2017-04-06 20:59:47 +00:00
|
|
|
policy_module(init, 2.2.15)
|
2005-04-26 17:00:25 +00:00
|
|
|
|
2005-10-18 15:07:11 +00:00
|
|
|
gen_require(`
|
|
|
|
|
class passwd rootok;
|
|
|
|
|
')
|
|
|
|
|
|
2005-05-05 18:30:00 +00:00
|
|
|
########################################
|
|
|
|
|
#
|
|
|
|
|
# Declarations
|
|
|
|
|
#
|
|
|
|
|
|
2008-03-10 19:29:47 +00:00
|
|
|
## <desc>
|
|
|
|
|
## <p>
|
|
|
|
|
## Enable support for upstart as the init program.
|
|
|
|
|
## </p>
|
|
|
|
|
## </desc>
|
2009-06-26 14:40:13 +00:00
|
|
|
gen_tunable(init_upstart, false)
|
2008-03-10 19:29:47 +00:00
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
## <desc>
|
|
|
|
|
## <p>
|
|
|
|
|
## Allow all daemons the ability to read/write terminals
|
|
|
|
|
## </p>
|
|
|
|
|
## </desc>
|
|
|
|
|
gen_tunable(init_daemons_use_tty, false)
|
|
|
|
|
|
2008-08-29 19:00:02 +00:00
|
|
|
attribute init_script_domain_type;
|
|
|
|
|
attribute init_script_file_type;
|
|
|
|
|
attribute init_run_all_scripts_domain;
|
2015-10-23 14:16:59 +00:00
|
|
|
attribute systemdunit;
|
2017-02-24 01:03:23 +00:00
|
|
|
attribute initrc_transition_domain;
|
2008-08-29 19:00:02 +00:00
|
|
|
|
2006-09-25 18:53:06 +00:00
|
|
|
# Mark process types as daemons
|
|
|
|
|
attribute daemon;
|
2017-02-24 01:03:23 +00:00
|
|
|
attribute systemprocess;
|
2006-09-25 18:53:06 +00:00
|
|
|
|
Support initrc_t generated pid files with file transition
For some daemons, it is the init script that is responsible for creating
the PID file of the daemon. As we do not want to update the init SELinux
policy module for each of these situations, we need to introduce an
interface that can be called by the SELinux policy module of the caller
(the daemon domain).
The initial suggestion was to transform the init_daemon_run_dir
interface, which offers a similar approach for directories in /run, into
a class-agnostic interface. Several names have been suggested, such as
init_script_spec_run_content or init_script_generic_run_filetrans_spec,
but in the end init_daemon_pid_file was used.
The interface requires the class(es) on which the file transition should
occur, like so:
init_daemon_pid_file(xdm_var_run_t, dir, "xdm")
init_daemon_pid_file(postgresql_var_run_t, file, "postgresql.pid")
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-06-25 19:53:00 +00:00
|
|
|
# Mark file type as a daemon pid file
|
|
|
|
|
attribute daemonpidfile;
|
2012-08-25 18:25:06 +00:00
|
|
|
# Mark file type as a daemon run directory
|
2014-06-25 19:53:01 +00:00
|
|
|
# TODO - this attribute is deprecated and kept for a short while for compatibility
|
2012-08-25 18:25:06 +00:00
|
|
|
attribute daemonrundir;
|
|
|
|
|
|
2005-04-22 22:00:09 +00:00
|
|
|
#
|
2005-04-14 20:18:17 +00:00
|
|
|
# init_t is the domain of the init process.
|
|
|
|
|
#
|
2017-02-24 01:03:23 +00:00
|
|
|
type init_t, initrc_transition_domain;
|
2006-10-04 17:25:34 +00:00
|
|
|
type init_exec_t;
|
2005-06-13 17:35:46 +00:00
|
|
|
domain_type(init_t)
|
2009-06-26 14:40:13 +00:00
|
|
|
domain_entry_file(init_t, init_exec_t)
|
|
|
|
|
kernel_domtrans_to(init_t, init_exec_t)
|
2006-10-04 17:25:34 +00:00
|
|
|
role system_r types init_t;
|
2005-04-14 20:18:17 +00:00
|
|
|
|
2005-05-25 20:58:21 +00:00
|
|
|
#
|
2014-09-07 21:28:10 +00:00
|
|
|
# init_var_run_t is the type for /var/run/shutdown.pid and /var/run/systemd.
|
2005-05-25 20:58:21 +00:00
|
|
|
#
|
|
|
|
|
type init_var_run_t;
|
2005-06-13 17:35:46 +00:00
|
|
|
files_pid_file(init_var_run_t)
|
2005-05-25 20:58:21 +00:00
|
|
|
|
2014-09-07 21:28:10 +00:00
|
|
|
#
|
|
|
|
|
# init_var_lib_t is the type for /var/lib/systemd.
|
|
|
|
|
#
|
|
|
|
|
type init_var_lib_t;
|
|
|
|
|
files_type(init_var_lib_t)
|
|
|
|
|
|
2005-04-22 22:00:09 +00:00
|
|
|
#
|
2010-06-08 12:47:26 +00:00
|
|
|
# initctl_t is the type of the named pipe created
|
2005-04-22 22:00:09 +00:00
|
|
|
# by init during initialization. This pipe is used
|
|
|
|
|
# to communicate with init.
|
|
|
|
|
#
|
2005-09-26 20:26:32 +00:00
|
|
|
type initctl_t;
|
2005-06-29 14:26:41 +00:00
|
|
|
files_type(initctl_t)
|
2005-09-26 20:26:32 +00:00
|
|
|
mls_trusted_object(initctl_t)
|
2005-04-14 20:18:17 +00:00
|
|
|
|
2008-08-29 19:00:02 +00:00
|
|
|
type initrc_t, init_script_domain_type, init_run_all_scripts_domain;
|
|
|
|
|
type initrc_exec_t, init_script_file_type;
|
2005-06-13 17:35:46 +00:00
|
|
|
domain_type(initrc_t)
|
2009-06-26 14:40:13 +00:00
|
|
|
domain_entry_file(initrc_t, initrc_exec_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
init_named_socket_activation(initrc_t, init_var_run_t)
|
2006-10-04 17:25:34 +00:00
|
|
|
role system_r types initrc_t;
|
2008-03-10 19:29:47 +00:00
|
|
|
# should be part of the true block
|
|
|
|
|
# of the below init_upstart tunable
|
|
|
|
|
# but this has a typeattribute in it
|
|
|
|
|
corecmd_shell_entry_type(initrc_t)
|
2005-04-22 22:00:09 +00:00
|
|
|
|
|
|
|
|
type initrc_devpts_t;
|
2005-06-10 01:01:13 +00:00
|
|
|
term_pty(initrc_devpts_t)
|
2005-09-05 18:17:17 +00:00
|
|
|
files_type(initrc_devpts_t)
|
2005-04-22 22:00:09 +00:00
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
type initrc_lock_t;
|
|
|
|
|
files_lock_file(initrc_lock_t)
|
|
|
|
|
|
2005-04-22 22:00:09 +00:00
|
|
|
type initrc_state_t;
|
2005-06-29 14:26:41 +00:00
|
|
|
files_type(initrc_state_t)
|
2005-04-22 22:00:09 +00:00
|
|
|
|
|
|
|
|
type initrc_tmp_t;
|
2005-06-13 17:35:46 +00:00
|
|
|
files_tmp_file(initrc_tmp_t)
|
2005-04-22 22:00:09 +00:00
|
|
|
|
2012-07-12 19:24:41 +00:00
|
|
|
type initrc_var_log_t;
|
|
|
|
|
logging_log_file(initrc_var_log_t)
|
|
|
|
|
|
2005-09-19 21:17:45 +00:00
|
|
|
type initrc_var_run_t;
|
|
|
|
|
files_pid_file(initrc_var_run_t)
|
|
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
type systemd_unit_t;
|
|
|
|
|
init_unit_file(systemd_unit_t)
|
|
|
|
|
|
2011-09-03 14:19:27 +00:00
|
|
|
ifdef(`distro_gentoo',`
|
|
|
|
|
type rc_exec_t;
|
|
|
|
|
domain_entry_file(initrc_t, rc_exec_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-10-04 17:25:34 +00:00
|
|
|
ifdef(`enable_mls',`
|
2009-06-26 14:40:13 +00:00
|
|
|
kernel_ranged_domtrans_to(init_t, init_exec_t, s0 - mls_systemhigh)
|
2006-10-04 17:25:34 +00:00
|
|
|
')
|
|
|
|
|
|
2005-04-22 22:00:09 +00:00
|
|
|
########################################
|
|
|
|
|
#
|
|
|
|
|
# Init local policy
|
|
|
|
|
#
|
|
|
|
|
|
2005-05-31 21:25:45 +00:00
|
|
|
# Use capabilities. old rule:
|
|
|
|
|
allow init_t self:capability ~sys_module;
|
2017-02-24 01:03:23 +00:00
|
|
|
allow init_t self:capability2 { wake_alarm block_suspend };
|
2010-06-08 12:47:26 +00:00
|
|
|
# is ~sys_module really needed? observed:
|
2005-05-31 21:25:45 +00:00
|
|
|
# sys_boot
|
|
|
|
|
# sys_tty_config
|
|
|
|
|
# kill: now provided by domain_kill_all_domains()
|
|
|
|
|
# setuid (from /sbin/shutdown)
|
2005-06-13 17:35:46 +00:00
|
|
|
# sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot()
|
2005-05-31 21:25:45 +00:00
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow init_t self:fifo_file rw_fifo_file_perms;
|
2005-05-26 20:38:45 +00:00
|
|
|
|
2005-04-19 18:58:16 +00:00
|
|
|
# Re-exec itself
|
2009-06-26 14:40:13 +00:00
|
|
|
can_exec(init_t, init_exec_t)
|
2005-04-19 18:58:16 +00:00
|
|
|
|
2005-09-13 13:06:07 +00:00
|
|
|
allow init_t initrc_t:unix_stream_socket connectto;
