2 policy_module(init,1.0)
4 ########################################
#
# Declarations
#
# Types and roles for the init process (init_t) and for the init
# scripts it runs (initrc_t), plus the file types each of them owns.
10 # init_t is the domain of the init process.
14 role system_r types init_t;
17 # init_exec_t is the type of the init program.
# init_t is both a userland entry point from the kernel and the
# domain entered when init_exec_t is executed.
20 kernel_userland_entry(init_t,init_exec_t)
21 domain_entry_file(init_t,init_exec_t)
24 # init_var_run_t is the type for /var/run/shutdown.pid.
27 files_pid_file(init_var_run_t)
30 # initctl_t is the type of the named pipe created
31 # by init during initialization. This pipe is used
32 # to communicate with init.
35 files_file_type(initctl_t)
# initrc_t is the domain of the init scripts; initrc_exec_t is the
# file type that enters it.
39 role system_r types initrc_t;
42 domain_entry_file(initrc_t,initrc_exec_t)
# initrc_devpts_t is registered as a pty type (term_pty) and may be
# associated with filesystems with or without xattr support.
45 fs_associate(initrc_devpts_t)
46 fs_associate_noxattr(initrc_devpts_t)
47 term_pty(initrc_devpts_t)
# initrc_var_run_t: pid files written by init scripts.
49 type initrc_var_run_t;
50 files_pid_file(initrc_var_run_t)
# initrc_state_t is a plain file type (presumably state kept across
# script runs -- name only); initrc_tmp_t is the tmp file type.
53 files_file_type(initrc_state_t)
56 files_tmp_file(initrc_tmp_t)
58 ########################################
#
# Init local policy
#
# Rules for the init_t domain itself.
63 # Use capabilities. old rule:
64 allow init_t self:capability ~sys_module;
65 # is ~sys_module really needed? observed:
# NOTE(review): the rule above still grants every capability except
# sys_module, while the three observed uses listed below are already
# covered by the named interface calls; it could likely be narrowed to
# the observed set -- confirm against audit data before tightening.
68 # kill: now provided by domain_kill_all_domains()
69 # setuid (from /sbin/shutdown)
70 # sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot()
72 allow init_t self:fifo_file rw_file_perms;
# Read and execute its own program file without a domain transition
# (execute_no_trans).
75 allow init_t init_exec_t:file { getattr read ioctl execute execute_no_trans };
77 # For /var/run/shutdown.pid.
78 allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
79 files_create_pid(init_t,init_var_run_t)
# The initctl named pipe: managed by init, created as a device node,
# and allowed to live on tmpfs.
81 allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
82 fs_associate_tmpfs(initctl_t)
83 dev_create_dev_node(init_t,initctl_t,fifo_file)
86 allow init_t initrc_var_run_t:file { rw_file_perms setattr };
# Executing an initrc_exec_t file from init_t transitions automatically
# into initrc_t.
89 domain_auto_trans(init_t,initrc_exec_t,initrc_t)
91 kernel_read_system_state(init_t)
92 kernel_share_state(init_t)
94 dev_read_sysfs(init_t)
96 selinux_set_boolean(init_t)
98 term_use_all_terms(init_t)
100 corecmd_chroot_exec_chroot(init_t)
101 corecmd_exec_bin(init_t)
102 corecmd_exec_sbin(init_t)
# Signal delivery to every domain; needed for shutdown.
104 domain_kill_all_domains(init_t)
105 domain_signal_all_domains(init_t)
106 domain_signull_all_domains(init_t)
107 domain_sigstop_all_domains(init_t)
# Duplicate of the previous line; redundant and can be dropped.
108 domain_sigstop_all_domains(init_t)
109 domain_sigchld_all_domains(init_t)
111 files_read_generic_etc_files(init_t)
112 files_rw_generic_pids(init_t)
113 files_dontaudit_search_isid_type_dir(init_t)
114 files_manage_etc_runtime_files(init_t)
115 # Run /etc/X11/prefdm:
116 files_exec_generic_etc_files(init_t)
117 # file descriptors inherited from the rootfs:
118 files_dontaudit_rw_root_file(init_t)
119 files_dontaudit_rw_root_chr_dev(init_t)
121 libs_use_ld_so(init_t)
122 libs_use_shared_libs(init_t)
123 libs_rw_ld_so_cache(init_t)
125 logging_send_syslog_msg(init_t)
126 logging_rw_generic_logs(init_t)
128 seutil_read_config(init_t)
130 miscfiles_read_localization(init_t)
# Red Hat keeps /dev on tmpfs, so the initctl fifo is created there.
132 ifdef(`distro_redhat',`
133 fs_use_tmpfs_character_devices(init_t)
134 fs_create_tmpfs_data(init_t,initctl_t,fifo_file)
137 optional_policy(`authlogin.te',`
138 auth_rw_login_records(init_t)
141 # Run the shell in the sysadm_t domain for single-user mode.
