selinux-refpolicy/policy/modules/system/init.if

3290 lines
65 KiB
Plaintext
Raw Normal View History

2005-06-01 14:17:43 +00:00
## <summary>System initialization programs (init and init scripts).</summary>
2005-04-20 19:07:16 +00:00
########################################
## <summary>
## Create a file type used for init scripts.
## </summary>
## <desc>
## <p>
## Create a file type used for init scripts. It can not be
## used in conjunction with init_script_domain(). These
## script files are typically stored in the /etc/init.d directory.
## </p>
## <p>
## Typically this is used to constrain what services an
## admin can start/stop. For example, a policy writer may want
## to constrain a web administrator to only being able to
## restart the web server, not other services. This special type
## will help address that goal.
## </p>
## <p>
## This also makes the type usable for files; thus an
## explicit call to files_type() is redundant.
## </p>
## </desc>
## <param name="script_file">
## <summary>
## Type to be used for a script file.
## </summary>
## </param>
## <infoflow type="none"/>
#
interface(`init_script_file',`
gen_require(`
type initrc_t;
attribute init_script_file_type, init_run_all_scripts_domain;
')
typeattribute $1 init_script_file_type;
domain_entry_file(initrc_t, $1)
domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t)
')
########################################
## <summary>
## Make the specified type usable for
## systemd unit files.
## </summary>
## <param name="type">
## <summary>
## Type to be used for systemd unit files.
## </summary>
## </param>
#
interface(`init_unit_file',`
gen_require(`
attribute systemdunit;
')
files_type($1)
typeattribute $1 systemdunit;
')
########################################
## <summary>
## Create a domain used for init scripts.
## </summary>
## <desc>
## <p>
## Create a domain used for init scripts.
## Can not be used in conjunction with
## init_script_file().
## </p>
## </desc>
## <param name="domain">
## <summary>
## Type to be used as an init script domain.
## </summary>
## </param>
## <param name="script_file">
## <summary>
## Type of the script file used as an entry point to this domain.
## </summary>
## </param>
#
interface(`init_script_domain',`
gen_require(`
attribute init_script_domain_type, init_script_file_type;
attribute init_run_all_scripts_domain;
')
typeattribute $1 init_script_domain_type;
typeattribute $2 init_script_file_type;
domain_type($1)
domain_entry_file($1, $2)
role system_r types $1;
domtrans_pattern(init_run_all_scripts_domain, $2, $1)
ifdef(`init_systemd',`
allow $1 init_t:unix_stream_socket { getattr read write ioctl };
allow init_t $1:process2 { nnp_transition nosuid_transition };
')
')
########################################
2005-07-07 15:25:28 +00:00
## <summary>
## Create a domain which can be started by init.
## </summary>
## <param name="domain">
## <summary>
2005-07-07 15:25:28 +00:00
## Type to be used as a domain.
## </summary>
2005-07-07 15:25:28 +00:00
## </param>
## <param name="entry_point">
## <summary>
2005-07-07 15:25:28 +00:00
## Type of the program to be used as an entry point to this domain.
## </summary>
2005-07-07 15:25:28 +00:00
## </param>
#
interface(`init_domain',`
2005-06-17 17:59:26 +00:00
gen_require(`
type init_t;
role system_r;
')
2005-06-13 17:35:46 +00:00
domain_type($1)
2010-12-15 19:50:28 +00:00
domain_entry_file($1, $2)
role system_r types $1;
2010-12-15 19:50:28 +00:00
domtrans_pattern(init_t, $2, $1)
allow init_t $1:process rlimitinh;
ifdef(`init_systemd',`
allow $1 init_t:unix_stream_socket { getattr read write ioctl };
allow init_t $1:process2 { nnp_transition nosuid_transition };
')
')
########################################
## <summary>
## Create a domain which can be started by init,
## with a range transition.
## </summary>
## <param name="domain">
## <summary>
## Type to be used as a domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
## <param name="range">
## <summary>
## Range for the domain.
## </summary>
## </param>
#
interface(`init_ranged_domain',`
gen_require(`
type init_t;
')
init_domain($1, $2)
ifdef(`enable_mcs',`
range_transition init_t $2:process $3;
')
ifdef(`enable_mls',`
range_transition init_t $2:process $3;
mls_rangetrans_target($1)
')
')
########################################
## <summary>
## Setup a domain which can be manually transitioned to from init.
## </summary>
## <desc>
## <p>
## Create a domain used for systemd services where the SELinuxContext
## option is specified in the .service file. This allows for the
## manual transition from systemd into the new domain. This is used
## when automatic transitions won't work. Used for the case where the
## same binary is used for multiple target domains.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Type to be used as a domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program being executed when starting this domain.
## </summary>
## </param>
#
interface(`init_spec_daemon_domain',`
gen_require(`
type init_t;
role system_r;
attribute daemon;
')
typeattribute $1 daemon;
domain_type($1)
domain_entry_file($1, $2)
role system_r types $1;
spec_domtrans_pattern(init_t, $2, $1)
allow init_t $1:process rlimitinh;
ifdef(`init_systemd',`
allow $1 init_t:unix_stream_socket { getattr read write ioctl };
allow init_t $1:process2 { nnp_transition nosuid_transition };
')
# daemons started from init will
# inherit fds from init for the console
init_dontaudit_use_fds($1)
term_dontaudit_use_console($1)
# init script ptys are the stdin/out/err
# when using run_init
init_use_script_ptys($1)
ifdef(`direct_sysadm_daemon',`
userdom_dontaudit_use_user_terminals($1)
')
')
########################################
2005-07-07 15:25:28 +00:00
## <summary>
## Create a domain for long running processes
## (daemons/services) which are started by init scripts.
2005-07-07 15:25:28 +00:00
## </summary>
## <desc>
## <p>
## Create a domain for long running processes (daemons/services)
## which are started by init scripts. Short running processes
## should use the init_system_domain() interface instead.
## Typically all long running processes started by an init
## script (usually in /etc/init.d) will need to use this
## interface.
## </p>
## <p>
## The types will be made usable as a domain and file, making
## calls to domain_type() and files_type() redundant.
## </p>
## <p>
## If the process must also run in a specific MLS/MCS level,
## the init_ranged_daemon_domain() should be used instead.
## </p>
## </desc>
2005-07-07 15:25:28 +00:00
## <param name="domain">
## <summary>
## Type to be used as a daemon domain.
## </summary>
2005-07-07 15:25:28 +00:00
## </param>
## <param name="entry_point">
## <summary>
2005-07-07 15:25:28 +00:00
## Type of the program to be used as an entry point to this domain.
## </summary>
2005-07-07 15:25:28 +00:00
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`init_daemon_domain',`
2005-06-17 17:59:26 +00:00
gen_require(`
2017-02-24 01:03:23 +00:00
type init_t, initrc_t;
2005-06-17 17:59:26 +00:00
role system_r;
attribute daemon;
2005-06-17 17:59:26 +00:00
')
typeattribute $1 daemon;
2005-06-13 17:35:46 +00:00
domain_type($1)
2010-12-15 19:50:28 +00:00
domain_entry_file($1, $2)
role system_r types $1;
2010-12-15 19:50:28 +00:00
domtrans_pattern(initrc_t, $2, $1)
2007-03-23 21:01:49 +00:00
# daemons started from init will
# inherit fds from init for the console
init_dontaudit_use_fds($1)
term_dontaudit_use_console($1)
2010-12-15 19:50:28 +00:00
# init script ptys are the stdin/out/err
# when using run_init
init_use_script_ptys($1)
allow init_t $1:process rlimitinh;
2005-07-07 15:25:28 +00:00
ifdef(`direct_sysadm_daemon',`
2008-11-05 16:10:46 +00:00
userdom_dontaudit_use_user_terminals($1)
2005-07-07 15:25:28 +00:00
')
ifdef(`init_systemd',`
init_domain($1, $2)
2017-02-24 01:03:23 +00:00
allow $1 init_t:unix_dgram_socket sendto;
')
optional_policy(`
nscd_use($1)
2005-09-15 21:03:29 +00:00
')
')