|
|
|
|
|
|
2005-04-19 18:58:16 +00:00
|
|
|
# For /var/run/shutdown.pid.
|
2006-12-12 20:08:08 +00:00
|
|
|
allow init_t init_var_run_t:file manage_file_perms;
|
2009-06-26 14:40:13 +00:00
|
|
|
files_pid_filetrans(init_t, init_var_run_t, file)
|
2005-04-19 18:58:16 +00:00
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
# for systemd to manage service file symlinks
|
|
|
|
|
allow init_t init_var_run_t:file manage_lnk_file_perms;
|
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
|
2009-06-26 14:40:13 +00:00
|
|
|
dev_filetrans(init_t, initctl_t, fifo_file)
|
2005-05-25 20:58:21 +00:00
|
|
|
|
2005-05-31 21:25:45 +00:00
|
|
|
# Modify utmp.
|
2005-06-10 01:01:13 +00:00
|
|
|
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
|
2005-05-31 21:25:45 +00:00
|
|
|
|
2005-04-14 20:18:17 +00:00
|
|
|
kernel_read_system_state(init_t)
|
|
|
|
|
kernel_share_state(init_t)
|
2014-01-16 16:24:25 +00:00
|
|
|
kernel_dontaudit_search_unlabeled(init_t)
|
2005-04-14 20:18:17 +00:00
|
|
|
|
2005-07-13 18:29:08 +00:00
|
|
|
corecmd_exec_chroot(init_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
corecmd_exec_bin(init_t)
|
2005-05-24 22:22:26 +00:00
|
|
|
|
2006-05-19 17:44:27 +00:00
|
|
|
dev_read_sysfs(init_t)
|
2010-08-18 15:36:35 +00:00
|
|
|
# Early devtmpfs
|
|
|
|
|
dev_rw_generic_chr_files(init_t)
|
2006-05-19 17:44:27 +00:00
|
|
|
|
2010-03-18 14:19:49 +00:00
|
|
|
domain_getpgid_all_domains(init_t)
|
2005-04-14 20:18:17 +00:00
|
|
|
domain_kill_all_domains(init_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
domain_getattr_all_domains(init_t)
|
2005-05-27 20:44:05 +00:00
|
|
|
domain_signal_all_domains(init_t)
|
|
|
|
|
domain_signull_all_domains(init_t)
|
|
|
|
|
domain_sigstop_all_domains(init_t)
|
|
|
|
|
domain_sigchld_all_domains(init_t)
|
2005-04-14 20:18:17 +00:00
|
|
|
|
2005-06-29 14:26:41 +00:00
|
|
|
files_read_etc_files(init_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
files_rw_generic_pids(init_t)
|
|
|
|
|
files_manage_etc_runtime_files(init_t)
|
2009-06-26 14:40:13 +00:00
|
|
|
files_etc_filetrans_etc_runtime(init_t, file)
|
2005-05-30 21:17:20 +00:00
|
|
|
# Run /etc/X11/prefdm:
|
2005-06-29 14:26:41 +00:00
|
|
|
files_exec_etc_files(init_t)
|
2005-05-24 22:22:26 +00:00
|
|
|
# file descriptors inherited from the rootfs:
|
2006-01-31 19:21:01 +00:00
|
|
|
files_dontaudit_rw_root_files(init_t)
|
|
|
|
|
files_dontaudit_rw_root_chr_files(init_t)
|
2005-04-19 18:58:16 +00:00
|
|
|
|
2017-01-02 21:11:32 +00:00
|
|
|
fs_getattr_xattr_fs(init_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
fs_list_inotifyfs(init_t)
|
2006-04-03 19:49:47 +00:00
|
|
|
# cjp: this may be related to /dev/log
|
|
|
|
|
fs_write_ramfs_sockets(init_t)
|
|
|
|
|
|
2006-05-19 17:44:27 +00:00
|
|
|
mcs_process_set_categories(init_t)
|
2007-08-20 15:15:03 +00:00
|
|
|
mcs_killall(init_t)
|
2006-05-19 17:44:27 +00:00
|
|
|
|
2007-08-20 18:26:08 +00:00
|
|
|
mls_file_read_all_levels(init_t)
|
|
|
|
|
mls_file_write_all_levels(init_t)
|
2014-05-23 18:18:10 +00:00
|
|
|
mls_process_write_all_levels(init_t)
|
2006-10-31 21:01:48 +00:00
|
|
|
mls_fd_use_all_levels(init_t)
|
2006-05-19 17:44:27 +00:00
|
|
|
|
2017-01-02 21:11:32 +00:00
|
|
|
# the following one is needed for libselinux:is_selinux_enabled()
|
|
|
|
|
# otherwise the call fails and sysvinit tries to load the policy
|
|
|
|
|
# again when using the initramfs
|
|
|
|
|
selinux_get_fs_mount(init_t)
|
2009-01-13 13:01:48 +00:00
|
|
|
selinux_set_all_booleans(init_t)
|
2006-05-19 17:44:27 +00:00
|
|
|
|
|
|
|
|
term_use_all_terms(init_t)
|
|
|
|
|
|
|
|
|
|
# Run init scripts.
|
|
|
|
|
init_domtrans_script(init_t)
|
|
|
|
|
|
2005-06-13 17:35:46 +00:00
|
|
|
libs_rw_ld_so_cache(init_t)
|
2005-04-14 20:18:17 +00:00
|
|
|
|
2005-06-13 17:35:46 +00:00
|
|
|
logging_send_syslog_msg(init_t)
|
|
|
|
|
logging_rw_generic_logs(init_t)
|
2005-04-19 20:43:44 +00:00
|
|
|
|
2005-06-14 20:48:34 +00:00
|
|
|
seutil_read_config(init_t)
|
2005-04-14 20:18:17 +00:00
|
|
|
|
|
|
|
|
miscfiles_read_localization(init_t)
|
|
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
ifdef(`init_systemd',`
|
|
|
|
|
# handle instances where an old labeled init script is encountered.
|
|
|
|
|
typeattribute init_t init_run_all_scripts_domain;
|
|
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
allow init_t systemprocess:process { dyntransition siginh };
|
|
|
|
|
allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
|
|
|
|
|
allow init_t systemprocess:unix_dgram_socket create_socket_perms;
|
|
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setcap setrlimit };
|
2016-01-15 10:42:25 +00:00
|
|
|
allow init_t self:capability2 { audit_read block_suspend };
|
2015-10-23 14:16:59 +00:00
|
|
|
allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
|
|
allow init_t self:netlink_route_socket create_netlink_socket_perms;
|
|
|
|
|
allow init_t self:netlink_selinux_socket create_socket_perms;
|
2016-01-11 18:14:55 +00:00
|
|
|
allow init_t self:unix_dgram_socket lock;
|
2015-10-23 14:16:59 +00:00
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
allow init_t daemon:unix_stream_socket create_stream_socket_perms;
|
|
|
|
|
allow init_t daemon:unix_dgram_socket create_socket_perms;
|
|
|
|
|
allow init_t daemon:tcp_socket create_stream_socket_perms;
|
|
|
|
|
allow init_t daemon:udp_socket create_socket_perms;
|
|
|
|
|
allow daemon init_t:unix_dgram_socket sendto;
|
|
|
|
|
|
|
|
|
|
allow init_run_all_scripts_domain systemdunit:service { status start stop };
|
|
|
|
|
|
|
|
|
|
allow systemprocess init_t:unix_dgram_socket sendto;
|
|
|
|
|
allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
|
|
|
|
|
|
|
|
|
|
allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
|
2015-10-23 14:16:59 +00:00
|
|
|
manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
|
|
|
|
|
manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
|
|
|
|
|
manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
|
|
|
|
|
manage_dirs_pattern(init_t, init_var_run_t, init_var_run_t)
|
|
|
|
|
|
|
|
|
|
manage_files_pattern(init_t, systemd_unit_t, systemdunit)
|
|
|
|
|
|
|
|
|
|
manage_dirs_pattern(init_t, systemd_unit_t, systemd_unit_t)
|
|
|
|
|
manage_lnk_files_pattern(init_t, systemd_unit_t, systemd_unit_t)
|
|
|
|
|
allow init_t systemd_unit_t:dir relabel_dir_perms;
|
|
|
|
|
|
|
|
|
|
kernel_dyntrans_to(init_t)
|
|
|
|
|
kernel_read_network_state(init_t)
|
|
|
|
|
kernel_read_kernel_sysctls(init_t)
|
|
|
|
|
kernel_read_vm_sysctls(init_t)
|
|
|
|
|
kernel_dgram_send(init_t)
|
|
|
|
|
kernel_stream_connect(init_t)
|
|
|
|
|
kernel_getattr_proc(init_t)
|
|
|
|
|
kernel_read_fs_sysctls(init_t)
|
|
|
|
|
|
|
|
|
|
dev_rw_autofs(init_t)
|
|
|
|
|
dev_create_generic_dirs(init_t)
|
2015-10-20 18:48:38 +00:00
|
|
|
dev_manage_input_dev(init_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
dev_relabel_all_dev_nodes(init_t)
|
2015-10-20 17:23:35 +00:00
|
|
|
dev_relabel_all_sysfs(init_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
dev_read_urand(init_t)
|
|
|
|
|
dev_write_kmsg(init_t)
|
|
|
|
|
|
|
|
|
|
domain_read_all_domains_state(init_t)
|
|
|
|
|
|
|
|
|
|
