policy_module(init, 2.10.0) gen_require(` class passwd rootok; ') ######################################## # # Declarations # ## ##

## Enable support for upstart as the init program. ##

##
gen_tunable(init_upstart, false) ## ##

## Allow all daemons the ability to read/write terminals ##

##
gen_tunable(init_daemons_use_tty, false) ## ##

## Enable systemd to mount on all non-security files. ##

##
gen_tunable(init_mounton_non_security, false) attribute init_mountpoint_type; attribute init_path_unit_loc_type; attribute init_script_domain_type; attribute init_script_file_type; attribute init_run_all_scripts_domain; attribute systemdunit; attribute initrc_transition_domain; # Mark process types as daemons attribute daemon; attribute systemprocess; # Mark file type as a daemon pid file attribute daemonpidfile; # # init_t is the domain of the init process. # type init_t, initrc_transition_domain; type init_exec_t; domain_type(init_t) domain_entry_file(init_t, init_exec_t) kernel_domtrans_to(init_t, init_exec_t) role system_r types init_t; # # init_runtime_t is the type for /var/run/shutdown.pid and /var/run/systemd. # type init_runtime_t alias init_var_run_t; files_runtime_file(init_runtime_t) init_mountpoint(init_runtime_t) # # init_var_lib_t is the type for /var/lib/systemd. # type init_var_lib_t; files_type(init_var_lib_t) # # initctl_t is the type of the named pipe created # by init during initialization. This pipe is used # to communicate with init. # type initctl_t; files_type(initctl_t) mls_trusted_object(initctl_t) type initrc_t, init_script_domain_type, init_run_all_scripts_domain; type initrc_exec_t, init_script_file_type; init_domain(initrc_t, initrc_exec_t) ifdef(`enable_mcs', ` init_ranged_daemon_domain(initrc_t, initrc_exec_t, s0) ') ifdef(`enable_mls', ` init_ranged_daemon_domain(initrc_t, initrc_exec_t, s0 - mls_systemhigh) ') init_named_socket_activation(initrc_t, init_runtime_t) # should be part of the true block # of the below init_upstart tunable # but this has a typeattribute in it corecmd_shell_entry_type(initrc_t) type initrc_devpts_t; term_pty(initrc_devpts_t) files_type(initrc_devpts_t) type initrc_lock_t; files_lock_file(initrc_lock_t) type initrc_runtime_t alias initrc_var_run_t; files_runtime_file(initrc_runtime_t) type initrc_state_t; files_type(initrc_state_t) type initrc_tmp_t; files_tmp_file(initrc_tmp_t) type initrc_var_log_t; logging_log_file(initrc_var_log_t) type systemd_unit_t; init_unit_file(systemd_unit_t) ifdef(`distro_gentoo',` type rc_exec_t; domain_entry_file(initrc_t, rc_exec_t) domtrans_pattern(init_t, rc_exec_t, initrc_t) ') ifdef(`enable_mls',` kernel_ranged_domtrans_to(init_t, init_exec_t, s0 - mls_systemhigh) ') ######################################## # # Init local policy # # Use capabilities. old rule: allow init_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }; allow init_t self:capability2 { wake_alarm block_suspend }; # is ~sys_module really needed? observed: # sys_boot # sys_tty_config # kill: now provided by domain_kill_all_domains() # setuid (from /sbin/shutdown) # sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot() allow init_t self:fifo_file rw_fifo_file_perms; # Re-exec itself can_exec(init_t, init_exec_t) allow init_t initrc_t:unix_stream_socket connectto; # For /var/run/shutdown.pid. allow init_t init_runtime_t:file manage_file_perms; files_runtime_filetrans(init_t, init_runtime_t, file) # for /run/initctl allow init_t init_runtime_t:fifo_file manage_fifo_file_perms; # for systemd to manage service file symlinks allow init_t init_runtime_t:lnk_file manage_lnk_file_perms; allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) files_runtime_filetrans(init_t, initctl_t, fifo_file) # Modify utmp. allow init_t initrc_runtime_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) kernel_dontaudit_search_unlabeled(init_t) corecmd_exec_chroot(init_t) corecmd_exec_bin(init_t) dev_read_sysfs(init_t) # Early