########################################
## <summary>
## Create a domain for long running processes
## (daemons/services) which are started by init scripts,
## running at a specified MLS/MCS range.
## </summary>
## <desc>
## <p>
## Create a domain for long running processes (daemons/services)
## which are started by init scripts, running at a specified
## MLS/MCS range. Short running processes
## should use the init_ranged_system_domain() interface instead.
## Typically all long running processes started by an init
## script (usually in /etc/init.d) will need to use this
## interface if they need to run in a specific MLS/MCS range.
## </p>
## <p>
## The types will be made usable as a domain and file, making
## calls to domain_type() and files_type() redundant.
## </p>
## <p>
## If the policy build option TYPE is standard (MLS and MCS disabled),
## this interface has the same behavior as init_daemon_domain().
## </p>
## </desc>
## <param name="domain">
## <summary>
## Type to be used as a daemon domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
## <param name="range">
## <summary>
## MLS/MCS range for the domain.
## </summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`init_ranged_daemon_domain',`
gen_require(`
type initrc_t;
')
ifdef(`init_systemd',`
init_ranged_domain($1, $2, $3)
',`
init_daemon_domain($1, $2)
ifdef(`enable_mcs',`
range_transition initrc_t $2:process $3;
')
ifdef(`enable_mls',`
range_transition initrc_t $2:process $3;
mls_rangetrans_target($1)
')
')
')
#########################################
## <summary>
## Abstract socket service activation (systemd).
## </summary>
## <param name="domain">
## <summary>
## The domain to be started by systemd socket activation.
## </summary>
## </param>
#
interface(`init_abstract_socket_activation',`
ifdef(`init_systemd',`
gen_require(`
type init_t;
')
allow init_t $1:unix_stream_socket create_stream_socket_perms;
')
')
#########################################
## <summary>
## Named socket service activation (systemd).
## </summary>
## <param name="domain">
## <summary>
## The domain to be started by systemd socket activation.
## </summary>
## </param>
## <param name="sock_file">
## <summary>
## The domain socket file type.
## </summary>
## </param>
#
interface(`init_named_socket_activation',`
ifdef(`init_systemd',`
gen_require(`
type init_t;
')
allow init_t $1:unix_dgram_socket create_socket_perms;
allow init_t $1:unix_stream_socket create_stream_socket_perms;
allow init_t $2:dir manage_dir_perms;
allow init_t $2:fifo_file manage_fifo_file_perms;
allow init_t $2:sock_file manage_sock_file_perms;
')
')
########################################
2005-07-07 15:25:28 +00:00
## <summary>
## Create a domain for short running processes
## which are started by init scripts.
2005-07-07 15:25:28 +00:00
## </summary>
## <desc>
## <p>
## Create a domain for short running processes
## which are started by init scripts. These are generally applications that
## are used to initialize the system during boot.
## Long running processes, such as daemons/services
## should use the init_daemon_domain() interface instead.
## Typically all short running processes started by an init
## script (usually in /etc/init.d) will need to use this
2010-12-15 19:50:28 +00:00
## interface.
## </p>
## <p>
## The types will be made usable as a domain and file, making
## calls to domain_type() and files_type() redundant.
## </p>
## <p>
## If the process must also run in a specific MLS/MCS level,
## the init_ranged_system_domain() should be used instead.
## </p>
## </desc>
2005-07-07 15:25:28 +00:00
## <param name="domain">
## <summary>
## Type to be used as a system domain.
## </summary>
2005-07-07 15:25:28 +00:00
## </param>
## <param name="entry_point">
## <summary>
2005-07-07 15:25:28 +00:00
## Type of the program to be used as an entry point to this domain.
## </summary>
2005-07-07 15:25:28 +00:00
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`init_system_domain',`
2005-06-17 17:59:26 +00:00
gen_require(`
type initrc_t;
role system_r;
2017-02-24 01:03:23 +00:00
attribute systemprocess;
2005-06-17 17:59:26 +00:00
')
2005-05-31 23:02:11 +00:00
2017-02-24 01:03:23 +00:00
typeattribute $1 systemprocess;
2010-12-15 19:50:28 +00:00
application_domain($1, $2)
2005-05-31 23:02:11 +00:00
role system_r types $1;
2010-12-15 19:50:28 +00:00
domtrans_pattern(initrc_t, $2, $1)
ifdef(`init_systemd',`
init_domain($1, $2)
')
')
########################################
## <summary>
## Create a domain for short running processes
## which are started by init scripts.
## </summary>
## <desc>
## <p>
## Create a domain for long running processes (daemons/services)
## which are started by init scripts.
## These are generally applications that
## are used to initialize the system during boot.
## Long running processes
## should use the init_ranged_system_domain() interface instead.
## Typically all short running processes started by an init
## script (usually in /etc/init.d) will need to use this
## interface if they need to run in a specific MLS/MCS range.
## </p>
## <p>
## The types will be made usable as a domain and file, making
## calls to domain_type() and files_type() redundant.
## </p>
## <p>
## If the policy build option TYPE is standard (MLS and MCS disabled),
## this interface has the same behavior as init_system_domain().
## </p>
## </desc>
## <param name="domain">
## <summary>
## Type to be used as a system domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
## <param name="range">
## <summary>
## Range for the domain.
## </summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`init_ranged_system_domain',`
gen_require(`
type initrc_t;
')
ifdef(`init_systemd',`
init_ranged_domain($1, $2, $3)
',`
init_system_domain($1, $2)
ifdef(`enable_mcs',`
range_transition initrc_t $2:process $3;
')
ifdef(`enable_mls',`
range_transition initrc_t $2:process $3;
mls_rangetrans_target($1)
')
')
')
2017-02-24 01:03:23 +00:00
######################################
## <summary>
## Allow domain dyntransition to init_t domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`init_dyntrans',`
gen_require(`
type init_t;
')
dyntrans_pattern($1, init_t)
')
########################################
## <summary>
## Mark the file type as a daemon pid file, allowing initrc_t
## to create it
## </summary>
## <param name="filetype">
## <summary>
## Type to mark as a daemon pid file
## </summary>
## </param>
## <param name="class">
## <summary>
## Class on which the type is applied
## </summary>
## </param>
## <param name="filename">
## <summary>
## Filename of the file that the init script creates
## </summary>
## </param>
#
interface(`init_daemon_pid_file',`
gen_require(`
attribute daemonpidfile;
type initrc_t;
')
typeattribute $1 daemonpidfile;
files_pid_file($1)
files_pid_filetrans(initrc_t, $1, $2, $3)
')
########################################
## <summary>
## Mark the file type as a daemon lock file, allowing initrc_t
## to create it
## </summary>
## <param name="filetype">
## <summary>
## Type to mark as a daemon lock file
## </summary>
## </param>
## <param name="class">
## <summary>
## Class on which the type is applied
## </summary>
## </param>
## <param name="filename">
## <summary>
## Filename of the file that the init script creates
## </summary>
## </param>
#
interface(`init_daemon_lock_file',`
gen_require(`
type initrc_t;
')
files_lock_file($1)
files_lock_filetrans(initrc_t, $1, $2, $3)
allow initrc_t $1:dir manage_dir_perms;
allow initrc_t $1:file manage_file_perms;
')
2005-04-14 20:18:17 +00:00
########################################
## <summary>
## Execute init (/sbin/init) with a domain transition.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
2005-04-14 20:18:17 +00:00
#
interface(`init_domtrans',`
2005-06-17 17:59:26 +00:00
gen_require(`
type init_t, init_exec_t;
')
2009-06-26 14:40:13 +00:00
domtrans_pattern($1, init_exec_t, init_t)
2005-04-14 20:18:17 +00:00
')