files_read_all_pids(init_t)
|
|
|
|
|
files_list_usr(init_t)
|
|
|
|
|
files_list_var(init_t)
|
|
|
|
|
files_list_var_lib(init_t)
|
|
|
|
|
files_relabel_all_lock_dirs(init_t)
|
|
|
|
|
files_mounton_root(init_t)
|
|
|
|
|
files_search_pids(init_t)
|
|
|
|
|
files_relabel_all_pids(init_t)
|
|
|
|
|
files_read_all_locks(init_t)
|
|
|
|
|
files_search_kernel_modules(init_t)
|
|
|
|
|
# for privatetmp functions
|
|
|
|
|
files_manage_generic_tmp_dirs(init_t)
|
|
|
|
|
files_mounton_tmp(init_t)
|
|
|
|
|
|
|
|
|
|
fs_manage_cgroup_dirs(init_t)
|
|
|
|
|
fs_relabel_cgroup_dirs(init_t)
|
|
|
|
|
fs_rw_cgroup_files(init_t)
|
|
|
|
|
fs_list_auto_mountpoints(init_t)
|
|
|
|
|
fs_mount_autofs(init_t)
|
|
|
|
|
fs_manage_hugetlbfs_dirs(init_t)
|
|
|
|
|
fs_getattr_tmpfs(init_t)
|
|
|
|
|
fs_read_tmpfs_files(init_t)
|
|
|
|
|
fs_read_cgroup_files(init_t)
|
|
|
|
|
fs_dontaudit_getattr_xattr_fs(init_t)
|
|
|
|
|
# for privatetmp functions
|
|
|
|
|
fs_relabel_tmpfs_dirs(init_t)
|
|
|
|
|
fs_relabel_tmpfs_files(init_t)
|
|
|
|
|
# mount-setup
|
|
|
|
|
fs_unmount_autofs(init_t)
|
|
|
|
|
fs_getattr_pstore_dirs(init_t)
|
2016-01-11 18:14:55 +00:00
|
|
|
# for network namespaces
|
|
|
|
|
fs_read_nsfs_files(init_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
# need write to /var/run/systemd/notify
|
|
|
|
|
init_write_pid_socket(daemon)
|
|
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
# systemd_socket_activated policy
|
|
|
|
|
mls_socket_write_all_levels(init_t)
|
|
|
|
|
|
|
|
|
|
selinux_compute_create_context(init_t)
|
|
|
|
|
selinux_compute_access_vector(init_t)
|
|
|
|
|
|
|
|
|
|
term_relabel_pty_dirs(init_t)
|
|
|
|
|
|
|
|
|
|
logging_manage_pid_sockets(init_t)
|
|
|
|
|
logging_send_audit_msgs(init_t)
|
|
|
|
|
logging_relabelto_devlog_sock_files(init_t)
|
|
|
|
|
|
|
|
|
|
seutil_read_file_contexts(init_t)
|
|
|
|
|
|
|
|
|
|
# udevd is a "systemd kobject uevent socket activated daemon"
|
|
|
|
|
udev_create_kobject_uevent_sockets(init_t)
|
|
|
|
|
|
2017-02-19 21:13:14 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
clock_read_adjtime(init_t)
|
|
|
|
|
')
|
|
|
|
|
|
2016-03-07 08:45:36 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
systemd_dbus_chat_logind(init_t)
|
|
|
|
|
')
|
|
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
dbus_system_bus_client(init_t)
|
|
|
|
|
dbus_connect_system_bus(init_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
2017-02-18 21:35:45 +00:00
|
|
|
modutils_domtrans(init_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
')
|
|
|
|
|
',`
|
|
|
|
|
tunable_policy(`init_upstart',`
|
|
|
|
|
corecmd_shell_domtrans(init_t, initrc_t)
|
|
|
|
|
',`
|
|
|
|
|
# Run the shell in the sysadm role for single-user mode.
|
|
|
|
|
# causes problems with upstart
|
2017-02-18 14:39:01 +00:00
|
|
|
ifndef(`distro_debian',`
|
|
|
|
|
sysadm_shell_domtrans(init_t)
|
|
|
|
|
')
|
2015-10-23 14:16:59 +00:00
|
|
|
')
|
|
|
|
|
')
|
|
|
|
|
|
2013-11-09 09:45:07 +00:00
|
|
|
ifdef(`distro_debian',`
|
2013-12-20 19:44:03 +00:00
|
|
|
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
|
2013-12-10 15:27:44 +00:00
|
|
|
|
|
|
|
|
allow init_t initrc_var_run_t:file manage_file_perms;
|
2013-12-10 14:55:56 +00:00
|
|
|
fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
|
2013-11-09 09:45:07 +00:00
|
|
|
')
|
|
|
|
|
|
2006-08-23 03:47:39 +00:00
|
|
|
ifdef(`distro_gentoo',`
|
|
|
|
|
allow init_t self:process { getcap setcap };
|
2011-09-03 14:19:27 +00:00
|
|
|
|
2011-09-06 17:58:04 +00:00
|
|
|
init_exec_rc(initrc_t)
|
2006-08-23 03:47:39 +00:00
|
|
|
')
|
|
|
|
|
|
2005-06-07 18:45:47 +00:00
|
|
|
ifdef(`distro_redhat',`
|
2010-03-18 14:19:49 +00:00
|
|
|
fs_read_tmpfs_symlinks(init_t)
|
2006-01-31 20:29:27 +00:00
|
|
|
fs_rw_tmpfs_chr_files(init_t)
|
2009-06-26 14:40:13 +00:00
|
|
|
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
|
2005-05-24 22:22:26 +00:00
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-06-13 17:35:46 +00:00
|
|
|
auth_rw_login_records(init_t)
|
2005-05-31 21:25:45 +00:00
|
|
|
')
|
|
|
|
|
|
2010-03-18 14:19:49 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
dbus_system_bus_client(init_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2012-12-17 20:06:29 +00:00
|
|
|
nscd_use(init_t)
|
2005-10-24 17:06:34 +00:00
|
|
|
')
|
|
|
|
|
|
2014-06-04 12:32:28 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
shutdown_domtrans(init_t)
|
|
|
|
|
')
|
|
|
|
|
|
2010-03-18 14:19:49 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
sssd_stream_connect(init_t)
|
|
|
|
|
')
|
|
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
udev_read_db(init_t)
|
|
|
|
|
udev_relabelto_db(init_t)
|
|
|
|
|
')
|
|
|
|
|
|
2007-10-02 16:04:50 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
unconfined_domain(init_t)
|
|
|
|
|
')
|
|
|
|
|
|
2005-04-22 22:00:09 +00:00
|
|
|
########################################
|
2005-04-19 18:58:16 +00:00
|
|
|
#
|
2005-04-22 22:00:09 +00:00
|
|
|
# Init script local policy
|
2005-04-19 18:58:16 +00:00
|
|
|
#
|
2005-04-14 20:18:17 +00:00
|
|
|
|
|
|
|
|
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
|
|
|
|
allow initrc_t self:capability ~{ sys_admin sys_module };
|
2013-01-12 21:32:29 +00:00
|
|
|
allow initrc_t self:capability2 block_suspend;
|
2006-09-25 18:53:06 +00:00
|
|
|
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
|
2005-04-14 20:18:17 +00:00
|
|
|
allow initrc_t self:passwd rootok;
|
2010-03-18 14:19:49 +00:00
|
|
|
allow initrc_t self:key manage_key_perms;
|
2005-04-14 20:18:17 +00:00
|
|
|
|
|
|
|
|
# Allow IPC with self
|
2005-06-09 14:50:48 +00:00
|
|
|
allow initrc_t self:unix_dgram_socket create_socket_perms;
|
2005-04-14 20:18:17 +00:00
|
|
|
allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto };
|
2005-06-09 14:50:48 +00:00
|
|
|
allow initrc_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
|
allow initrc_t self:udp_socket create_socket_perms;
|
|
|
|
|
allow initrc_t self:fifo_file rw_file_perms;
|
2005-04-14 20:18:17 +00:00
|
|
|
|
2005-10-31 22:27:45 +00:00
|
|
|
allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
|
2009-06-26 14:40:13 +00:00
|
|
|
term_create_pty(initrc_t, initrc_devpts_t)
|
2005-10-31 22:27:45 +00:00
|
|
|
|
2006-12-04 20:10:56 +00:00
|
|
|
# Going to single user mode
|
2010-03-18 14:19:49 +00:00
|
|
|
init_telinit(initrc_t)
|
2006-12-04 20:10:56 +00:00
|
|
|
|
2008-08-29 19:00:02 +00:00
|
|
|
can_exec(initrc_t, init_script_file_type)
|
|
|
|
|
|
Support initrc_t generated pid files with file transition
For some daemons, it is the init script that is responsible for creating
the PID file of the daemon. As we do not want to update the init SELinux
policy module for each of these situations, we need to introduce an
interface that can be called by the SELinux policy module of the caller
(the daemon domain).
The initial suggestion was to transform the init_daemon_run_dir
interface, which offers a similar approach for directories in /run, into
a class-agnostic interface. Several names have been suggested, such as
init_script_spec_run_content or init_script_generic_run_filetrans_spec,
but in the end init_daemon_pid_file was used.
