use;
656 ########################################
658 ## Do not audit attempts to inherit file
659 ## descriptors from init.
661 ## <param name="domain">
663 ## Domain to not audit.
667 interface(`init_dontaudit_use_fds',`
672 dontaudit $1 init_t:fd use;
675 ########################################
677 ## Send UDP network traffic to init. (Deprecated)
679 ## <param name="domain">
681 ## Domain allowed access.
685 interface(`init_udp_send',`
686 refpolicywarn(`$0($*) has been deprecated.')
689 ########################################
691 ## Get the attributes of initctl.
693 ## <param name="domain">
695 ## Domain allowed access.
699 interface(`init_getattr_initctl',`
704 allow $1 initctl_t:fifo_file getattr;
707 ########################################
709 ## Do not audit attempts to get the
710 ## attributes of initctl.
712 ## <param name="domain">
714 ## Domain to not audit.
718 interface(`init_dontaudit_getattr_initctl',`
723 dontaudit $1 initctl_t:fifo_file getattr;
726 ########################################
730 ## <param name="domain">
732 ## Domain allowed access.
736 interface(`init_write_initctl',`
741 dev_list_all_dev_nodes($1)
742 allow $1 initctl_t:fifo_file write;
745 ########################################
747 ## Use telinit (Read and write initctl).
749 ## <param name="domain">
751 ## Domain allowed access.
756 interface(`init_telinit',`
763 dev_list_all_dev_nodes($1)
764 allow $1 initctl_t:fifo_file rw_fifo_file_perms;
768 tunable_policy(`init_upstart || init_systemd',`
773 ps_process_pattern($1, init_t)
774 allow $1 init_t:process signal;
775 # upstart uses a datagram socket instead of initctl pipe
776 allow $1 self:unix_dgram_socket create_socket_perms;
777 allow $1 init_t:unix_dgram_socket sendto;
779 allow $1 init_t:unix_stream_socket connectto;
783 ########################################
785 ## Read and write initctl.
787 ## <param name="domain">
789 ## Domain allowed access.
793 interface(`init_rw_initctl',`
798 dev_list_all_dev_nodes($1)
799 allow $1 initctl_t:fifo_file rw_fifo_file_perms;
802 ########################################
804 ## Do not audit attempts to read and
807 ## <param name="domain">
809 ## Domain to not audit.
813 interface(`init_dontaudit_rw_initctl',`
818 dontaudit $1 initctl_t:fifo_file { read write };
821 ########################################
823 ## Make init scripts an entry point for
824 ## the specified domain.
826 ## <param name="domain">
828 ## Domain allowed access.
831 # cjp: added for gentoo integrated run_init
832 interface(`init_script_file_entry_type',`
837 domain_entry_file($1, initrc_exec_t)
840 ########################################
842 ## Execute init scripts with a specified domain transition.
844 ## <param name="domain">
846 ## Domain allowed to transition.
850 interface(`init_spec_domtrans_script',`
853 attribute init_script_file_type;
857 spec_domtrans_pattern($1, init_script_file_type, initrc_t)
860 range_transition $1 init_script_file_type:process s0;
864 range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
868 ########################################
870 ## Execute init scripts with an automatic domain transition.
872 ## <param name="domain">
874 ## Domain allowed to transition.
878 interface(`init_domtrans_script',`
881 attribute init_script_file_type;
882 attribute initrc_transition_domain;
884 typeattribute $1 initrc_transition_domain;
887 domtrans_pattern($1, init_script_file_type, initrc_t)
890 range_transition $1 init_script_file_type:process s0;
894 range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
898 ########################################
900 ## Execute a file in a bin directory
901 ## in the initrc_t domain
903 ## <param name="domain">
905 ## Domain allowed access.
909 interface(`init_bin_domtrans_spec',`
914 corecmd_bin_domtrans($1, initrc_t)
917 ########################################
919 ## Execute a init script in a specified domain.
923 ## Execute a init script in a specified domain.