########################################
## <summary>
## Execute init (/sbin/init) with a domain transition
## to the provided domain.
## </summary>
## <desc>
## Execute init (/sbin/init) with a domain transition
## to the provided domain. This is used by systemd
## to execute the systemd user session.
## </desc>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="domain">
## <summary>
## New domain.
## </summary>
## </param>
#
interface(`init_pgm_spec_user_daemon_domain',`
gen_require(`
type init_t, init_exec_t;
')
domain_type($1)
domain_entry_file($1, init_exec_t)
spec_domtrans_pattern(init_t, init_exec_t, $1)
allow init_t $1:process { setsched rlimitinh noatsecure };
ifdef(`init_systemd',`
allow $1 init_t:unix_stream_socket { getattr read write ioctl };
')
')
2005-09-15 15:34:31 +00:00
########################################
## <summary>
## Execute the init program in the caller domain.
## </summary>
## <param name="domain">
## <summary>
2005-09-15 15:34:31 +00:00
## Domain allowed access.
## </summary>
2005-09-15 15:34:31 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-09-15 15:34:31 +00:00
#
interface(`init_exec',`
gen_require(`
type init_exec_t;
')
2007-03-23 23:24:59 +00:00
corecmd_search_bin($1)
2009-06-26 14:40:13 +00:00
can_exec($1, init_exec_t)
2005-09-15 15:34:31 +00:00
')
########################################
## <summary>
## Allow the init program to be an entrypoint
## for the specified domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`init_pgm_entrypoint',`
gen_require(`
type init_exec_t;
')
allow $1 init_exec_t:file entrypoint;
')
########################################
## <summary>
## Execute the rc application in the caller domain.
## </summary>
## <desc>
## <p>
2011-09-06 18:00:58 +00:00
## This is only applicable to Gentoo or distributions that use the OpenRC
## init system.
## </p>
## <p>
2011-09-06 18:00:58 +00:00
## The OpenRC /sbin/rc binary is used for both init scripts as well as
## management applications and tools. When used for management purposes,
## calling /sbin/rc should never cause a transition to initrc_t.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_exec_rc',`
gen_require(`
type rc_exec_t;
')
corecmd_search_bin($1)
can_exec($1, rc_exec_t)
')
2005-05-09 15:38:06 +00:00
########################################
## <summary>
## Get the process group of init.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
2005-05-09 15:38:06 +00:00
#
2006-02-02 21:08:12 +00:00
interface(`init_getpgid',`
2005-06-17 17:59:26 +00:00
gen_require(`
type init_t;
')
allow $1 init_t:process getpgid;
')
########################################
## <summary>
## Send init a generic signal.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_signal',`
gen_require(`
type init_t;
')
allow $1 init_t:process signal;
')
2005-04-14 20:18:17 +00:00
########################################
## <summary>
## Send init a null signal.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
2005-04-14 20:18:17 +00:00
#
interface(`init_signull',`
gen_require(`
type init_t;
')
allow $1 init_t:process signull;
')
########################################
## <summary>
## Send init a SIGCHLD signal.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
2005-04-14 20:18:17 +00:00
#
interface(`init_sigchld',`
2005-06-17 17:59:26 +00:00
gen_require(`
type init_t;
')
allow $1 init_t:process sigchld;
2005-04-14 20:18:17 +00:00
')
########################################
## <summary>
## Connect to init with a unix socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_stream_connect',`
gen_require(`
type init_t, init_var_run_t;
')
stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
files_search_pids($1)
2017-02-24 01:03:23 +00:00
allow $1 init_t:unix_stream_socket getattr;
')
########################################
## <summary>
## Inherit and use file descriptors from init.
## </summary>
## <desc>
## <p>
## Allow the specified domain to inherit file
## descriptors from the init program (process ID 1).
## Typically the only file descriptors to be
## inherited from init are for the console.
## This does not allow the domain any access to
## the object to which the file descriptors references.
## </p>
## <p>
## Related interfaces:
## </p>
## <ul>
## <li>init_dontaudit_use_fds()</li>
## <li>term_dontaudit_use_console()</li>
## <li>term_use_console()</li>
## </ul>
## <p>
## Example usage:
## </p>
## <p>
## init_use_fds(mydomain_t)
## term_use_console(mydomain_t)
## </p>
## <p>
## Normally, processes that can inherit these file
## descriptors (usually services) write messages to the
## system log instead of writing to the console.
## Therefore, in many cases, this access should
## dontaudited instead.
## </p>
## <p>
## Example dontaudit usage:
## </p>
## <p>
## init_dontaudit_use_fds(mydomain_t)
## term_dontaudit_use_console(mydomain_t)
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="read" weight="1"/>
#
interface(`init_use_fds',`
2005-06-17 17:59:26 +00:00
gen_require(`
type init_t;
')
allow $1 init_t:fd use;
')
2005-04-28 19:50:58 +00:00
########################################
## <summary>
## Do not audit attempts to inherit file
## descriptors from init.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
2005-04-28 19:50:58 +00:00
#
interface(`init_dontaudit_use_fds',`
2005-06-17 17:59:26 +00:00
gen_require(`
type init_t;
')
dontaudit $1 init_t:fd use;
2005-04-28 19:50:58 +00:00
')
########################################
## <summary>
## Send messages to init unix datagram sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`init_dgram_send',`
gen_require(`
type init_t, init_var_run_t;
')
dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t)
files_search_pids($1)
allow $1 init_t:unix_stream_socket getattr;
')
########################################
## <summary>
## Read and write to inherited init unix streams.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_rw_inherited_stream_socket',`
gen_require(`
type init_t;
')
allow $1 init_t:unix_stream_socket { getattr read write ioctl };
')
########################################
## <summary>
## Allow the specified domain to read/write to
## init with unix domain stream sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_rw_stream_sockets',`
gen_require(`
type init_t;
')
allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
')
2017-02-19 21:13:14 +00:00
########################################
## <summary>
## start service (systemd).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_start_system',`
gen_require(`
type init_t;
')
allow $1 init_t:system start;
')
########################################
## <summary>
## stop service (systemd).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_stop_system',`
gen_require(`
type init_t;
')
allow $1 init_t:system stop;
')
########################################
## <summary>
## Get all service status (systemd).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_get_system_status',`
gen_require(`
type init_t;
')
allow $1 init_t:system status;
')
########################################
## <summary>
## Enable all systemd services (systemd).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_enable',`
gen_require(`
type init_t;
')
allow $1 init_t:system enable;
')
########################################
## <summary>
## Disable all services (systemd).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_disable',`
gen_require(`
type init_t;
')
allow $1 init_t:system disable;
')
########################################
## <summary>
## Reload all services (systemd).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_reload',`
gen_require(`
type init_t;
')
allow $1 init_t:system reload;
')
########################################
## <summary>
## Reboot the system (systemd).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_reboot_system',`
gen_require(`
type init_t;
')
allow $1 init_t:system reboot;
')
########################################
## <summary>
## Shutdown (halt) the system (systemd).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_shutdown_system',`
gen_require(`
type init_t;
')
allow $1 init_t:system halt;
')