The interface requires the class(es) on which the file transition should
occur, like so:
init_daemon_pid_file(xdm_var_run_t, dir, "xdm")
init_daemon_pid_file(postgresql_var_run_t, file, "postgresql.pid")
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-06-25 19:53:00 +00:00
|
|
|
create_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
|
|
|
|
|
manage_files_pattern(initrc_t, daemonpidfile, daemonpidfile)
|
|
|
|
|
setattr_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
|
|
|
|
|
|
2014-06-25 19:53:01 +00:00
|
|
|
# TODO - this is deprecated supported for a short while for backwards compatibility
|
2012-08-25 18:25:06 +00:00
|
|
|
create_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
|
|
|
|
|
setattr_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
|
|
|
|
|
|
2008-08-29 19:00:02 +00:00
|
|
|
domtrans_pattern(init_run_all_scripts_domain, initrc_exec_t, initrc_t)
|
2005-05-30 21:17:20 +00:00
|
|
|
|
2009-06-26 14:40:13 +00:00
|
|
|
manage_dirs_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
|
|
|
|
manage_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
|
|
|
|
manage_lnk_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
|
|
|
|
manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
2005-04-14 20:18:17 +00:00
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
2009-06-26 14:40:13 +00:00
|
|
|
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
|
2005-05-11 19:36:36 +00:00
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
allow initrc_t daemon:process siginh;
|
|
|
|
|
|
2009-06-26 14:40:13 +00:00
|
|
|
can_exec(initrc_t, initrc_tmp_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
|
|
|
|
|
manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
|
|
|
|
|
manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
|
2009-06-26 14:40:13 +00:00
|
|
|
files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
|
2017-02-24 01:03:23 +00:00
|
|
|
allow initrc_t initrc_tmp_t:dir relabelfrom;
|
2005-05-05 18:30:00 +00:00
|
|
|
|
2012-07-12 19:24:41 +00:00
|
|
|
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
|
|
|
|
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
|
|
|
|
logging_log_filetrans(initrc_t, initrc_var_log_t, dir)
|
|
|
|
|
|
2006-02-20 16:31:54 +00:00
|
|
|
init_write_initctl(initrc_t)
|
|
|
|
|
|
2005-04-14 20:18:17 +00:00
|
|
|
kernel_read_system_state(initrc_t)
|
|
|
|
|
kernel_read_software_raid_state(initrc_t)
|
|
|
|
|
kernel_read_network_state(initrc_t)
|
|
|
|
|
kernel_read_ring_buffer(initrc_t)
|
|
|
|
|
kernel_change_ring_buffer_level(initrc_t)
|
|
|
|
|
kernel_clear_ring_buffer(initrc_t)
|
|
|
|
|
kernel_get_sysvipc_info(initrc_t)
|
2006-01-31 16:49:43 +00:00
|
|
|
kernel_read_all_sysctls(initrc_t)
|
|
|
|
|
kernel_rw_all_sysctls(initrc_t)
|
2005-05-02 21:02:14 +00:00
|
|
|
# for lsof which is used by alsa shutdown:
|
2005-06-10 01:01:13 +00:00
|
|
|
kernel_dontaudit_getattr_message_if(initrc_t)
|
2014-01-16 16:24:25 +00:00
|
|
|
# cjp: not sure why these are here; should use mount policy
|
|
|
|
|
kernel_list_unlabeled(initrc_t)
|
|
|
|
|
kernel_mounton_unlabeled_dirs(initrc_t)
|
2005-04-14 20:18:17 +00:00
|
|
|
|
2012-07-12 19:24:43 +00:00
|
|
|
files_create_lock_dirs(initrc_t)
|
|
|
|
|
files_pid_filetrans_lock_dir(initrc_t, "lock")
|
2006-03-02 23:41:11 +00:00
|
|
|
files_read_kernel_symbol_table(initrc_t)
|
2012-07-12 19:24:43 +00:00
|
|
|
files_setattr_lock_dirs(initrc_t)
|
2005-04-14 20:18:17 +00:00
|
|
|
|
2009-08-05 14:01:06 +00:00
|
|
|
corecmd_exec_all_executables(initrc_t)
|
|
|
|
|
|
2007-06-27 15:23:21 +00:00
|
|
|
corenet_all_recvfrom_unlabeled(initrc_t)
|
|
|
|
|
corenet_all_recvfrom_netlabel(initrc_t)
|
2005-06-10 01:01:13 +00:00
|
|
|
corenet_tcp_sendrecv_all_if(initrc_t)
|
|
|
|
|
corenet_udp_sendrecv_all_if(initrc_t)
|
|
|
|
|
corenet_tcp_sendrecv_all_nodes(initrc_t)
|
|
|
|
|
corenet_udp_sendrecv_all_nodes(initrc_t)
|
|
|
|
|
corenet_tcp_sendrecv_all_ports(initrc_t)
|
|
|
|
|
corenet_udp_sendrecv_all_ports(initrc_t)
|
2005-09-13 13:06:07 +00:00
|
|
|
corenet_tcp_connect_all_ports(initrc_t)
|
2006-05-29 15:04:49 +00:00
|
|
|
corenet_sendrecv_all_client_packets(initrc_t)
|
2005-04-14 20:18:17 +00:00
|
|
|
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_read_rand(initrc_t)
|
|
|
|
|
dev_read_urand(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
dev_dontaudit_read_kmsg(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
dev_write_kmsg(initrc_t)
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_write_rand(initrc_t)
|
|
|
|
|
dev_write_urand(initrc_t)
|
2005-09-13 13:06:07 +00:00
|
|
|
dev_rw_sysfs(initrc_t)
|
|
|
|
|
dev_list_usbfs(initrc_t)
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_read_framebuffer(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
dev_write_framebuffer(initrc_t)
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_read_realtime_clock(initrc_t)
|
2006-01-31 16:08:56 +00:00
|
|
|
dev_read_sound_mixer(initrc_t)
|
|
|
|
|
dev_write_sound_mixer(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
dev_setattr_generic_dirs(initrc_t)
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_setattr_all_chr_files(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
dev_rw_lvm_control(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
dev_rw_generic_chr_files(initrc_t)
|
2006-01-31 16:08:56 +00:00
|
|
|
dev_delete_lvm_control_dev(initrc_t)
|
2005-09-15 15:34:31 +00:00
|
|
|
dev_manage_generic_symlinks(initrc_t)
|
2006-02-20 16:31:54 +00:00
|
|
|
dev_manage_generic_files(initrc_t)
|
2005-05-24 15:55:57 +00:00
|
|
|
# Wants to remove udev.tbl:
|
2006-01-31 16:08:56 +00:00
|
|
|
dev_delete_generic_symlinks(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
dev_getattr_all_blk_files(initrc_t)
|
|
|
|
|
dev_getattr_all_chr_files(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
dev_rw_xserver_misc(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
|
2005-05-05 17:44:11 +00:00
|
|
|
domain_kill_all_domains(initrc_t)
|
2005-05-30 21:17:20 +00:00
|
|
|
domain_signal_all_domains(initrc_t)
|
|
|
|
|
domain_signull_all_domains(initrc_t)
|
|
|
|
|
domain_sigstop_all_domains(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
domain_sigstop_all_domains(initrc_t)
|
2005-05-30 21:17:20 +00:00
|
|
|
domain_sigchld_all_domains(initrc_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
domain_read_all_domains_state(initrc_t)
|
2005-09-16 14:54:36 +00:00
|
|
|
domain_getattr_all_domains(initrc_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
domain_getsession_all_domains(initrc_t)
|
2006-02-20 21:33:25 +00:00
|
|
|
domain_use_interactive_fds(initrc_t)
|
2005-05-30 21:17:20 +00:00
|
|
|
# for lsof which is used by alsa shutdown:
|
2005-06-13 17:35:46 +00:00
|
|
|
domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
|
|
|
|
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
|
2005-11-25 19:38:45 +00:00
|
|
|
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
|
|
|
|
|
domain_dontaudit_getattr_all_pipes(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
domain_obj_id_change_exemption(initrc_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
|
2005-07-15 15:17:57 +00:00
|
|
|
files_getattr_all_dirs(initrc_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
files_getattr_all_files(initrc_t)
|
2005-07-15 15:17:57 +00:00
|
|
|
files_getattr_all_symlinks(initrc_t)
|
|
|
|
|
files_getattr_all_pipes(initrc_t)
|
|
|
|
|
files_getattr_all_sockets(initrc_t)
|
2005-08-05 15:32:27 +00:00
|
|
|
files_purge_tmp(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
files_manage_all_locks(initrc_t)
|
|
|
|
|
files_manage_boot_files(initrc_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
files_read_all_pids(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
files_delete_root_files(initrc_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
files_delete_all_pids(initrc_t)
|
2005-09-19 21:17:45 +00:00
|
|
|
files_delete_all_pid_dirs(initrc_t)
|
2005-06-29 14:26:41 +00:00
|
|
|
files_read_etc_files(initrc_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
files_manage_etc_runtime_files(initrc_t)
|
2009-06-26 14:40:13 +00:00
|
|
|
files_etc_filetrans_etc_runtime(initrc_t, file)
|
2005-06-29 14:26:41 +00:00
|
|
|
files_exec_etc_files(initrc_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
files_read_usr_files(initrc_t)
|
|
|
|
|
files_manage_urandom_seed(initrc_t)
|
2006-01-31 19:21:01 +00:00
|
|
|
files_manage_generic_spool(initrc_t)