devtmpfs dev_rw_generic_chr_files(init_t) domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) domain_getattr_all_domains(init_t) domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) files_read_etc_files(init_t) files_mmap_read_kernel_modules(init_t) files_rw_runtime_files(init_t) files_manage_etc_runtime_files(init_t) files_etc_filetrans_etc_runtime(init_t, file) # Run /etc/X11/prefdm: files_exec_etc_files(init_t) # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) fs_getattr_xattr_fs(init_t) fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) mcs_killall(init_t) mls_file_read_all_levels(init_t) mls_file_write_all_levels(init_t) mls_process_write_all_levels(init_t) mls_fd_use_all_levels(init_t) mls_process_set_level(init_t) # the following one is needed for libselinux:is_selinux_enabled() # otherwise the call fails and sysvinit tries to load the policy # again when using the initramfs selinux_get_fs_mount(init_t) selinux_set_all_booleans(init_t) term_use_all_terms(init_t) libs_rw_ld_so_cache(init_t) logging_send_syslog_msg(init_t) logging_rw_generic_logs(init_t) logging_create_devlog(init_t) seutil_read_config(init_t) seutil_read_default_contexts(init_t) miscfiles_read_localization(init_t) ifdef(`init_systemd',` # handle instances where an old labeled init script is encountered. typeattribute init_t init_run_all_scripts_domain; allow init_t self:unix_dgram_socket { create_socket_perms sendto }; allow init_t self:process { setsockcreate setfscreate setrlimit }; allow init_t self:process { getcap setcap getsched setsched }; allow init_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms }; allow init_t self:netlink_selinux_socket create_socket_perms; allow init_t self:system { status reboot halt reload }; # Until systemd is fixed allow init_t self:udp_socket create_socket_perms; allow init_t self:netlink_route_socket create_netlink_socket_perms; allow init_t initrc_t:unix_dgram_socket create_socket_perms; allow init_t self:capability2 audit_read; allow init_t self:key { search setattr write }; allow init_t self:bpf { map_create map_read map_write prog_load prog_run }; allow init_t init_mountpoint_type:dir_file_class_set { getattr mounton }; allow init_t init_path_unit_loc_type:{ dir file } { getattr watch }; # for /run/systemd/inaccessible/{chr,blk,fifo} allow init_t init_runtime_t:blk_file { create_blk_file_perms relabelto }; allow init_t init_runtime_t:chr_file { create_chr_file_perms relabelto }; allow init_t init_runtime_t:fifo_file { create_fifo_file_perms relabelto }; allow init_t systemprocess:process { dyntransition siginh }; allow init_t systemprocess:unix_stream_socket create_stream_socket_perms; allow init_t systemprocess:unix_dgram_socket create_socket_perms; # setexec and setkeycreate for systemd --user allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setexec setkeycreate setcap setrlimit }; allow init_t self:capability2 { audit_read block_suspend }; allow init_t self:netlink_kobject_uevent_socket create_socket_perms; allow init_t self:unix_dgram_socket lock; allow init_t init_runtime_t:sock_file manage_sock_file_perms; allow init_t daemon:unix_stream_socket create_stream_socket_perms; allow init_t daemon:unix_dgram_socket create_socket_perms; allow init_t daemon:tcp_socket create_stream_socket_perms; allow init_t daemon:udp_socket create_socket_perms; allow daemon init_t:unix_dgram_socket sendto; allow init_run_all_scripts_domain systemdunit:service { status start stop }; allow systemprocess init_t:unix_dgram_socket sendto; allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl }; allow daemon init_t:unix_stream_socket { append write read getattr ioctl }; allow init_t init_runtime_t:{ dir file } watch; manage_files_pattern(init_t, init_runtime_t, init_runtime_t) manage_lnk_files_pattern(init_t, init_runtime_t, init_runtime_t) manage_sock_files_pattern(init_t, init_runtime_t, init_runtime_t) manage_dirs_pattern(init_t, init_runtime_t, init_runtime_t) # /memfd:systemd-state