926 ## No interprocess communication (signals, pipes,
927 ## etc.) is provided by this interface since
928 ## the domains are not owned by this module.
931 ## <param name="source_domain">
933 ## Domain allowed to transition.
936 ## <param name="target_domain">
938 ## Domain to transition to.
941 # cjp: added for gentoo integrated run_init
942 interface(`init_script_file_domtrans',`
948 domain_auto_trans($1, initrc_exec_t, $2)
951 ########################################
953 ## Transition to the init script domain
954 ## on a specified labeled init script.
956 ## <param name="domain">
958 ## Domain allowed to transition.
961 ## <param name="init_script_file">
963 ## Labeled init script file.
967 interface(`init_labeled_script_domtrans',`
970 attribute initrc_transition_domain;
973 typeattribute $1 initrc_transition_domain;
974 # service script searches all filesystems via mountpoint
976 domtrans_pattern($1, $2, initrc_t)
977 allow $1 $2:file ioctl;
981 #########################################
983 ## Transition to the init script domain
984 ## for all labeled init script types
986 ## <param name="domain">
988 ## Domain allowed to transition.
992 interface(`init_all_labeled_script_domtrans',`
994 attribute init_script_file_type;
997 init_labeled_script_domtrans($1, init_script_file_type)
1000 ########################################
1002 ## Start and stop daemon programs directly.
1006 ## Start and stop daemon programs directly
1007 ## in the traditional "/etc/init.d/daemon start"
1008 ## style, and do not require run_init.
1011 ## <param name="domain">
1013 ## Domain allowed access.
1016 ## <param name="role">
1018 ## The role to be performing this action.
1022 interface(`init_run_daemon',`
1024 attribute direct_run_init, direct_init, direct_init_entry;
1028 typeattribute $1 direct_run_init;
1029 role_transition $2 direct_init_entry system_r;
1032 ########################################
1034 ## Read the process state (/proc/pid) of init.
1036 ## <param name="domain">
1038 ## Domain allowed access.
1042 interface(`init_read_state',`
1047 allow $1 init_t:dir search_dir_perms;
1048 allow $1 init_t:file read_file_perms;
1049 allow $1 init_t:lnk_file read_lnk_file_perms;
1052 ########################################
1056 ## <param name="domain">
1058 ## Domain allowed access.
1063 interface(`init_ptrace',`
1068 allow $1 init_t:process ptrace;
1071 ########################################
1073 ## Write an init script unnamed pipe.
1075 ## <param name="domain">
1077 ## Domain allowed access.
1081 interface(`init_write_script_pipes',`
1086 allow $1 initrc_t:fifo_file write;
1089 ########################################
1091 ## Get the attribute of init script entrypoint files.
1093 ## <param name="domain">
1095 ## Domain allowed access.
1099 interface(`init_getattr_script_files',`
1105 allow $1 initrc_exec_t:file getattr;
1108 ########################################
1110 ## Read init scripts.
1112 ## <param name="domain">
1114 ## Domain allowed access.
1118 interface(`init_read_script_files',`
1123 files_search_etc($1)
1124 allow $1 initrc_exec_t:file read_file_perms;
1127 ########################################
1129 ## Execute init scripts in the caller domain.
1131 ## <param name="domain">
1133 ## Domain allowed access.
1137 interface(`init_exec_script_files',`
1143 can_exec($1, initrc_exec_t)
1146 ########################################
1148 ## Get the attribute of all init script entrypoint files.
1150 ## <param name="domain">
1152 ## Domain allowed access.
1156 interface(`init_getattr_all_script_files',`
1158 attribute init_script_file_type;
1162 allow $1 init_script_file_type:file getattr;
1165 ########################################
1167 ## Read all init script files.
1169 ## <param name="domain">
1171 ## Domain allowed access.
1175 interface(`init_read_all_script_files',`
1177 attribute init_script_file_type;
1180 files_search_etc($1)
1181 allow $1 init_script_file_type:file read_file_perms;
1184 #######################################
1186 ## Dontaudit getattr all init script files.