|
2005-07-08 20:44:57 +00:00
|
|
|
# Mount and unmount file systems.
|
|
|
|
|
# cjp: not sure why these are here; should use mount policy
|
|
|
|
|
files_list_default(initrc_t)
|
|
|
|
|
files_mounton_default(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
files_manage_mnt_dirs(initrc_t)
|
|
|
|
|
files_manage_mnt_files(initrc_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
fs_delete_cgroup_dirs(initrc_t)
|
|
|
|
|
fs_list_cgroup_dirs(initrc_t)
|
|
|
|
|
fs_rw_cgroup_files(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
fs_list_inotifyfs(initrc_t)
|
2009-08-05 14:01:06 +00:00
|
|
|
fs_register_binary_executable_type(initrc_t)
|
|
|
|
|
# rhgb-console writes to ramfs
|
|
|
|
|
fs_write_ramfs_pipes(initrc_t)
|
|
|
|
|
# cjp: not sure why these are here; should use mount policy
|
|
|
|
|
fs_mount_all_fs(initrc_t)
|
|
|
|
|
fs_unmount_all_fs(initrc_t)
|
|
|
|
|
fs_remount_all_fs(initrc_t)
|
|
|
|
|
fs_getattr_all_fs(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
fs_search_all(initrc_t)
|
|
|
|
|
fs_getattr_nfsd_files(initrc_t)
|
2009-08-05 14:01:06 +00:00
|
|
|
|
|
|
|
|
# initrc_t needs to do a pidof which requires ptrace
|
|
|
|
|
mcs_ptrace_all(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
mcs_file_read_all(initrc_t)
|
|
|
|
|
mcs_file_write_all(initrc_t)
|
2009-08-05 14:01:06 +00:00
|
|
|
mcs_killall(initrc_t)
|
|
|
|
|
mcs_process_set_categories(initrc_t)
|
|
|
|
|
|
|
|
|
|
mls_file_read_all_levels(initrc_t)
|
|
|
|
|
mls_file_write_all_levels(initrc_t)
|
2014-05-23 18:18:10 +00:00
|
|
|
mls_process_read_all_levels(initrc_t)
|
|
|
|
|
mls_process_write_all_levels(initrc_t)
|
2009-08-05 14:01:06 +00:00
|
|
|
mls_rangetrans_source(initrc_t)
|
|
|
|
|
mls_fd_share_all_levels(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
mls_socket_write_to_clearance(initrc_t)
|
2009-08-05 14:01:06 +00:00
|
|
|
|
|
|
|
|
selinux_get_enforce_mode(initrc_t)
|
|
|
|
|
|
|
|
|
|
storage_getattr_fixed_disk_dev(initrc_t)
|
|
|
|
|
storage_setattr_fixed_disk_dev(initrc_t)
|
|
|
|
|
storage_setattr_removable_dev(initrc_t)
|
|
|
|
|
|
|
|
|
|
term_use_all_terms(initrc_t)
|
|
|
|
|
term_reset_tty_labels(initrc_t)
|
|
|
|
|
|
|
|
|
|
auth_rw_login_records(initrc_t)
|
|
|
|
|
auth_setattr_login_records(initrc_t)
|
|
|
|
|
auth_rw_lastlog(initrc_t)
|
|
|
|
|
auth_read_pam_pid(initrc_t)
|
|
|
|
|
auth_delete_pam_pid(initrc_t)
|
|
|
|
|
auth_delete_pam_console_data(initrc_t)
|
2007-12-04 15:05:55 +00:00
|
|
|
auth_use_nsswitch(initrc_t)
|
|
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
init_get_system_status(initrc_t)
|
|
|
|
|
init_stream_connect(initrc_t)
|
|
|
|
|
init_start_all_units(initrc_t)
|
|
|
|
|
init_stop_all_units(initrc_t)
|
|
|
|
|
|
2005-06-13 17:35:46 +00:00
|
|
|
libs_rw_ld_so_cache(initrc_t)
|
|
|
|
|
libs_exec_lib_files(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
libs_exec_ld_so(initrc_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
|
2010-03-18 14:19:49 +00:00
|
|
|
logging_send_audit_msgs(initrc_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
logging_send_syslog_msg(initrc_t)
|
2005-09-13 13:06:07 +00:00
|
|
|
logging_manage_generic_logs(initrc_t)
|
2005-05-26 20:38:45 +00:00
|
|
|
logging_read_all_logs(initrc_t)
|
|
|
|
|
logging_append_all_logs(initrc_t)
|
2006-02-02 21:08:12 +00:00
|
|
|
logging_read_audit_config(initrc_t)
|
2005-04-19 20:43:44 +00:00
|
|
|
|
2005-05-26 20:38:45 +00:00
|
|
|
miscfiles_read_localization(initrc_t)
|
2005-10-13 20:59:36 +00:00
|
|
|
# slapd needs to read cert files from its initscript
|
2017-02-24 01:03:23 +00:00
|
|
|
miscfiles_manage_generic_cert_files(initrc_t)
|
2005-04-25 21:28:25 +00:00
|
|
|
|
2005-06-14 20:48:34 +00:00
|
|
|
seutil_read_config(initrc_t)
|
2005-04-14 20:18:17 +00:00
|
|
|
|
2008-11-05 16:10:46 +00:00
|
|
|
userdom_read_user_home_content_files(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
# Allow access to the sysadm TTYs. Note that this will give access to the
|
2005-05-19 21:06:06 +00:00
|
|
|
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
|
|
|
|
|
# started from init should be placed in their own domain.
|
2017-02-24 01:03:23 +00:00
|
|
|
userdom_use_inherited_user_terminals(initrc_t)
|
2005-05-19 21:06:06 +00:00
|
|
|
|
2006-01-16 18:30:14 +00:00
|
|
|
ifdef(`distro_debian',`
|
2016-08-03 05:48:19 +00:00
|
|
|
kernel_getattr_core_if(initrc_t)
|
|
|
|
|
|
|
|
|
|
dev_getattr_generic_blk_files(initrc_t)
|
2006-01-31 16:08:56 +00:00
|
|
|
dev_setattr_generic_dirs(initrc_t)
|
2005-07-08 20:44:57 +00:00
|
|
|
|
2009-06-26 14:40:13 +00:00
|
|
|
fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir)
|
2005-07-08 20:44:57 +00:00
|
|
|
|
|
|
|
|
# for storing state under /dev/shm
|
2006-01-31 20:29:27 +00:00
|
|
|
fs_setattr_tmpfs_dirs(initrc_t)
|
2006-03-02 23:41:11 +00:00
|
|
|
storage_manage_fixed_disk(initrc_t)
|
|
|
|
|
storage_tmpfs_filetrans_fixed_disk(initrc_t)
|
2005-07-08 20:44:57 +00:00
|
|
|
|
2006-01-31 19:21:01 +00:00
|
|
|
files_setattr_etc_dirs(initrc_t)
|
2013-11-09 09:45:10 +00:00
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
exim_manage_var_lib_files(initrc_t)
|
|
|
|
|
')
|
2013-11-09 09:45:11 +00:00
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
gdomap_read_config(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
minissdpd_read_config(initrc_t)
|
|
|
|
|
')
|
2005-05-19 21:06:06 +00:00
|
|
|
')
|
|
|
|
|
|
2005-09-02 14:52:08 +00:00
|
|
|
ifdef(`distro_gentoo',`
|
2006-08-23 03:47:39 +00:00
|
|
|
kernel_dontaudit_getattr_core_if(initrc_t)
|
|
|
|
|
|
|
|
|
|
# seed udev /dev
|
|
|
|
|
allow initrc_t self:process setfscreate;
|
|
|
|
|
dev_create_null_dev(initrc_t)
|
|
|
|
|
dev_create_zero_dev(initrc_t)
|
|
|
|
|
dev_create_generic_dirs(initrc_t)
|
|
|
|
|
term_create_console_dev(initrc_t)
|
|
|
|
|
|
2006-09-19 17:02:29 +00:00
|
|
|
# unfortunately /sbin/rc does stupid tricks
|
|
|
|
|
# with /dev/.rcboot to decide if we are in
|
|
|
|
|
# early init
|
|
|
|
|
dev_create_generic_dirs(initrc_t)
|
|
|
|
|
dev_delete_generic_dirs(initrc_t)
|
2012-10-30 21:51:53 +00:00
|
|
|
dev_setattr_generic_dirs(initrc_t)
|
2006-09-19 17:02:29 +00:00
|
|
|
|
2012-10-30 21:51:55 +00:00
|
|
|
files_manage_all_pids(initrc_t)
|
2010-04-24 16:03:16 +00:00
|
|
|
# allow bootmisc to create /var/lock/.keep.
|
|
|
|
|
files_manage_generic_locks(initrc_t)
|
2012-10-30 21:51:55 +00:00
|
|
|
files_manage_var_symlinks(initrc_t)
|
2012-07-12 19:24:43 +00:00
|
|
|
files_pid_filetrans(initrc_t, initrc_state_t, dir, "openrc")
|
2010-04-24 16:03:16 +00:00
|
|
|
|
2009-07-30 12:33:43 +00:00
|
|
|
# openrc uses tmpfs for its state data
|
|
|
|
|
fs_tmpfs_filetrans(initrc_t, initrc_state_t, { dir file fifo_file lnk_file })
|
2010-11-28 08:44:46 +00:00
|
|
|
files_mountpoint(initrc_state_t)
|
2006-08-18 18:20:22 +00:00
|
|
|
|
2006-08-28 02:46:20 +00:00
|
|
|
# init scripts touch this
|
|
|
|
|
clock_dontaudit_write_adjtime(initrc_t)
|
|
|
|
|
|
2009-07-30 01:50:32 +00:00
|
|
|
logging_send_audit_msgs(initrc_t)