fs_tmpfs_filetrans(init_t, init_runtime_t, file) manage_files_pattern(init_t, systemd_unit_t, systemdunit) manage_dirs_pattern(init_t, systemd_unit_t, systemd_unit_t) manage_lnk_files_pattern(init_t, systemd_unit_t, systemd_unit_t) allow init_t systemd_unit_t:dir relabel_dir_perms; kernel_dyntrans_to(init_t) kernel_read_network_state(init_t) kernel_stream_connect(init_t) kernel_getattr_proc(init_t) kernel_read_fs_sysctls(init_t) kernel_list_unlabeled(init_t) kernel_load_module(init_t) kernel_rw_kernel_sysctl(init_t) kernel_rw_net_sysctls(init_t) kernel_read_all_sysctls(init_t) kernel_read_software_raid_state(init_t) kernel_unmount_debugfs(init_t) kernel_search_key(init_t) kernel_setsched(init_t) kernel_link_key(init_t) kernel_rw_unix_sysctls(init_t) kernel_rw_stream_sockets(init_t) kernel_rw_unix_dgram_sockets(init_t) # run systemd misc initializations # in the initrc_t domain, as would be # done in traditional sysvinit/upstart. corecmd_bin_domtrans(init_t, initrc_t) corecmd_shell_domtrans(init_t, initrc_t) dev_manage_input_dev(init_t) dev_relabel_all_sysfs(init_t) dev_relabel_generic_symlinks(init_t) dev_write_kmsg(init_t) dev_write_urand(init_t) dev_rw_lvm_control(init_t) dev_rw_autofs(init_t) dev_manage_generic_symlinks(init_t) dev_manage_generic_dirs(init_t) dev_manage_null_service(initrc_t) dev_read_generic_chr_files(init_t) dev_relabel_generic_dev_dirs(init_t) dev_relabel_all_dev_nodes(init_t) dev_relabel_all_dev_files(init_t) dev_manage_sysfs_dirs(init_t) dev_relabel_sysfs_dirs(init_t) dev_read_usbfs(initrc_t) # sandbox dev_create_null_dev(init_t) dev_create_zero_dev(init_t) dev_create_rand_dev(init_t) dev_create_urand_dev(init_t) # systemd writes to /dev/watchdog on shutdown dev_write_watchdog(init_t) domain_read_all_domains_state(init_t) # for starting systemd --user in the right domain: domain_subj_id_change_exemption(init_t) domain_role_change_exemption(init_t) files_getattr_all_dirs(init_t) files_getattr_all_files(init_t) files_getattr_all_pipes(init_t) files_getattr_all_sockets(init_t) files_read_all_symlinks(init_t) files_read_all_runtime_files(init_t) files_list_usr(init_t) files_list_var(init_t) files_list_var_lib(init_t) files_watch_root_dirs(init_t) files_search_runtime(init_t) files_relabel_all_runtime_dirs(init_t) files_relabel_all_runtime_files(init_t) files_relabel_all_runtime_symlinks(init_t) files_relabel_all_runtime_sockets(init_t) files_relabelto_etc_runtime_dirs(init_t) files_relabelto_etc_runtime_files(init_t) files_read_all_locks(init_t) files_search_kernel_modules(init_t) files_create_all_runtime_pipes(init_t) files_create_all_runtime_sockets(init_t) files_create_all_spool_sockets(init_t) files_create_lock_dirs(init_t) files_watch_runtime_dirs(init_t) files_delete_runtime_symlinks(init_t) files_delete_all_runtime_files(init_t) files_delete_all_runtime_dirs(init_t) files_delete_all_runtime_sockets(init_t) files_delete_all_runtime_pipes(init_t) files_delete_all_spool_sockets(init_t) files_exec_runtime(init_t) files_list_locks(init_t) files_list_spool(init_t) files_manage_all_runtime_dirs(init_t) files_manage_generic_tmp_dirs(init_t) files_manage_urandom_seed(init_t) files_read_boot_files(initrc_t) files_relabel_all_lock_dirs(init_t) files_search_all(init_t) files_unmount_all_file_type_fs(init_t) # If /etc/localtime is missing, a watch on /etc is added. files_watch_etc_dirs(init_t) files_watch_etc_symlinks(init_t) fs_relabel_cgroup_dirs(init_t) fs_list_auto_mountpoints(init_t) fs_mount_autofs(init_t) fs_manage_hugetlbfs_dirs(init_t) fs_getattr_tmpfs(init_t) fs_read_tmpfs_files(init_t) fs_relabel_cgroup_symlinks(init_t) fs_relabel_pstore_dirs(init_t) fs_dontaudit_getattr_xattr_fs(init_t) fs_create_cgroup_links(init_t) fs_watch_cgroup_files(init_t) fs_getattr_all_fs(init_t) fs_manage_cgroup_dirs(init_t) fs_manage_cgroup_files(init_t) fs_manage_tmpfs_dirs(init_t) fs_mount_all_fs(init_t) fs_remount_all_fs(init_t) fs_relabelfrom_tmpfs_symlinks(init_t) fs_unmount_all_fs(init_t) fs_relabel_tmpfs_blk_files(init_t) fs_relabel_tmpfs_chr_files(init_t) fs_relabel_tmpfs_fifo_files(init_t) # for