########################################
## <summary>
## Allow specified domain to get init status
## </summary>
## <param name="domain">
## <summary>
## Domain to allow access.
## </summary>
## </param>
#
interface(`init_service_status',`
gen_require(`
type init_t;
class service status;
')
allow $1 init_t:service status;
')
########################################
## <summary>
## Allow specified domain to get init start
## </summary>
## <param name="domain">
## <summary>
## Domain to allow access.
## </summary>
## </param>
#
interface(`init_service_start',`
gen_require(`
type init_t;
class service start;
')
allow $1 init_t:service start;
')
########################################
## <summary>
## Send and receive messages from
## systemd over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_dbus_chat',`
gen_require(`
type init_t;
class dbus send_msg;
')
allow $1 init_t:dbus send_msg;
allow init_t $1:dbus send_msg;
')
########################################
## <summary>
## read/follow symlinks under /var/lib/systemd/
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_var_lib_links',`
gen_require(`
type init_var_lib_t;
')
allow $1 init_var_lib_t:dir list_dir_perms;
allow $1 init_var_lib_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
## List /var/lib/systemd/ dir
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_list_var_lib_dirs',`
gen_require(`
type init_var_lib_t;
')
allow $1 init_var_lib_t:dir list_dir_perms;
')
########################################
## <summary>
## Relabel dirs in /var/lib/systemd/.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_relabel_var_lib_dirs',`
gen_require(`
type init_var_lib_t;
')
allow $1 init_var_lib_t:dir { relabelfrom relabelto };
')
########################################
## <summary>
## Manage files in /var/lib/systemd/.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_manage_var_lib_files',`
gen_require(`
type init_var_lib_t;
')
manage_files_pattern($1, init_var_lib_t, init_var_lib_t)
files_search_var_lib($1)
')
########################################
## <summary>
## Create files in /var/lib/systemd
## with an automatic type transition.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="type">
## <summary>
## The type of object to be created
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The object class.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`init_var_lib_filetrans',`
gen_require(`
type init_var_lib_t;
')
files_search_var_lib($1)
filetrans_pattern($1, init_var_lib_t, $2, $3, $4)
')
######################################
## <summary>
## Allow search directory in the /run/systemd directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_search_pids',`
gen_require(`
type init_var_run_t;
')
allow $1 init_var_run_t:dir search_dir_perms;
')
######################################
## <summary>
## Allow listing of the /run/systemd directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_list_pids',`
gen_require(`
type init_var_run_t;
')
allow $1 init_var_run_t:dir list_dir_perms;
files_search_pids($1)
')
########################################
## <summary>
## Create files in an init PID directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="file_type">
## <summary>
## The type of the object to be created
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The object class.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`init_pid_filetrans',`
gen_require(`
type init_var_run_t;
')
files_search_pids($1)
filetrans_pattern($1, init_var_run_t, $2, $3, $4)
')
########################################
## <summary>
## Get the attributes of initctl.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_getattr_initctl',`
gen_require(`
type initctl_t;
2017-02-08 21:56:09 +00:00
')
files_search_pids($1)
dev_list_all_dev_nodes($1)
allow $1 initctl_t:fifo_file getattr;
')
########################################
## <summary>
## Do not audit attempts to get the
## attributes of initctl.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_dontaudit_getattr_initctl',`
gen_require(`
type initctl_t;
')
dontaudit $1 initctl_t:fifo_file getattr;
')
########################################
## <summary>
## Write to initctl.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_write_initctl',`
gen_require(`
type initctl_t;
')
dev_list_all_dev_nodes($1)
files_search_pids($1)
allow $1 initctl_t:fifo_file write;
')
2006-09-06 22:07:25 +00:00
########################################
## <summary>
## Use telinit (Read and write initctl).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`init_telinit',`
gen_require(`
2017-02-24 01:03:23 +00:00
type initctl_t, init_t;
2006-09-06 22:07:25 +00:00
')
2017-02-24 01:03:23 +00:00
ps_process_pattern($1, init_t)
allow $1 init_t:process signal;
# upstart uses a datagram socket instead of initctl pipe
allow $1 self:unix_dgram_socket create_socket_perms;
allow $1 init_t:unix_dgram_socket sendto;
#576913
allow $1 init_t:unix_stream_socket connectto;
2006-12-12 20:08:08 +00:00
allow $1 initctl_t:fifo_file rw_fifo_file_perms;
2007-02-26 20:19:53 +00:00
2017-02-24 01:03:23 +00:00
corecmd_exec_bin($1)
2017-02-24 01:03:23 +00:00
dev_list_all_dev_nodes($1)
files_search_pids($1)
2017-02-24 01:03:23 +00:00
init_exec($1)
2006-09-06 22:07:25 +00:00
')
########################################
## <summary>
## Read and write initctl.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_rw_initctl',`
gen_require(`
type initctl_t;
')
dev_list_all_dev_nodes($1)
files_search_pids($1)
2006-12-12 20:08:08 +00:00
allow $1 initctl_t:fifo_file rw_fifo_file_perms;
')
########################################
## <summary>
## Do not audit attempts to read and
## write initctl.
## </summary>
## <param name="domain">
## <summary>
2014-08-23 13:11:05 +00:00
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_dontaudit_rw_initctl',`
gen_require(`
type initctl_t;
')
dontaudit $1 initctl_t:fifo_file { read write };
')
2006-02-21 15:57:49 +00:00
########################################
## <summary>
## Make init scripts an entry point for
## the specified domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
2006-02-21 15:57:49 +00:00
## </summary>
## </param>
# cjp: added for gentoo integrated run_init
interface(`init_script_file_entry_type',`
gen_require(`
type initrc_exec_t;
')
2009-06-26 14:40:13 +00:00
domain_entry_file($1, initrc_exec_t)
2006-02-21 15:57:49 +00:00
')
2005-04-14 20:18:17 +00:00
########################################
## <summary>
## Execute init scripts with a specified domain transition.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`init_spec_domtrans_script',`
gen_require(`
type initrc_t, initrc_exec_t;
')
files_list_etc($1)
2009-06-26 14:40:13 +00:00
spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
ifdef(`distro_gentoo',`
gen_require(`
type rc_exec_t;
')
2011-09-06 18:00:58 +00:00
domtrans_pattern($1, rc_exec_t, initrc_t)
')
ifdef(`enable_mcs',`
range_transition $1 initrc_exec_t:process s0;
')
ifdef(`enable_mls',`
range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
')
')
########################################
## <summary>
## Execute init scripts with an automatic domain transition.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
2005-04-14 20:18:17 +00:00
#
interface(`init_domtrans_script',`
2005-06-17 17:59:26 +00:00
gen_require(`
type initrc_t, initrc_exec_t;
')
2005-06-17 17:59:26 +00:00
files_list_etc($1)
2009-06-26 14:40:13 +00:00
domtrans_pattern($1, initrc_exec_t, initrc_t)
ifdef(`enable_mcs',`
range_transition $1 initrc_exec_t:process s0;
')
ifdef(`enable_mls',`
range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
')
2005-04-14 20:18:17 +00:00
')
2017-02-24 01:03:23 +00:00
########################################
## <summary>
## Execute labelled init scripts with an automatic domain transition.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`init_domtrans_labeled_script',`
gen_require(`
type initrc_t;
attribute init_script_file_type;
attribute initrc_transition_domain;
')
typeattribute $1 initrc_transition_domain;
files_list_etc($1)
domtrans_pattern($1, init_script_file_type, initrc_t)
ifdef(`enable_mcs',`
range_transition $1 init_script_file_type:process s0;
')
ifdef(`enable_mls',`
range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
')
')