1188 ## <param name="domain">
1190 ## Domain to not audit.
1194 interface(`init_dontaudit_getattr_all_script_files',`
1196 attribute init_script_file_type;
1199 dontaudit $1 init_script_file_type:file getattr;
1202 #######################################
1204 ## Dontaudit read all init script files.
1206 ## <param name="domain">
1208 ## Domain to not audit.
1212 interface(`init_dontaudit_read_all_script_files',`
1214 attribute init_script_file_type;
1217 dontaudit $1 init_script_file_type:file read_file_perms;
1220 ########################################
1222 ## Execute all init scripts in the caller domain.
1224 ## <param name="domain">
1226 ## Domain allowed access.
1230 interface(`init_exec_all_script_files',`
1232 attribute init_script_file_type;
1236 can_exec($1, init_script_file_type)
1239 ########################################
1241 ## Read the process state (/proc/pid) of the init scripts.
1243 ## <param name="domain">
1245 ## Domain allowed access.
1249 interface(`init_read_script_state',`
1254 kernel_search_proc($1)
1255 ps_process_pattern($1, initrc_t)
1258 ########################################
1260 ## Inherit and use init script file descriptors.
1262 ## <param name="domain">
1264 ## Domain allowed access.
1268 interface(`init_use_script_fds',`
1273 allow $1 initrc_t:fd use;
1276 ########################################
1278 ## Do not audit attempts to inherit
1279 ## init script file descriptors.
1281 ## <param name="domain">
1283 ## Domain to not audit.
1287 interface(`init_dontaudit_use_script_fds',`
1292 dontaudit $1 initrc_t:fd use;
1295 ########################################
1297 ## Search init script keys.
1299 ## <param name="domain">
1301 ## Domain allowed access.
1305 interface(`init_search_script_keys',`
1310 allow $1 initrc_t:key search;
1313 ########################################
1315 ## Get the process group ID of init scripts.
1317 ## <param name="domain">
1319 ## Domain allowed access.
1323 interface(`init_getpgid_script',`
1328 allow $1 initrc_t:process getpgid;
1331 ########################################
1333 ## Send SIGCHLD signals to init scripts.
1335 ## <param name="domain">
1337 ## Domain allowed access.
1341 interface(`init_sigchld_script',`
1346 allow $1 initrc_t:process sigchld;
1349 ########################################
1351 ## Send generic signals to init scripts.
1353 ## <param name="domain">
1355 ## Domain allowed access.
1359 interface(`init_signal_script',`
1364 allow $1 initrc_t:process signal;
1367 ########################################
1369 ## Send null signals to init scripts.
1371 ## <param name="domain">
1373 ## Domain allowed access.
1377 interface(`init_signull_script',`
1382 allow $1 initrc_t:process signull;
1385 ########################################
1387 ## Read and write init script unnamed pipes.
1389 ## <param name="domain">
1391 ## Domain allowed access.
1395 interface(`init_rw_script_pipes',`
1400 allow $1 initrc_t:fifo_file { read write };
1403 ########################################
1405 ## Send UDP network traffic to init scripts. (Deprecated)
1407 ## <param name="domain">
1409 ## Domain allowed access.
1413 interface(`init_udp_send_script',`
1414 refpolicywarn(`$0($*) has been deprecated.')
1417 ########################################
1419 ## Allow the specified domain to connect to
1420 ## init scripts with a unix socket.
1422 ## <param name="domain">
1424 ## Domain allowed access.
1428 interface(`init_stream_connect_script',`
1433 allow $1 initrc_t:unix_stream_socket connectto;
1436 ########################################
1438 ## Allow the specified domain to read/write to
1439 ## init scripts with a unix domain stream sockets.
1441 ## <param name="domain">
1443 ## Domain allowed access.
1447 interface(`init_rw_script_stream_sockets',`
1452 allow $1 initrc_t:unix_stream_socket rw_socket_perms;
1455 ########################################
1457 ## Dont audit the specified domain connecting to
1458 ## init scripts with a unix domain stream socket.