142 optional_policy(`userdomain.te',`
143 userdom_shell_domtrans_sysadm(init_t)
146 ########################################
148 # Init script local policy
#
# Everything started by an init script without a transition of its
# own runs in initrc_t, so these grants apply to all of it (see the
# sysadm TTY note at the end of this section).
151 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
# NOTE(review): every capability except sys_admin and sys_module. The
# distro_redhat block below adds sys_admin back, so on Red Hat only
# sys_module is withheld from init scripts.
152 allow initrc_t self:capability ~{ sys_admin sys_module };
153 allow initrc_t self:passwd rootok;
155 # Allow IPC with self
156 allow initrc_t self:unix_dgram_socket create_socket_perms;
# Spelled out rather than using create_stream_socket_perms as the
# tcp_socket rule does -- presumably because connectto is needed; confirm
# against the permission macro definitions.
157 allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto };
158 allow initrc_t self:tcp_socket create_stream_socket_perms;
159 allow initrc_t self:udp_socket create_socket_perms;
160 allow initrc_t self:fifo_file rw_file_perms;
161 allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
# Use file descriptors inherited from init.
163 allow initrc_t init_t:fd use;
165 allow initrc_t initrc_exec_t:file { getattr read ioctl execute execute_no_trans };
167 allow initrc_t initrc_state_t:dir create_dir_perms;
168 allow initrc_t initrc_state_t:file create_file_perms;
169 allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rename };
171 allow initrc_t initrc_var_run_t:file create_file_perms;
172 files_create_pid(initrc_t,initrc_var_run_t)
174 allow initrc_t initrc_tmp_t:file create_file_perms;
175 allow initrc_t initrc_tmp_t:dir create_dir_perms;
176 files_create_tmp_files(initrc_t,initrc_tmp_t, { file dir })
178 kernel_read_system_state(initrc_t)
179 kernel_read_software_raid_state(initrc_t)
180 kernel_read_network_state(initrc_t)
181 kernel_read_ring_buffer(initrc_t)
182 kernel_change_ring_buffer_level(initrc_t)
183 kernel_clear_ring_buffer(initrc_t)
184 kernel_get_sysvipc_info(initrc_t)
185 dev_read_sysfs(initrc_t)
186 dev_rw_sysfs(initrc_t)
# Read and write access to every sysctl, not just the networking ones.
187 kernel_read_all_sysctl(initrc_t)
188 kernel_rw_all_sysctl(initrc_t)
189 selinux_get_enforce_mode(initrc_t)
190 dev_list_usbfs(initrc_t)
191 # for lsof which is used by alsa shutdown:
192 kernel_dontaudit_getattr_message_if(initrc_t)
194 bootloader_read_kernel_symbol_table(initrc_t)