2006-02-21 15:57:49 +00:00
########################################
## <summary>
## Execute a init script in a specified domain.
## </summary>
## <desc>
2008-12-03 19:16:20 +00:00
## <p>
2006-02-21 15:57:49 +00:00
## Execute a init script in a specified domain.
2008-12-03 19:16:20 +00:00
## </p>
## <p>
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
## </p>
2006-02-21 15:57:49 +00:00
## </desc>
## <param name="source_domain">
## <summary>
## Domain allowed to transition.
2006-02-21 15:57:49 +00:00
## </summary>
## </param>
## <param name="target_domain">
## <summary>
## Domain to transition to.
## </summary>
## </param>
# cjp: added for gentoo integrated run_init
interface(`init_script_file_domtrans',`
gen_require(`
type initrc_exec_t;
')
files_list_etc($1)
domain_auto_transition_pattern($1, initrc_exec_t, $2)
2006-02-21 15:57:49 +00:00
')
########################################
## <summary>
## Send a kill signal to init scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_kill_scripts',`
gen_require(`
type initrc_t;
')
allow $1 initrc_t:process sigkill;
')
2017-02-19 21:13:14 +00:00
########################################
## <summary>
## Allow manage service for initrc_exec_t scripts
## </summary>
## <param name="domain">
## <summary>
## Target domain
## </summary>
## </param>
#
interface(`init_manage_script_service',`
gen_require(`
type initrc_exec_t;
class service { status start stop };
')
allow $1 initrc_exec_t:service { start stop status };
')
########################################
## <summary>
## Transition to the init script domain
## on a specified labeled init script.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="init_script_file">
## <summary>
## Labeled init script file.
## </summary>
## </param>
#
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
2017-02-24 01:03:23 +00:00
attribute initrc_transition_domain;
')
2017-02-24 01:03:23 +00:00
typeattribute $1 initrc_transition_domain;
domtrans_pattern($1, $2, initrc_t)
files_search_etc($1)
')
#########################################
## <summary>
## Transition to the init script domain
## for all labeled init script types
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
2009-11-11 16:28:50 +00:00
#
interface(`init_all_labeled_script_domtrans',`
gen_require(`
attribute init_script_file_type;
')
init_labeled_script_domtrans($1, init_script_file_type)
')
########################################
## <summary>
## Allow getting service status of initrc_exec_t scripts
## </summary>
## <param name="domain">
## <summary>
## Target domain
## </summary>
## </param>
#
interface(`init_get_script_status',`
gen_require(`
type initrc_exec_t;
class service status;
')
allow $1 initrc_exec_t:service status;
')
########################################
## <summary>
## Allow the role to start and stop
## labeled services.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be performing this action.
## </summary>
## </param>
## <param name="domain">
## <summary>
## Type to be used as a daemon domain.
## </summary>
## </param>
## <param name="init_script_file">
## <summary>
## Labeled init script file.
## </summary>
## </param>
## <param name="unit" optional="true">
## <summary>
## Systemd unit file type.
## </summary>
## </param>
#
interface(`init_startstop_service',`
gen_require(`
role system_r;
')
# sysvinit/upstart systems will need to use run_init
# if not using direct_sysadm_daemon.
ifdef(`direct_sysadm_daemon',`
init_labeled_script_domtrans($1, $4)
domain_system_change_exemption($1)
role_transition $2 $4 system_r;
allow $2 system_r;
')
ifdef(`distro_gentoo',`
# for OpenRC
seutil_labeled_init_script_run_runinit($1, $2, $4)
')
ifdef(`init_systemd',`
# This ifelse condition is temporary, until
# all callers are updated to provide unit files.
ifelse(`$5',`',`',`
gen_require(`
class service { start status stop };
')
allow $1 $5:service { start status stop };
')
')
')
2005-07-07 15:25:28 +00:00
########################################
2005-08-11 17:46:39 +00:00
## <summary>
2005-07-07 15:25:28 +00:00
## Start and stop daemon programs directly.
2005-08-11 17:46:39 +00:00
## </summary>
2005-08-17 14:14:07 +00:00
## <desc>
## <p>
## Start and stop daemon programs directly
## in the traditional "/etc/init.d/daemon start"
## style, and do not require run_init.
## </p>
## </desc>
2005-07-07 15:25:28 +00:00
## <param name="domain">
## <summary>
2005-11-08 22:00:30 +00:00
## Domain allowed access.
## </summary>
2005-07-07 15:25:28 +00:00
## </param>
## <param name="role">
## <summary>
2005-07-07 15:25:28 +00:00
## The role to be performing this action.
## </summary>
2005-07-07 15:25:28 +00:00
## </param>
#
interface(`init_run_daemon',`
gen_require(`
attribute init_script_file_type;
2005-07-07 15:25:28 +00:00
role system_r;
')
allow $2 system_r;
init_all_labeled_script_domtrans($1)
role_transition $2 init_script_file_type system_r;
2005-07-07 15:25:28 +00:00
')
2017-02-19 21:13:14 +00:00
########################################
## <summary>
## Start and stop init_script_file_type services
## </summary>
## <param name="domain">
## <summary>
## domain that can start and stop the services
## </summary>
## </param>
#
interface(`init_startstop_all_script_services',`
gen_require(`
attribute init_script_file_type;
2017-02-24 01:03:23 +00:00
class service { start status stop };
2017-02-19 21:13:14 +00:00
')
allow $1 init_script_file_type:service { start status stop };
')
2008-09-12 14:18:20 +00:00
########################################
## <summary>
## Read the process state (/proc/pid) of init.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_state',`
gen_require(`
type init_t;
2008-09-12 14:18:20 +00:00
')
allow $1 init_t:dir search_dir_perms;
allow $1 init_t:file read_file_perms;
allow $1 init_t:lnk_file read_lnk_file_perms;
2008-09-12 14:18:20 +00:00
')
########################################
## <summary>
## Dontaudit read the process state (/proc/pid) of init.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_dontaudit_read_state',`
gen_require(`
type init_t;
')
dontaudit $1 init_t:dir search_dir_perms;
dontaudit $1 init_t:file read_file_perms;
dontaudit $1 init_t:lnk_file read_lnk_file_perms;
')
2008-09-12 14:18:20 +00:00
########################################
## <summary>
## Ptrace init
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`init_ptrace',`
gen_require(`
type init_t;
2008-09-12 14:18:20 +00:00
')
allow $1 init_t:process ptrace;
')
########################################
## <summary>
## get init process stats
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`init_getattr',`
gen_require(`
type init_t;
')
allow $1 init_t:process getattr;
')
2005-11-08 22:00:30 +00:00
########################################
## <summary>
## Write an init script unnamed pipe.
## </summary>
## <param name="domain">
## <summary>
2005-11-08 22:00:30 +00:00
## Domain allowed access.
## </summary>
2005-11-08 22:00:30 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`init_write_script_pipes',`
2005-11-08 22:00:30 +00:00
gen_require(`
type initrc_t;
')
allow $1 initrc_t:fifo_file write;
')