1460 ## <param name="domain">
1462 ## Domain to not audit.
1466 interface(`init_dontaudit_stream_connect_script',`
1471 dontaudit $1 initrc_t:unix_stream_socket connectto;
1473 ########################################
1475 ## Send messages to init scripts over dbus.
1477 ## <param name="domain">
1479 ## Domain allowed access.
1483 interface(`init_dbus_send_script',`
1486 class dbus send_msg;
1489 allow $1 initrc_t:dbus send_msg;
1492 ########################################
1494 ## Send and receive messages from
1497 ## <param name="domain">
1499 ## Domain allowed access.
1503 interface(`init_dbus_chat',`
1506 class dbus send_msg;
1509 allow $1 init_t:dbus send_msg;
1510 allow init_t $1:dbus send_msg;
1513 ########################################
1515 ## Send and receive messages from
1516 ## init scripts over dbus.
1518 ## <param name="domain">
1520 ## Domain allowed access.
1524 interface(`init_dbus_chat_script',`
1527 class dbus send_msg;
1530 allow $1 initrc_t:dbus send_msg;
1531 allow initrc_t $1:dbus send_msg;
1534 ########################################
1536 ## Read and write the init script pty.
1540 ## Read and write the init script pty. This
1541 ## pty is generally opened by the open_init_pty
1542 ## portion of the run_init program so that the
1543 ## daemon does not require direct access to
1544 ## the administrator terminal.
1547 ## <param name="domain">
1549 ## Domain allowed access.
1553 interface(`init_use_script_ptys',`
1555 type initrc_devpts_t;
1559 allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
1562 ########################################
1564 ## Do not audit attempts to read and
1565 ## write the init script pty.
1567 ## <param name="domain">
1569 ## Domain to not audit.
1573 interface(`init_dontaudit_use_script_ptys',`
1575 type initrc_devpts_t;
1578 dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
1581 ########################################
1583 ## Get the attributes of init script
1586 ## <param name="domain">
1588 ## Domain allowed access.
1592 interface(`init_getattr_script_status_files',`
1594 type initrc_state_t;
1597 getattr_files_pattern($1, initrc_state_t, initrc_state_t)
1600 ########################################
1602 ## Manage init script
1605 ## <param name="domain">
1607 ## Domain allowed access.
1611 interface(`init_manage_script_status_files',`
1613 type initrc_state_t;
1616 manage_files_pattern($1, initrc_state_t, initrc_state_t)
1619 ########################################
1621 ## Do not audit attempts to read init script
1624 ## <param name="domain">
1626 ## Domain to not audit.
1630 interface(`init_dontaudit_read_script_status_files',`
1632 type initrc_state_t;
1635 dontaudit $1 initrc_state_t:dir search_dir_perms;
1636 dontaudit $1 initrc_state_t:file read_file_perms;
1639 ########################################
1641 ## Read init script temporary data.
1643 ## <param name="domain">
1645 ## Domain allowed access.
1649 interface(`init_read_script_tmp_files',`
1654 files_search_tmp($1)
1655 read_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
1658 ########################################
1660 ## Read and write init script temporary data.
1662 ## <param name="domain">
1664 ## Domain allowed access.
1668 interface(`init_rw_script_tmp_files',`
1673 files_search_tmp($1)
1674 rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
1677 ########################################
1679 ## Read and write init script inherited temporary data.
1681 ## <param name="domain">
1683 ## Domain allowed access.
1687 interface(`init_rw_inherited_script_tmp_files',`
1692 allow $1 initrc_tmp_t:file rw_inherited_file_perms;
1695 ########################################
1697 ## Create files in a init script
1698 ## temporary data directory.
1700 ## <param name="domain">
1702 ## Domain allowed access.
1705 ## <param name="file_type">
1707 ## The type of the object to be created
1710 ## <param name="object_class">
1712 ## The object class.