|
|
|
|
|
|
2006-10-15 00:23:06 +00:00
|
|
|
# for integrated run_init to read run_init_type.
|
|
|
|
|
# happens during boot (/sbin/rc execs init scripts)
|
|
|
|
|
seutil_read_default_contexts(initrc_t)
|
|
|
|
|
|
2008-03-20 14:55:17 +00:00
|
|
|
# /lib/rcscripts/net/system.sh rewrites resolv.conf :(
|
|
|
|
|
sysnet_create_config(initrc_t)
|
|
|
|
|
sysnet_write_config(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
sysnet_setattr_config(initrc_t)
|
2008-03-20 14:55:17 +00:00
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
abrt_manage_pid_files(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2011-02-09 14:27:39 +00:00
|
|
|
alsa_read_lib(initrc_t)
|
2005-10-10 18:11:46 +00:00
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2011-02-09 14:27:39 +00:00
|
|
|
arpwatch_manage_data_files(initrc_t)
|
2005-09-02 14:52:08 +00:00
|
|
|
')
|
2011-02-06 14:42:13 +00:00
|
|
|
|
|
|
|
|
optional_policy(`
|
2011-02-09 14:27:39 +00:00
|
|
|
dhcpd_setattr_state_files(initrc_t)
|
2011-02-06 14:42:13 +00:00
|
|
|
')
|
2005-09-02 14:52:08 +00:00
|
|
|
')
|
|
|
|
|
|
2005-06-07 18:45:47 +00:00
|
|
|
ifdef(`distro_redhat',`
|
2005-06-01 13:51:54 +00:00
|
|
|
# this is from kmodule, which should get its own policy:
|
|
|
|
|
allow initrc_t self:capability sys_admin;
|
|
|
|
|
|
2007-02-16 23:01:42 +00:00
|
|
|
allow initrc_t self:process setfscreate;
|
|
|
|
|
|
2005-05-31 23:02:11 +00:00
|
|
|
# Red Hat systems seem to have a stray
|
|
|
|
|
# fd open from the initrd
|
2017-02-24 01:03:23 +00:00
|
|
|
kernel_use_fds(initrc_t)
|
2006-01-31 19:21:01 +00:00
|
|
|
files_dontaudit_read_root_files(initrc_t)
|
2005-04-14 20:18:17 +00:00
|
|
|
|
2005-05-31 23:02:11 +00:00
|
|
|
# These seem to be from the initrd
|
|
|
|
|
# during device initialization:
|
2006-01-31 16:08:56 +00:00
|
|
|
dev_create_generic_dirs(initrc_t)
|
|
|
|
|
dev_rwx_zero(initrc_t)
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_rx_raw_memory(initrc_t)
|
|
|
|
|
dev_wx_raw_memory(initrc_t)
|
2005-05-31 23:02:11 +00:00
|
|
|
storage_raw_read_fixed_disk(initrc_t)
|
|
|
|
|
storage_raw_write_fixed_disk(initrc_t)
|
2005-05-19 21:06:06 +00:00
|
|
|
|
2010-03-18 14:19:49 +00:00
|
|
|
files_create_boot_dirs(initrc_t)
|
2005-05-31 23:02:11 +00:00
|
|
|
files_create_boot_flag(initrc_t)
|
2006-10-31 21:01:48 +00:00
|
|
|
files_rw_boot_symlinks(initrc_t)
|
2005-10-28 14:34:26 +00:00
|
|
|
# wants to read /.fonts directory
|
|
|
|
|
files_read_default_files(initrc_t)
|
2005-11-11 16:08:03 +00:00
|
|
|
files_mountpoint(initrc_tmp_t)
|
2007-02-16 23:01:42 +00:00
|
|
|
# Needs to cp localtime to /var dirs
|
|
|
|
|
files_write_var_dirs(initrc_t)
|
2005-11-11 16:08:03 +00:00
|
|
|
|
2010-03-18 14:19:49 +00:00
|
|
|
fs_read_tmpfs_symlinks(initrc_t)
|
2006-02-07 21:48:00 +00:00
|
|
|
fs_rw_tmpfs_chr_files(initrc_t)
|
|
|
|
|
|
2006-03-02 23:41:11 +00:00
|
|
|
storage_manage_fixed_disk(initrc_t)
|
|
|
|
|
storage_dev_filetrans_fixed_disk(initrc_t)
|
2006-02-07 21:48:00 +00:00
|
|
|
storage_getattr_removable_dev(initrc_t)
|
2006-01-06 22:51:40 +00:00
|
|
|
|
2005-05-31 23:02:11 +00:00
|
|
|
# readahead asks for these
|
2006-01-06 22:51:40 +00:00
|
|
|
auth_dontaudit_read_shadow(initrc_t)
|
2005-09-15 21:03:29 +00:00
|
|
|
|
2007-02-16 23:01:42 +00:00
|
|
|
# init scripts cp /etc/localtime over other directories localtime
|
|
|
|
|
miscfiles_rw_localization(initrc_t)
|
|
|
|
|
miscfiles_setattr_localization(initrc_t)
|
|
|
|
|
miscfiles_relabel_localization(initrc_t)
|
|
|
|
|
|
2006-02-07 21:48:00 +00:00
|
|
|
miscfiles_read_fonts(initrc_t)
|
|
|
|
|
miscfiles_read_hwdata(initrc_t)
|
|
|
|
|
|
2010-03-18 14:19:49 +00:00
|
|
|
optional_policy(`
|
2016-08-14 18:34:19 +00:00
|
|
|
alsa_manage_config(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
')
|
|
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
abrt_manage_pid_files(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-02-02 21:08:12 +00:00
|
|
|
bind_manage_config_dirs(initrc_t)
|
2006-02-07 21:48:00 +00:00
|
|
|
bind_write_config(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
bind_setattr_zone_dirs(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
devicekit_append_inherited_log_files(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
gnome_manage_gconf_config(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
pulseaudio_stream_connect(initrc_t)
|
2005-09-15 21:03:29 +00:00
|
|
|
')
|
2005-10-24 01:53:13 +00:00
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-10-24 01:53:13 +00:00
|
|
|
#for /etc/rc.d/init.d/nfs to create /etc/exports
|
|
|
|
|
rpc_write_exports(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
rpc_manage_nfs_state_data(initrc_t)
|
2005-10-24 01:53:13 +00:00
|
|
|
')
|
2017-02-24 01:03:23 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
rpcbind_stream_connect(initrc_t)
|
|
|
|
|
')
|
2006-02-07 21:48:00 +00:00
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-02-07 21:48:00 +00:00
|
|
|
sysnet_rw_dhcp_config(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
sysnet_manage_config(initrc_t)
|
2006-02-07 21:48:00 +00:00
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-02-07 21:48:00 +00:00
|
|
|
xserver_delete_log(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
ifdef(`distro_suse',`
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-02-07 21:48:00 +00:00
|
|
|
# set permissions on /tmp/.X11-unix
|
|
|
|
|
xserver_setattr_xdm_tmp_dirs(initrc_t)
|
|
|
|
|
')
|
2005-06-01 13:51:54 +00:00
|
|
|
')
|
2005-05-13 14:37:13 +00:00
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
ifdef(`enabled_mls',`
|
|
|
|
|
optional_policy(`
|
|
|
|
|
# allow init scripts to su
|
|
|
|
|
su_restricted_domain_template(initrc, initrc_t, system_r)
|
|
|
|
|
')
|
|
|
|
|
')
|
|
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
ifdef(`init_systemd',`
|
2017-02-24 01:03:23 +00:00
|
|
|
allow init_t self:system { status reboot halt reload };
|
|
|
|
|
|
|
|
|
|
allow init_t self:unix_dgram_socket { create_socket_perms sendto };
|
|
|
|
|
allow init_t self:process { setsockcreate setfscreate setrlimit };
|
|
|
|
|
allow init_t self:process { getcap setcap };
|
|
|
|
|
allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
|
|
|
allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
|
|
# Until systemd is fixed
|
|
|
|
|
allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
|
|
|
|
|
allow init_t self:udp_socket create_socket_perms;
|
|
|
|
|
allow init_t self:netlink_route_socket create_netlink_socket_perms;
|
|
|
|
|
allow init_t initrc_t:unix_dgram_socket create_socket_perms;
|
|
|
|
|
allow initrc_t init_t:system { status reboot halt reload };
|
|
|
|
|
allow init_t self:capability2 audit_read;
|
2015-10-23 14:16:59 +00:00
|
|
|
manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
|
|
|
|
|
files_lock_filetrans(initrc_t, initrc_lock_t, file)
|
|
|
|
|
|
|
|
|
|
manage_dirs_pattern(initrc_t, init_var_run_t, init_var_run_t)
|
|
|
|
|
|
|
|
|
|
manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
|
|
|
|
|
manage_chr_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
|
|
|
|
|
manage_lnk_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
|
|
|
|
|
files_pid_filetrans(initrc_t, initrc_var_run_t, dir_file_class_set)
|
|
|
|
|
|
|
|
|
|
create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
allow initrc_t systemd_unit_t:service reload;
|
2015-10-23 14:16:59 +00:00
|
|
|
|
|
|
|
|
manage_files_pattern(initrc_t, systemdunit, systemdunit)
|
|
|
|
|
manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit)
|
2017-02-24 01:03:23 +00:00
|
|
|
allow initrc_t systemdunit:service reload;
|
|
|
|
|
allow initrc_t init_script_file_type:service { stop start status reload };
|
2015-10-23 14:16:59 +00:00
|
|
|
|
|
|
|
|
kernel_dgram_send(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
kernel_list_unlabeled(init_t)
|
|
|
|
|
kernel_read_network_state(init_t)
|
|
|
|
|
kernel_rw_kernel_sysctl(init_t)
|
|
|
|
|
kernel_rw_net_sysctls(init_t)
|
|
|
|
|
kernel_read_all_sysctls(init_t)
|
|
|
|
|
kernel_read_software_raid_state(init_t)
|
|
|
|
|
kernel_unmount_debugfs(init_t)
|
|
|
|
|
kernel_setsched(init_t)
|
|
|
|
|
|
|
|
|
|
auth_relabel_login_records(init_t)
|
|
|
|
|
auth_relabel_pam_console_data_dirs(init_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
|
|
|
|
# run systemd misc initializations
|
|
|
|
|
# in the initrc_t domain, as would be
|
|
|
|
|
# done in traditional sysvinit/upstart.
|
|
|
|
|
corecmd_bin_entry_type(initrc_t)
|
|
|
|
|
corecmd_shell_entry_type(initrc_t)
|
|
|
|
|
corecmd_bin_domtrans(init_t, initrc_t)
|
|
|
|
|
corecmd_shell_domtrans(init_t, initrc_t)
|
|
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
dev_write_kmsg(init_t)
|
|
|
|
|
dev_write_urand(init_t)
|
|
|
|
|
dev_rw_lvm_control(init_t)
|
|
|
|
|
dev_rw_autofs(init_t)
|
|
|
|
|
dev_manage_generic_symlinks(init_t)
|
|
|
|
|
dev_manage_generic_dirs(init_t)
|
|
|
|
|
dev_manage_generic_files(init_t)
|
|
|
|
|
dev_manage_null_service(initrc_t)
|
|
|
|
|
dev_read_generic_chr_files(init_t)
|
|
|
|
|
dev_relabel_generic_dev_dirs(init_t)
|
|
|
|
|
dev_relabel_all_dev_nodes(init_t)
|
|
|
|
|
dev_relabel_all_dev_files(init_t)
|
|
|
|
|
dev_manage_sysfs_dirs(init_t)
|
|
|
|
|
dev_relabel_sysfs_dirs(init_t)
|
|
|
|
|
# systemd writes to /dev/watchdog on shutdown
|
|
|
|
|
dev_write_watchdog(init_t)