2005-11-29 21:27:15 +00:00
########################################
## <summary>
## Get the attribute of init script entrypoint files.
## </summary>
## <param name="domain">
## <summary>
2005-11-29 21:27:15 +00:00
## Domain allowed access.
## </summary>
2005-11-29 21:27:15 +00:00
## </param>
#
2006-02-06 15:40:41 +00:00
interface(`init_getattr_script_files',`
2005-11-29 21:27:15 +00:00
gen_require(`
type initrc_exec_t;
')
files_list_etc($1)
allow $1 initrc_exec_t:file getattr;
')
########################################
## <summary>
## Read init scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_script_files',`
gen_require(`
type initrc_exec_t;
')
files_search_etc($1)
allow $1 initrc_exec_t:file read_file_perms;
')
########################################
## <summary>
## Execute init scripts in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
2006-02-06 15:40:41 +00:00
interface(`init_exec_script_files',`
2005-06-17 17:59:26 +00:00
gen_require(`
type initrc_exec_t;
')
2005-06-17 17:59:26 +00:00
files_list_etc($1)
2009-06-26 14:40:13 +00:00
can_exec($1, initrc_exec_t)
')
########################################
## <summary>
## Get the attribute of all init script entrypoint files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_getattr_all_script_files',`
gen_require(`
attribute init_script_file_type;
')
files_list_etc($1)
allow $1 init_script_file_type:file getattr;
')
########################################
## <summary>
## Read all init script files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_all_script_files',`
gen_require(`
attribute init_script_file_type;
')
files_search_etc($1)
allow $1 init_script_file_type:file read_file_perms;
')
2010-03-18 14:19:49 +00:00
#######################################
## <summary>
## Dontaudit read all init script files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
2010-03-18 14:19:49 +00:00
## </summary>
## </param>
#
interface(`init_dontaudit_read_all_script_files',`
gen_require(`
attribute init_script_file_type;
')
dontaudit $1 init_script_file_type:file read_file_perms;
')
########################################
## <summary>
## Execute all init scripts in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_exec_all_script_files',`
gen_require(`
attribute init_script_file_type;
')
files_list_etc($1)
can_exec($1, init_script_file_type)
')
########################################
2005-06-24 20:37:09 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Read the process state (/proc/pid) of the init scripts.
2005-06-24 20:37:09 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-11-08 22:00:30 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`init_read_script_state',`
2005-06-17 17:59:26 +00:00
gen_require(`
type initrc_t;
')
2006-12-12 20:08:08 +00:00
kernel_search_proc($1)
2017-02-24 01:03:23 +00:00
ps_process_pattern($1, initrc_t)
')
########################################
## <summary>
## Inherit and use init script file descriptors.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
2006-02-20 21:33:25 +00:00
interface(`init_use_script_fds',`
2005-06-17 17:59:26 +00:00
gen_require(`
type initrc_t;
')
allow $1 initrc_t:fd use;
')
########################################
## <summary>
## Do not audit attempts to inherit
## init script file descriptors.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
2006-02-20 21:33:25 +00:00
interface(`init_dontaudit_use_script_fds',`
2005-06-17 17:59:26 +00:00
gen_require(`
type initrc_t;
')
dontaudit $1 initrc_t:fd use;
')
########################################
## <summary>
## Search init script keys.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_search_script_keys',`
gen_require(`
type initrc_t;
')
allow $1 initrc_t:key search;
')
########################################
## <summary>
## Get the process group ID of init scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`init_getpgid_script',`
2005-06-17 17:59:26 +00:00
gen_require(`
type initrc_t;
')
allow $1 initrc_t:process getpgid;
')
2005-10-23 20:18:36 +00:00
########################################
## <summary>
## Send SIGCHLD signals to init scripts.
## </summary>
## <param name="domain">
## <summary>
2005-11-08 22:00:30 +00:00
## Domain allowed access.
## </summary>
2005-10-23 20:18:36 +00:00
## </param>
#
interface(`init_sigchld_script',`
gen_require(`
type initrc_t;
')
allow $1 initrc_t:process sigchld;
')
2005-11-09 17:12:34 +00:00
########################################
## <summary>
## Send generic signals to init scripts.
## </summary>
## <param name="domain">
## <summary>
2005-11-09 17:12:34 +00:00
## Domain allowed access.
## </summary>
2005-11-09 17:12:34 +00:00
## </param>
#
interface(`init_signal_script',`
gen_require(`
type initrc_t;
')
allow $1 initrc_t:process signal;
')
########################################
## <summary>
## Send null signals to init scripts.
## </summary>
## <param name="domain">
## <summary>
2005-11-09 17:12:34 +00:00
## Domain allowed access.
## </summary>
2005-11-09 17:12:34 +00:00
## </param>
#
interface(`init_signull_script',`
gen_require(`
type initrc_t;
')
allow $1 initrc_t:process signull;
')
########################################
2005-06-24 20:37:09 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Read and write init script unnamed pipes.
2005-06-24 20:37:09 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-11-08 22:00:30 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`init_rw_script_pipes',`
gen_require(`
type initrc_t;
')
allow $1 initrc_t:fifo_file { read write };
')
2005-10-05 19:52:53 +00:00
########################################
## <summary>
## Allow the specified domain to connect to
## init scripts with a unix socket.
## </summary>
## <param name="domain">
## <summary>
2005-10-05 19:52:53 +00:00
## Domain allowed access.
## </summary>
2005-10-05 19:52:53 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`init_stream_connect_script',`
2005-10-05 19:52:53 +00:00
gen_require(`
type initrc_t;
')
allow $1 initrc_t:unix_stream_socket connectto;
')
########################################
## <summary>
## Allow the specified domain to read/write to
## init scripts with a unix domain stream sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_rw_script_stream_sockets',`
gen_require(`
type initrc_t;
')
2010-03-18 14:19:49 +00:00
allow $1 initrc_t:unix_stream_socket rw_socket_perms;
')
2005-12-05 17:11:14 +00:00
########################################
## <summary>
## Dont audit the specified domain connecting to
## init scripts with a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-12-05 17:11:14 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`init_dontaudit_stream_connect_script',`
2005-12-05 17:11:14 +00:00
gen_require(`
type initrc_t;
')
dontaudit $1 initrc_t:unix_stream_socket connectto;
')
########################################
## <summary>
## Send messages to init scripts over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_dbus_send_script',`
gen_require(`
type initrc_t;
class dbus send_msg;
')
allow $1 initrc_t:dbus send_msg;
')
2005-12-05 17:11:14 +00:00
2005-12-02 22:06:05 +00:00
########################################
## <summary>
## Send and receive messages from
## init scripts over dbus.
## </summary>
## <param name="domain">
## <summary>
2005-12-02 22:06:05 +00:00
## Domain allowed access.
## </summary>
2005-12-02 22:06:05 +00:00
## </param>
#
interface(`init_dbus_chat_script',`
gen_require(`
type initrc_t;
class dbus send_msg;
')
allow $1 initrc_t:dbus send_msg;
allow initrc_t $1:dbus send_msg;
')
########################################
2005-08-17 14:14:07 +00:00
## <summary>
## Read and write the init script pty.
## </summary>
## <desc>
## <p>
## Read and write the init script pty. This
## pty is generally opened by the open_init_pty
## portion of the run_init program so that the
## daemon does not require direct access to
## the administrator terminal.
## </p>
## </desc>
## <param name="domain">
## <summary>
2005-11-08 22:00:30 +00:00
## Domain allowed access.
## </summary>
2005-08-17 14:14:07 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`init_use_script_ptys',`
2005-06-17 17:59:26 +00:00
gen_require(`
type initrc_devpts_t;
')
2005-06-10 01:01:13 +00:00
term_list_ptys($1)
2005-10-21 19:36:49 +00:00
allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
')
########################################
## <summary>
## Read and write inherited init script ptys.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_use_inherited_script_ptys',`
gen_require(`
type initrc_devpts_t;
')
term_list_ptys($1)
allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
init_use_fds($1)
')
