2005-06-01 14:17:43 +00:00
|
|
|
## <summary>System initialization programs (init and init scripts).</summary>
|
2005-04-20 19:07:16 +00:00
|
|
|
|
2008-08-29 19:00:02 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Create a file type used for init scripts.
|
|
|
|
## </summary>
|
|
|
|
## <desc>
|
|
|
|
## <p>
|
2010-02-25 21:00:58 +00:00
|
|
|
## Create a file type used for init scripts. It can not be
|
|
|
|
## used in conjunction with init_script_domain(). These
|
|
|
|
## script files are typically stored in the /etc/init.d directory.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## Typically this is used to constrain what services an
|
|
|
|
## admin can start/stop. For example, a policy writer may want
|
|
|
|
## to constrain a web administrator to only being able to
|
|
|
|
## restart the web server, not other services. This special type
|
|
|
|
## will help address that goal.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## This also makes the type usable for files; thus an
|
|
|
|
## explicit call to files_type() is redundant.
|
2008-08-29 19:00:02 +00:00
|
|
|
## </p>
|
|
|
|
## </desc>
|
|
|
|
## <param name="script_file">
|
|
|
|
## <summary>
|
2010-02-25 21:00:58 +00:00
|
|
|
## Type to be used for a script file.
|
2008-08-29 19:00:02 +00:00
|
|
|
## </summary>
|
|
|
|
## </param>
|
2010-02-25 21:00:58 +00:00
|
|
|
## <infoflow type="none"/>
|
2008-08-29 19:00:02 +00:00
|
|
|
#
|
|
|
|
interface(`init_script_file',`
	gen_require(`
		attribute init_script_file_type;
		attribute init_run_all_scripts_domain;
		type initrc_t;
	')

	# Files labeled $1 are init scripts and valid entry points into initrc_t.
	domain_entry_file(initrc_t, $1)
	typeattribute $1 init_script_file_type;

	# Any domain holding init_run_all_scripts_domain transitions to initrc_t
	# when it runs a $1 script. Check which domains carry that attribute
	# before relying on $1 to limit the services an admin can control.
	domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t)
')
|
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Make the specified type usable for
|
|
|
|
## systemd unit files.
|
|
|
|
## </summary>
|
|
|
|
## <param name="type">
|
|
|
|
## <summary>
|
|
|
|
## Type to be used for systemd unit files.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`init_unit_file',`
	gen_require(`
		attribute systemdunit;
	')

	# Tag $1 as a systemd unit type and make it usable as a file type.
	typeattribute $1 systemdunit;
	files_type($1)
')
|
|
|
|
|
2008-08-29 19:00:02 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Create a domain used for init scripts.
|
|
|
|
## </summary>
|
|
|
|
## <desc>
|
|
|
|
## <p>
|
|
|
|
## Create a domain used for init scripts.
|
|
|
|
## Can not be used in conjunction with
|
|
|
|
## init_script_file().
|
|
|
|
## </p>
|
|
|
|
## </desc>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Type to be used as an init script domain.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="script_file">
|
|
|
|
## <summary>
|
|
|
|
## Type of the script file used as an entry point to this domain.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
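interface(`init_script_domain',`
	# init_t and system_r are referenced further down, so they are declared
	# here as well. A caller module that does not already require them
	# would otherwise fail to compile.
	gen_require(`
		type init_t;
		role system_r;
		attribute init_script_domain_type, init_script_file_type;
		attribute init_run_all_scripts_domain;
	')

	# $1 is the script domain, $2 the type of the script file entering it.
	typeattribute $1 init_script_domain_type;
	typeattribute $2 init_script_file_type;

	domain_type($1)
	domain_entry_file($1, $2)

	role system_r types $1;

	# Every domain holding init_run_all_scripts_domain enters $1
	# automatically when it executes a $2 script.
	domtrans_pattern(init_run_all_scripts_domain, $2, $1)

	ifdef(`init_systemd',`
		# Use of the stream socket inherited from init_t; no connect or
		# create permission is granted here.
		allow $1 init_t:unix_stream_socket { getattr read write ioctl };

		# Keep the init_t to $1 transition working when the exec happens
		# under no_new_privs or from a nosuid mount.
		allow init_t $1:process2 { nnp_transition nosuid_transition };
	')
')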
|
|
|
|
|
2005-05-13 20:21:50 +00:00
|
|
|
########################################
|
2005-07-07 15:25:28 +00:00
|
|
|
## <summary>
|
|
|
|
## Create a domain which can be started by init.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-07-07 15:25:28 +00:00
|
|
|
## Type to be used as a domain.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-07 15:25:28 +00:00
|
|
|
## </param>
|
|
|
|
## <param name="entry_point">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-07-07 15:25:28 +00:00
|
|
|
## Type of the program to be used as an entry point to this domain.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-07 15:25:28 +00:00
|
|
|
## </param>
|
2005-05-13 20:21:50 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`init_domain',`
	gen_require(`
		role system_r;
		type init_t;
	')

	# $1 becomes a domain entered through files labeled $2.
	domain_entry_file($1, $2)
	domain_type($1)

	role system_r types $1;

	# Automatic transition: init_t executing a $2 file ends up in $1.
	domtrans_pattern(init_t, $2, $1)

	# The new process inherits its resource limits from init_t.
	allow init_t $1:process rlimitinh;

	ifdef(`init_systemd',`
		# Keep the transition working when the exec happens under
		# no_new_privs or from a nosuid mount. Both permissions relax a
		# kernel default, so they are granted only with init_t as source.
		allow init_t $1:process2 nnp_transition;
		allow init_t $1:process2 nosuid_transition;

		# Use of the stream socket inherited from init_t; no connect or
		# create permission is granted here.
		allow $1 init_t:unix_stream_socket { getattr ioctl read write };
	')
')
|
|
|
|
|
2017-09-12 23:35:31 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Create a domain which can be started by init,
|
|
|
|
## with a range transition.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Type to be used as a domain.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="entry_point">
|
|
|
|
## <summary>
|
|
|
|
## Type of the program to be used as an entry point to this domain.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="range">
|
|
|
|
## <summary>
|
|
|
|
## Range for the domain.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`init_ranged_domain',`
	gen_require(`
		type init_t;
	')

	# Everything init_domain() grants applies; only the range handling
	# below is added on top of it.
	init_domain($1, $2)

	# MLS builds: same range transition, and $1 is additionally marked as
	# a valid range transition target.
	ifdef(`enable_mls',`
		mls_rangetrans_target($1)
		range_transition init_t $2:process $3;
	')

	# MCS builds: a process started by init_t from a $2 file gets range $3.
	ifdef(`enable_mcs',`
		range_transition init_t $2:process $3;
	')
')
|
|
|
|
|
2017-09-12 02:52:14 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Setup a domain which can be manually transitioned to from init.
|
|
|
|
## </summary>
|
|
|
|
## <desc>
|
|
|
|
## <p>
|
|
|
|
## Create a domain used for systemd services where the SELinuxContext
|
|
|
|
## option is specified in the .service file. This allows for the
|
|
|
|
## manual transition from systemd into the new domain. This is used
|
|
|
|
## when automatic transitions won't work. Used for the case where the
|
|
|
|
## same binary is used for multiple target domains.
|
|
|
|
## </p>
|
|
|
|
## </desc>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Type to be used as a domain.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="entry_point">
|
|
|
|
## <summary>
|
|
|
|
## Type of the program being executed when starting this domain.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`init_spec_daemon_domain',`
	gen_require(`
		attribute daemon;
		role system_r;
		type init_t;
	')

	typeattribute $1 daemon;

	domain_type($1)
	domain_entry_file($1, $2)

	role system_r types $1;

	# spec_domtrans_pattern is used here instead of domtrans_pattern:
	# the transition into $1 has to be requested explicitly by init_t.
	spec_domtrans_pattern(init_t, $2, $1)

	# The new process inherits its resource limits from init_t.
	allow init_t $1:process rlimitinh;

	ifdef(`init_systemd',`
		# Keep the transition working when the exec happens under
		# no_new_privs or from a nosuid mount.
		allow init_t $1:process2 nnp_transition;
		allow init_t $1:process2 nosuid_transition;

		# Use of the stream socket inherited from init_t only.
		allow $1 init_t:unix_stream_socket { getattr ioctl read write };
	')

	# Daemons started from init inherit console fds from init. These are
	# dontaudit rules: the access stays denied and the denial is not
	# logged. Rebuild with semodule -DB when such a denial has to be
	# diagnosed.
	term_dontaudit_use_console($1)
	init_dontaudit_use_fds($1)

	# Init script ptys are stdin/stdout/stderr when run_init is used.
	init_use_script_ptys($1)

	ifdef(`direct_sysadm_daemon',`
		userdom_dontaudit_use_user_terminals($1)
	')
')
|
|
|
|
|
2005-05-13 20:21:50 +00:00
|
|
|
########################################
|
2005-07-07 15:25:28 +00:00
|
|
|
## <summary>
|
|
|
|
## Create a domain for long running processes
|
2010-02-25 21:00:58 +00:00
|
|
|
## (daemons/services) which are started by init scripts.
|
2005-07-07 15:25:28 +00:00
|
|
|
## </summary>
|
2010-02-25 21:00:58 +00:00
|
|
|
## <desc>
|
|
|
|
## <p>
|
|
|
|
## Create a domain for long running processes (daemons/services)
|
|
|
|
## which are started by init scripts. Short running processes
|
|
|
|
## should use the init_system_domain() interface instead.
|
|
|
|
## Typically all long running processes started by an init
|
|
|
|
## script (usually in /etc/init.d) will need to use this
|
|
|
|
## interface.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## The types will be made usable as a domain and file, making
|
|
|
|
## calls to domain_type() and files_type() redundant.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## If the process must also run in a specific MLS/MCS level,
|
|
|
|
## the init_ranged_daemon_domain() should be used instead.
|
|
|
|
## </p>
|
|
|
|
## </desc>
|
2005-07-07 15:25:28 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2010-02-25 21:00:58 +00:00
|
|
|
## Type to be used as a daemon domain.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-07 15:25:28 +00:00
|
|
|
## </param>
|
|
|
|
## <param name="entry_point">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-07-07 15:25:28 +00:00
|
|
|
## Type of the program to be used as an entry point to this domain.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-07 15:25:28 +00:00
|
|
|
## </param>
|
2010-02-25 21:00:58 +00:00
|
|
|
## <infoflow type="read" weight="10"/>
|
2005-05-13 20:21:50 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`init_daemon_domain',`
	gen_require(`
		attribute daemon;
		role system_r;
		type init_t;
		type initrc_t;
	')

	typeattribute $1 daemon;

	domain_type($1)
	domain_entry_file($1, $2)

	role system_r types $1;

	# Init scripts running as initrc_t enter $1 automatically when they
	# execute a $2 file.
	domtrans_pattern(initrc_t, $2, $1)

	# The daemon inherits its resource limits from init_t.
	allow init_t $1:process rlimitinh;

	# Daemons started from init inherit console fds from init. These are
	# dontaudit rules: the access stays denied and the denial is not
	# logged. Rebuild with semodule -DB when such a denial has to be
	# diagnosed.
	term_dontaudit_use_console($1)
	init_dontaudit_use_fds($1)

	# Init script ptys are stdin/stdout/stderr when run_init is used.
	init_use_script_ptys($1)

	ifdef(`direct_sysadm_daemon',`
		userdom_dontaudit_use_user_terminals($1)
	')

	ifdef(`init_systemd',`
		# On systemd builds init_t starts the daemon directly, so the
		# init_t transition rules of init_domain() are added as well.
		init_domain($1, $2)

		allow $1 init_t:unix_dgram_socket sendto;
	')

	optional_policy(`
		nscd_use($1)
	')
')
|
|
|
|
|
2006-10-04 17:25:34 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Create a domain for long running processes
|
2010-02-25 21:00:58 +00:00
|
|
|
## (daemons/services) which are started by init scripts,
|
|
|
|
## running at a specified MLS/MCS range.
|
2006-10-04 17:25:34 +00:00
|
|
|
## </summary>
|
2010-02-25 21:00:58 +00:00
|
|
|
## <desc>
|
|
|
|
## <p>
|
|
|
|
## Create a domain for long running processes (daemons/services)
|
|
|
|
## which are started by init scripts, running at a specified
|
|
|
|
## MLS/MCS range. Short running processes
|
|
|
|
## should use the init_ranged_system_domain() interface instead.
|
|
|
|
## Typically all long running processes started by an init
|
|
|
|
## script (usually in /etc/init.d) will need to use this
|
|
|
|
## interface if they need to run in a specific MLS/MCS range.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## The types will be made usable as a domain and file, making
|
|
|
|
## calls to domain_type() and files_type() redundant.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## If the policy build option TYPE is standard (MLS and MCS disabled),
|
|
|
|
## this interface has the same behavior as init_daemon_domain().
|
|
|
|
## </p>
|
|
|
|
## </desc>
|
2006-10-04 17:25:34 +00:00
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
2010-02-25 21:00:58 +00:00
|
|
|
## Type to be used as a daemon domain.
|
2006-10-04 17:25:34 +00:00
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="entry_point">
|
|
|
|
## <summary>
|
|
|
|
## Type of the program to be used as an entry point to this domain.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="range">
|
|
|
|
## <summary>
|
2010-02-25 21:00:58 +00:00
|
|
|
## MLS/MCS range for the domain.
|
2006-10-04 17:25:34 +00:00
|
|
|
## </summary>
|
|
|
|
## </param>
|
2010-02-25 21:00:58 +00:00
|
|
|
## <infoflow type="read" weight="10"/>
|
2006-10-04 17:25:34 +00:00
|
|
|
#
|
|
|
|
interface(`init_ranged_daemon_domain',`
	gen_require(`
		type initrc_t;
	')

	# NOTE(review): the systemd branch calls only init_ranged_domain(), so
	# $1 does not receive the daemon attribute or the other rules that
	# init_daemon_domain() adds in the second branch. Confirm this
	# difference is intended.
	ifdef(`init_systemd',`
		init_ranged_domain($1, $2, $3)
	',`
		init_daemon_domain($1, $2)

		# MLS builds: range transition from initrc_t, and $1 is marked
		# as a valid range transition target.
		ifdef(`enable_mls',`
			mls_rangetrans_target($1)
			range_transition initrc_t $2:process $3;
		')

		# MCS builds: a process started by initrc_t from a $2 file
		# gets range $3.
		ifdef(`enable_mcs',`
			range_transition initrc_t $2:process $3;
		')
	')
')
|
2006-10-04 17:25:34 +00:00
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
#########################################
|
|
|
|
## <summary>
|
|
|
|
## Abstract socket service activation (systemd).
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## The domain to be started by systemd socket activation.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`init_abstract_socket_activation',`
	# Expands to nothing unless the policy is built with init_systemd.
	ifdef(`init_systemd',`
		gen_require(`
			type init_t;
		')

		# init_t gets the create_stream_socket_perms set on unix stream
		# sockets labeled with the $1 domain.
		allow init_t $1:unix_stream_socket create_stream_socket_perms;
	')
')
|
|
|
|
|
|
|
|
#########################################
|
|
|
|
## <summary>
|
|
|
|
## Named socket service activation (systemd).
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## The domain to be started by systemd socket activation.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="sock_file">
|
|
|
|
## <summary>
|
|
|
|
## The domain socket file type.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`init_named_socket_activation',`
	# Expands to nothing unless the policy is built with init_systemd.
	ifdef(`init_systemd',`
		gen_require(`
			type init_t;
		')

		# Sockets labeled with the $1 domain: init_t may create and use
		# both stream and datagram unix sockets.
		allow init_t $1:unix_stream_socket create_stream_socket_perms;
		allow init_t $1:unix_dgram_socket create_socket_perms;

		# File system objects labeled $2: init_t gets full manage access
		# to directories, fifos and socket files. Keep $2 specific to the
		# service so this does not widen what init_t can modify.
		allow init_t $2:sock_file manage_sock_file_perms;
		allow init_t $2:fifo_file manage_fifo_file_perms;
		allow init_t $2:dir manage_dir_perms;
	')
')
|
|
|
|
|
2005-05-13 20:21:50 +00:00
|
|
|
########################################
|
2005-07-07 15:25:28 +00:00
|
|
|
## <summary>
|
|
|
|
## Create a domain for short running processes
|
2010-02-25 21:00:58 +00:00
|
|
|
## which are started by init scripts.
|
2005-07-07 15:25:28 +00:00
|
|
|
## </summary>
|
2010-02-25 21:00:58 +00:00
|
|
|
## <desc>
|
|
|
|
## <p>
|
2011-04-27 14:42:47 +00:00
|
|
|
## Create a domain for short running processes
|
2010-02-25 21:00:58 +00:00
|
|
|
## which are started by init scripts. These are generally applications that
|
|
|
|
## are used to initialize the system during boot.
|
2011-04-27 14:42:47 +00:00
|
|
|
## Long running processes, such as daemons/services
|
2010-02-25 21:00:58 +00:00
|
|
|
## should use the init_daemon_domain() interface instead.
|
|
|
|
## Typically all short running processes started by an init
|
|
|
|
## script (usually in /etc/init.d) will need to use this
|
2010-12-15 19:50:28 +00:00
|
|
|
## interface.
|
2010-02-25 21:00:58 +00:00
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## The types will be made usable as a domain and file, making
|
|
|
|
## calls to domain_type() and files_type() redundant.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## If the process must also run in a specific MLS/MCS level,
|
|
|
|
## the init_ranged_system_domain() should be used instead.
|
|
|
|
## </p>
|
|
|
|
## </desc>
|
2005-07-07 15:25:28 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2010-02-25 21:00:58 +00:00
|
|
|
## Type to be used as a system domain.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-07 15:25:28 +00:00
|
|
|
## </param>
|
|
|
|
## <param name="entry_point">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-07-07 15:25:28 +00:00
|
|
|
## Type of the program to be used as an entry point to this domain.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-07 15:25:28 +00:00
|
|
|
## </param>
|
2010-02-25 21:00:58 +00:00
|
|
|
## <infoflow type="read" weight="10"/>
|
2005-05-13 20:21:50 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`init_system_domain',`
	gen_require(`
		attribute systemprocess;
		role system_r;
		type initrc_t;
	')

	# $1 is set up through application_domain() with $2 as entry file,
	# and tagged as a system process.
	application_domain($1, $2)
	typeattribute $1 systemprocess;

	role system_r types $1;

	# Init scripts running as initrc_t enter $1 automatically when they
	# execute a $2 file.
	domtrans_pattern(initrc_t, $2, $1)

	ifdef(`init_systemd',`
		# On systemd builds init_t starts the program directly, so the
		# init_t transition rules of init_domain() are added as well.
		init_domain($1, $2)
	')
')
|
|
|
|
|
2006-10-04 17:25:34 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Create a domain for short running processes
|
2010-02-25 21:00:58 +00:00
|
|
|
## which are started by init scripts.
|
2006-10-04 17:25:34 +00:00
|
|
|
## </summary>
|
2010-02-25 21:00:58 +00:00
|
|
|
## <desc>
|
|
|
|
## <p>
|
|
|
|
## Create a domain for short running processes
|
|
|
|
## which are started by init scripts.
|
|
|
|
## These are generally applications that
|
|
|
|
## are used to initialize the system during boot.
|
|
|
|
## Long running processes
|
|
|
|
## should use the init_ranged_daemon_domain() interface instead.
|
|
|
|
## Typically all short running processes started by an init
|
|
|
|
## script (usually in /etc/init.d) will need to use this
|
|
|
|
## interface if they need to run in a specific MLS/MCS range.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## The types will be made usable as a domain and file, making
|
|
|
|
## calls to domain_type() and files_type() redundant.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## If the policy build option TYPE is standard (MLS and MCS disabled),
|
|
|
|
## this interface has the same behavior as init_system_domain().
|
|
|
|
## </p>
|
|
|
|
## </desc>
|
2006-10-04 17:25:34 +00:00
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
2010-02-25 21:00:58 +00:00
|
|
|
## Type to be used as a system domain.
|
2006-10-04 17:25:34 +00:00
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="entry_point">
|
|
|
|
## <summary>
|
|
|
|
## Type of the program to be used as an entry point to this domain.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="range">
|
|
|
|
## <summary>
|
|
|
|
## Range for the domain.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
2010-02-25 21:00:58 +00:00
|
|
|
## <infoflow type="read" weight="10"/>
|
2006-10-04 17:25:34 +00:00
|
|
|
#
|
|
|
|
interface(`init_ranged_system_domain',`
	gen_require(`
		type initrc_t;
	')

	# NOTE(review): the systemd branch calls only init_ranged_domain(), so
	# $1 does not receive the systemprocess attribute or the
	# application_domain() setup that init_system_domain() adds in the
	# second branch. Confirm this difference is intended.
	ifdef(`init_systemd',`
		init_ranged_domain($1, $2, $3)
	',`
		init_system_domain($1, $2)

		# MLS builds: range transition from initrc_t, and $1 is marked
		# as a valid range transition target.
		ifdef(`enable_mls',`
			mls_rangetrans_target($1)
			range_transition initrc_t $2:process $3;
		')

		# MCS builds: a process started by initrc_t from a $2 file
		# gets range $3.
		ifdef(`enable_mcs',`
			range_transition initrc_t $2:process $3;
		')
	')
')
|
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
######################################
|
|
|
|
## <summary>
|
|
|
|
## Allow domain dyntransition to init_t domain.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed to transition.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`init_dyntrans',`
	gen_require(`
		type init_t;
	')

	# A dynamic transition changes the context of a running process
	# without an exec. Any $1 process can therefore become init_t, the
	# domain of the init program, so callers of this interface should be
	# few and easy to audit.
	dyntrans_pattern($1, init_t)
')
|
|
|
|
|
Support initrc_t generated pid files with file transition
For some daemons, it is the init script that is responsible for creating
the PID file of the daemon. As we do not want to update the init SELinux
policy module for each of these situations, we need to introduce an
interface that can be called by the SELinux policy module of the caller
(the daemon domain).
The initial suggestion was to transform the init_daemon_run_dir
interface, which offers a similar approach for directories in /run, into
a class-agnostic interface. Several names have been suggested, such as
init_script_spec_run_content or init_script_generic_run_filetrans_spec,
but in the end init_daemon_pid_file was used.
The interface requires the class(es) on which the file transition should
occur, like so:
init_daemon_pid_file(xdm_var_run_t, dir, "xdm")
init_daemon_pid_file(postgresql_var_run_t, file, "postgresql.pid")
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-06-25 19:53:00 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Mark the file type as a daemon pid file, allowing initrc_t
|
|
|
|
## to create it
|
|
|
|
## </summary>
|
|
|
|
## <param name="filetype">
|
|
|
|
## <summary>
|
|
|
|
## Type to mark as a daemon pid file
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="class">
|
|
|
|
## <summary>
|
|
|
|
## Class on which the type is applied
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="filename">
|
|
|
|
## <summary>
|
|
|
|
## Filename of the file that the init script creates
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`init_daemon_pid_file',`
	gen_require(`
		type initrc_t;
		attribute daemonpidfile;
	')

	# $1 becomes a pid file type and is tagged as a daemon pid file.
	files_pid_file($1)
	typeattribute $1 daemonpidfile;

	# File transition for initrc_t: an object of class $2 named $3 that
	# an init script creates in the pid directory is labeled $1.
	files_pid_filetrans(initrc_t, $1, $2, $3)
')
|
|
|
|
|
2017-01-05 11:14:08 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Mark the file type as a daemon lock file, allowing initrc_t
|
|
|
|
## to create it
|
|
|
|
## </summary>
|
|
|
|
## <param name="filetype">
|
|
|
|
## <summary>
|
|
|
|
## Type to mark as a daemon lock file
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="class">
|
|
|
|
## <summary>
|
|
|
|
## Class on which the type is applied
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="filename">
|
|
|
|
## <summary>
|
|
|
|
## Filename of the file that the init script creates
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`init_daemon_lock_file',`
	gen_require(`
		type initrc_t;
	')

	files_lock_file($1)

	# initrc_t may fully manage files and directories labeled $1,
	# independent of the class passed as $2.
	allow initrc_t $1:file manage_file_perms;
	allow initrc_t $1:dir manage_dir_perms;

	# File transition for initrc_t: an object of class $2 named $3 that
	# an init script creates in the lock directory is labeled $1.
	files_lock_filetrans(initrc_t, $1, $2, $3)
')
|
|
|
|
|
2005-04-14 20:18:17 +00:00
|
|
|
########################################
|
2006-05-10 18:09:08 +00:00
|
|
|
## <summary>
|
|
|
|
## Execute init (/sbin/init) with a domain transition.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
2010-08-05 13:10:15 +00:00
|
|
|
## Domain allowed to transition.
|
2006-05-10 18:09:08 +00:00
|
|
|
## </summary>
|
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`init_domtrans',`
	gen_require(`
		type init_exec_t;
		type init_t;
	')

	# $1 ends up in init_t automatically when it executes a file labeled
	# init_exec_t. This is a path into the init domain, so keep the set
	# of callers small.
	domtrans_pattern($1, init_exec_t, init_t)
')
|
|
|
|
|
2019-04-19 15:50:59 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Execute init (/sbin/init) with a domain transition
|
|
|
|
## to the provided domain.
|
|
|
|
## </summary>
|
|
|
|
## <desc>
|
|
|
|
## Execute init (/sbin/init) with a domain transition
|
|
|
|
## to the provided domain. This is used by systemd
|
|
|
|
## to execute the systemd user session.
|
|
|
|
## </desc>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed to transition.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## New domain.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`init_pgm_spec_user_daemon_domain',`
	gen_require(`
		type init_exec_t;
		type init_t;
	')

	# Only $1 is referenced in this body: it is the new domain, entered
	# from init_t through the init binary itself.
	domain_type($1)
	domain_entry_file($1, init_exec_t)

	# spec_domtrans_pattern: the transition has to be requested
	# explicitly by init_t.
	spec_domtrans_pattern(init_t, init_exec_t, $1)

	# noatsecure switches off the secure-exec (AT_SECURE) handling for
	# this transition, so $1 trusts the environment handed over by
	# init_t. rlimitinh keeps the resource limits of init_t and setsched
	# lets init_t set the scheduling parameters of the new process.
	allow init_t $1:process { noatsecure rlimitinh setsched };

	ifdef(`init_systemd',`
		# Use of the stream socket inherited from init_t only.
		allow $1 init_t:unix_stream_socket { getattr ioctl read write };
	')
')
|
|
|
|
|
2005-09-15 15:34:31 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Execute the init program in the caller domain.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-09-15 15:34:31 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-09-15 15:34:31 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-09-15 15:34:31 +00:00
|
|
|
#
|
|
|
|
interface(`init_exec',`
	gen_require(`
		type init_exec_t;
	')

	# Execution without a domain transition: the init binary runs with
	# the access of $1, not of init_t.
	can_exec($1, init_exec_t)
	corecmd_search_bin($1)
')
|
|
|
|
|
2019-04-19 15:50:59 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Allow the init program to be an entrypoint
|
|
|
|
## for the specified domain.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <rolecap/>
|
|
|
|
#
|
|
|
|
interface(`init_pgm_entrypoint',`
	gen_require(`
		type init_exec_t;
	')

	# entrypoint only marks init_exec_t as a permitted entry file for $1.
	# The process transition into $1 still has to be allowed separately.
	allow $1 init_exec_t:file entrypoint;
')
|
|
|
|
|
2011-09-03 14:19:27 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Execute the rc application in the caller domain.
|
|
|
|
## </summary>
|
|
|
|
## <desc>
|
|
|
|
## <p>
|
2011-09-06 18:00:58 +00:00
|
|
|
## This is only applicable to Gentoo or distributions that use the OpenRC
|
|
|
|
## init system.
|
2011-09-03 14:19:27 +00:00
|
|
|
## </p>
|
|
|
|
## <p>
|
2011-09-06 18:00:58 +00:00
|
|
|
## The OpenRC /sbin/rc binary is used for both init scripts as well as
|
|
|
|
## management applications and tools. When used for management purposes,
|
|
|
|
## calling /sbin/rc should never cause a transition to initrc_t.
|
2011-09-03 14:19:27 +00:00
|
|
|
## </p>
|
|
|
|
## </desc>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
2011-09-06 17:58:04 +00:00
|
|
|
interface(`init_exec_rc',`
	gen_require(`
		type rc_exec_t;
	')

	# Execution without a domain transition: the rc binary stays in the
	# caller domain $1 and does not enter initrc_t.
	can_exec($1, rc_exec_t)
	corecmd_search_bin($1)
')
|
|
|
|
|
2005-05-09 15:38:06 +00:00
|
|
|
########################################
|
2006-05-10 18:09:08 +00:00
|
|
|
## <summary>
|
|
|
|
## Get the process group of init.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
2005-05-09 15:38:06 +00:00
|
|
|
#
|
2006-02-02 21:08:12 +00:00
|
|
|
interface(`init_getpgid',`
	gen_require(`
		type init_t;
	')

	# Read-only query of the process group of init_t processes.
	allow $1 init_t:process getpgid;
')
|
|
|
|
|
2017-06-09 13:37:16 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Send init a generic signal.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`init_signal',`
	gen_require(`
		type init_t;
	')

	# The signal permission covers generic signals. SIGKILL, SIGSTOP,
	# SIGCHLD and the null signal have their own permissions and are not
	# granted here.
	allow $1 init_t:process signal;
')
|
|
|
|
|
2005-04-14 20:18:17 +00:00
|
|
|
########################################
|
2005-08-31 15:25:12 +00:00
|
|
|
## <summary>
|
|
|
|
## Send init a null signal.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-08-31 15:25:12 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-08-31 15:25:12 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-08-31 15:25:12 +00:00
|
|
|
interface(`init_signull',`
	gen_require(`
		type init_t;
	')

	# The null signal delivers nothing; it only tells the sender whether
	# the init process exists and may be signalled.
	allow $1 init_t:process signull;
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Send init a SIGCHLD signal.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-08-31 15:25:12 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-08-31 15:25:12 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`init_sigchld',`
	gen_require(`
		type init_t;
	')

	# Lets $1 send SIGCHLD to init_t; no other signal is covered.
	allow $1 init_t:process sigchld;
')
|
|
|
|
|
2010-10-04 18:23:41 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Connect to init with a unix socket.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`init_stream_connect',`
	gen_require(`
		type init_t;
		type init_var_run_t;
	')

	# Reach the socket file: search the pid directory, then connect to
	# the stream socket served by init_t through a socket file labeled
	# init_var_run_t in a directory of the same type.
	files_search_pids($1)
	stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)

	allow $1 init_t:unix_stream_socket getattr;
')
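########################################
## <summary>
##	Inherit and use file descriptors from init.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to inherit file
##	descriptors from the init program (process ID 1).
##	Typically the only file descriptors to be
##	inherited from init are for the console.
##	This does not allow the domain any access to
##	the object to which the file descriptors refer.
##	</p>
##	<p>
##	Related interfaces:
##	</p>
##	<ul>
##		<li>init_dontaudit_use_fds()</li>
##		<li>term_dontaudit_use_console()</li>
##		<li>term_use_console()</li>
##	</ul>
##	<p>
##	Example usage:
##	</p>
##	<p>
##	init_use_fds(mydomain_t)
##	term_use_console(mydomain_t)
##	</p>
##	<p>
##	Normally, processes that can inherit these file
##	descriptors (usually services) write messages to the
##	system log instead of writing to the console.
##	Therefore, in many cases, this access should be
##	dontaudited instead.
##	</p>
##	<p>
##	Example dontaudit usage:
##	</p>
##	<p>
##	init_dontaudit_use_fds(mydomain_t)
##	term_dontaudit_use_console(mydomain_t)
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="1"/>
#
interface(`init_use_fds',`
	gen_require(`
		type init_t;
	')

	# fd use only: access to the object behind each inherited descriptor
	# still needs its own rule (for example term_use_console).
	allow $1 init_t:fd use;
')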
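########################################
## <summary>
##	Do not audit attempts to inherit file
##	descriptors from init.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_use_fds',`
	gen_require(`
		type init_t;
	')

	# dontaudit grants nothing: the access stays denied and only the
	# AVC denial record is suppressed.
	dontaudit $1 init_t:fd use;
')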
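########################################
## <summary>
##	Send messages to init unix datagram sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`init_dgram_send',`
	gen_require(`
		type init_t, init_var_run_t;
	')

	# Datagram send to init_t through socket files labeled init_var_run_t.
	dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t)
	files_search_pids($1)
	# NOTE(review): this is getattr on a stream socket inside a
	# datagram-send interface, the same rule init_stream_connect carries.
	# Confirm callers need it; otherwise it is extra access.
	allow $1 init_t:unix_stream_socket getattr;
')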
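########################################
## <summary>
##	Read and write to inherited init unix streams.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_rw_inherited_stream_socket',`
	gen_require(`
		type init_t;
	')

	# Explicit minimal set: getattr, read, write and ioctl. Nothing here
	# lets the caller open a new connection to init.
	allow $1 init_t:unix_stream_socket { getattr read write ioctl };
')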
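########################################
## <summary>
##	Allow the specified domain to read/write to
##	init with unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_rw_stream_sockets',`
	gen_require(`
		type init_t;
	')

	# rw_stream_socket_perms is a permission set defined outside this
	# file. NOTE(review): presumably wider than the four permissions in
	# init_rw_inherited_stream_socket; prefer that interface when only
	# inherited sockets are used.
	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
')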
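########################################
## <summary>
##	start service (systemd).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_start_system',`
	gen_require(`
		type init_t;
	')

	# NOTE(review): the summary says service, but the rule is on the
	# system class of init_t. Start on the service class is granted by
	# init_service_start and by the script and unit interfaces.
	allow $1 init_t:system start;
')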
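########################################
## <summary>
##	stop service (systemd).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_stop_system',`
	gen_require(`
		type init_t;
	')

	# NOTE(review): the summary says service, but the rule is on the
	# system class of init_t, not on the service class of a unit or
	# script type.
	allow $1 init_t:system stop;
')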
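########################################
## <summary>
##	Get all service status (systemd).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_get_system_status',`
	gen_require(`
		type init_t;
	')

	# Status on the system class of init_t. Read-only query permission;
	# start, stop, enable and the rest are separate interfaces.
	allow $1 init_t:system status;
')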
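########################################
## <summary>
##	Enable all systemd services (systemd).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_enable',`
	gen_require(`
		type init_t;
	')

	# Enable on the system class of init_t. It is not scoped to any one
	# unit type, so treat it as an administrative permission.
	allow $1 init_t:system enable;
')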
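########################################
## <summary>
##	Disable all services (systemd).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_disable',`
	gen_require(`
		type init_t;
	')

	# Disable on the system class of init_t. It is not scoped to any one
	# unit type, so treat it as an administrative permission.
	allow $1 init_t:system disable;
')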
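########################################
## <summary>
##	Reload all services (systemd).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_reload',`
	gen_require(`
		type init_t;
	')

	# Reload on the system class of init_t, not on an individual unit type.
	allow $1 init_t:system reload;
')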
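########################################
## <summary>
##	Reboot the system (systemd).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_reboot_system',`
	gen_require(`
		type init_t;
	')

	# Availability-sensitive: the caller may request a reboot through
	# init. Keep this to administrative domains.
	allow $1 init_t:system reboot;
')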
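########################################
## <summary>
##	Shutdown (halt) the system (systemd).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_shutdown_system',`
	gen_require(`
		type init_t;
	')

	# The permission name is halt even though the interface is named
	# shutdown. Availability-sensitive; keep to administrative domains.
	allow $1 init_t:system halt;
')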
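########################################
## <summary>
##	Allow specified domain to get init status
## </summary>
## <param name="domain">
##	<summary>
##	Domain to allow access.
##	</summary>
## </param>
#
interface(`init_service_status',`
	gen_require(`
		type init_t;
		class service status;
	')

	# Service class on the init_t label itself, as opposed to the system
	# class used by init_get_system_status.
	allow $1 init_t:service status;
')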
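########################################
## <summary>
##	Allow specified domain to get init start
## </summary>
## <param name="domain">
##	<summary>
##	Domain to allow access.
##	</summary>
## </param>
#
interface(`init_service_start',`
	gen_require(`
		type init_t;
		class service start;
	')

	# NOTE(review): the summary wording is unclear. What the rule grants
	# is start on the service class of the init_t label; this is distinct
	# from init_start_system, which uses the system class.
	allow $1 init_t:service start;
')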
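########################################
## <summary>
##	Send and receive messages from
##	systemd over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_dbus_chat',`
	gen_require(`
		type init_t;
		class dbus send_msg;
	')

	# Two-way: the caller may send to init, and init may send to the
	# caller. This only covers the dbus send_msg check; the per-method
	# system and service checks are granted by other interfaces.
	allow $1 init_t:dbus send_msg;
	allow init_t $1:dbus send_msg;
')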
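########################################
## <summary>
##	read/follow symlinks under /var/lib/systemd/
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_read_var_lib_links',`
	gen_require(`
		type init_var_lib_t;
	')

	# NOTE(review): unlike init_manage_var_lib_files, there is no
	# files_search_var_lib call here, so search access to the parent
	# directory must come from elsewhere. Confirm this is intended.
	allow $1 init_var_lib_t:dir list_dir_perms;
	allow $1 init_var_lib_t:lnk_file read_lnk_file_perms;
')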
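########################################
## <summary>
##	List /var/lib/systemd/ dir
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_list_var_lib_dirs',`
	gen_require(`
		type init_var_lib_t;
	')

	# Directory class only: listing names, no access to file contents.
	allow $1 init_var_lib_t:dir list_dir_perms;
')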
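########################################
## <summary>
##	Relabel dirs in /var/lib/systemd/.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_relabel_var_lib_dirs',`
	gen_require(`
		type init_var_lib_t;
	')

	# Both directions for directories of this type. A relabel also needs
	# the matching permission on the other type involved, which this
	# rule does not grant.
	allow $1 init_var_lib_t:dir { relabelfrom relabelto };
')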
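########################################
## <summary>
##	Manage files in /var/lib/systemd/.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_manage_var_lib_files',`
	gen_require(`
		type init_var_lib_t;
	')

	# manage_files_pattern is defined outside this file; presumably
	# create, modify and delete on regular files (verify the expansion).
	# NOTE(review): write access to files of this type is sensitive,
	# since they sit under the systemd state directory.
	manage_files_pattern($1, init_var_lib_t, init_var_lib_t)
	files_search_var_lib($1)
')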
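########################################
## <summary>
##	Create files in /var/lib/systemd
##	with an automatic type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="type">
##	<summary>
##	The type of object to be created
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The object class.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`init_var_lib_filetrans',`
	gen_require(`
		type init_var_lib_t;
	')

	files_search_var_lib($1)
	# Objects of the given class that the caller creates in an
	# init_var_lib_t directory get the given type (second argument).
	# The fourth argument is the optional object name from the header.
	filetrans_pattern($1, init_var_lib_t, $2, $3, $4)
')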
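######################################
## <summary>
##	Allow searching of the /run/systemd directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_search_pids',`
	gen_require(`
		type init_var_run_t;
	')

	# Search only: path traversal through init_var_run_t directories,
	# without the right to list their entries.
	# NOTE(review): init_list_pids also calls files_search_pids for the
	# parent directory; this interface does not.
	allow $1 init_var_run_t:dir search_dir_perms;
')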
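######################################
## <summary>
##	Allow listing of the /run/systemd directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_list_pids',`
	gen_require(`
		type init_var_run_t;
	')

	# Directory listing only; files and sockets inside need their own rules.
	allow $1 init_var_run_t:dir list_dir_perms;
	files_search_pids($1)
')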
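########################################
## <summary>
##	Create files in an init PID directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="file_type">
##	<summary>
##	The type of the object to be created
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The object class.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`init_pid_filetrans',`
	gen_require(`
		type init_var_run_t;
	')

	files_search_pids($1)
	# Objects of the given class that the caller creates in an
	# init_var_run_t directory get the given type (second argument).
	# The fourth argument is the optional object name from the header.
	filetrans_pattern($1, init_var_run_t, $2, $3, $4)
')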
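########################################
## <summary>
##	Get the attributes of initctl.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_getattr_initctl',`
	gen_require(`
		type initctl_t;
	')

	# Both a pid directory search and a device node listing are granted,
	# presumably because the fifo location differs between systems.
	files_search_pids($1)
	dev_list_all_dev_nodes($1)
	# getattr on the fifo only; no read or write.
	allow $1 initctl_t:fifo_file getattr;
')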
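########################################
## <summary>
##	Do not audit attempts to get the
##	attributes of initctl.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_getattr_initctl',`
	gen_require(`
		type initctl_t;
	')

	# Grants nothing: the getattr stays denied, only the AVC denial
	# record is suppressed.
	dontaudit $1 initctl_t:fifo_file getattr;
')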
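########################################
## <summary>
##	Write to initctl.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_write_initctl',`
	gen_require(`
		type initctl_t;
	')

	dev_list_all_dev_nodes($1)
	files_search_pids($1)
	# initctl is the fifo that init_telinit reads and writes. Write
	# access is presumably enough to submit requests to init, so review
	# callers as privileged.
	allow $1 initctl_t:fifo_file write;
')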
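########################################
## <summary>
##	Use telinit (Read and write initctl).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`init_telinit',`
	gen_require(`
		type initctl_t, init_t;
	')

	# NOTE(review): this interface is broader than its summary. Besides
	# the initctl fifo it grants process inspection of init, a generic
	# signal to init, datagram and stream socket access to init, and
	# execution of bin files and of init itself.
	ps_process_pattern($1, init_t)
	allow $1 init_t:process signal;
	# upstart uses a datagram socket instead of initctl pipe
	allow $1 self:unix_dgram_socket create_socket_perms;
	allow $1 init_t:unix_dgram_socket sendto;
	#576913
	# NOTE(review): 576913 above reads like a bug tracker id, but the
	# tracker is not named here; record the source next to it.
	allow $1 init_t:unix_stream_socket connectto;

	allow $1 initctl_t:fifo_file rw_fifo_file_perms;

	corecmd_exec_bin($1)

	dev_list_all_dev_nodes($1)
	files_search_pids($1)

	init_exec($1)
')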
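########################################
## <summary>
##	Read and write initctl.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_rw_initctl',`
	gen_require(`
		type initctl_t;
	')

	dev_list_all_dev_nodes($1)
	files_search_pids($1)
	# Same fifo rule as in init_telinit, without the signal, socket and
	# exec access that interface adds.
	allow $1 initctl_t:fifo_file rw_fifo_file_perms;
')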
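########################################
## <summary>
##	Do not audit attempts to read and
##	write initctl.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_rw_initctl',`
	gen_require(`
		type initctl_t;
	')

	# Grants nothing; hides read and write denials on the fifo. Other
	# permissions on it are still audited when denied.
	dontaudit $1 initctl_t:fifo_file { read write };
')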
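########################################
## <summary>
##	Make init scripts an entry point for
##	the specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# cjp: added for gentoo integrated run_init
interface(`init_script_file_entry_type',`
	gen_require(`
		type initrc_exec_t;
	')

	# Marks initrc_exec_t as an entry file for the given domain. The
	# macro is defined outside this file; presumably the transition
	# into the domain still has to be allowed separately (verify).
	domain_entry_file($1, initrc_exec_t)
')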
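########################################
## <summary>
##	Execute init scripts with a specified domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`init_spec_domtrans_script',`
	gen_require(`
		type initrc_t, initrc_exec_t;
	')

	files_list_etc($1)
	# Specified transition: presumably allowed without an automatic
	# type_transition, so the caller has to request initrc_t (verify
	# against the pattern definition, which is outside this file).
	spec_domtrans_pattern($1, initrc_exec_t, initrc_t)

	ifdef(`distro_gentoo',`
		gen_require(`
			type rc_exec_t;
		')

		# NOTE(review): on Gentoo this branch uses domtrans_pattern, not
		# the spec_ variant, for rc_exec_t. Confirm the automatic
		# transition is intended inside a spec_domtrans interface.
		domtrans_pattern($1, rc_exec_t, initrc_t)
	')

	# Pin the range of the new process: s0 under MCS, and the full
	# s0 - mls_systemhigh range under MLS.
	ifdef(`enable_mcs',`
		range_transition $1 initrc_exec_t:process s0;
	')

	ifdef(`enable_mls',`
		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
	')
')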
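########################################
## <summary>
##	Execute init scripts with an automatic domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`init_domtrans_script',`
	gen_require(`
		type initrc_t, initrc_exec_t;
	')

	files_list_etc($1)
	# Automatic transition to initrc_t on executing an initrc_exec_t file.
	domtrans_pattern($1, initrc_exec_t, initrc_t)

	# Pin the range of the new process: s0 under MCS, and the full
	# s0 - mls_systemhigh range under MLS.
	ifdef(`enable_mcs',`
		range_transition $1 initrc_exec_t:process s0;
	')

	ifdef(`enable_mls',`
		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
	')
')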
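########################################
## <summary>
##	Execute labelled init scripts with an automatic domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`init_domtrans_labeled_script',`
	gen_require(`
		type initrc_t;
		attribute init_script_file_type;
		attribute initrc_transition_domain;
	')

	# Side effect on the caller: its type joins the
	# initrc_transition_domain attribute, so any rule written against
	# that attribute elsewhere in the policy now applies to it.
	typeattribute $1 initrc_transition_domain;

	files_list_etc($1)
	# Attribute, not a single type: covers every init script type.
	domtrans_pattern($1, init_script_file_type, initrc_t)

	ifdef(`enable_mcs',`
		range_transition $1 init_script_file_type:process s0;
	')

	ifdef(`enable_mls',`
		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
	')
')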
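########################################
## <summary>
##	Execute an init script in a specified domain.
## </summary>
## <desc>
##	<p>
##	Execute an init script in a specified domain.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
## </desc>
## <param name="source_domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	Domain to transition to.
##	</summary>
## </param>
# cjp: added for gentoo integrated run_init
interface(`init_script_file_domtrans',`
	gen_require(`
		type initrc_exec_t;
	')

	files_list_etc($1)
	# The target is caller-supplied (second argument), not initrc_t.
	# NOTE(review): presumably the target also needs initrc_exec_t as an
	# entry point, see init_script_file_entry_type (verify).
	domain_auto_transition_pattern($1, initrc_exec_t, $2)
')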
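########################################
## <summary>
##	Send a kill signal to init scripts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_kill_scripts',`
	gen_require(`
		type initrc_t;
	')

	# sigkill only, and only for processes in initrc_t (not init_t).
	allow $1 initrc_t:process sigkill;
')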
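########################################
## <summary>
##	Allow manage service for initrc_exec_t scripts
## </summary>
## <param name="domain">
##	<summary>
##	Target domain
##	</summary>
## </param>
#
interface(`init_manage_script_service',`
	gen_require(`
		type initrc_exec_t;
		class service { status start stop };
	')

	# NOTE(review): the parameter summary says target domain, but the
	# first argument is the source of this allow rule, that is the
	# domain being granted access.
	# Scope is the generic initrc_exec_t label only; other init script
	# types are covered by init_startstop_all_script_services.
	allow $1 initrc_exec_t:service { start stop status };
')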
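########################################
## <summary>
##	Transition to the init script domain
##	on a specified labeled init script.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="init_script_file">
##	<summary>
##	Labeled init script file.
##	</summary>
## </param>
#
interface(`init_labeled_script_domtrans',`
	gen_require(`
		type initrc_t;
		attribute initrc_transition_domain;
	')

	# Side effect on the caller: its type joins the
	# initrc_transition_domain attribute, so any rule written against
	# that attribute elsewhere in the policy now applies to it.
	typeattribute $1 initrc_transition_domain;
	# Transition to initrc_t only through the one script type passed in.
	domtrans_pattern($1, $2, initrc_t)
	files_search_etc($1)
')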
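#########################################
## <summary>
##	Transition to the init script domain
##	for all labeled init script types
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`init_all_labeled_script_domtrans',`
	gen_require(`
		attribute init_script_file_type;
	')

	# Passes the whole attribute, so the caller can enter initrc_t
	# through every init script type. Use init_labeled_script_domtrans
	# with a single type to confine a domain to one service.
	init_labeled_script_domtrans($1, init_script_file_type)
')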
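########################################
## <summary>
##	Allow getting service status of initrc_exec_t scripts
## </summary>
## <param name="domain">
##	<summary>
##	Target domain
##	</summary>
## </param>
#
interface(`init_get_script_status',`
	gen_require(`
		type initrc_exec_t;
		class service status;
	')

	# NOTE(review): the parameter summary says target domain, but the
	# first argument is the source of this allow rule, that is the
	# domain being granted access.
	# Status only; start and stop are in init_manage_script_service.
	allow $1 initrc_exec_t:service status;
')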
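########################################
## <summary>
##	Allow the role to start and stop
##	labeled services.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be performing this action.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Type to be used as a daemon domain.
##	</summary>
## </param>
## <param name="init_script_file">
##	<summary>
##	Labeled init script file.
##	</summary>
## </param>
## <param name="unit" optional="true">
##	<summary>
##	Systemd unit file type.
##	</summary>
## </param>
#
interface(`init_startstop_service',`
	gen_require(`
		role system_r;
	')

	# NOTE(review): the header documents two parameters named domain
	# (first and third). The third argument, the daemon domain, is not
	# referenced anywhere in this body.

	# sysvinit/upstart systems will need to use run_init
	# if not using direct_sysadm_daemon.
	ifdef(`direct_sysadm_daemon',`
		init_labeled_script_domtrans($1, $4)
		domain_system_change_exemption($1)
		# Executing the script type switches the given role to system_r.
		role_transition $2 $4 system_r;
		allow $2 system_r;
	')

	ifdef(`distro_gentoo',`
		# for OpenRC
		seutil_labeled_init_script_run_runinit($1, $2, $4)
	')

	ifdef(`init_systemd',`
		# This ifelse condition is temporary, until
		# all callers are updated to provide unit files.
		# When the fifth argument is empty, no service permission is
		# granted by this branch.
		ifelse(`$5',`',`',`
			gen_require(`
				class service { start status stop };
			')

			allow $1 $5:service { start status stop };
		')
	')
')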
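########################################
## <summary>
##	Start and stop daemon programs directly.
## </summary>
## <desc>
##	<p>
##	Start and stop daemon programs directly
##	in the traditional "/etc/init.d/daemon start"
##	style, and do not require run_init.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be performing this action.
##	</summary>
## </param>
#
interface(`init_run_daemon',`
	gen_require(`
		attribute init_script_file_type;
		role system_r;
	')

	allow $2 system_r;

	# Covers every init script type through the attribute, so the role
	# can run all labeled services. Use init_startstop_service to limit
	# a role to a single service.
	init_all_labeled_script_domtrans($1)
	# Executing any init script type switches the role to system_r.
	role_transition $2 init_script_file_type system_r;
')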
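########################################
## <summary>
##	Start and stop init_script_file_type services
## </summary>
## <param name="domain">
##	<summary>
##	domain that can start and stop the services
##	</summary>
## </param>
#
interface(`init_startstop_all_script_services',`
	gen_require(`
		attribute init_script_file_type;
		class service { start status stop };
	')

	# Attribute-wide: applies to every type carrying
	# init_script_file_type, including ones added by other modules.
	# The rule also grants status, which the summary does not mention.
	allow $1 init_script_file_type:service { start status stop };
')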
########################################
## <summary>
##	Read the process state (/proc/pid) of init.
## </summary>
## <desc>
##	<p>
##	Grants search on init_t directories and read access
##	to init_t files and symbolic links. No write or
##	process-class permission is granted here.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_read_state',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:dir search_dir_perms;
	allow $1 init_t:file read_file_perms;
	allow $1 init_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
##	Do not audit attempts to read the process
##	state (/proc/pid) of init.
## </summary>
## <desc>
##	<p>
##	Mirrors init_read_state() with dontaudit rules: the
##	access is still denied, only the denial message is
##	suppressed. Denials silenced this way do not appear
##	in the audit log, so disable dontaudit rules when
##	investigating unexpected behaviour of the domain.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_read_state',`
	gen_require(`
		type init_t;
	')

	dontaudit $1 init_t:dir search_dir_perms;
	dontaudit $1 init_t:file read_file_perms;
	dontaudit $1 init_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
##	Ptrace the init process.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to ptrace processes
##	running in the init_t domain. A domain holding this
##	permission can inspect and alter init, so the set of
##	callers should be small and reviewed.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`init_ptrace',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:process ptrace;
')
########################################
## <summary>
##	Get the attributes of the init process.
## </summary>
## <desc>
##	<p>
##	Grants only the getattr permission of the process
##	class on init_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`init_getattr',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:process getattr;
')
########################################
## <summary>
##	Write an init script unnamed pipe.
## </summary>
## <desc>
##	<p>
##	Grants only write on initrc_t fifo_file objects.
##	See init_rw_script_pipes() for read and write.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_write_script_pipes',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:fifo_file write;
')
########################################
## <summary>
##	Get the attributes of init script entrypoint files.
## </summary>
## <desc>
##	<p>
##	Covers files labeled initrc_exec_t only. Use
##	init_getattr_all_script_files() for every type
##	with the init_script_file_type attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_getattr_script_files',`
	gen_require(`
		type initrc_exec_t;
	')

	# Helper from the files module; presumably directory access under /etc.
	files_list_etc($1)
	allow $1 initrc_exec_t:file getattr;
')
########################################
## <summary>
##	Read init scripts.
## </summary>
## <desc>
##	<p>
##	Grants read access to files labeled initrc_exec_t.
##	Execution is not granted; see
##	init_exec_script_files() for that.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_read_script_files',`
	gen_require(`
		type initrc_exec_t;
	')

	files_search_etc($1)
	allow $1 initrc_exec_t:file read_file_perms;
')
########################################
## <summary>
##	Execute init scripts in the caller domain.
## </summary>
## <desc>
##	<p>
##	Files labeled initrc_exec_t are executed without a
##	domain transition, so the script runs with the
##	access of the calling domain rather than that of
##	initrc_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_exec_script_files',`
	gen_require(`
		type initrc_exec_t;
	')

	files_list_etc($1)
	can_exec($1, initrc_exec_t)
')
########################################
## <summary>
##	Get the attributes of all init script entrypoint files.
## </summary>
## <desc>
##	<p>
##	Applies to every file type carrying the
##	init_script_file_type attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_getattr_all_script_files',`
	gen_require(`
		attribute init_script_file_type;
	')

	files_list_etc($1)
	allow $1 init_script_file_type:file getattr;
')
########################################
## <summary>
##	Read all init script files.
## </summary>
## <desc>
##	<p>
##	Grants read access to files of every type carrying
##	the init_script_file_type attribute. Execution is
##	not granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_read_all_script_files',`
	gen_require(`
		attribute init_script_file_type;
	')

	files_search_etc($1)
	allow $1 init_script_file_type:file read_file_perms;
')
########################################
## <summary>
##	Do not audit attempts to read all init script files.
## </summary>
## <desc>
##	<p>
##	Suppresses the denial message only; the read is
##	still denied. Unlike init_read_all_script_files(),
##	no directory search rule is included.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_read_all_script_files',`
	gen_require(`
		attribute init_script_file_type;
	')

	dontaudit $1 init_script_file_type:file read_file_perms;
')
########################################
## <summary>
##	Execute all init scripts in the caller domain.
## </summary>
## <desc>
##	<p>
##	Applies to every type carrying the
##	init_script_file_type attribute. No domain
##	transition takes place, so each script runs with
##	the access of the calling domain.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_exec_all_script_files',`
	gen_require(`
		attribute init_script_file_type;
	')

	files_list_etc($1)
	can_exec($1, init_script_file_type)
')
########################################
## <summary>
##	Read the process state (/proc/pid) of the init scripts.
## </summary>
## <desc>
##	<p>
##	Applies to processes running in the initrc_t domain.
##	The exact permissions come from ps_process_pattern(),
##	which is defined outside this file.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_read_script_state',`
	gen_require(`
		type initrc_t;
	')

	kernel_search_proc($1)
	ps_process_pattern($1, initrc_t)
')
########################################
## <summary>
##	Inherit and use init script file descriptors.
## </summary>
## <desc>
##	<p>
##	Grants the use permission on file descriptors owned
##	by initrc_t. Access to the object behind a
##	descriptor is checked separately and is not granted
##	here.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_use_script_fds',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:fd use;
')
########################################
## <summary>
##	Do not audit attempts to inherit
##	init script file descriptors.
## </summary>
## <desc>
##	<p>
##	Suppresses the denial message for use of initrc_t
##	file descriptors; the access itself stays denied.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_use_script_fds',`
	gen_require(`
		type initrc_t;
	')

	dontaudit $1 initrc_t:fd use;
')
########################################
## <summary>
##	Search init script keys.
## </summary>
## <desc>
##	<p>
##	Grants only the search permission of the key class
##	on initrc_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_search_script_keys',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:key search;
')
########################################
## <summary>
##	Get the process group ID of init scripts.
## </summary>
## <desc>
##	<p>
##	Grants only the getpgid permission of the process
##	class on initrc_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_getpgid_script',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:process getpgid;
')
########################################
## <summary>
##	Send SIGCHLD signals to init scripts.
## </summary>
## <desc>
##	<p>
##	Grants only the sigchld permission on initrc_t
##	processes. Other signals are covered by
##	init_signal_script() and init_signull_script().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_sigchld_script',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:process sigchld;
')
########################################
## <summary>
##	Send generic signals to init scripts.
## </summary>
## <desc>
##	<p>
##	Grants only the signal permission on initrc_t
##	processes. SIGCHLD and the null signal have their
##	own interfaces in this file.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_signal_script',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:process signal;
')
########################################
## <summary>
##	Send null signals to init scripts.
## </summary>
## <desc>
##	<p>
##	Grants only the signull permission on initrc_t
##	processes.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_signull_script',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:process signull;
')
########################################
## <summary>
##	Read and write init script unnamed pipes.
## </summary>
## <desc>
##	<p>
##	Grants read and write on initrc_t fifo_file objects.
##	No open or create permission is listed in the rule.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_rw_script_pipes',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:fifo_file { read write };
')
########################################
## <summary>
##	Allow the specified domain to connect to
##	init scripts with a unix socket.
## </summary>
## <desc>
##	<p>
##	Grants only connectto on initrc_t unix stream
##	sockets. Access to a socket file on disk, if one is
##	used, is not granted here.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_stream_connect_script',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:unix_stream_socket connectto;
')
########################################
## <summary>
##	Allow the specified domain to read and write
##	init script unix domain stream sockets.
## </summary>
## <desc>
##	<p>
##	Grants rw_socket_perms on initrc_t unix stream
##	sockets. The permission set is defined outside this
##	file. Connecting is a separate permission; see
##	init_stream_connect_script().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_rw_script_stream_sockets',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:unix_stream_socket rw_socket_perms;
')
########################################
## <summary>
##	Do not audit attempts by the specified domain
##	to connect to init scripts with a unix domain
##	stream socket.
## </summary>
## <desc>
##	<p>
##	Suppresses the denial message for connectto on
##	initrc_t unix stream sockets; the connection
##	attempt itself stays denied.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_stream_connect_script',`
	gen_require(`
		type initrc_t;
	')

	dontaudit $1 initrc_t:unix_stream_socket connectto;
')
########################################
## <summary>
##	Send messages to init scripts over dbus.
## </summary>
## <desc>
##	<p>
##	One-way rule: the caller may send to initrc_t, but
##	initrc_t is not allowed to send back. Use
##	init_dbus_chat_script() for both directions.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_dbus_send_script',`
	gen_require(`
		type initrc_t;
		class dbus send_msg;
	')

	allow $1 initrc_t:dbus send_msg;
')
########################################
## <summary>
##	Send and receive messages from
##	init scripts over dbus.
## </summary>
## <desc>
##	<p>
##	Two rules are emitted: the caller may send to
##	initrc_t, and initrc_t may send to the caller. The
##	second rule widens what initrc_t can reach, not only
##	what the caller can do.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_dbus_chat_script',`
	gen_require(`
		type initrc_t;
		class dbus send_msg;
	')

	allow $1 initrc_t:dbus send_msg;
	# Reverse direction: init scripts may message the caller.
	allow initrc_t $1:dbus send_msg;
')
########################################
## <summary>
##	Read and write the init script pty.
## </summary>
## <desc>
##	<p>
##	Read and write the init script pty.  This
##	pty is generally opened by the open_init_pty
##	portion of the run_init program so that the
##	daemon does not require direct access to
##	the administrator terminal.
##	</p>
##	<p>
##	The rule adds lock and append to rw_term_perms on
##	initrc_devpts_t character files. For a narrower
##	grant on an already open pty, see
##	init_use_inherited_script_ptys().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_use_script_ptys',`
	gen_require(`
		type initrc_devpts_t;
	')

	term_list_ptys($1)
	allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
')
########################################
## <summary>
##	Read and write inherited init script ptys.
## </summary>
## <desc>
##	<p>
##	The permission list is getattr, read, write and
##	ioctl, with no open permission, so the pty has to
##	reach the domain as an already open descriptor.
##	init_use_fds(), defined elsewhere in this module,
##	is called for the descriptor side.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_use_inherited_script_ptys',`
	gen_require(`
		type initrc_devpts_t;
	')

	term_list_ptys($1)
	# No open permission: inherited descriptors only.
	allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };

	init_use_fds($1)
')
########################################
## <summary>
##	Do not audit attempts to read and
##	write the init script pty.
## </summary>
## <desc>
##	<p>
##	Silences denials for the same permission list that
##	init_use_script_ptys() allows on initrc_devpts_t.
##	The access itself stays denied.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_use_script_ptys',`
	gen_require(`
		type initrc_devpts_t;
	')

	dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
')
########################################
## <summary>
##	Get the attributes of init script
##	status files.
## </summary>
## <desc>
##	<p>
##	Status files are those labeled initrc_state_t. The
##	rules come from getattr_files_pattern(), which is
##	defined outside this file, with initrc_state_t as
##	both the directory type and the file type.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_getattr_script_status_files',`
	gen_require(`
		type initrc_state_t;
	')

	getattr_files_pattern($1, initrc_state_t, initrc_state_t)
')
########################################
## <summary>
##	Do not audit attempts to read init script
##	status files.
## </summary>
## <desc>
##	<p>
##	Silences denials for searching initrc_state_t
##	directories and reading initrc_state_t files. The
##	access itself stays denied.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_read_script_status_files',`
	gen_require(`
		type initrc_state_t;
	')

	dontaudit $1 initrc_state_t:dir search_dir_perms;
	dontaudit $1 initrc_state_t:file read_file_perms;
')
########################################
## <summary>
##	Search the /run/systemd directory.
## </summary>
## <desc>
##	<p>
##	Grants search on directories labeled init_var_run_t.
##	Listing or reading the contents is not granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_search_run',`
	gen_require(`
		type init_var_run_t;
	')

	files_search_pids($1)
	allow $1 init_var_run_t:dir search_dir_perms;
')
########################################
## <summary>
##	Read init script temporary data.
## </summary>
## <desc>
##	<p>
##	Temporary data is what is labeled initrc_tmp_t. The
##	rules come from read_files_pattern(), defined
##	outside this file, with initrc_tmp_t as both the
##	directory type and the file type.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_read_script_tmp_files',`
	gen_require(`
		type initrc_tmp_t;
	')

	files_search_tmp($1)
	read_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
')
########################################
## <summary>
##	Read and write init script inherited temporary data.
## </summary>
## <desc>
##	<p>
##	Grants rw_inherited_file_perms on initrc_tmp_t
##	files. The permission set is defined outside this
##	file; by its name it is meant for files received as
##	open descriptors. No directory search rule is
##	included, unlike init_rw_script_tmp_files().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_rw_inherited_script_tmp_files',`
	gen_require(`
		type initrc_tmp_t;
	')

	allow $1 initrc_tmp_t:file rw_inherited_file_perms;
')
########################################
## <summary>
##	Read and write init script temporary data.
## </summary>
## <desc>
##	<p>
##	The rules come from rw_files_pattern(), defined
##	outside this file, with initrc_tmp_t as both the
##	directory type and the file type. Callers that only
##	receive an open descriptor can use
##	init_rw_inherited_script_tmp_files() instead.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_rw_script_tmp_files',`
	gen_require(`
		type initrc_tmp_t;
	')

	files_search_tmp($1)
	rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
')
########################################
## <summary>
##	Create files in an init script
##	temporary data directory.
## </summary>
## <desc>
##	<p>
##	Passes the caller domain, initrc_tmp_t as the parent
##	directory type, and the given file type, object
##	class and optional name to filetrans_pattern(),
##	which is defined outside this file.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="file_type">
##	<summary>
##	The type of the object to be created.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The object class.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`init_script_tmp_filetrans',`
	gen_require(`
		type initrc_tmp_t;
	')

	files_search_tmp($1)
	filetrans_pattern($1, initrc_tmp_t, $2, $3, $4)
')
########################################
## <summary>
##	Get the attributes of utmp
##	(init script process id files).
## </summary>
## <desc>
##	<p>
##	Grants only getattr on files labeled
##	initrc_var_run_t, the type the utmp interfaces in
##	this file operate on.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_getattr_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	allow $1 initrc_var_run_t:file getattr;
')
########################################
## <summary>
##	Read utmp.
## </summary>
## <desc>
##	<p>
##	Grants read access to files labeled
##	initrc_var_run_t. No write permission is granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_read_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	files_list_pids($1)
	allow $1 initrc_var_run_t:file read_file_perms;
')
########################################
## <summary>
##	Do not audit attempts to write or lock utmp.
## </summary>
## <desc>
##	<p>
##	Silences denials for write and lock on
##	initrc_var_run_t files. The access stays denied,
##	but failed write attempts against utmp by this
##	domain will no longer show up in the audit log.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_write_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	dontaudit $1 initrc_var_run_t:file { write lock };
')
########################################
## <summary>
##	Write to utmp.
## </summary>
## <desc>
##	<p>
##	Grants getattr, open and write on initrc_var_run_t
##	files. Read, append, create and unlink are not in
##	the list.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_write_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	files_list_pids($1)
	allow $1 initrc_var_run_t:file { getattr open write };
')
########################################
## <summary>
##	Do not audit attempts to lock utmp
##	(init script pid files).
## </summary>
## <desc>
##	<p>
##	Silences denials for the lock permission on
##	initrc_var_run_t files; the access stays denied.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_lock_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	dontaudit $1 initrc_var_run_t:file lock;
')
########################################
## <summary>
##	Read and write utmp.
## </summary>
## <desc>
##	<p>
##	Grants rw_file_perms on initrc_var_run_t files. The
##	permission set is defined outside this file. A
##	domain with write access can alter the login
##	records kept in utmp, so prefer init_read_utmp()
##	where reading is enough.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_rw_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	files_list_pids($1)
	allow $1 initrc_var_run_t:file rw_file_perms;
')
########################################
## <summary>
##	Do not audit attempts to read and write utmp.
## </summary>
## <desc>
##	<p>
##	Silences denials for rw_file_perms on
##	initrc_var_run_t files. The access stays denied,
##	but attempts by this domain to read or modify utmp
##	leave no audit record; disable dontaudit rules
##	when investigating the domain.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`init_dontaudit_rw_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	dontaudit $1 initrc_var_run_t:file rw_file_perms;
')
########################################
## <summary>
##	Create, read, write, and delete utmp.
## </summary>
## <desc>
##	<p>
##	Grants manage_file_perms on initrc_var_run_t files;
##	the permission set is defined outside this file.
##	This is the broadest utmp file access in this file.
##	Creating the file with the right label additionally
##	needs a type transition such as
##	init_runtime_filetrans_utmp().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_manage_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	files_search_pids($1)
	allow $1 initrc_var_run_t:file manage_file_perms;
')
########################################
## <summary>
##	Relabel utmp.
## </summary>
## <desc>
##	<p>
##	Grants relabelfrom and relabelto on files labeled
##	initrc_var_run_t, that is, relabeling both away
##	from and to this type. No directory search rule is
##	included.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_relabel_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	allow $1 initrc_var_run_t:file { relabelfrom relabelto };
')
########################################
## <summary>
##	Create files in /var/run with the
##	utmp file type.  (Deprecated)
## </summary>
## <desc>
##	<p>
##	Deprecated wrapper: emits a build-time warning and
##	forwards to init_runtime_filetrans_utmp(), which
##	new policy should call directly.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_pid_filetrans_utmp',`
	refpolicywarn(`$0($*) has been deprecated, please use init_runtime_filetrans_utmp() instead.')
	init_runtime_filetrans_utmp($1)
')
########################################
## <summary>
##	Create files in /var/run with the
##	utmp file type.
## </summary>
## <desc>
##	<p>
##	Calls files_pid_filetrans(), defined outside this
##	file, with initrc_var_run_t as the new type, file
##	as the object class and "utmp" as the object name.
##	The name argument suggests that only a file named
##	utmp receives the type.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_runtime_filetrans_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
')
#######################################
## <summary>
## Create a directory in the /run/systemd directory. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_create_pid_dirs',`
	# Deprecated alias: warn at policy build, then delegate unchanged to
	# init_create_runtime_dirs.
	refpolicywarn(`$0($*) has been deprecated, please use init_create_runtime_dirs() instead.')
	init_create_runtime_dirs($1)
')
#######################################
## <summary>
## Create a directory in the /run/systemd directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_create_runtime_dirs',`
	gen_require(`
		type init_var_run_t;
	')

	# Listing of the init runtime directory itself.
	allow $1 init_var_run_t:dir list_dir_perms;
	# init_var_run_t is passed as both the parent and the new directory
	# type, so created directories carry the init runtime label.
	create_dirs_pattern($1, init_var_run_t, init_var_run_t)
')
########################################
## <summary>
## Rename init_var_run_t files. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_rename_pid_files',`
	# Deprecated alias: warn at policy build, then delegate unchanged to
	# init_rename_runtime_files.
	refpolicywarn(`$0($*) has been deprecated, please use init_rename_runtime_files() instead.')
	init_rename_runtime_files($1)
')
########################################
## <summary>
## Rename init_var_run_t files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_rename_runtime_files',`
	gen_require(`
		type init_var_run_t;
	')

	# Both the containing directory and the file are init_var_run_t, so
	# this covers renames that stay inside the init runtime tree.
	rename_files_pattern($1, init_var_run_t, init_var_run_t)
')
########################################
## <summary>
## Delete init_var_run_t files. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_delete_pid_files',`
	# Deprecated alias: warn at policy build, then delegate unchanged to
	# init_delete_runtime_files.
	refpolicywarn(`$0($*) has been deprecated, please use init_delete_runtime_files() instead.')
	init_delete_runtime_files($1)
')
########################################
## <summary>
## Delete init_var_run_t files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_delete_runtime_files',`
	gen_require(`
		type init_var_run_t;
	')

	# Removal of init_var_run_t files from init_var_run_t directories.
	# Regular files only: sockets, pipes and symlinks are separate classes
	# and are not named by this pattern.
	delete_files_pattern($1, init_var_run_t, init_var_run_t)
')
#######################################
## <summary>
## Allow the specified domain to write to
## init sock file. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_write_pid_socket',`
	# Deprecated alias: warn at policy build, then delegate unchanged to
	# init_write_runtime_socket.
	refpolicywarn(`$0($*) has been deprecated, please use init_write_runtime_socket() instead.')
	init_write_runtime_socket($1)
')
#######################################
## <summary>
## Allow the specified domain to write to
## init sock file.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_write_runtime_socket',`
	gen_require(`
		type init_var_run_t;
	')

	# Only write on the socket file object is granted. No directory search
	# and no permission on the listening init process appear here, so a
	# caller that needs to connect must obtain those separately.
	allow $1 init_var_run_t:sock_file write;
')
########################################
## <summary>
## Read init unnamed pipes. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_pid_pipes',`
	# Deprecated alias: warn at policy build, then delegate unchanged to
	# init_read_runtime_pipes.
	refpolicywarn(`$0($*) has been deprecated, please use init_read_runtime_pipes() instead.')
	init_read_runtime_pipes($1)
')
########################################
## <summary>
## Read init unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_runtime_pipes',`
	gen_require(`
		type init_var_run_t;
	')

	# NOTE(review): the summary says unnamed pipes, but this pattern names
	# fifo files labeled init_var_run_t inside init_var_run_t directories,
	# which reads like named pipes in the init runtime tree - confirm.
	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
')
######################################
## <summary>
## Read systemd unit symlinks (usually under /run/systemd/units/).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_runtime_symlinks',`
	gen_require(`
		type init_var_run_t;
	')

	# The type named here is init_var_run_t, not systemd_unit_t: the grant
	# is on symlinks carrying the init runtime label, whatever they point
	# to. Access to the link target is decided by the target label.
	read_lnk_files_pattern($1, init_var_run_t, init_var_run_t)
')
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_tcp_recvfrom_all_daemons',`
	gen_require(`
		attribute daemon;
	')

	# daemon is an attribute, so the peer side is every domain carrying it
	# rather than one named service. The permissions themselves come from
	# corenet_tcp_recvfrom_labeled, which is defined outside this view.
	corenet_tcp_recvfrom_labeled($1, daemon)
')
########################################
## <summary>
## Allow the specified domain to connect to daemon with a udp socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_udp_recvfrom_all_daemons',`
	gen_require(`
		attribute daemon;
	')
	# Same breadth as the tcp variant: the second argument is the daemon
	# attribute, so every domain carrying it is a permitted peer. The
	# permissions come from corenet_udp_recvfrom_labeled (not shown here).
	corenet_udp_recvfrom_labeled($1, daemon)
')
######################################
## <summary>
## Search systemd unit dirs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_search_units',`
	gen_require(`
		type init_var_run_t, systemd_unit_t;
	')

	# Search (traversal) of systemd_unit_t directories below the init
	# runtime directory; nothing here lists or reads unit files.
	search_dirs_pattern($1, init_var_run_t, systemd_unit_t)

	# Units are in /etc/systemd/system, /usr/lib/systemd/system and /run/systemd
	files_search_etc($1)
	files_search_usr($1)
	libs_search_lib($1)

	# presumably needed because /run is a tmpfs mount - confirm
	fs_search_tmpfs($1)
')
######################################
## <summary>
## List systemd unit dirs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_list_unit_dirs',`
	gen_require(`
		type systemd_unit_t;
	')

	# Listing exposes the names of installed units but not their contents.
	allow $1 systemd_unit_t:dir list_dir_perms;

	# Reuse the search grants on the parent directories so the unit
	# directories are reachable.
	init_search_units($1)
')
########################################
## <summary>
## Read systemd unit links.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_generic_units_symlinks',`
	gen_require(`
		type systemd_unit_t;
	')

	# Symlinks labeled systemd_unit_t only. No directory search is granted
	# here, so callers are expected to pair this with a search or list
	# interface.
	allow $1 systemd_unit_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
## Get status of generic systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_get_generic_units_status',`
	gen_require(`
		type systemd_unit_t;
		class service status;
	')

	# Generic means units labeled systemd_unit_t; units with a dedicated
	# type are not covered by this rule.
	allow $1 systemd_unit_t:service status;
')
########################################
## <summary>
## Start generic systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_start_generic_units',`
	gen_require(`
		type systemd_unit_t;
		class service start;
	')

	# Start is granted on every unit labeled systemd_unit_t at once; the
	# rule cannot single out one unit that shares this label.
	allow $1 systemd_unit_t:service start;
')
########################################
## <summary>
## Stop generic systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_stop_generic_units',`
	gen_require(`
		type systemd_unit_t;
		class service stop;
	')

	# This is an allow rule, not a dontaudit: the caller gains the ability
	# to stop every unit labeled systemd_unit_t.
	allow $1 systemd_unit_t:service stop;
')
#######################################
## <summary>
## Reload generic systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_reload_generic_units',`
	gen_require(`
		type systemd_unit_t;
		class service reload;
	')

	# Reload only, on units labeled systemd_unit_t; start and stop are
	# separate interfaces.
	allow $1 systemd_unit_t:service reload;
')
########################################
## <summary>
## Get status of all systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_get_all_units_status',`
	gen_require(`
		attribute init_script_file_type, systemdunit;
		class service status;
	')

	# Two attributes are targeted, so this reaches init script types as
	# well as every type carrying systemdunit.
	allow $1 { init_script_file_type systemdunit }:service status;
')
#######################################
## <summary>
## All perms on all systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_manage_all_units',`
	gen_require(`
		attribute systemdunit;
		class service all_service_perms;
	')

	# Every service permission on every type carrying systemdunit. Unlike
	# the start, stop, reload and status all-units interfaces, the
	# init_script_file_type attribute is not targeted here.
	allow $1 systemdunit:service all_service_perms;
	# File access stays at getattr: this interface does not itself allow
	# reading or modifying unit files.
	allow $1 systemdunit:file getattr;
')
########################################
## <summary>
## Start all systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_start_all_units',`
	gen_require(`
		attribute init_script_file_type, systemdunit;
		class service start;
	')

	# Attribute-wide grant: any unit or init script type that carries one
	# of these attributes, including types added by later modules, becomes
	# startable by the caller.
	allow $1 { init_script_file_type systemdunit }:service start;
')
########################################
## <summary>
## Stop all systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_stop_all_units',`
	gen_require(`
		attribute init_script_file_type, systemdunit;
		class service stop;
	')

	# This is an allow rule, not a dontaudit. The caller can stop any
	# service whose unit or init script type carries one of these
	# attributes, which includes security-relevant daemons.
	allow $1 { init_script_file_type systemdunit }:service stop;
')
#######################################
## <summary>
## Reload all systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_reload_all_units',`
	gen_require(`
		attribute init_script_file_type, systemdunit;
		class service reload;
	')

	# Reload on every type carrying either attribute; start and stop are
	# granted by their own interfaces.
	allow $1 { init_script_file_type systemdunit }:service reload;
')
########################################
## <summary>
## Allow unconfined access to send instructions to init
## </summary>
## <desc>
## <p>
## Aggregates the enable, disable, status, start, stop,
## reload and manage interfaces for units together with
## the reboot, shutdown and telinit interfaces. Grant only
## to administrative domains.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_admin',`
	# NOTE(review): initrc_exec_t and the service class are required but
	# not referenced by any statement in this body - possibly leftover.
	gen_require(`
		type initrc_exec_t;
		class service status;
	')

	# Everything below is delegated. The effective permission set is the
	# union of these interfaces, several of which are defined outside this
	# view, so review them when auditing what an admin domain can do.
	dev_manage_null_service($1)
	init_disable($1)
	init_enable($1)
	init_get_all_units_status($1)
	init_get_generic_units_status($1)
	init_get_system_status($1)
	init_manage_all_units($1)
	init_manage_script_service($1)
	init_reboot_system($1)
	init_reload($1)
	init_reload_all_units($1)
	init_shutdown_system($1)
	init_start_system($1)
	init_start_all_units($1)
	init_start_generic_units($1)
	init_stop_all_units($1)
	init_stop_generic_units($1)
	init_stop_system($1)
	init_telinit($1)
')
########################################
## <summary>
## Allow getting init_t rlimit
## </summary>
## <param name="domain">
## <summary>
## Source domain
## </summary>
## </param>
#
interface(`init_getrlimit',`
	gen_require(`
		type init_t;
	')

	# Query only: getrlimit on init_t processes. No setrlimit or other
	# process permission is granted here.
	allow $1 init_t:process getrlimit;
')
|