1716 interface(`init_script_tmp_filetrans',`
1721 files_search_tmp($1)
1722 filetrans_pattern($1, initrc_tmp_t, $2, $3)
1725 ########################################
1727 ## Get the attributes of init script process id files.
1729 ## <param name="domain">
1731 ## Domain allowed access.
1735 interface(`init_getattr_utmp',`
1737 type initrc_var_run_t;
1740 allow $1 initrc_var_run_t:file getattr;
1743 ########################################
1747 ## <param name="domain">
1749 ## Domain allowed access.
1753 interface(`init_read_utmp',`
1755 type initrc_var_run_t;
1759 allow $1 initrc_var_run_t:file read_file_perms;
1762 ########################################
1764 ## Do not audit attempts to write utmp.
1766 ## <param name="domain">
1768 ## Domain to not audit.
1772 interface(`init_dontaudit_write_utmp',`
1774 type initrc_var_run_t;
1777 dontaudit $1 initrc_var_run_t:file { write lock };
1780 ########################################
1784 ## <param name="domain">
1786 ## Domain allowed access.
1790 interface(`init_write_utmp',`
1792 type initrc_var_run_t;
1796 allow $1 initrc_var_run_t:file { getattr open write };
1799 ########################################
1801 ## Do not audit attempts to lock
1802 ## init script pid files.
1804 ## <param name="domain">
1806 ## Domain to not audit.
1810 interface(`init_dontaudit_lock_utmp',`
1812 type initrc_var_run_t;
1815 dontaudit $1 initrc_var_run_t:file lock;
1818 ########################################
1820 ## Read and write utmp.
1822 ## <param name="domain">
1824 ## Domain allowed access.
1828 interface(`init_rw_utmp',`
1830 type initrc_var_run_t;
1834 allow $1 initrc_var_run_t:file rw_file_perms;
1837 ########################################
1839 ## Do not audit attempts to read and write utmp.
1841 ## <param name="domain">
1843 ## Domain to not audit.
1847 interface(`init_dontaudit_rw_utmp',`
1849 type initrc_var_run_t;
1852 dontaudit $1 initrc_var_run_t:file rw_file_perms;
1855 ########################################
1857 ## Create, read, write, and delete utmp.
1859 ## <param name="domain">
1861 ## Domain allowed access.
1865 interface(`init_manage_utmp',`
1867 type initrc_var_run_t;
1870 files_search_pids($1)
1871 allow $1 initrc_var_run_t:file manage_file_perms;
1874 ########################################
1876 ## Create files in /var/run with the
1879 ## <param name="domain">
1881 ## Domain allowed access.
1885 interface(`init_pid_filetrans_utmp',`
1887 type initrc_var_run_t;
1890 files_pid_filetrans($1, initrc_var_run_t, file)
1893 ######################################
1895 ## Allow search directory in the /run/systemd directory.
1897 ## <param name="domain">
1899 ## Domain allowed access.
1903 interface(`init_search_pid_dirs',`
1905 type init_var_run_t;
1908 allow $1 init_var_run_t:dir search_dir_perms;
1911 ######################################
1913 ## Allow listing of the /run/systemd directory.
1915 ## <param name="domain">
1917 ## Domain allowed access.
1921 interface(`init_list_pid_dirs',`
1923 type init_var_run_t;
1926 allow $1 init_var_run_t:dir list_dir_perms;
1929 #######################################
1931 ## Create a directory in the /run/systemd directory.
1933 ## <param name="domain">
1935 ## Domain allowed access.
1939 interface(`init_create_pid_dirs',`
1941 type init_var_run_t;
1944 allow $1 init_var_run_t:dir list_dir_perms;
1945 create_dirs_pattern($1, init_var_run_t, init_var_run_t)
1948 #######################################
1950 ## Create objects in /run/systemd directory
1951 ## with an automatic type transition to
1952 ## a specified private type.
1954 ## <param name="domain">
1956 ## Domain allowed access.
1959 ## <param name="private_type">
1961 ## The type of the object to create.