# By their names these grant traffic on all interfaces, nodes and ports
# plus binding to all nodes, i.e. unrestricted networking for init
# scripts -- confirm against the corenetwork interface definitions.
196 corenet_tcp_sendrecv_all_if(initrc_t)
197 corenet_raw_sendrecv_all_if(initrc_t)
198 corenet_udp_sendrecv_all_if(initrc_t)
199 corenet_tcp_sendrecv_all_nodes(initrc_t)
200 corenet_raw_sendrecv_all_nodes(initrc_t)
201 corenet_udp_sendrecv_all_nodes(initrc_t)
202 corenet_tcp_sendrecv_all_ports(initrc_t)
203 corenet_udp_sendrecv_all_ports(initrc_t)
204 corenet_tcp_bind_all_nodes(initrc_t)
205 corenet_udp_bind_all_nodes(initrc_t)
207 dev_read_rand(initrc_t)
208 dev_read_urand(initrc_t)
209 dev_write_rand(initrc_t)
210 dev_write_urand(initrc_t)
211 dev_read_framebuffer(initrc_t)
212 dev_read_realtime_clock(initrc_t)
213 dev_read_snd_mixer_dev(initrc_t)
214 dev_write_snd_mixer_dev(initrc_t)
215 dev_setattr_all_chr_files(initrc_t)
216 dev_read_lvm_control(initrc_t)
217 dev_delete_lvm_control(initrc_t)
218 # Wants to remove udev.tbl:
219 dev_del_generic_symlinks(initrc_t)
221 fs_register_binary_executable_type(initrc_t)
222 # cjp: not sure why these are here; should use mount policy
223 fs_mount_all_fs(initrc_t)
224 fs_unmount_all_fs(initrc_t)
225 fs_remount_all_fs(initrc_t)
226 fs_getattr_all_fs(initrc_t)
228 storage_getattr_fixed_disk(initrc_t)
229 storage_setattr_fixed_disk(initrc_t)
230 storage_setattr_removable_device(initrc_t)
232 term_use_all_terms(initrc_t)
233 term_reset_tty_labels(initrc_t)
235 auth_rw_login_records(initrc_t)
236 auth_rw_lastlog(initrc_t)
237 auth_read_pam_pid(initrc_t)
238 auth_delete_pam_pid(initrc_t)
239 auth_list_pam_console_data(initrc_t)
241 corecmd_exec_bin(initrc_t)
242 corecmd_exec_sbin(initrc_t)
243 corecmd_exec_shell(initrc_t)
244 corecmd_exec_ls(initrc_t)
246 domain_kill_all_domains(initrc_t)
247 domain_signal_all_domains(initrc_t)
248 domain_signull_all_domains(initrc_t)
249 domain_sigstop_all_domains(initrc_t)
# Duplicate of the previous line; redundant and can be dropped.
250 domain_sigstop_all_domains(initrc_t)
251 domain_sigchld_all_domains(initrc_t)
252 domain_read_all_domains_state(initrc_t)
253 domain_getsession_all_domains(initrc_t)
254 domain_use_wide_inherit_fd(initrc_t)
255 # for lsof which is used by alsa shutdown:
256 domain_dontaudit_getattr_all_udp_sockets(initrc_t)
257 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
258 domain_dontaudit_getattr_all_unix_dgram_sockets(initrc_t)
259 domain_dontaudit_getattr_all_unnamed_pipes(initrc_t)
# Cleanup of tmp, lock and pid files belonging to any domain.
261 files_getattr_all_files(initrc_t)
262 files_delete_all_tmp_files(initrc_t)
263 files_delete_all_lock_files(initrc_t)
264 files_read_all_pids(initrc_t)
265 files_delete_all_pids(initrc_t)
266 files_read_generic_etc_files(initrc_t)
267 files_manage_etc_runtime_files(initrc_t)
268 files_manage_generic_lock_files(initrc_t)
269 files_exec_generic_etc_files(initrc_t)
270 files_read_usr_files(initrc_t)
271 files_manage_urandom_seed(initrc_t)
272 files_manage_spools(initrc_t)
274 libs_rw_ld_so_cache(initrc_t)
275 libs_use_ld_so(initrc_t)
276 libs_use_shared_libs(initrc_t)
277 libs_exec_lib_files(initrc_t)
279 logging_send_syslog_msg(initrc_t)
280 logging_rw_generic_logs(initrc_t)
281 logging_read_all_logs(initrc_t)
282 logging_append_all_logs(initrc_t)
284 miscfiles_read_localization(initrc_t)
286 modutils_read_module_conf(initrc_t)
288 seutil_read_config(initrc_t)
290 sysnet_read_config(initrc_t)
# Read access to the data of every user domain.
294 userdom_read_all_user_data(initrc_t)
295 # Allow access to the sysadm TTYs. Note that this will give access to the
296 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
297 # started from init should be placed in their own domain.
298 userdom_use_sysadm_terms(initrc_t)
# Distribution-specific and optional-module rules for initrc_t.
300 ifdef(`distro_debian', `
301 fs_create_tmpfs_data(initrc_t,initrc_var_run_t,dir)
304 ifdef(`distro_redhat',`
305 # this is from kmodule, which should get its own policy:
# NOTE(review): together with the ~{ sys_admin sys_module } rule in the
# common section this leaves only sys_module withheld from initrc_t on
# Red Hat; moving kmodule to its own domain would remove this grant.
306 allow initrc_t self:capability sys_admin;
308 # Red Hat systems seem to have a stray
309 # fd open from the initrd
310 kernel_dontaudit_use_fd(initrc_t)
311 files_dontaudit_read_root_file(initrc_t)
# Init scripts may switch enforcing mode (presumably for the early boot
# relabel path -- confirm).
313 selinux_set_enforce_mode(initrc_t)
315 # Create and read /boot/kernel.h and /boot/System.map.
