policy_module(init,1.0)

########################################
#
# Declarations
#

#
# init_t is the domain of the init process.
#
type init_t;
domain_type(init_t)
role system_r types init_t;

#
# init_exec_t is the type of the init program.
# It is the entry point for init_t, and the file the kernel
# executes to enter userland (kernel_userland_entry).
#
type init_exec_t;
kernel_userland_entry(init_t,init_exec_t)
domain_entry_file(init_t,init_exec_t)

#
# init_var_run_t is the type for /var/run/shutdown.pid.
#
type init_var_run_t;
files_pid_file(init_var_run_t)

#
# initctl_t is the type of the named pipe created
# by init during initialization. This pipe is used
# to communicate with init.
#
type initctl_t;
files_file_type(initctl_t)

#
# initrc_t is the domain of the init scripts; init enters it
# through initrc_exec_t (see the domain_auto_trans rule below).
#
type initrc_t;
domain_type(initrc_t)
role system_r types initrc_t;

#
# initrc_exec_t is the entry point type for initrc_t.
#
type initrc_exec_t;
domain_entry_file(initrc_t,initrc_exec_t)

#
# initrc_devpts_t is a pty type (term_pty); presumably the
# ptys allocated by init scripts.
#
type initrc_devpts_t;
fs_associate(initrc_devpts_t)
fs_associate_noxattr(initrc_devpts_t)
term_pty(initrc_devpts_t)

#
# initrc_var_run_t is the pid file type of the init scripts.
# The "Modify utmp" rule below treats utmp as this type as well.
#
type initrc_var_run_t;
files_pid_file(initrc_var_run_t)

#
# initrc_state_t is the type of state files kept by init scripts
# (their location is not fixed here; verify against the file contexts).
#
type initrc_state_t;
files_file_type(initrc_state_t)

#
# initrc_tmp_t is the temporary file type of the init scripts.
#
type initrc_tmp_t;
files_tmp_file(initrc_tmp_t)
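########################################
#
# Init local policy
#

# Capabilities. This rule grants every capability except sys_module.
# The set actually observed in use is much narrower:
# sys_boot
# sys_tty_config
# kill: now provided by domain_kill_all_domains()
# setuid (from /sbin/shutdown)
# sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot()
# so ~sys_module is a candidate for tightening to the observed set.
allow init_t self:capability ~sys_module;

allow init_t self:fifo_file rw_file_perms;

# Re-exec itself
allow init_t init_exec_t:file { getattr read ioctl execute execute_no_trans };

# For /var/run/shutdown.pid.
allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
files_create_pid(init_t,init_var_run_t)

# The initctl fifo (see initctl_t above), created by init as a device node.
allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
fs_associate_tmpfs(initctl_t)
dev_create_dev_node(init_t,initctl_t,fifo_file)

# Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr };

# Run init scripts.
domain_auto_trans(init_t,initrc_exec_t,initrc_t)

kernel_read_system_state(init_t)
kernel_share_state(init_t)

dev_read_sysfs(init_t)

selinux_set_boolean(init_t)

term_use_all_terms(init_t)

corecmd_chroot_exec_chroot(init_t)
corecmd_exec_bin(init_t)
corecmd_exec_sbin(init_t)

# Signal delivery to all domains.
domain_kill_all_domains(init_t)
domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)

files_read_generic_etc_files(init_t)
files_rw_generic_pids(init_t)
files_dontaudit_search_isid_type_dir(init_t)
files_manage_etc_runtime_files(init_t)
# Run /etc/X11/prefdm:
files_exec_generic_etc_files(init_t)
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_file(init_t)
files_dontaudit_rw_root_chr_dev(init_t)

libs_use_ld_so(init_t)
libs_use_shared_libs(init_t)
libs_rw_ld_so_cache(init_t)

logging_send_syslog_msg(init_t)
logging_rw_generic_logs(init_t)

seutil_read_config(init_t)

miscfiles_read_localization(init_t)

ifdef(`distro_redhat',`
fs_use_tmpfs_character_devices(init_t)
fs_create_tmpfs_data(init_t,initctl_t,fifo_file)
')

optional_policy(`authlogin.te',`
auth_rw_login_records(init_t)
')

# Run the shell in the sysadm_t domain for single-user mode.
optional_policy(`userdomain.te',`
userdom_shell_domtrans_sysadm(init_t)
')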
145
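########################################
#
# Init script local policy
#

allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
# Every capability except sys_admin and sys_module. Note that the
# distro_redhat block further down adds sys_admin back for initrc_t.
allow initrc_t self:capability ~{ sys_admin sys_module };
allow initrc_t self:passwd rootok;

# Allow IPC with self
allow initrc_t self:unix_dgram_socket create_socket_perms;
allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto };
allow initrc_t self:tcp_socket create_stream_socket_perms;
allow initrc_t self:udp_socket create_socket_perms;
allow initrc_t self:fifo_file rw_file_perms;
allow initrc_t self:netlink_route_socket r_netlink_socket_perms;

# Use file descriptors inherited from init.
allow initrc_t init_t:fd use;

# Run other init scripts in place (no domain transition).
allow initrc_t initrc_exec_t:file { getattr read ioctl execute execute_no_trans };

# State kept by init scripts.
allow initrc_t initrc_state_t:dir create_dir_perms;
allow initrc_t initrc_state_t:file create_file_perms;
allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rename };

# pid files
allow initrc_t initrc_var_run_t:file create_file_perms;
files_create_pid(initrc_t,initrc_var_run_t)

# temporary files
allow initrc_t initrc_tmp_t:file create_file_perms;
allow initrc_t initrc_tmp_t:dir create_dir_perms;
files_create_tmp_files(initrc_t,initrc_tmp_t, { file dir })

kernel_read_system_state(initrc_t)
kernel_read_software_raid_state(initrc_t)
kernel_read_network_state(initrc_t)
kernel_read_ring_buffer(initrc_t)
kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
dev_read_sysfs(initrc_t)
dev_rw_sysfs(initrc_t)
kernel_read_all_sysctl(initrc_t)
kernel_rw_all_sysctl(initrc_t)
selinux_get_enforce_mode(initrc_t)
dev_list_usbfs(initrc_t)
# for lsof which is used by alsa shutdown:
kernel_dontaudit_getattr_message_if(initrc_t)

bootloader_read_kernel_symbol_table(initrc_t)

corenet_tcp_sendrecv_all_if(initrc_t)
corenet_raw_sendrecv_all_if(initrc_t)
corenet_udp_sendrecv_all_if(initrc_t)
corenet_tcp_sendrecv_all_nodes(initrc_t)
corenet_raw_sendrecv_all_nodes(initrc_t)
corenet_udp_sendrecv_all_nodes(initrc_t)
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_bind_all_nodes(initrc_t)
corenet_udp_bind_all_nodes(initrc_t)

dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
dev_read_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_snd_mixer_dev(initrc_t)
dev_write_snd_mixer_dev(initrc_t)
dev_setattr_all_chr_files(initrc_t)
dev_read_lvm_control(initrc_t)
dev_delete_lvm_control(initrc_t)
# Wants to remove udev.tbl:
dev_del_generic_symlinks(initrc_t)

fs_register_binary_executable_type(initrc_t)
# cjp: not sure why these are here; should use mount policy
fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)

storage_getattr_fixed_disk(initrc_t)
storage_setattr_fixed_disk(initrc_t)
storage_setattr_removable_device(initrc_t)

term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)

auth_rw_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
auth_delete_pam_pid(initrc_t)
auth_list_pam_console_data(initrc_t)

corecmd_exec_bin(initrc_t)
corecmd_exec_sbin(initrc_t)
corecmd_exec_shell(initrc_t)
corecmd_exec_ls(initrc_t)

# Signal delivery to, and state inspection of, all domains.
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
domain_signull_all_domains(initrc_t)
domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getsession_all_domains(initrc_t)
domain_use_wide_inherit_fd(initrc_t)
# for lsof which is used by alsa shutdown:
domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_unix_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_unnamed_pipes(initrc_t)

files_getattr_all_files(initrc_t)
files_delete_all_tmp_files(initrc_t)
files_delete_all_lock_files(initrc_t)
files_read_all_pids(initrc_t)
files_delete_all_pids(initrc_t)
files_read_generic_etc_files(initrc_t)
files_manage_etc_runtime_files(initrc_t)
files_manage_generic_lock_files(initrc_t)
files_exec_generic_etc_files(initrc_t)
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_spools(initrc_t)

libs_rw_ld_so_cache(initrc_t)
libs_use_ld_so(initrc_t)
libs_use_shared_libs(initrc_t)
libs_exec_lib_files(initrc_t)

logging_send_syslog_msg(initrc_t)
logging_rw_generic_logs(initrc_t)
logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)

miscfiles_read_localization(initrc_t)

modutils_read_module_conf(initrc_t)

seutil_read_config(initrc_t)

sysnet_read_config(initrc_t)

udev_rw_db(initrc_t)

userdom_read_all_user_data(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
userdom_use_sysadm_terms(initrc_t)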
ifdef(`distro_debian', `
# Debian keeps initrc_var_run_t directories on tmpfs.
fs_create_tmpfs_data(initrc_t,initrc_var_run_t,dir)
')

ifdef(`distro_redhat',`
# this is from kmodule, which should get its own policy:
# (re-grants the sys_admin capability that the unconditional
# rule above deliberately excludes)
allow initrc_t self:capability sys_admin;

# Red Hat systems seem to have a stray
# fd open from the initrd
kernel_dontaudit_use_fd(initrc_t)
files_dontaudit_read_root_file(initrc_t)

# Lets init scripts switch between permissive and enforcing mode.
selinux_set_enforce_mode(initrc_t)

# Create and read /boot/kernel.h and /boot/System.map.
# Redhat systems typically create this file at boot time.
bootloader_create_runtime_file(initrc_t)
bootloader_rw_boot_symlinks(initrc_t)

# These seem to be from the initrd
# during device initialization:
dev_create_dir(initrc_t)
dev_rwx_zero_dev(initrc_t)
dev_rx_raw_memory(initrc_t)
dev_wx_raw_memory(initrc_t)
storage_raw_read_fixed_disk(initrc_t)
storage_raw_write_fixed_disk(initrc_t)

fs_use_tmpfs_character_devices(initrc_t)

files_create_boot_flag(initrc_t)

# readahead asks for these
mta_read_aliases(initrc_t)
')

optional_policy(`hotplug.te',`
dev_read_usbfs(initrc_t)

# init scripts run /etc/hotplug/usb.rc
hotplug_read_config(initrc_t)

modutils_read_kernel_module_dependencies(initrc_t)
')

optional_policy(`lvm.te',`
#allow initrc_t lvm_control_t:chr_file unlink;

dev_read_lvm_control(initrc_t)
dev_create_generic_chr_file(initrc_t)
')

optional_policy(`rhgb.te',`
corecmd_shell_entry_type(initrc_t)
')

optional_policy(`rpm.te',`
# bash tries to access a block device in the initrd
kernel_dontaudit_getattr_unlabeled_blk_dev(initrc_t)

# for a bug in rm
files_dontaudit_write_all_pids(initrc_t)

# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)

# why is this needed:
rpm_manage_db(initrc_t)
') dnl end rpm.te

# Reads of the ssh server keys by init scripts are silenced
# unless sshd is run from inetd: with inetd.te present the
# dontaudit applies only while run_ssh_inetd is off; without
# inetd.te it applies unconditionally.
optional_policy(`ssh.te',`
optional_policy(`inetd.te',`
tunable_policy(`run_ssh_inetd',`',`
ssh_dontaudit_read_server_keys(initrc_t)
')
',`
ssh_dontaudit_read_server_keys(initrc_t)
')
')
380
# Everything inside this ifdef is compiled out unless the m4
# symbol TODO is defined; these are legacy rules not yet converted
# to the interfaces used above.
ifdef(`TODO',`

# Mount and unmount file systems.
allow initrc_t { file_t default_t }:dir { read search getattr mounton };

# Set device ownerships/modes.
allow initrc_t xconsole_device_t:fifo_file setattr;

# for lsof in shutdown scripts
can_kerberos(initrc_t)
dontaudit initrc_t krb5_conf_t:file write;
allow initrc_t krb5_conf_t:file r_file_perms;

#
# These rules are here to allow init scripts to su
#
optional_policy(`su.te', `
su_restricted_domain(initrc,system)
role system_r types initrc_su_t;
')

ifdef(`distro_debian', `
allow initrc_t { etc_t device_t }:dir setattr;

# for storing state under /dev/shm
allow initrc_t tmpfs_t:dir setattr;
file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
')

ifdef(`distro_redhat', `
# readahead asks for these
allow initrc_t var_lib_nfs_t:file r_file_perms;
')

# targeted policy: unconfined_t runs init scripts in initrc_t
# and may transition back to unconfined_t through the shell.
ifdef(`targeted_policy', `
domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
domain_trans(initrc_t, shell_exec_t, unconfined_t)
')

#
# Shutting down xinet causes these
#
# Rsync
dontaudit initrc_t mail_spool_t:lnk_file read;
') dnl end TODO