2005-05-09 15:38:06 +00:00
########################################
2005-08-17 14:14:07 +00:00
## <summary>
2005-10-21 21:35:25 +00:00
## Do not audit attempts to read and
## write the init script pty.
2005-08-17 14:14:07 +00:00
## </summary>
## <param name="domain">
## <summary>
2005-10-21 21:35:25 +00:00
## Domain to not audit.
## </summary>
2005-08-17 14:14:07 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`init_dontaudit_use_script_ptys',`
2005-08-17 14:14:07 +00:00
gen_require(`
2005-10-21 21:35:25 +00:00
type initrc_devpts_t;
2005-08-17 14:14:07 +00:00
')
2005-10-21 21:35:25 +00:00
dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
2005-08-17 14:14:07 +00:00
')
########################################
2005-10-21 21:35:25 +00:00
## <summary>
## Get the attributes of init script
## status files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_getattr_script_status_files',`
gen_require(`
type initrc_state_t;
')
2009-06-26 14:40:13 +00:00
getattr_files_pattern($1, initrc_state_t, initrc_state_t)
')
########################################
2006-05-29 14:16:22 +00:00
## <summary>
## Do not audit attempts to read init script
## status files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
2006-05-29 14:16:22 +00:00
## </summary>
## </param>
#
interface(`init_dontaudit_read_script_status_files',`
gen_require(`
type initrc_state_t;
')
dontaudit $1 initrc_state_t:dir search_dir_perms;
dontaudit $1 initrc_state_t:file read_file_perms;
')
2014-09-07 21:28:11 +00:00
######################################
## <summary>
## Search the /run/systemd directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_search_run',`
gen_require(`
type init_var_run_t;
')
files_search_pids($1)
allow $1 init_var_run_t:dir search_dir_perms;
')
2010-03-18 14:19:49 +00:00
########################################
## <summary>
## Read init script temporary data.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_script_tmp_files',`
gen_require(`
type initrc_tmp_t;
')
files_search_tmp($1)
read_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
')
########################################
2005-06-24 20:37:09 +00:00
## <summary>
## Read and write init script inherited temporary data.
2005-06-24 20:37:09 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-11-08 22:00:30 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
interface(`init_rw_inherited_script_tmp_files',`
2005-06-17 17:59:26 +00:00
gen_require(`
2005-09-21 20:01:40 +00:00
type initrc_tmp_t;
2005-06-17 17:59:26 +00:00
')
allow $1 initrc_tmp_t:file rw_inherited_file_perms;
')
########################################
## <summary>
## Read and write init script temporary data.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_rw_script_tmp_files',`
gen_require(`
type initrc_tmp_t;
')
files_search_tmp($1)
rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
')
2005-11-25 19:09:08 +00:00
########################################
## <summary>
## Create files in a init script
## temporary data directory.
## </summary>
## <param name="domain">
## <summary>
2005-11-25 19:09:08 +00:00
## Domain allowed access.
## </summary>
2005-11-25 19:09:08 +00:00
## </param>
## <param name="file_type">
## <summary>
2005-11-25 19:09:08 +00:00
## The type of the object to be created
## </summary>
2005-11-25 19:09:08 +00:00
## </param>
## <param name="object_class">
## <summary>
## The object class.
## </summary>
2005-11-25 19:09:08 +00:00
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
2005-11-25 19:09:08 +00:00
#
2006-02-21 18:40:44 +00:00
interface(`init_script_tmp_filetrans',`
2005-11-25 19:09:08 +00:00
gen_require(`
type initrc_tmp_t;
')
files_search_tmp($1)
filetrans_pattern($1, initrc_tmp_t, $2, $3, $4)
2005-11-25 19:09:08 +00:00
')
2005-10-21 15:38:22 +00:00
########################################
## <summary>
## Get the attributes of init script process id files.
## </summary>
## <param name="domain">
## <summary>
2005-10-21 15:38:22 +00:00
## Domain allowed access.
## </summary>
2005-10-21 15:38:22 +00:00
## </param>
#
interface(`init_getattr_utmp',`
2005-10-21 15:38:22 +00:00
gen_require(`
type initrc_var_run_t;
')
allow $1 initrc_var_run_t:file getattr;
')
########################################
## <summary>
## Read utmp.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
2005-04-14 20:18:17 +00:00
#
interface(`init_read_utmp',`
2005-06-17 17:59:26 +00:00
gen_require(`
type initrc_var_run_t;
')
2005-06-13 17:35:46 +00:00
files_list_pids($1)
2006-12-12 20:08:08 +00:00
allow $1 initrc_var_run_t:file read_file_perms;
2005-04-14 20:18:17 +00:00
')
2005-05-13 14:37:13 +00:00
########################################
## <summary>
## Do not audit attempts to write utmp.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
2005-05-13 14:37:13 +00:00
#
interface(`init_dontaudit_write_utmp',`
2005-06-17 17:59:26 +00:00
gen_require(`
type initrc_var_run_t;
')
dontaudit $1 initrc_var_run_t:file { write lock };
2005-05-13 14:37:13 +00:00
')
2006-03-31 22:09:27 +00:00
########################################
## <summary>
## Write to utmp.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_write_utmp',`
gen_require(`
type initrc_var_run_t;
')
files_list_pids($1)
2008-10-20 16:10:42 +00:00
allow $1 initrc_var_run_t:file { getattr open write };
2006-03-31 22:09:27 +00:00
')
2006-01-06 19:46:44 +00:00
########################################
## <summary>
2010-12-15 19:50:28 +00:00
## Do not audit attempts to lock
2006-01-06 19:46:44 +00:00
## init script pid files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2006-01-06 19:46:44 +00:00
## </param>
#
interface(`init_dontaudit_lock_utmp',`
2006-01-06 19:46:44 +00:00
gen_require(`
type initrc_var_run_t;
')
dontaudit $1 initrc_var_run_t:file lock;
')
########################################
## <summary>
## Read and write utmp.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_rw_utmp',`
2005-06-17 17:59:26 +00:00
gen_require(`
type initrc_var_run_t;
')
2005-06-13 17:35:46 +00:00
files_list_pids($1)
2005-06-09 14:50:48 +00:00
allow $1 initrc_var_run_t:file rw_file_perms;
')
########################################
## <summary>
## Do not audit attempts to read and write utmp.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_dontaudit_rw_utmp',`
2005-06-17 17:59:26 +00:00
gen_require(`
type initrc_var_run_t;
')
2017-02-24 01:03:23 +00:00
dontaudit $1 initrc_var_run_t:file rw_file_perms;
')
2006-01-18 16:40:04 +00:00
########################################
## <summary>
2008-12-03 19:16:20 +00:00
## Create, read, write, and delete utmp.
2006-01-18 16:40:04 +00:00
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2006-01-18 16:40:04 +00:00
## </param>
#
interface(`init_manage_utmp',`
gen_require(`
type initrc_var_run_t;
')
files_search_pids($1)
2006-12-12 20:08:08 +00:00
allow $1 initrc_var_run_t:file manage_file_perms;
2006-01-18 16:40:04 +00:00
')
########################################
## <summary>
## Relabel utmp.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_relabel_utmp',`
gen_require(`
type initrc_var_run_t;
')
allow $1 initrc_var_run_t:file { relabelfrom relabelto };
')
2008-11-05 16:10:46 +00:00
########################################
## <summary>
## Create files in /var/run with the
## utmp file type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
2008-11-05 16:10:46 +00:00
## </summary>
## </param>
#
interface(`init_pid_filetrans_utmp',`
refpolicywarn(`$0($*) has been deprecated, please use init_runtime_filetrans_utmp() instead.')
init_runtime_filetrans_utmp($1)
')
########################################
## <summary>
## Create files in /var/run with the
## utmp file type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_runtime_filetrans_utmp',`
2008-11-05 16:10:46 +00:00
gen_require(`
type initrc_var_run_t;
')
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
2008-11-05 16:10:46 +00:00
')
2017-02-24 01:03:23 +00:00
#######################################
## <summary>
## Create a directory in the /run/systemd directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_create_pid_dirs',`
refpolicywarn(`$0($*) has been deprecated, please use init_create_runtime_dirs() instead.')