316 # Redhat systems typically create this file at boot time.
317 bootloader_create_runtime_file(initrc_t)
318 bootloader_rw_boot_symlinks(initrc_t)
320 # These seem to be from the initrd
321 # during device initialization:
# NOTE(review): by their names these grant raw memory and raw fixed-disk
# access to everything running as initrc_t, not just the initrd
# helpers; a dedicated domain for that code would keep these out of
# ordinary init scripts -- confirm against the dev/storage interfaces.
322 dev_create_dir(initrc_t)
323 dev_rwx_zero_dev(initrc_t)
324 dev_rx_raw_memory(initrc_t)
325 dev_wx_raw_memory(initrc_t)
326 storage_raw_read_fixed_disk(initrc_t)
327 storage_raw_write_fixed_disk(initrc_t)
329 fs_use_tmpfs_character_devices(initrc_t)
331 files_create_boot_flag(initrc_t)
333 # readahead asks for these
334 mta_read_aliases(initrc_t)
337 optional_policy(`hotplug.te',`
338 dev_read_usbfs(initrc_t)
340 # init scripts run /etc/hotplug/usb.rc
341 hotplug_read_config(initrc_t)
343 modutils_read_kernel_module_dependencies(initrc_t)
346 optional_policy(`lvm.te',`
347 #allow initrc_t lvm_control_t:chr_file unlink;
349 dev_read_lvm_control(initrc_t)
350 dev_create_generic_chr_file(initrc_t)
353 optional_policy(`rhgb.te',`
354 corecmd_shell_entry_type(initrc_t)
357 optional_policy(`rpm.te',`
358 # bash tries to access a block device in the initrd
359 kernel_dontaudit_getattr_unlabeled_blk_dev(initrc_t)
362 files_dontaudit_write_all_pids(initrc_t)
364 # bash tries ioctl for some reason
365 files_dontaudit_ioctl_all_pids(initrc_t)
367 # why is this needed:
# Write access to the rpm database from init scripts; the question above
# is still open and worth answering before keeping this.
368 rpm_manage_db(initrc_t)
# Suppress denials for reading ssh server keys unless sshd is run from
# inetd (the tunable has an empty true branch).
371 optional_policy(`ssh.te',`
372 optional_policy(`inetd.te',`
373 tunable_policy(`run_ssh_inetd',`',`
374 ssh_dontaudit_read_server_keys(initrc_t)
377 ssh_dontaudit_read_server_keys(initrc_t)
383 # Mount and unmount file systems.
# file_t covers unlabeled files, so this also allows mounting on
# directories that have no label yet.
384 allow initrc_t { file_t default_t }:dir { read search getattr mounton };
386 # Set device ownerships/modes.
387 allow initrc_t xconsole_device_t:fifo_file setattr;
389 # for lsof in shutdown scripts
390 can_kerberos(initrc_t)
391 dontaudit initrc_t krb5_conf_t:file write;
392 allow initrc_t krb5_conf_t:file r_file_perms;
395 # These rules are here to allow init scripts to su
# initrc_su_t is presumably declared by su_restricted_domain -- confirm
# against the su module.
397 optional_policy(`su.te', `
398 su_restricted_domain(initrc,system)
399 role system_r types initrc_su_t;
402 ifdef(`distro_debian', `
403 allow initrc_t { etc_t device_t }:dir setattr;
405 # for storing state under /dev/shm
# Block device nodes created by initrc_t in tmpfs_t directories are
# labeled fixed_disk_device_t (legacy file_type_auto_trans macro).
406 allow initrc_t tmpfs_t:dir setattr;
407 file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
410 ifdef(`distro_redhat', `
411 # readahead asks for these
412 allow initrc_t var_lib_nfs_t:file r_file_perms;
# Targeted policy: unconfined_t enters initrc_t via initrc_exec_t, the
# two exchange dbus messages, and initrc_t may transition back to
# unconfined_t when executing a shell. The last rule uses domain_trans,
# not domain_auto_trans, so the transition is presumably requested
# rather than automatic -- confirm against the macro definition.
415 ifdef(`targeted_policy', `
416 domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
417 allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
418 allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
419 domain_trans(initrc_t, shell_exec_t, unconfined_t)
423 # Shutting down xinet causes these
426 dontaudit initrc_t mail_spool_t:lnk_file read;