privatetmp functions fs_relabel_tmpfs_dirs(init_t) fs_relabel_tmpfs_files(init_t) fs_relabelfrom_tmpfs_sockets(init_t) fs_manage_tmpfs_symlinks(init_t) # mount-setup fs_unmount_autofs(init_t) fs_getattr_pstore_dirs(init_t) # for network namespaces fs_read_nsfs_files(init_t) init_manage_all_unit_files(init_t) init_read_script_state(init_t) miscfiles_watch_localization(init_t) mount_watch_runtime_dirs(init_t) # systemd_socket_activated policy mls_socket_write_all_levels(init_t) # read from systemd-journal and similar mls_socket_read_to_clearance(init_t) selinux_unmount_fs(init_t) selinux_validate_context(init_t) selinux_compute_create_context(init_t) selinux_compute_access_vector(init_t) # for starting systemd --user in the right domain: selinux_compute_user_contexts(init_t) selinux_use_status_page(init_t) storage_getattr_removable_dev(init_t) term_relabel_pty_dirs(init_t) auth_manage_var_auth(init_t) auth_relabel_login_records(init_t) auth_relabel_pam_console_data_dirs(init_t) auth_domtrans_chk_passwd(init_t) logging_manage_runtime_sockets(init_t) logging_relabelto_devlog_sock_files(init_t) logging_relabel_generic_log_dirs(init_t) logging_audit_socket_activation(init_t) logging_use_syslogd_fd(init_t) # lvm2-activation-generator checks file labels seutil_read_file_contexts(init_t) sysnet_read_config(init_t) systemd_getattr_updated_runtime(init_t) systemd_manage_passwd_runtime_symlinks(init_t) systemd_use_passwd_agent(init_t) systemd_list_tmpfiles_conf(init_t) systemd_relabelto_tmpfiles_conf_dirs(init_t) systemd_relabelto_tmpfiles_conf_files(init_t) systemd_relabelto_journal_dirs(init_t) systemd_relabelto_journal_files(init_t) systemd_rw_networkd_netlink_route_sockets(init_t) systemd_manage_userdb_runtime_sock_files(init_t) systemd_manage_userdb_runtime_dirs(init_t) systemd_filetrans_userdb_runtime_dirs(init_t) term_create_devpts_dirs(init_t) term_create_ptmx(init_t) term_create_controlling_term(init_t) # udevd is a "systemd kobject uevent socket activated daemon" udev_create_kobject_uevent_sockets(init_t) # for systemd to read udev status udev_read_runtime_files(init_t) userdom_relabel_user_runtime_root_dirs(init_t) tunable_policy(`init_mounton_non_security',` files_mounton_non_security(init_t) ') optional_policy(` clock_read_adjtime(init_t) ') optional_policy(` systemd_dbus_chat_logind(init_t) systemd_search_all_user_keys(init_t) systemd_create_all_user_keys(init_t) systemd_write_all_user_keys(init_t) ') optional_policy(` dbus_connect_system_bus(init_t) ') optional_policy(` # for systemd --user: unconfined_search_keys(init_t) unconfined_create_keys(init_t) unconfined_write_keys(init_t) ') ',` tunable_policy(`init_upstart',` corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. # causes problems with upstart ifndef(`distro_debian',` sysadm_shell_domtrans(init_t) ') ') ') ifdef(`distro_debian',` fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl") allow init_t initrc_runtime_t:file manage_file_perms; fs_tmpfs_filetrans(init_t, initrc_runtime_t, file, "utmp") fs_manage_tmpfs_files(initrc_t) sysnet_manage_config(initrc_t) optional_policy(` postfix_read_config(initrc_t) ') ') ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; init_exec_rc(initrc_t) ') ifdef(`distro_redhat',` fs_read_tmpfs_symlinks(init_t) fs_rw_tmpfs_chr_files(init_t) fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) ') optional_policy(` modutils_read_module_config(init_t) modutils_read_module_deps(init_t) ') optional_policy(` auth_rw_login_records(init_t) ') optional_policy(` dbus_system_bus_client(init_t) optional_policy(` unconfined_dbus_send(init_t) ') ') optional_policy(` nscd_use(init_t) ') optional_policy(` shutdown_domtrans(init_t) ') optional_policy(` sssd_stream_connect(init_t) ') optional_policy(` unconfined_domain(init_t) ') ######################################## # # Init