1964 ## <param name="object_class">
1966 ## The class of the object to be created.
1970 interface(`init_pid_filetrans',`
1972 type init_var_run_t;
1975 files_search_pids($1)
1976 filetrans_pattern($1, init_var_run_t, $2, $3)
1979 #######################################
1981 ## Create objects in /run/systemd directory
1982 ## with an automatic type transition to
1983 ## a specified private type.
1985 ## <param name="domain">
1987 ## Domain allowed access.
1990 ## <param name="private_type">
1992 ## The type of the object to create.
1995 ## <param name="object_class">
1997 ## The class of the object to be created.
2000 ## <param name="object_name">
2002 ## The name of the object to be created.
2006 interface(`init_named_pid_filetrans',`
2008 type init_var_run_t;
2011 files_search_pids($1)
2012 filetrans_pattern($1, init_var_run_t, $2, $3, $4)
2015 ########################################
2017 ## Allow the specified domain to connect to daemon with a tcp socket
2019 ## <param name="domain">
2021 ## Domain allowed access.
2025 interface(`init_tcp_recvfrom_all_daemons',`
2030 corenet_tcp_recvfrom_labeled($1, daemon)
2033 ########################################
2035 ## Allow the specified domain to connect to daemon with a udp socket
2037 ## <param name="domain">
2039 ## Domain allowed access.
2043 interface(`init_udp_recvfrom_all_daemons',`
2047 corenet_udp_recvfrom_labeled($1, daemon)
2050 ########################################
2052 ## Transition to system_r when execute an init script
2056 ## Execute a init script in a specified role
2059 ## No interprocess communication (signals, pipes,
2060 ## etc.) is provided by this interface since
2061 ## the domains are not owned by this module.
2064 ## <param name="source_role">
2066 ## Role to transition from.
2070 interface(`init_script_role_transition',`
2072 attribute init_script_file_type;
2075 role_transition $1 init_script_file_type system_r;
2078 ########################################
2080 ## dontaudit read and write an leaked init scrip file descriptors
2082 ## <param name="domain">
2084 ## Domain to not audit.
2088 interface(`init_dontaudit_script_leaks',`
2093 dontaudit $1 initrc_t:tcp_socket { read write };
2094 dontaudit $1 initrc_t:udp_socket { read write };
2095 dontaudit $1 initrc_t:unix_dgram_socket { read write };
2096 dontaudit $1 initrc_t:unix_stream_socket { read write };
2097 dontaudit $1 initrc_t:shm rw_shm_perms;
2098 init_dontaudit_use_script_ptys($1)
2099 init_dontaudit_use_script_fds($1)
2102 ########################################
2104 ## Allow the specified domain to read/write to
2105 ## init with a unix domain stream sockets.
2107 ## <param name="domain">
2109 ## Domain allowed access.
2113 interface(`init_rw_stream_sockets',`
2118 allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
2121 #######################################
2123 ## Allow the specified domain to write to
2126 ## <param name="domain">
2128 ## Domain allowed access.
2132 interface(`init_write_pid_socket',`
2134 type init_var_run_t;
2137 allow $1 init_var_run_t:sock_file write;
2140 ########################################
2142 ## Send a message to init over a unix domain
2145 ## <param name="domain">
2147 ## Domain allowed access.
2151 interface(`init_dgram_send',`
2156 allow $1 init_t:unix_dgram_socket sendto;
2159 ########################################
2161 ## Create a file type used for init socket files.
2165 ## This defines a type that init can create sock_file within for
2166 ## impersonation purposes
2169 ## <param name="script_file">
2171 ## Type to be used for a sock file.
2174 ## <infoflow type="none"/>
2176 interface(`init_sock_file',`
2178 attribute init_sock_file_type;
2181 typeattribute $1 init_sock_file_type;
2185 ########################################
2187 ## Read init unnamed pipes.
2189 ## <param name="domain">
2191 ## Domain allowed access.
2195 interface(`init_read_pipes',`
2197 type init_var_run_t;
2200 read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)