init_create_runtime_dirs($1)
')
#######################################
## <summary>
## Create a directory in the /run/systemd directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_create_runtime_dirs',`
2017-02-24 01:03:23 +00:00
gen_require(`
type init_var_run_t;
')
allow $1 init_var_run_t:dir list_dir_perms;
create_dirs_pattern($1, init_var_run_t, init_var_run_t)
')
########################################
## <summary>
## Rename init_var_run_t files
## </summary>
## <param name="domain">
## <summary>
## domain
## </summary>
## </param>
#
interface(`init_rename_pid_files',`
refpolicywarn(`$0($*) has been deprecated, please use init_rename_runtime_files() instead.')
init_rename_runtime_files($1)
')
########################################
## <summary>
## Rename init_var_run_t files
## </summary>
## <param name="domain">
## <summary>
## domain
## </summary>
## </param>
#
interface(`init_rename_runtime_files',`
2017-02-24 01:03:23 +00:00
gen_require(`
type init_var_run_t;
')
rename_files_pattern($1, init_var_run_t, init_var_run_t)
')
########################################
## <summary>
## Delete init_var_run_t files
2017-02-24 01:03:23 +00:00
## </summary>
## <param name="domain">
## <summary>
## domain
## </summary>
## </param>
#
interface(`init_delete_pid_files',`
refpolicywarn(`$0($*) has been deprecated, please use init_delete_runtime_files() instead.')
init_delete_runtime_files($1)
')
########################################
## <summary>
## Delete init_var_run_t files
## </summary>
## <param name="domain">
## <summary>
## domain
## </summary>
## </param>
#
interface(`init_delete_runtime_files',`
2017-02-24 01:03:23 +00:00
gen_require(`
type init_var_run_t;
')
delete_files_pattern($1, init_var_run_t, init_var_run_t)
')
#######################################
## <summary>
## Allow the specified domain to write to
## init sock file.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_write_pid_socket',`
refpolicywarn(`$0($*) has been deprecated, please use init_write_runtime_socket() instead.')
init_write_runtime_socket($1)
')
#######################################
## <summary>
## Allow the specified domain to write to
## init sock file.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_write_runtime_socket',`
gen_require(`
type init_var_run_t;
')
2017-02-24 01:03:23 +00:00
allow $1 init_var_run_t:sock_file write;
2017-02-24 01:03:23 +00:00
')
########################################
## <summary>
## Read init unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_pid_pipes',`
refpolicywarn(`$0($*) has been deprecated, please use init_read_runtime_pipes() instead.')
init_read_runtime_pipes($1)
')
########################################
## <summary>
## Read init unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_runtime_pipes',`
2017-02-24 01:03:23 +00:00
gen_require(`
type init_var_run_t;
')
read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
')
######################################
## <summary>
## read systemd unit symlinks (usually under /run/systemd/units/)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_runtime_symlinks',`
gen_require(`
type init_var_run_t;
')
read_lnk_files_pattern($1, init_var_run_t, init_var_run_t)
')
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_tcp_recvfrom_all_daemons',`
gen_require(`
attribute daemon;
')
corenet_tcp_recvfrom_labeled($1, daemon)
')
########################################
## <summary>
## Allow the specified domain to connect to daemon with a udp socket
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_udp_recvfrom_all_daemons',`
gen_require(`
attribute daemon;
')
corenet_udp_recvfrom_labeled($1, daemon)
')
######################################
## <summary>
## Search systemd unit dirs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_search_units',`
gen_require(`
type init_var_run_t, systemd_unit_t;
')
search_dirs_pattern($1, init_var_run_t, systemd_unit_t)
# Units are in /etc/systemd/system, /usr/lib/systemd/system and /run/systemd
files_search_etc($1)
files_search_usr($1)
libs_search_lib($1)
fs_search_tmpfs($1)
')
Allow ntpd to read unit files Adding missing documenation (sorry about that). type=AVC msg=audit(1553013917.359:9935): avc: denied { read } for pid=16326 comm="systemd-timedat" name="50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1 type=AVC msg=audit(1553013917.359:9935): avc: denied { open } for pid=16326 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d/50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1 type=AVC msg=audit(1553013917.359:9936): avc: denied { getattr } for pid=16326 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d/50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1 type=AVC msg=audit(1553013821.622:9902): avc: denied { getattr } for pid=16281 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1553013821.622:9903): avc: denied { read } for pid=16281 comm="systemd-timedat" name="ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1553013821.622:9903): avc: denied { open } for pid=16281 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-26 22:00:27 +00:00
######################################
## <summary>
## List systemd unit dirs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_list_unit_dirs',`
gen_require(`
type systemd_unit_t;
')
allow $1 systemd_unit_t:dir list_dir_perms;
init_search_units($1)
')
########################################
## <summary>
## Read systemd unit links
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_generic_units_symlinks',`
gen_require(`
type systemd_unit_t;
')
allow $1 systemd_unit_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
## Get status of generic systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_get_generic_units_status',`
gen_require(`
type systemd_unit_t;
class service status;
')
allow $1 systemd_unit_t:service status;
')
########################################
## <summary>
## Start generic systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_start_generic_units',`
gen_require(`
type systemd_unit_t;
class service start;
')
allow $1 systemd_unit_t:service start;
')
########################################
## <summary>
## Stop generic systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_stop_generic_units',`
gen_require(`
type systemd_unit_t;
class service stop;
')
allow $1 systemd_unit_t:service stop;
')
#######################################
## <summary>
## Reload generic systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_reload_generic_units',`
gen_require(`
type systemd_unit_t;
class service reload;
')
allow $1 systemd_unit_t:service reload;
')
########################################
## <summary>
## Get status of all systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_get_all_units_status',`
gen_require(`
attribute init_script_file_type, systemdunit;
class service status;
')
allow $1 { init_script_file_type systemdunit }:service status;
')
#######################################
## <summary>
## All perms on all systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_manage_all_units',`
gen_require(`
attribute systemdunit;
class service all_service_perms;
')
allow $1 systemdunit:service all_service_perms;
allow $1 systemdunit:file getattr;
')
########################################
## <summary>
## Start all systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_start_all_units',`
gen_require(`
attribute init_script_file_type, systemdunit;
class service start;
')
allow $1 { init_script_file_type systemdunit }:service start;
')
########################################
## <summary>
## Stop all systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_stop_all_units',`
gen_require(`
attribute init_script_file_type, systemdunit;
class service stop;
')
allow $1 { init_script_file_type systemdunit }:service stop;
')
#######################################
## <summary>
## Reload all systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_reload_all_units',`
gen_require(`
attribute init_script_file_type, systemdunit;
class service reload;
')
allow $1 { init_script_file_type systemdunit }:service reload;
')
########################################
## <summary>
## Allow unconfined access to send instructions to init
## </summary>
## <param name="domain">
## <summary>
## Target domain
## </summary>
## </param>
#
interface(`init_admin',`
gen_require(`
type initrc_exec_t;
class service status;
')
dev_manage_null_service($1)
init_disable($1)
init_enable($1)
init_get_all_units_status($1)
init_get_generic_units_status($1)
init_get_system_status($1)
init_manage_all_units($1)
init_manage_script_service($1)
init_reboot_system($1)
init_reload($1)
init_reload_all_units($1)
init_shutdown_system($1)
init_start_system($1)
init_start_all_units($1)
init_start_generic_units($1)
init_stop_all_units($1)
init_stop_generic_units($1)
init_stop_system($1)
init_telinit($1)
')
########################################
## <summary>
## Allow getting init_t rlimit
## </summary>
## <param name="domain">
## <summary>
## Source domain
## </summary>
## </param>
#
interface(`init_getrlimit',`
gen_require(`
type init_t;
')
allow $1 init_t:process getrlimit;
')