|
|
|
|
|
|
2015-10-20 18:33:56 +00:00
|
|
|
# Allow initrc_t to check /etc/fstab "service." It appears that
|
|
|
|
|
# systemd is conflating files and services.
|
2017-02-24 01:03:23 +00:00
|
|
|
files_create_all_pid_pipes(init_t)
|
|
|
|
|
files_create_all_pid_sockets(init_t)
|
|
|
|
|
files_create_all_spool_sockets(init_t)
|
|
|
|
|
files_create_lock_dirs(init_t)
|
|
|
|
|
files_delete_all_pids(init_t)
|
|
|
|
|
files_delete_all_spool_sockets(init_t)
|
|
|
|
|
files_exec_generic_pid_files(init_t)
|
2015-10-20 18:33:56 +00:00
|
|
|
files_get_etc_unit_status(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
files_list_locks(init_t)
|
|
|
|
|
files_list_spool(init_t)
|
|
|
|
|
files_list_var(init_t)
|
|
|
|
|
files_manage_all_pid_dirs(init_t)
|
|
|
|
|
files_manage_generic_tmp_dirs(init_t)
|
|
|
|
|
files_manage_urandom_seed(init_t)
|
|
|
|
|
files_mounton_all_mountpoints(init_t)
|
|
|
|
|
files_read_boot_files(initrc_t)
|
|
|
|
|
files_relabel_all_lock_dirs(init_t)
|
|
|
|
|
files_relabel_all_pid_dirs(init_t)
|
|
|
|
|
files_relabel_all_pid_files(init_t)
|
|
|
|
|
files_search_all(init_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
files_setattr_pid_dirs(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
files_unmount_all_file_type_fs(init_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
fs_getattr_all_fs(init_t)
|
|
|
|
|
fs_list_auto_mountpoints(init_t)
|
|
|
|
|
fs_manage_cgroup_dirs(init_t)
|
|
|
|
|
fs_manage_cgroup_files(init_t)
|
|
|
|
|
fs_manage_hugetlbfs_dirs(init_t)
|
|
|
|
|
fs_manage_tmpfs_dirs(init_t)
|
|
|
|
|
fs_mount_all_fs(init_t)
|
|
|
|
|
fs_remount_all_fs(init_t)
|
|
|
|
|
fs_unmount_all_fs(init_t)
|
|
|
|
|
fs_search_cgroup_dirs(daemon)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
init_get_all_units_status(initrc_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
init_manage_var_lib_files(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
init_read_script_state(init_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
init_rw_stream_sockets(initrc_t)
|
|
|
|
|
init_stop_all_units(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
init_stream_connect(initrc_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
|
|
|
|
# Create /etc/audit.rules.prev after firstboot remediation
|
|
|
|
|
logging_manage_audit_config(initrc_t)
|
|
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
selinux_compute_create_context(init_t)
|
|
|
|
|
selinux_set_enforce_mode(initrc_t)
|
|
|
|
|
selinux_unmount_fs(init_t)
|
|
|
|
|
selinux_validate_context(init_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
# lvm2-activation-generator checks file labels
|
|
|
|
|
seutil_read_file_contexts(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
seutil_read_file_contexts(init_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
storage_getattr_removable_dev(init_t)
|
|
|
|
|
systemd_manage_all_units(init_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
systemd_start_power_units(initrc_t)
|
|
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
term_relabel_pty_dirs(init_t)
|
|
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
# create /var/lock/lvm/
|
|
|
|
|
lvm_create_lock_dirs(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-03-07 21:15:24 +00:00
|
|
|
amavis_search_lib(initrc_t)
|
|
|
|
|
amavis_setattr_pid_files(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-10-28 14:34:26 +00:00
|
|
|
dev_rw_apm_bios(initrc_t)
|
2005-07-08 20:44:57 +00:00
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-10-05 21:17:22 +00:00
|
|
|
apache_read_config(initrc_t)
|
|
|
|
|
apache_list_modules(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
# webmin seems to cause this.
|
|
|
|
|
apache_search_sys_content(daemon)
|
2005-10-05 21:17:22 +00:00
|
|
|
')
|
|
|
|
|
|
2012-03-26 18:50:52 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
asterisk_setattr_logs(initrc_t)
|
|
|
|
|
asterisk_setattr_pid_files(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-08-23 17:26:19 +00:00
|
|
|
bind_read_config(initrc_t)
|
|
|
|
|
|
|
|
|
|
# for chmod in start script
|
2006-02-02 21:08:12 +00:00
|
|
|
bind_setattr_pid_dirs(initrc_t)
|
2005-08-23 17:26:19 +00:00
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-10-07 21:45:04 +00:00
|
|
|
dev_read_usbfs(initrc_t)
|
2006-01-06 22:51:40 +00:00
|
|
|
bluetooth_read_config(initrc_t)
|
2005-10-07 21:45:04 +00:00
|
|
|
')
|
|
|
|
|
|
2010-06-07 18:25:59 +00:00
|
|
|
optional_policy(`
|
2010-08-08 10:05:41 +00:00
|
|
|
cgroup_stream_connect_cgred(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
domain_setpriority_all_domains(initrc_t)
|
2010-06-07 18:25:59 +00:00
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-03-07 21:15:24 +00:00
|
|
|
clamav_read_config(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2012-09-08 15:45:53 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
courier_read_config(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-11-08 22:00:30 +00:00
|
|
|
cpucontrol_stub(initrc_t)
|
2006-01-31 16:08:56 +00:00
|
|
|
dev_getattr_cpu_dev(initrc_t)
|
2005-09-20 18:15:35 +00:00
|
|
|
')
|
|
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
cron_read_pipes(initrc_t)
|
|
|
|
|
# managing /etc/cron.d/mailman content
|
|
|
|
|
cron_manage_system_spool(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-06-08 17:18:25 +00:00
|
|
|
dev_getattr_printer_dev(initrc_t)
|
|
|
|
|
|
2005-11-29 21:27:15 +00:00
|
|
|
cups_read_log(initrc_t)
|
2006-06-08 17:18:25 +00:00
|
|
|
cups_read_rw_config(initrc_t)
|
2006-09-28 14:37:29 +00:00
|
|
|
#cups init script clears error log
|
|
|
|
|
cups_write_log(initrc_t)
|
2005-11-29 21:27:15 +00:00
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-01-16 18:30:14 +00:00
|
|
|
daemontools_manage_svc(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-10-28 14:34:26 +00:00
|
|
|
dbus_connect_system_bus(initrc_t)
|
2008-11-05 16:10:46 +00:00
|
|
|
dbus_system_bus_client(initrc_t)
|
2006-01-06 22:51:40 +00:00
|
|
|
dbus_read_config(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
dbus_manage_lib_files(initrc_t)
|
|
|
|
|
|
|
|
|
|
init_dbus_chat(initrc_t)
|
2005-10-28 14:34:26 +00:00
|
|
|
|
2010-03-18 14:19:49 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
consolekit_dbus_chat(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
consolekit_manage_log(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-11-25 16:43:03 +00:00
|
|
|
networkmanager_dbus_chat(initrc_t)
|
2005-10-28 14:34:26 +00:00
|
|
|
')
|
2010-03-18 14:19:49 +00:00
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
policykit_dbus_chat(initrc_t)
|
|
|
|
|
')
|
2005-10-28 14:34:26 +00:00
|
|
|
')
|
|
|
|
|
|
2008-02-25 19:31:03 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
|
|
|
|
|
# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
|
|
|
|
|
# the directory. But we do not want to allow this.
|
|
|
|
|
# The master process of dovecot will manage this file.
|
|
|
|
|
dovecot_dontaudit_unlink_lib_files(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-09-27 22:29:45 +00:00
|
|
|
ftp_read_config(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-08-17 21:28:31 +00:00
|
|
|
gpm_setattr_gpmctl(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2010-03-18 14:19:49 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
hal_write_log(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-06-14 19:56:46 +00:00
|
|
|
dev_read_usbfs(initrc_t)
|
2005-05-31 23:02:11 +00:00
|
|
|
|
|
|
|
|
# init scripts run /etc/hotplug/usb.rc
|
|
|
|
|
hotplug_read_config(initrc_t)
|
|
|
|
|
|
2006-02-02 21:08:12 +00:00
|
|
|
modutils_read_module_deps(initrc_t)
|
2005-05-19 21:06:06 +00:00
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-09-08 13:23:11 +00:00
|
|
|
inn_exec_config(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-07-18 18:31:49 +00:00
|
|
|
ipsec_read_config(initrc_t)
|
|
|
|
|
ipsec_manage_pid(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2010-03-18 14:19:49 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
iscsi_stream_connect(initrc_t)
|
|
|
|
|
iscsi_read_lib_files(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-07-01 13:31:34 +00:00
|
|
|
kerberos_use(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-08-17 18:33:43 +00:00
|
|
|
ldap_read_config(initrc_t)
|
2006-02-02 21:08:12 +00:00
|
|
|
ldap_list_db(initrc_t)
|
2005-08-17 18:33:43 +00:00
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-08-15 14:46:17 +00:00
|
|
|
loadkeys_exec(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2007-07-19 18:57:48 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
# in emergency/recovery situations use sulogin
|
|
|
|
|
locallogin_domtrans_sulogin(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-10-22 21:09:03 +00:00
