selinux-refpolicy/policy/modules/system/init.te


policy_module(init, 2.10.2)

gen_require(`
	class passwd rootok;
')

########################################
#
# Declarations
#

## <desc>
## <p>
## Enable support for upstart as the init program.
## </p>
## </desc>
gen_tunable(init_upstart, false)

## <desc>
## <p>
## Allow all daemons the ability to read/write terminals
## </p>
## </desc>
gen_tunable(init_daemons_use_tty, false)

## <desc>
## <p>
## Enable systemd to mount on all non-security files.
## </p>
## </desc>
gen_tunable(init_mounton_non_security, false)

# Types init may getattr and mount on (used by the systemd rules below;
# init_runtime_t is given this attribute via init_mountpoint()).
attribute init_mountpoint_type;
# Locations of path units; init may getattr and watch them.
attribute init_path_unit_loc_type;
# Domains that run init scripts (initrc_t carries it; the rules that
# consume it are not in this section).
attribute init_script_domain_type;
# Entry point files of init scripts (initrc_exec_t carries it);
# initrc_t may execute files of these types.
attribute init_script_file_type;
# Domains that may transition into initrc_t through initrc_exec_t and,
# under systemd, start/stop/status systemdunit services.
attribute init_run_all_scripts_domain;
# Keyring types init is allowed to link to.
attribute init_linkable_keyring_type;
# Unit file types; init_run_all_scripts_domain may control them as
# services and init manages files of these types under systemd_unit_t.
attribute systemdunit;
# NOTE(review): only assigned here (to init_t); the rules that use this
# attribute live in other modules — confirm its meaning there.
attribute initrc_transition_domain;

# Mark process types as daemons
attribute daemon;
# Mark process types as system processes; under systemd init may
# dyntransition into them and exchange unix socket traffic with them.
attribute systemprocess;
# Mark file type as a daemon pid file
attribute daemonpidfile;

#
# init_t is the domain of the init process.
#
type init_t, initrc_transition_domain;
type init_exec_t;
domain_type(init_t)
domain_entry_file(init_t, init_exec_t)
kernel_domtrans_to(init_t, init_exec_t)
role system_r types init_t;

#
# init_runtime_t is the type for /var/run/shutdown.pid and /var/run/systemd.
#
type init_runtime_t alias init_var_run_t;
files_runtime_file(init_runtime_t)
init_mountpoint(init_runtime_t)

#
# init_var_lib_t is the type for /var/lib/systemd.
#
type init_var_lib_t;
files_type(init_var_lib_t)

#
# initctl_t is the type of the named pipe created
# by init during initialization. This pipe is used
# to communicate with init.
#
type initctl_t;
files_type(initctl_t)
mls_trusted_object(initctl_t)

#
# initrc_t is the domain of the init scripts,
# initrc_exec_t is their entry point file type.
#
type initrc_t, init_script_domain_type, init_run_all_scripts_domain;
type initrc_exec_t, init_script_file_type;
init_domain(initrc_t, initrc_exec_t)
ifdef(`enable_mcs', `
	init_ranged_daemon_domain(initrc_t, initrc_exec_t, s0)
')
ifdef(`enable_mls', `
	init_ranged_daemon_domain(initrc_t, initrc_exec_t, s0 - mls_systemhigh)
')
init_named_socket_activation(initrc_t, init_runtime_t)
# should be part of the true block
# of the below init_upstart tunable
# but this has a typeattribute in it
corecmd_shell_entry_type(initrc_t)

type initrc_devpts_t;
term_pty(initrc_devpts_t)
files_type(initrc_devpts_t)

type initrc_lock_t;
files_lock_file(initrc_lock_t)

type initrc_runtime_t alias initrc_var_run_t;
files_runtime_file(initrc_runtime_t)

type initrc_state_t;
files_type(initrc_state_t)

type initrc_tmp_t;
files_tmp_file(initrc_tmp_t)

type initrc_var_log_t;
logging_log_file(initrc_var_log_t)

type systemd_unit_t;
init_unit_file(systemd_unit_t)

ifdef(`distro_gentoo',`
	type rc_exec_t;
	domain_entry_file(initrc_t, rc_exec_t)
	domtrans_pattern(init_t, rc_exec_t, initrc_t)
')

ifdef(`enable_mls',`
	kernel_ranged_domtrans_to(init_t, init_exec_t, s0 - mls_systemhigh)
')
########################################
#
# Init local policy
#

# Capabilities held by init itself. sys_module is not in this set; the
# notes below record which capabilities were observed in use and which
# of the old entries are now provided through interface calls instead.
allow init_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
allow init_t self:capability2 { wake_alarm block_suspend };
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
# kill: now provided by domain_kill_all_domains()
# setuid (from /sbin/shutdown)
# sys_chroot (from /usr/bin/chroot): now covered by the corecmd_exec_chroot() call below
allow init_t self:fifo_file rw_fifo_file_perms;

# Re-exec itself
can_exec(init_t, init_exec_t)

allow init_t initrc_t:unix_stream_socket connectto;

# Mostly for systemd. Allow init to link to various keyrings
allow init_t init_linkable_keyring_type:key link;

# For /var/run/shutdown.pid.
allow init_t init_runtime_t:file manage_file_perms;
files_runtime_filetrans(init_t, init_runtime_t, file)

# for /run/initctl
allow init_t init_runtime_t:fifo_file manage_fifo_file_perms;

# for systemd to manage service file symlinks
allow init_t init_runtime_t:lnk_file manage_lnk_file_perms;

# the initctl fifo may live under /dev or under the runtime dir
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
files_runtime_filetrans(init_t, initctl_t, fifo_file)

# Modify utmp.
allow init_t initrc_runtime_t:file { rw_file_perms setattr };

kernel_read_system_state(init_t)
kernel_share_state(init_t)
kernel_dontaudit_search_unlabeled(init_t)

corecmd_exec_chroot(init_t)
corecmd_exec_bin(init_t)

dev_read_sysfs(init_t)
# Early devtmpfs
dev_rw_generic_chr_files(init_t)

# init may getpgid, getattr, kill and send signal/signull/sigstop/sigchld
# to every domain.
domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
domain_getattr_all_domains(init_t)
domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)

files_read_etc_files(init_t)
files_mmap_read_kernel_modules(init_t)
files_rw_runtime_files(init_t)
files_manage_etc_runtime_files(init_t)
files_etc_filetrans_etc_runtime(init_t, file)
# Run /etc/X11/prefdm:
files_exec_etc_files(init_t)
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)

fs_getattr_xattr_fs(init_t)
fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)

mcs_process_set_categories(init_t)
mcs_killall(init_t)

# MLS: init reads and writes files at all levels, writes to processes
# and uses fds at all levels, and may set its own level.
mls_file_read_all_levels(init_t)
mls_file_write_all_levels(init_t)
mls_process_write_all_levels(init_t)
mls_fd_use_all_levels(init_t)
mls_process_set_level(init_t)

# the following one is needed for libselinux:is_selinux_enabled()
# otherwise the call fails and sysvinit tries to load the policy
# again when using the initramfs
selinux_get_fs_mount(init_t)
# init may set every policy boolean; this is a policy-altering
# privilege worth keeping in view when auditing init's reach.
selinux_set_all_booleans(init_t)

term_use_all_terms(init_t)

libs_rw_ld_so_cache(init_t)

logging_send_syslog_msg(init_t)
logging_rw_generic_logs(init_t)
logging_create_devlog(init_t)

seutil_read_config(init_t)
seutil_read_default_contexts(init_t)

miscfiles_read_localization(init_t)
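ifdef(`init_systemd',`
	# handle instances where an old labeled init script is encountered.
	typeattribute init_t init_run_all_scripts_domain;

	allow init_t self:unix_dgram_socket { create_socket_perms sendto };
	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
	allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
	allow init_t self:netlink_selinux_socket create_socket_perms;
	allow init_t self:system { status reboot halt reload };
	# Until systemd is fixed
	allow init_t self:udp_socket create_socket_perms;
	allow init_t self:netlink_route_socket create_netlink_socket_perms;
	allow init_t initrc_t:unix_dgram_socket create_socket_perms;
	allow init_t self:key { search setattr write };
	# BPF map and program operations; the bpf and perfmon capabilities
	# are granted by the capability2 rule further down.
	allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
	# Silenced, not granted: dynamic transition / setcurrent on self.
	# Dynamic transition into systemprocess domains is granted separately
	# below.
	dontaudit init_t self:process { dyntransition setcurrent };
	allow init_t init_mountpoint_type:dir_file_class_set { getattr mounton };
	allow init_t init_path_unit_loc_type:{ dir file } { getattr watch };
	# for /run/systemd/inaccessible/{chr,blk,fifo}
	allow init_t init_runtime_t:blk_file { create_blk_file_perms relabelto };
	allow init_t init_runtime_t:chr_file { create_chr_file_perms relabelto };
	allow init_t init_runtime_t:fifo_file { create_fifo_file_perms relabelto };

	allow init_t systemprocess:process { dyntransition siginh };
	allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
	allow init_t systemprocess:unix_dgram_socket create_socket_perms;

	# All self:process and self:capability2 permissions for init under
	# systemd are granted once here. The former separate grants of
	# { setsockcreate setfscreate setrlimit }, { getcap setcap getsched
	# setsched } and capability2 audit_read were strict subsets of these
	# two rules and have been folded in so the full set is visible in
	# one place.
	# setexec and setkeycreate for systemd --user
	allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setexec setkeycreate setcap setrlimit };
	allow init_t self:capability2 { audit_read block_suspend bpf perfmon };
	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
	allow init_t self:unix_dgram_socket lock;
	allow init_t init_runtime_t:sock_file manage_sock_file_perms;

	# Socket traffic between init and daemons / system processes.
	allow init_t daemon:unix_stream_socket create_stream_socket_perms;
	allow init_t daemon:unix_dgram_socket create_socket_perms;
	allow init_t daemon:tcp_socket create_stream_socket_perms;
	allow init_t daemon:udp_socket create_socket_perms;
	allow daemon init_t:unix_dgram_socket sendto;
	allow init_run_all_scripts_domain systemdunit:service { status start stop };
	allow systemprocess init_t:unix_dgram_socket sendto;
	allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
	allow daemon init_t:unix_stream_socket { append write read getattr ioctl };

	allow init_t init_runtime_t:{ dir file } watch;
	manage_files_pattern(init_t, init_runtime_t, init_runtime_t)
	manage_lnk_files_pattern(init_t, init_runtime_t, init_runtime_t)
	manage_sock_files_pattern(init_t, init_runtime_t, init_runtime_t)
	manage_dirs_pattern(init_t, init_runtime_t, init_runtime_t)
	# /memfd:systemd-state
	fs_tmpfs_filetrans(init_t, init_runtime_t, file)

	# mounton is required for systemd-timesyncd
	allow init_t init_var_lib_t:dir { manage_dir_perms mounton };
	allow init_t init_var_lib_t:file manage_file_perms;
	allow init_t init_var_lib_t:lnk_file manage_lnk_file_perms;

	manage_files_pattern(init_t, systemd_unit_t, systemdunit)
	manage_dirs_pattern(init_t, systemd_unit_t, systemd_unit_t)
	manage_lnk_files_pattern(init_t, systemd_unit_t, systemd_unit_t)
	allow init_t systemd_unit_t:dir relabel_dir_perms;

	kernel_dyntrans_to(init_t)
	kernel_read_network_state(init_t)
	kernel_stream_connect(init_t)
	kernel_getattr_proc(init_t)
	kernel_read_fs_sysctls(init_t)
	kernel_list_unlabeled(init_t)
	# init may load kernel modules directly, not only request them.
	kernel_load_module(init_t)
	kernel_request_load_module(init_t)
	kernel_rw_fs_sysctls(init_t)
	kernel_rw_kernel_sysctl(init_t)
	kernel_rw_net_sysctls(init_t)
	kernel_read_all_sysctls(init_t)
	kernel_read_software_raid_state(init_t)
	kernel_unmount_debugfs(init_t)
	# systemd searches and links keys in the kernel keyring (seen as a
	# search denial on a kernel_t key).
	kernel_search_key(init_t)
	kernel_setsched(init_t)
	kernel_link_key(init_t)
	kernel_rw_unix_sysctls(init_t)
	# Sockets created by the initrd's systemd before the policy is loaded
	# (notify socket, journald socket) keep the kernel_t context and are
	# handed over to the main systemd, which must still be able to use
	# them.
	kernel_rw_stream_sockets(init_t)
	kernel_rw_unix_dgram_sockets(init_t)

	# run systemd misc initializations
	# in the initrc_t domain, as would be
	# done in traditional sysvinit/upstart.
	corecmd_bin_domtrans(init_t, initrc_t)
	corecmd_shell_domtrans(init_t, initrc_t)

	# initrc_t rules that apply only when systemd is the init; kept
	# together rather than scattered among the init_t rules.
	dev_manage_null_service(initrc_t)
	dev_read_usbfs(initrc_t)
	files_read_boot_files(initrc_t)

	dev_manage_input_dev(init_t)
	dev_relabel_all_sysfs(init_t)
	dev_relabel_generic_symlinks(init_t)
	dev_write_kmsg(init_t)
	dev_write_urand(init_t)
	dev_rw_lvm_control(init_t)
	dev_rw_autofs(init_t)
	dev_manage_generic_symlinks(init_t)
	dev_manage_generic_dirs(init_t)
	dev_read_generic_chr_files(init_t)
	dev_relabel_generic_dev_dirs(init_t)
	dev_relabel_all_dev_nodes(init_t)
	dev_relabel_all_dev_files(init_t)
	dev_manage_sysfs_dirs(init_t)
	dev_relabel_sysfs_dirs(init_t)
	# sandbox
	dev_create_null_dev(init_t)
	dev_create_zero_dev(init_t)
	dev_create_rand_dev(init_t)
	dev_create_urand_dev(init_t)
	# systemd writes to /dev/watchdog on shutdown
	dev_write_watchdog(init_t)

	domain_read_all_domains_state(init_t)
	# for starting systemd --user in the right domain:
	domain_subj_id_change_exemption(init_t)
	domain_role_change_exemption(init_t)

	files_getattr_all_dirs(init_t)
	files_getattr_all_files(init_t)
	files_getattr_all_pipes(init_t)
	files_getattr_all_sockets(init_t)
	files_read_all_symlinks(init_t)
	files_read_all_runtime_files(init_t)
	files_list_usr(init_t)
	files_list_var(init_t)
	files_list_var_lib(init_t)
	files_watch_root_dirs(init_t)
	files_search_runtime(init_t)
	files_relabel_all_runtime_dirs(init_t)
	files_relabel_all_runtime_files(init_t)
	files_relabel_all_runtime_symlinks(init_t)
	files_relabel_all_runtime_sockets(init_t)
	files_relabelto_etc_runtime_dirs(init_t)
	files_relabelto_etc_runtime_files(init_t)
	files_read_all_locks(init_t)
	files_search_kernel_modules(init_t)
	files_create_all_runtime_pipes(init_t)
	files_create_all_runtime_sockets(init_t)
	files_create_all_spool_sockets(init_t)
	files_create_lock_dirs(init_t)
	files_watch_runtime_dirs(init_t)
	files_delete_runtime_symlinks(init_t)
	files_delete_all_runtime_files(init_t)
	files_delete_all_runtime_dirs(init_t)
	files_delete_all_runtime_sockets(init_t)
	files_delete_all_runtime_pipes(init_t)
	files_delete_all_spool_sockets(init_t)
	files_exec_runtime(init_t)
	files_list_locks(init_t)
	files_list_spool(init_t)
	files_manage_all_runtime_dirs(init_t)
	files_manage_generic_tmp_dirs(init_t)
	files_relabel_generic_tmp_dirs(init_t)
	files_mounton_tmp(init_t)
	files_manage_urandom_seed(init_t)
	files_relabel_all_lock_dirs(init_t)
	files_search_all(init_t)
	files_unmount_all_file_type_fs(init_t)
	# If /etc/localtime is missing, a watch on /etc is added.
	files_watch_etc_dirs(init_t)
	files_watch_etc_symlinks(init_t)
	files_dontaudit_write_var_dirs(init_t)

	fs_relabel_cgroup_dirs(init_t)
	fs_list_auto_mountpoints(init_t)
	fs_mount_autofs(init_t)
	fs_manage_hugetlbfs_dirs(init_t)
	fs_getattr_tmpfs(init_t)
	fs_read_tmpfs_files(init_t)
	fs_relabel_cgroup_symlinks(init_t)
	fs_relabel_pstore_dirs(init_t)
	fs_dontaudit_getattr_xattr_fs(init_t)
	fs_create_cgroup_links(init_t)
	fs_watch_cgroup_files(init_t)
	fs_getattr_all_fs(init_t)
	fs_manage_cgroup_dirs(init_t)
	fs_manage_cgroup_files(init_t)
	fs_manage_tmpfs_dirs(init_t)
	fs_mount_all_fs(init_t)
	fs_remount_all_fs(init_t)
	fs_relabelfrom_tmpfs_symlinks(init_t)
	fs_unmount_all_fs(init_t)
	fs_relabel_tmpfs_blk_files(init_t)
	fs_relabel_tmpfs_chr_files(init_t)
	fs_relabel_tmpfs_fifo_files(init_t)
	fs_read_efivarfs_files(init_t)
	# for privatetmp functions
	fs_relabel_tmpfs_dirs(init_t)
	fs_relabel_tmpfs_files(init_t)
	fs_relabelfrom_tmpfs_sockets(init_t)
	fs_manage_tmpfs_symlinks(init_t)
	# mount-setup
	fs_unmount_autofs(init_t)
	fs_getattr_pstore_dirs(init_t)
	# for network namespaces
	fs_read_nsfs_files(init_t)

	init_manage_all_unit_files(init_t)
	init_read_script_state(init_t)

	miscfiles_watch_localization(init_t)

	# systemd watches utab in order to mount the
	# local filesystem at boot
	mount_watch_runtime_dirs(init_t)
	mount_watch_runtime_files(init_t)
	mount_watch_reads_runtime_files(init_t)

	# systemd_socket_activated policy
	mls_socket_write_all_levels(init_t)
	# read from systemd-journal and similar
	mls_socket_read_to_clearance(init_t)

	selinux_unmount_fs(init_t)
	selinux_validate_context(init_t)
	selinux_compute_create_context(init_t)
	selinux_compute_access_vector(init_t)
	# for starting systemd --user in the right domain:
	selinux_compute_user_contexts(init_t)
	selinux_use_status_page(init_t)

	storage_getattr_removable_dev(init_t)

	term_relabel_pty_dirs(init_t)

	auth_manage_var_auth(init_t)
	auth_relabel_login_records(init_t)
	auth_relabel_pam_console_data_dirs(init_t)
	auth_domtrans_chk_passwd(init_t)
	# for systemd dynamic users
	auth_rw_shadow_lock(init_t)

	logging_manage_runtime_sockets(init_t)
	logging_relabelto_devlog_sock_files(init_t)
	# relabel /run/log at boot (seen as relabelto denials on var_log_t)
	logging_relabel_generic_log_dirs(init_t)
	logging_audit_socket_activation(init_t)
	logging_use_syslogd_fd(init_t)

	# lvm2-activation-generator checks file labels
	seutil_read_file_contexts(init_t)

	sysnet_read_config(init_t)

	systemd_getattr_updated_runtime(init_t)
	systemd_manage_passwd_runtime_symlinks(init_t)
	systemd_use_passwd_agent(init_t)
	systemd_list_tmpfiles_conf(init_t)
	systemd_relabelto_tmpfiles_conf_dirs(init_t)
	systemd_relabelto_tmpfiles_conf_files(init_t)
	# relabel /run/log/journal/* at boot
	systemd_relabelto_journal_dirs(init_t)
	systemd_relabelto_journal_files(init_t)
	systemd_rw_networkd_netlink_route_sockets(init_t)
	systemd_manage_userdb_runtime_sock_files(init_t)
	systemd_manage_userdb_runtime_dirs(init_t)
	systemd_filetrans_userdb_runtime_dirs(init_t)

	term_create_devpts_dirs(init_t)
	term_create_ptmx(init_t)
	term_create_controlling_term(init_t)

	# udevd is a "systemd kobject uevent socket activated daemon"
	udev_create_kobject_uevent_sockets(init_t)
	# for systemd to read udev status
	udev_read_runtime_files(init_t)
	udev_relabel_rules_dirs(init_t)
	udev_relabel_rules_files(init_t)

	userdom_relabel_user_runtime_root_dirs(init_t)

	tunable_policy(`init_mounton_non_security',`
		files_mounton_non_security(init_t)
	')

	optional_policy(`
		clock_read_adjtime(init_t)
	')

	optional_policy(`
		systemd_dbus_chat_logind(init_t)
		systemd_search_all_user_keys(init_t)
		systemd_create_all_user_keys(init_t)
		systemd_write_all_user_keys(init_t)
	')

	optional_policy(`
		dbus_connect_system_bus(init_t)
	')

	optional_policy(`
		# for systemd --user:
		unconfined_search_keys(init_t)
		unconfined_create_keys(init_t)
		unconfined_write_keys(init_t)
	')
',`
	tunable_policy(`init_upstart',`
		corecmd_shell_domtrans(init_t, initrc_t)
	',`
		# Run the shell in the sysadm role for single-user mode.
		# causes problems with upstart
		ifndef(`distro_debian',`
			sysadm_shell_domtrans(init_t)
		')
	')
')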
ifdef(`distro_debian',`
	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
	# Debian keeps utmp on tmpfs: init creates it here (manage, not only
	# the rw/setattr granted in the common rules above).
	allow init_t initrc_runtime_t:file manage_file_perms;
	fs_tmpfs_filetrans(init_t, initrc_runtime_t, file, "utmp")
	fs_manage_tmpfs_files(initrc_t)
	sysnet_manage_config(initrc_t)

	optional_policy(`
		postfix_read_config(initrc_t)
	')
')

ifdef(`distro_gentoo',`
	allow init_t self:process { getcap setcap };
	init_exec_rc(initrc_t)
')

ifdef(`distro_redhat',`
	fs_read_tmpfs_symlinks(init_t)
	fs_rw_tmpfs_chr_files(init_t)
	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
')

optional_policy(`
	modutils_read_module_config(init_t)
	modutils_read_module_deps(init_t)
')

optional_policy(`
	auth_rw_login_records(init_t)
')

optional_policy(`
	dbus_system_bus_client(init_t)

	optional_policy(`
		unconfined_dbus_send(init_t)
	')
')

optional_policy(`
	nscd_use(init_t)
')

optional_policy(`
	shutdown_domtrans(init_t)
')

optional_policy(`
	sssd_stream_connect(init_t)
')

optional_policy(`
	# NOTE(review): with the unconfined module loaded this presumably
	# lifts init_t out of the confinement defined by the rules above;
	# confirm against that module before treating this file's rule set
	# as a bound on what init can do.
	unconfined_domain(init_t)
')
########################################
#
# Init script local policy
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
allow initrc_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
allow initrc_t self:capability2 { wake_alarm block_suspend };
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
# Allow IPC with self
allow initrc_t self:unix_dgram_socket create_socket_perms;
allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto };
allow initrc_t self:tcp_socket create_stream_socket_perms;
allow initrc_t self:udp_socket create_socket_perms;
allow initrc_t self:fifo_file rw_fifo_file_perms;
allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
term_create_pty(initrc_t, initrc_devpts_t)
# Going to single user mode
init_telinit(initrc_t)
can_exec(initrc_t, init_script_file_type)
create_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
manage_files_pattern(initrc_t, daemonpidfile, daemonpidfile)
setattr_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
domtrans_pattern(init_run_all_scripts_domain, initrc_exec_t, initrc_t)
manage_dirs_pattern(initrc_t, initrc_state_t, initrc_state_t)
manage_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
manage_lnk_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_runtime_t:file manage_file_perms;
files_runtime_filetrans(initrc_t, initrc_runtime_t, file)
allow initrc_t daemon:process siginh;
can_exec(initrc_t, initrc_tmp_t)
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
allow initrc_t initrc_tmp_t:dir relabelfrom;
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
logging_log_filetrans(initrc_t, initrc_var_log_t, dir)
init_write_initctl(initrc_t)
kernel_read_system_state(initrc_t)
kernel_read_software_raid_state(initrc_t)
kernel_read_network_state(initrc_t)
kernel_read_ring_buffer(initrc_t)
kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
kernel_rw_all_sysctls(initrc_t)
kernel_use_fds(initrc_t)
# for lsof which is used by alsa shutdown:
kernel_dontaudit_getattr_message_if(initrc_t)
# cjp: not sure why these are here; should use mount policy
kernel_list_unlabeled(initrc_t)
kernel_mounton_unlabeled_dirs(initrc_t)
files_create_lock_dirs(initrc_t)
files_manage_all_locks(initrc_t)
files_runtime_filetrans_lock_dir(initrc_t, "lock")
files_read_kernel_symbol_table(initrc_t)
files_setattr_lock_dirs(initrc_t)
corecmd_exec_all_executables(initrc_t)
corenet_all_recvfrom_netlabel(initrc_t)
corenet_tcp_sendrecv_all_if(initrc_t)
corenet_udp_sendrecv_all_if(initrc_t)
corenet_tcp_sendrecv_all_nodes(initrc_t)
corenet_udp_sendrecv_all_nodes(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
dev_dontaudit_read_kmsg(initrc_t)
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
2005-06-13 16:22:32 +00:00
dev_read_framebuffer(initrc_t)
2010-03-18 14:19:49 +00:00
dev_write_framebuffer(initrc_t)
2005-06-13 16:22:32 +00:00
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
2017-02-24 01:03:23 +00:00
dev_setattr_generic_dirs(initrc_t)
2005-06-13 16:22:32 +00:00
dev_setattr_all_chr_files(initrc_t)
2010-03-18 14:19:49 +00:00
dev_rw_lvm_control(initrc_t)
2017-02-24 01:03:23 +00:00
dev_rw_generic_chr_files(initrc_t)
dev_delete_lvm_control_dev(initrc_t)
2005-09-15 15:34:31 +00:00
dev_manage_generic_symlinks(initrc_t)
2005-05-24 15:55:57 +00:00
# Wants to remove udev.tbl:
dev_delete_generic_symlinks(initrc_t)
2010-03-18 14:19:49 +00:00
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
2017-02-24 01:03:23 +00:00
dev_rw_xserver_misc(initrc_t)
dev_map_xserver_misc(initrc_t)
2010-03-18 14:19:49 +00:00
2005-05-05 17:44:11 +00:00
domain_kill_all_domains(initrc_t)
2005-05-30 21:17:20 +00:00
domain_signal_all_domains(initrc_t)
domain_signull_all_domains(initrc_t)
domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
2005-06-13 17:35:46 +00:00
domain_read_all_domains_state(initrc_t)
2005-09-16 14:54:36 +00:00
domain_getattr_all_domains(initrc_t)
2005-06-13 17:35:46 +00:00
domain_getsession_all_domains(initrc_t)
2006-02-20 21:33:25 +00:00
domain_use_interactive_fds(initrc_t)
2005-05-30 21:17:20 +00:00
# for lsof which is used by alsa shutdown:
2005-06-13 17:35:46 +00:00
domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
2005-11-25 19:38:45 +00:00
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
2017-02-24 01:03:23 +00:00
domain_obj_id_change_exemption(initrc_t)
2005-06-13 17:35:46 +00:00
files_getattr_all_dirs(initrc_t)
2005-06-13 17:35:46 +00:00
files_getattr_all_files(initrc_t)
files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
2005-08-05 15:32:27 +00:00
files_purge_tmp(initrc_t)
2017-02-24 01:03:23 +00:00
files_manage_boot_files(initrc_t)
files_read_all_runtime_files(initrc_t)
2017-02-24 01:03:23 +00:00
files_delete_root_files(initrc_t)
files_delete_runtime_symlinks(initrc_t)
files_delete_all_runtime_files(initrc_t)
files_delete_all_runtime_dirs(initrc_t)
files_delete_all_runtime_sockets(initrc_t)
files_delete_all_runtime_pipes(initrc_t)
files_read_etc_files(initrc_t)
2005-06-13 17:35:46 +00:00
files_manage_etc_runtime_files(initrc_t)
2009-06-26 14:40:13 +00:00
files_etc_filetrans_etc_runtime(initrc_t, file)
files_exec_etc_files(initrc_t)
2005-06-13 17:35:46 +00:00
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
2005-07-08 20:44:57 +00:00
# Mount and unmount file systems.
# cjp: not sure why these are here; should use mount policy
files_list_default(initrc_t)
files_mounton_default(initrc_t)
2017-02-24 01:03:23 +00:00
files_manage_mnt_dirs(initrc_t)
files_manage_mnt_files(initrc_t)
2005-06-13 17:35:46 +00:00
2017-02-24 01:03:23 +00:00
fs_delete_cgroup_dirs(initrc_t)
fs_list_cgroup_dirs(initrc_t)
fs_rw_cgroup_files(initrc_t)
2010-03-18 14:19:49 +00:00
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# cjp: not sure why these are here; should use mount policy
fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
2017-02-24 01:03:23 +00:00
fs_search_all(initrc_t)
fs_getattr_nfsd_files(initrc_t)
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
2017-02-24 01:03:23 +00:00
mcs_file_read_all(initrc_t)
mcs_file_write_all(initrc_t)
mcs_killall(initrc_t)
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
mls_file_write_all_levels(initrc_t)
mls_process_read_all_levels(initrc_t)
mls_process_write_all_levels(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
2017-02-24 01:03:23 +00:00
mls_socket_write_to_clearance(initrc_t)
selinux_get_enforce_mode(initrc_t)
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
storage_setattr_removable_dev(initrc_t)
term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_runtime_files(initrc_t)
auth_delete_pam_runtime_files(initrc_t)
auth_delete_pam_console_data(initrc_t)
auth_use_nsswitch(initrc_t)
2017-02-24 01:03:23 +00:00
init_get_system_status(initrc_t)
init_stream_connect(initrc_t)
init_start_all_units(initrc_t)
init_stop_all_units(initrc_t)
2005-06-13 17:35:46 +00:00
libs_rw_ld_so_cache(initrc_t)
libs_exec_lib_files(initrc_t)
2010-03-18 14:19:49 +00:00
libs_exec_ld_so(initrc_t)
2005-06-13 17:35:46 +00:00
2010-03-18 14:19:49 +00:00
logging_send_audit_msgs(initrc_t)
2005-06-13 17:35:46 +00:00
logging_send_syslog_msg(initrc_t)
2005-09-13 13:06:07 +00:00
logging_manage_generic_logs(initrc_t)
2005-05-26 20:38:45 +00:00
logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
2006-02-02 21:08:12 +00:00
logging_read_audit_config(initrc_t)
2005-04-19 20:43:44 +00:00
2005-05-26 20:38:45 +00:00
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
2017-02-24 01:03:23 +00:00
miscfiles_manage_generic_cert_files(initrc_t)
2005-04-25 21:28:25 +00:00
seutil_read_config(initrc_t)
2005-04-14 20:18:17 +00:00
2008-11-05 16:10:46 +00:00
userdom_read_user_home_content_files(initrc_t)
2010-03-18 14:19:49 +00:00
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
2017-02-24 01:03:23 +00:00
userdom_use_inherited_user_terminals(initrc_t)
# Debian-only additions for initrc_t.
ifdef(`distro_debian',`
	kernel_getattr_core_if(initrc_t)

	dev_getattr_generic_blk_files(initrc_t)

	fs_tmpfs_filetrans(initrc_t, initrc_runtime_t, dir)
	# for storing state under /dev/shm
	fs_setattr_tmpfs_dirs(initrc_t)

	# Manage permissions on fixed-disk device nodes; read/write on a block
	# device is raw disk access that bypasses file labels — presumably
	# needed for a boot-time tool, but the reason is not recorded here.
	storage_manage_fixed_disk(initrc_t)
	storage_tmpfs_filetrans_fixed_disk(initrc_t)

	files_setattr_etc_dirs(initrc_t)

	optional_policy(`
		exim_manage_var_lib_files(initrc_t)
	')

	optional_policy(`
		gdomap_read_config(initrc_t)
	')

	optional_policy(`
		minissdpd_read_config(initrc_t)
	')
')
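# Gentoo/OpenRC-only additions for initrc_t.
ifdef(`distro_gentoo',`
	kernel_dontaudit_getattr_core_if(initrc_t)

	# seed udev /dev
	allow initrc_t self:process setfscreate;
	dev_create_null_dev(initrc_t)
	dev_create_zero_dev(initrc_t)
	term_create_console_dev(initrc_t)

	# unfortunately /sbin/rc does stupid tricks
	# with /dev/.rcboot to decide if we are in
	# early init
	# (setattr on generic /dev directories is already granted
	# unconditionally earlier in this file, so it is not repeated here.)
	dev_create_generic_dirs(initrc_t)
	dev_delete_generic_dirs(initrc_t)

	# Full manage over every runtime dir/file/symlink type, not only
	# initrc_t's own: an init script can alter other services' pid files
	# and sockets.
	files_manage_all_runtime_dirs(initrc_t)
	files_manage_all_runtime_files(initrc_t)
	files_manage_all_runtime_symlinks(initrc_t)
	# allow bootmisc to create /var/lock/.keep.
	files_manage_generic_locks(initrc_t)
	files_manage_var_symlinks(initrc_t)
	files_runtime_filetrans(initrc_t, initrc_state_t, dir, "openrc")
	# openrc uses tmpfs for its state data
	fs_tmpfs_filetrans(initrc_t, initrc_state_t, { dir file fifo_file lnk_file })
	files_mountpoint(initrc_state_t)

	# init scripts touch this
	clock_dontaudit_write_adjtime(initrc_t)

	# for integrated run_init to read run_init_type.
	# happens during boot (/sbin/rc execs init scripts)
	seutil_read_default_contexts(initrc_t)

	# /lib/rcscripts/net/system.sh rewrites resolv.conf :(
	sysnet_manage_config(initrc_t)

	optional_policy(`
		abrt_manage_runtime_files(initrc_t)
	')

	optional_policy(`
		alsa_read_lib(initrc_t)
	')

	optional_policy(`
		arpwatch_manage_data_files(initrc_t)
	')

	optional_policy(`
		dhcpd_setattr_state_files(initrc_t)
	')
')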
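# Red Hat-only additions for initrc_t.
ifdef(`distro_redhat',`
	# this is from kmodule, which should get its own policy:
	# CAP_SYS_ADMIN is the catch-all administrative capability; within the
	# bounds of the type-enforcement rules it is close to root-equivalent.
	allow initrc_t self:capability sys_admin;
	allow initrc_t self:process setfscreate;

	# Red Hat systems seem to have a stray
	# fd open from the initrd
	# (kernel_use_fds is granted unconditionally earlier in this file,
	# so it is not repeated here.)
	files_dontaudit_read_root_files(initrc_t)

	# These seem to be from the initrd
	# during device initialization:
	dev_create_generic_dirs(initrc_t)
	dev_rwx_zero(initrc_t)

	# Raw block-level read/write of fixed disks bypasses file labels
	# entirely: with this, any init script can read or rewrite any file,
	# the bootloader, or the on-disk policy store.
	storage_raw_read_fixed_disk(initrc_t)
	storage_raw_write_fixed_disk(initrc_t)

	files_create_boot_dirs(initrc_t)
	files_create_boot_flag(initrc_t)
	files_rw_boot_symlinks(initrc_t)
	# wants to read /.fonts directory
	files_read_default_files(initrc_t)

	files_mountpoint(initrc_tmp_t)
	# Needs to cp localtime to /var dirs
	files_write_var_dirs(initrc_t)

	fs_read_tmpfs_symlinks(initrc_t)
	fs_rw_tmpfs_chr_files(initrc_t)

	storage_manage_fixed_disk(initrc_t)
	storage_dev_filetrans_fixed_disk(initrc_t)
	storage_getattr_removable_dev(initrc_t)

	# readahead asks for these
	auth_dontaudit_read_shadow(initrc_t)

	# init scripts cp /etc/localtime over other directories localtime
	miscfiles_rw_localization(initrc_t)
	miscfiles_setattr_localization(initrc_t)
	miscfiles_relabel_localization(initrc_t)
	miscfiles_read_fonts(initrc_t)
	miscfiles_read_hwdata(initrc_t)

	optional_policy(`
		alsa_manage_config(initrc_t)
	')

	optional_policy(`
		abrt_manage_runtime_files(initrc_t)
	')

	optional_policy(`
		bind_manage_config_dirs(initrc_t)
		bind_write_config(initrc_t)
		bind_setattr_zone_dirs(initrc_t)
	')

	optional_policy(`
		devicekit_append_inherited_log_files(initrc_t)
	')

	optional_policy(`
		gnome_manage_gconf_config(initrc_t)
	')

	optional_policy(`
		pulseaudio_stream_connect(initrc_t)
	')

	optional_policy(`
		#for /etc/rc.d/init.d/nfs to create /etc/exports
		rpc_write_exports(initrc_t)
		rpc_manage_nfs_state_data(initrc_t)
	')

	optional_policy(`
		rpcbind_stream_connect(initrc_t)
	')

	optional_policy(`
		sysnet_rw_dhcp_config(initrc_t)
		sysnet_manage_config(initrc_t)
	')

	optional_policy(`
		xserver_delete_log(initrc_t)
	')
')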
# SUSE-only additions for initrc_t.
ifdef(`distro_suse',`
	optional_policy(`
		# set permissions on /tmp/.X11-unix
		xserver_setattr_xdm_tmp_dirs(initrc_t)
	')
')
# MLS-only: give init scripts a restricted su domain derived from initrc_t.
# NOTE(review): why this is limited to MLS builds is not recorded here.
ifdef(`enabled_mls',`
	optional_policy(`
		# allow init scripts to su
		su_restricted_domain_template(initrc, initrc_t, system_r)
	')
')
# systemd-only additions for initrc_t.
ifdef(`init_systemd',`
	# Control of the init manager itself: start/stop and reboot/halt/reload.
	allow initrc_t init_t:system { start status reboot halt reload };

	manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
	files_lock_filetrans(initrc_t, initrc_lock_t, file)

	manage_dirs_pattern(initrc_t, init_runtime_t, init_runtime_t)
	allow initrc_t init_runtime_t:file create_file_perms;
	allow initrc_t init_runtime_t:lnk_file create_lnk_file_perms;
	allow initrc_t init_runtime_t:service { start status };

	manage_dirs_pattern(initrc_t, initrc_runtime_t, initrc_runtime_t)
	manage_chr_files_pattern(initrc_t, initrc_runtime_t, initrc_runtime_t)
	manage_lnk_files_pattern(initrc_t, initrc_runtime_t, initrc_runtime_t)
	files_runtime_filetrans(initrc_t, initrc_runtime_t, dir_file_class_set)

	create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t)
	allow initrc_t systemd_unit_t:service reload;

	# Write access to every type under systemdunit (presumably the attribute
	# carried by all unit-file types): whoever can edit a unit decides what
	# init executes, and as what, on the next start/reload.  This is the
	# highest-value grant in this block.
	manage_files_pattern(initrc_t, systemdunit, systemdunit)
	manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit)
	allow initrc_t systemdunit:service reload;

	allow initrc_t init_script_file_type:service { stop start status reload };

	# Access to notify socket for services with Type=notify
	# NOTE(review): per the upstream commit that added this, when an initrd
	# also runs systemd the notify socket is created before the policy is
	# loaded and keeps the kernel_t label, and is handed to the main systemd
	# as-is; sending to kernel_t sockets works around that.
	kernel_dgram_send(initrc_t)

	# run systemd misc initializations
	# in the initrc_t domain, as would be
	# done in traditional sysvinit/upstart.
	# (Generic bin_t becomes an entrypoint for initrc_t; the transition rule
	# itself lives elsewhere.  This is what lets an arbitrary ExecStart with
	# no dedicated label land in initrc_t.)
	corecmd_bin_entry_type(initrc_t)

	dev_create_generic_dirs(initrc_t)

	# Allow initrc_t to check /etc/fstab "service." It appears that
	# systemd is conflating files and services.
	files_get_etc_unit_status(initrc_t)
	files_create_runtime_dirs(initrc_t)
	files_setattr_runtime_dirs(initrc_t)

	# for logsave in strict configuration
	fstools_write_log(initrc_t)

	init_get_all_units_status(initrc_t)
	init_manage_var_lib_files(initrc_t)
	init_rw_stream_sockets(initrc_t)

	# Create /etc/audit.rules.prev after firstboot remediation
	logging_manage_audit_config(initrc_t)

	# journalctl:
	logging_watch_runtime_dirs(initrc_t)
	logging_manage_runtime_sockets(initrc_t)

	# lvm2-activation-generator checks file labels
	seutil_read_file_contexts(initrc_t)

	systemd_start_power_units(initrc_t)
	systemd_watch_networkd_runtime_dirs(initrc_t)

	optional_policy(`
		# create /var/lock/lvm/
		lvm_create_lock_dirs(initrc_t)
	')
')
# Per-service access for initrc_t, each block enabled only when the named
# module is built.  Most grant read of a service's config so its init script
# can parse it; the wider (manage/write) ones are called out below.
optional_policy(`
	amavis_search_lib(initrc_t)
	amavis_setattr_runtime_files(initrc_t)
')

# NOTE(review): this block references only a kernel-layer interface, so no
# missing module ever disables it; it was presumably meant to be tied to a
# specific module — confirm and either name it or unwrap the rule.
optional_policy(`
	dev_rw_acpi_bios(initrc_t)
')

optional_policy(`
	apache_read_config(initrc_t)
	apache_list_modules(initrc_t)
	# webmin seems to cause this.
	# NOTE(review): granted to the daemon attribute (every daemon domain),
	# not to initrc_t — verify that breadth is intended.
	apache_search_sys_content(daemon)
')

optional_policy(`
	asterisk_setattr_logs(initrc_t)
')

optional_policy(`
	bind_read_config(initrc_t)
')

optional_policy(`
	bluetooth_read_config(initrc_t)
')

optional_policy(`
	cgroup_stream_connect_cgred(initrc_t)
	domain_setpriority_all_domains(initrc_t)
')

optional_policy(`
	clamav_filetrans_runtime_dir(initrc_t)
	clamav_read_config(initrc_t)
')

optional_policy(`
	courier_read_config(initrc_t)
')

optional_policy(`
	cpucontrol_stub(initrc_t)
	dev_getattr_cpu_dev(initrc_t)
')

optional_policy(`
	cron_read_pipes(initrc_t)
	# managing /etc/cron.d/mailman content
	# (write access to the system cron spool: scheduled root execution.)
	cron_manage_system_spool(initrc_t)
')

optional_policy(`
	dev_getattr_printer_dev(initrc_t)
	cups_read_log(initrc_t)
	cups_read_rw_config(initrc_t)
	#cups init script clears error log
	cups_write_log(initrc_t)
')

optional_policy(`
	daemontools_manage_svc(initrc_t)
')

optional_policy(`
	dbus_connect_system_bus(initrc_t)
	dbus_system_bus_client(initrc_t)
	dbus_read_config(initrc_t)
	dbus_manage_lib_files(initrc_t)
	init_dbus_chat(initrc_t)

	optional_policy(`
		networkmanager_dbus_chat(initrc_t)
	')

	optional_policy(`
		policykit_dbus_chat(initrc_t)
	')
')

optional_policy(`
	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
	# the directory. But we do not want to allow this.
	# The master process of dovecot will manage this file.
	dovecot_dontaudit_unlink_lib_files(initrc_t)
')

optional_policy(`
	ftp_read_config(initrc_t)
')

optional_policy(`
	gpm_setattr_gpmctl(initrc_t)
')

optional_policy(`
	modutils_read_module_deps(initrc_t)
')

optional_policy(`
	inn_exec_config(initrc_t)
')

optional_policy(`
	ipsec_read_config(initrc_t)
	ipsec_manage_runtime_files(initrc_t)
')

optional_policy(`
	iptables_read_config(initrc_t)
')

optional_policy(`
	iscsi_stream_connect(initrc_t)
	iscsi_read_lib_files(initrc_t)
')

optional_policy(`
	kerberos_use(initrc_t)
')

optional_policy(`
	knot_read_config_files(initrc_t)
')

optional_policy(`
	ldap_read_config(initrc_t)
	ldap_list_db(initrc_t)
')

optional_policy(`
	loadkeys_exec(initrc_t)
')

optional_policy(`
	# in emergency/recovery situations use sulogin
	locallogin_domtrans_sulogin(initrc_t)
')

optional_policy(`
	# This is needed to permit chown to read /var/spool/lpd/lp.
	# This is opens up security more than necessary; this means that ANYTHING
	# running in the initrc_t domain can read the printer spool directory.
	# Perhaps executing /etc/rc.d/init.d/lpd should transition
	# to domain lpd_t, instead of waiting for executing lpd.
	lpd_list_spool(initrc_t)
	lpd_read_config(initrc_t)
	# NOTE(review): this rule targets init_t rather than initrc_t and grants
	# manage rather than list/read; confirm it belongs in this block.
	lpd_manage_spool(init_t)
')

optional_policy(`
	#allow initrc_t lvm_control_t:chr_file unlink;
	dev_read_lvm_control(initrc_t)
	dev_create_generic_chr_files(initrc_t)
	lvm_read_config(initrc_t)
')

optional_policy(`
	mailman_list_data(initrc_t)
	mailman_read_data_symlinks(initrc_t)
')

optional_policy(`
	modutils_read_module_config(initrc_t)
')

optional_policy(`
	mta_read_config(initrc_t)
	mta_write_config(initrc_t)
	mta_dontaudit_read_spool_symlinks(initrc_t)
')

optional_policy(`
	ifdef(`distro_redhat',`
		mysql_manage_db_dirs(initrc_t)
	')

	mysql_stream_connect(initrc_t)
	mysql_write_log(initrc_t)
	mysql_read_config(initrc_t)
')

optional_policy(`
	nis_list_var_yp(initrc_t)
')

optional_policy(`
	openvpn_read_config(initrc_t)
')

optional_policy(`
	plymouthd_stream_connect(initrc_t)
')

optional_policy(`
	# Full manage over the database files themselves, not just the config.
	postgresql_manage_db(initrc_t)
	postgresql_read_config(initrc_t)
')

optional_policy(`
	postfix_list_spool(initrc_t)
')

optional_policy(`
	puppet_rw_tmp(initrc_t)
')

optional_policy(`
	quota_manage_flags(initrc_t)
')

optional_policy(`
	raid_manage_mdadm_runtime_files(initrc_t)
')

optional_policy(`
	fs_write_ramfs_sockets(initrc_t)
	fs_search_ramfs(initrc_t)
')

optional_policy(`
	ftp_filetrans_pure_ftpd_runtime(initrc_t)
')

optional_policy(`
	rpc_read_exports(initrc_t)
')

# NOTE(review): only kernel/files-layer dontaudits in here, so this block
# is never disabled by a missing module — see the acpi block above.
optional_policy(`
	# bash tries to access a block device in the initrd
	kernel_dontaudit_getattr_unlabeled_blk_files(initrc_t)

	# for a bug in rm
	files_dontaudit_write_all_runtime_files(initrc_t)

	# bash tries ioctl for some reason
	files_dontaudit_ioctl_all_runtime_files(initrc_t)
')

optional_policy(`
	samba_rw_config(initrc_t)
	samba_read_winbind_runtime_files(initrc_t)
')

optional_policy(`
	# shorewall-init script run /var/lib/shorewall/firewall
	shorewall_lib_domtrans(initrc_t)
')

optional_policy(`
	squid_read_config(initrc_t)
	squid_manage_logs(initrc_t)
')

optional_policy(`
	# Private host keys stay unreadable; only metadata changes are allowed.
	ssh_dontaudit_read_server_keys(initrc_t)
	ssh_setattr_key_files(initrc_t)
')

optional_policy(`
	stunnel_read_config(initrc_t)
')

optional_policy(`
	sysnet_read_dhcpc_state(initrc_t)
')

optional_policy(`
	udev_manage_runtime_files(initrc_t)
	udev_manage_runtime_dirs(initrc_t)
	# Writing udev rules lets an init script choose what udev runs on
	# device events.
	udev_manage_rules_files(initrc_t)
')

optional_policy(`
	uml_setattr_util_sockets(initrc_t)
')

optional_policy(`
	virt_stream_connect(initrc_t)
	virt_manage_virt_cache(initrc_t)
')
# When the unconfined module is built, initrc_t becomes an unconfined domain
# (and may change role): every restriction elsewhere in this file is then
# moot for it.  Confinement of init scripts rests on leaving that module out.
optional_policy(`
	domain_role_change_exemption(initrc_t)
	unconfined_domain(initrc_t)

	optional_policy(`
		mono_domtrans(initrc_t)
	')

	optional_policy(`
		rtkit_scheduled(initrc_t)
	')
')
optional_policy(`
	# Read and delete (not write) of the RPM database.
	rpm_read_db(initrc_t)
	rpm_delete_db(initrc_t)
')

optional_policy(`
	vmware_read_system_config(initrc_t)
	vmware_append_system_config(initrc_t)
')

optional_policy(`
	miscfiles_manage_fonts(initrc_t)
	# cjp: is this really needed?
	xfs_read_sockets(initrc_t)
')

optional_policy(`
	# Set device ownerships/modes.
	xserver_setattr_console_pipes(initrc_t)
	# init script wants to check if it needs to update windowmanagerlist
	xserver_read_xdm_rw_config(initrc_t)
')

optional_policy(`
	zebra_read_config(initrc_t)
')
########################################
#
# Rules applied to all daemons
#
# These rules apply to every type carrying the daemon attribute, i.e. to all
# daemon domains at once; keep them to fd/terminal housekeeping.
domain_dontaudit_use_interactive_fds(daemon)
# daemons started from init will
# inherit fds from init for the console
term_dontaudit_use_console(daemon)
init_dontaudit_use_fds(daemon)
# init script ptys are the stdin/out/err
# when using run_init
init_use_script_ptys(daemon)

ifdef(`init_systemd',`
	# Until systemd is fixed
	# NOTE(review): every daemon domain gets read/write/setopt on every
	# socket class owned by init_t, not just the notify socket; any daemon
	# can use any socket it inherits from systemd.
	allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
	fs_search_cgroup_dirs(daemon)
	# need write to /var/run/systemd/notify
	init_write_runtime_socket(daemon)
')

# With the init_daemons_use_tty boolean on, every daemon may read/write
# every tty and pty (including user sessions); off, the denials are silenced.
tunable_policy(`init_daemons_use_tty',`
	term_use_unallocated_ttys(daemon)
	term_use_generic_ptys(daemon)
	term_use_all_ttys(daemon)
	term_use_all_ptys(daemon)
',`
	term_dontaudit_use_unallocated_ttys(daemon)
	term_dontaudit_use_generic_ptys(daemon)
	term_dontaudit_use_all_ttys(daemon)
	term_dontaudit_use_all_ptys(daemon)
')

tunable_policy(`use_nfs_home_dirs',`
	fs_dontaudit_rw_nfs_files(daemon)
')

tunable_policy(`use_samba_home_dirs',`
	fs_dontaudit_rw_cifs_files(daemon)
')

optional_policy(`
	unconfined_dontaudit_rw_pipes(daemon)
	unconfined_dontaudit_rw_stream_sockets(daemon)
')

optional_policy(`
	userdom_dontaudit_rw_all_users_stream_sockets(daemon)
	userdom_dontaudit_read_user_tmp_files(daemon)
	userdom_dontaudit_write_user_tmp_files(daemon)
')
########################################
#
# Rules applied to all system processes
#
# Noise suppression only (dontaudit) for every type carrying the
# systemprocess attribute; nothing here grants access.
dontaudit systemprocess init_t:unix_stream_socket getattr;

optional_policy(`
	userdom_dontaudit_search_user_home_dirs(systemprocess)
	userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
	userdom_dontaudit_write_user_tmp_files(systemprocess)
')