|
|
|
# This is needed to permit chown to read /var/spool/lpd/lp.
|
|
|
|
|
# This is opens up security more than necessary; this means that ANYTHING
|
|
|
|
|
# running in the initrc_t domain can read the printer spool directory.
|
|
|
|
|
# Perhaps executing /etc/rc.d/init.d/lpd should transition
|
|
|
|
|
# to domain lpd_t, instead of waiting for executing lpd.
|
|
|
|
|
lpd_list_spool(initrc_t)
|
|
|
|
|
|
|
|
|
|
lpd_read_config(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
lpd_manage_spool(init_t)
|
2005-10-22 21:09:03 +00:00
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-05-31 23:02:11 +00:00
|
|
|
#allow initrc_t lvm_control_t:chr_file unlink;
|
|
|
|
|
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_read_lvm_control(initrc_t)
|
2006-01-31 16:08:56 +00:00
|
|
|
dev_create_generic_chr_files(initrc_t)
|
2006-01-11 15:28:14 +00:00
|
|
|
|
|
|
|
|
lvm_read_config(initrc_t)
|
2005-05-30 21:17:20 +00:00
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-10-11 15:36:53 +00:00
|
|
|
mailman_list_data(initrc_t)
|
|
|
|
|
mailman_read_data_symlinks(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2017-02-18 14:39:01 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
modutils_read_module_config(initrc_t)
|
2017-02-18 21:35:45 +00:00
|
|
|
modutils_domtrans(initrc_t)
|
2017-02-18 14:39:01 +00:00
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-01-06 22:51:40 +00:00
|
|
|
mta_read_config(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
mta_write_config(initrc_t)
|
2006-02-02 21:08:12 +00:00
|
|
|
mta_dontaudit_read_spool_symlinks(initrc_t)
|
2005-07-08 20:44:57 +00:00
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-08-03 17:56:26 +00:00
|
|
|
ifdef(`distro_redhat',`
|
2006-02-02 21:08:12 +00:00
|
|
|
mysql_manage_db_dirs(initrc_t)
|
2005-08-03 17:56:26 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
|
|
mysql_stream_connect(initrc_t)
|
|
|
|
|
mysql_write_log(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
mysql_read_config(initrc_t)
|
2005-08-03 17:56:26 +00:00
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-06-24 20:37:09 +00:00
|
|
|
nis_list_var_yp(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-04-14 20:07:01 +00:00
|
|
|
openvpn_read_config(initrc_t)
|
2005-10-24 01:53:13 +00:00
|
|
|
')
|
|
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
plymouthd_stream_connect(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-09-19 21:17:45 +00:00
|
|
|
postgresql_manage_db(initrc_t)
|
|
|
|
|
postgresql_read_config(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-10-23 20:18:36 +00:00
|
|
|
postfix_list_spool(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2009-11-09 22:54:00 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
puppet_rw_tmp(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-08-11 14:49:58 +00:00
|
|
|
quota_manage_flags(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-04-14 20:07:01 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
raid_manage_mdadm_pid(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-03-09 19:02:29 +00:00
|
|
|
fs_write_ramfs_sockets(initrc_t)
|
|
|
|
|
fs_search_ramfs(initrc_t)
|
|
|
|
|
|
|
|
|
|
rhgb_rw_stream_sockets(initrc_t)
|
|
|
|
|
rhgb_stream_connect(initrc_t)
|
2005-05-26 20:38:45 +00:00
|
|
|
')
|
|
|
|
|
|
2006-04-14 20:07:01 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
rpc_read_exports(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-05-31 23:02:11 +00:00
|
|
|
# bash tries to access a block device in the initrd
|
2006-01-31 16:49:43 +00:00
|
|
|
kernel_dontaudit_getattr_unlabeled_blk_files(initrc_t)
|
2005-05-31 23:02:11 +00:00
|
|
|
|
|
|
|
|
# for a bug in rm
|
2005-06-13 17:35:46 +00:00
|
|
|
files_dontaudit_write_all_pids(initrc_t)
|
2005-05-31 23:02:11 +00:00
|
|
|
|
|
|
|
|
# bash tries ioctl for some reason
|
2005-06-13 17:35:46 +00:00
|
|
|
files_dontaudit_ioctl_all_pids(initrc_t)
|
2005-05-31 23:02:11 +00:00
|
|
|
|
2005-07-08 20:44:57 +00:00
|
|
|
')
|
2005-05-24 15:55:57 +00:00
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-09-14 18:33:53 +00:00
|
|
|
samba_rw_config(initrc_t)
|
2005-09-28 18:22:58 +00:00
|
|
|
samba_read_winbind_pid(initrc_t)
|
2005-09-14 18:33:53 +00:00
|
|
|
')
|
|
|
|
|
|
2011-03-21 13:42:12 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
# shorewall-init script run /var/lib/shorewall/firewall
|
|
|
|
|
shorewall_lib_domtrans(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-09-02 19:11:07 +00:00
|
|
|
squid_read_config(initrc_t)
|
|
|
|
|
squid_manage_logs(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-10-18 15:07:11 +00:00
|
|
|
ssh_dontaudit_read_server_keys(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
ssh_setattr_key_files(initrc_t)
|
2005-06-22 21:14:48 +00:00
|
|
|
')
|
|
|
|
|
|
2012-12-17 09:42:48 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
stunnel_read_config(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-06-29 20:53:53 +00:00
|
|
|
sysnet_read_dhcpc_state(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:48:35 +00:00
|
|
|
optional_policy(`
|
2010-03-18 14:19:49 +00:00
|
|
|
udev_manage_pid_files(initrc_t)
|
2012-07-12 19:24:45 +00:00
|
|
|
udev_manage_pid_dirs(initrc_t)
|
2010-04-16 06:27:36 +00:00
|
|
|
udev_manage_rules_files(initrc_t)
|
2006-03-24 16:48:35 +00:00
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-02-16 21:33:18 +00:00
|
|
|
uml_setattr_util_sockets(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2010-03-18 14:19:49 +00:00
|
|
|
optional_policy(`
|
2012-04-11 18:35:57 +00:00
|
|
|
virt_stream_connect(initrc_t)
|
2012-12-14 12:58:49 +00:00
|
|
|
virt_manage_virt_cache(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
')
|
|
|
|
|
|
2007-10-02 16:04:50 +00:00
|
|
|
optional_policy(`
|
2017-02-24 01:03:23 +00:00
|
|
|
domain_role_change_exemption(initrc_t)
|
|
|
|
|
|
|
|
|
|
mcs_file_read_all(initrc_t)
|
|
|
|
|
mcs_file_write_all(initrc_t)
|
|
|
|
|
mcs_killall(initrc_t)
|
|
|
|
|
|
2007-10-02 16:04:50 +00:00
|
|
|
unconfined_domain(initrc_t)
|
|
|
|
|
|
|
|
|
|
ifdef(`distro_redhat',`
|
|
|
|
|
# system-config-services causes avc messages that should be dontaudited
|
|
|
|
|
unconfined_dontaudit_rw_pipes(daemon)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
mono_domtrans(initrc_t)
|
|
|
|
|
')
|
2017-02-24 01:03:23 +00:00
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
rtkit_scheduled(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
rpm_read_db(initrc_t)
|
|
|
|
|
rpm_delete_db(initrc_t)
|
2007-10-02 16:04:50 +00:00
|
|
|
')
|
|
|
|
|
|
2006-04-26 18:18:15 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
vmware_read_system_config(initrc_t)
|
|
|
|
|
vmware_append_system_config(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-11-25 19:09:08 +00:00
|
|
|
miscfiles_manage_fonts(initrc_t)
|
|
|
|
|
|
|
|
|
|
# cjp: is this really needed?
|
2006-02-02 21:08:12 +00:00
|
|
|
xfs_read_sockets(initrc_t)
|
2005-11-25 19:09:08 +00:00
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-04-06 19:27:41 +00:00
|
|
|
# Set device ownerships/modes.
|
|
|
|
|
xserver_setattr_console_pipes(initrc_t)
|
|
|
|
|
|
|
|
|
|
# init script wants to check if it needs to update windowmanagerlist
|
2006-02-07 21:48:00 +00:00
|
|
|
xserver_read_xdm_rw_config(initrc_t)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-09-09 13:24:11 +00:00
|
|
|
zebra_read_config(initrc_t)
|
|
|
|
|
')
|
2017-02-24 01:03:23 +00:00
|
|
|
|
|
|
|
|
########################################
|
|
|
|
|
#
|
|
|
|
|
# Rules applied to all daemons
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
domain_dontaudit_use_interactive_fds(daemon)
|
|
|
|
|
|
|
|
|
|
# daemons started from init will
|
|
|
|
|
# inherit fds from init for the console
|
|
|
|
|
term_dontaudit_use_console(daemon)
|
|
|
|
|
|
|
|
|
|
init_dontaudit_use_fds(daemon)
|
|
|
|
|
# init script ptys are the stdin/out/err
|
|
|
|
|
# when using run_init
|
|
|
|
|
init_use_script_ptys(daemon)
|
|
|
|
|
|
|
|
|
|
tunable_policy(`init_daemons_use_tty',`
|
|
|
|
|
term_use_unallocated_ttys(daemon)
|
|
|
|
|
term_use_generic_ptys(daemon)
|
|
|
|
|
term_use_all_ttys(daemon)
|
|
|
|
|
term_use_all_ptys(daemon)
|
|
|
|
|
',`
|
|
|
|
|
term_dontaudit_use_unallocated_ttys(daemon)
|
|
|
|
|
term_dontaudit_use_generic_ptys(daemon)
|
|
|
|
|
term_dontaudit_use_all_ttys(daemon)
|
|
|
|
|
term_dontaudit_use_all_ptys(daemon)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
|
|
|
fs_dontaudit_rw_nfs_files(daemon)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
tunable_policy(`use_samba_home_dirs',`
|
|
|
|
|
fs_dontaudit_rw_cifs_files(daemon)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
unconfined_dontaudit_rw_pipes(daemon)
|
|
|
|
|
unconfined_dontaudit_rw_stream_sockets(daemon)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
userdom_dontaudit_rw_all_users_stream_sockets(daemon)
|
|
|
|
|
userdom_dontaudit_read_user_tmp_files(daemon)
|
|
|
|
|
userdom_dontaudit_write_user_tmp_files(daemon)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
|
|
|
|
#
|
|
|
|
|
# Rules applied to all system processes
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
dontaudit systemprocess init_t:unix_stream_socket getattr;
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
userdom_dontaudit_search_user_home_dirs(systemprocess)
|
|
|
|
|
userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
|
|
|
|
|
userdom_dontaudit_write_user_tmp_files(systemprocess)
|
|
|
|
|
')
|