script local policy # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; allow initrc_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }; allow initrc_t self:capability2 { wake_alarm block_suspend }; dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; # Allow IPC with self allow initrc_t self:unix_dgram_socket create_socket_perms; allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto }; allow initrc_t self:tcp_socket create_stream_socket_perms; allow initrc_t self:udp_socket create_socket_perms; allow initrc_t self:fifo_file rw_fifo_file_perms; allow initrc_t initrc_devpts_t:chr_file rw_term_perms; term_create_pty(initrc_t, initrc_devpts_t) # Going to single user mode init_telinit(initrc_t) can_exec(initrc_t, init_script_file_type) create_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile) manage_files_pattern(initrc_t, daemonpidfile, daemonpidfile) setattr_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile) domtrans_pattern(init_run_all_scripts_domain, initrc_exec_t, initrc_t) manage_dirs_pattern(initrc_t, initrc_state_t, initrc_state_t) manage_files_pattern(initrc_t, initrc_state_t, initrc_state_t) manage_lnk_files_pattern(initrc_t, initrc_state_t, initrc_state_t) manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_runtime_t:file manage_file_perms; files_runtime_filetrans(initrc_t, initrc_runtime_t, file) allow initrc_t daemon:process siginh; can_exec(initrc_t, initrc_tmp_t) manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir }) allow initrc_t initrc_tmp_t:dir relabelfrom; manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) logging_log_filetrans(initrc_t, initrc_var_log_t, dir) init_write_initctl(initrc_t) kernel_read_system_state(initrc_t) kernel_read_software_raid_state(initrc_t) kernel_read_network_state(initrc_t) kernel_read_ring_buffer(initrc_t) kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) kernel_rw_all_sysctls(initrc_t) kernel_use_fds(initrc_t) # for lsof which is used by alsa shutdown: kernel_dontaudit_getattr_message_if(initrc_t) # cjp: not sure why these are here; should use mount policy kernel_list_unlabeled(initrc_t) kernel_mounton_unlabeled_dirs(initrc_t) files_create_lock_dirs(initrc_t) files_manage_all_locks(initrc_t) files_runtime_filetrans_lock_dir(initrc_t, "lock") files_read_kernel_symbol_table(initrc_t) files_setattr_lock_dirs(initrc_t) corecmd_exec_all_executables(initrc_t) corenet_all_recvfrom_netlabel(initrc_t) corenet_tcp_sendrecv_all_if(initrc_t) corenet_udp_sendrecv_all_if(initrc_t) corenet_tcp_sendrecv_all_nodes(initrc_t) corenet_udp_sendrecv_all_nodes(initrc_t) corenet_tcp_connect_all_ports(initrc_t) corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) dev_dontaudit_read_kmsg(initrc_t) dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_generic_dirs(initrc_t) dev_setattr_all_chr_files(initrc_t) dev_rw_lvm_control(initrc_t) dev_rw_generic_chr_files(initrc_t) dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) # Wants to remove udev.tbl: dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) dev_rw_xserver_misc(initrc_t) dev_map_xserver_misc(initrc_t) domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) domain_signull_all_domains(initrc_t) domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) domain_obj_id_change_exemption(initrc_t) files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) files_manage_boot_files(initrc_t) files_read_all_runtime_files(initrc_t) files_delete_root_files(initrc_t) files_delete_runtime_symlinks(initrc_t) files_delete_all_runtime_files(initrc_t) files_delete_all_runtime_dirs(initrc_t) files_delete_all_runtime_sockets(initrc_t) files_delete_all_runtime_pipes(initrc_t) files_read_etc_files(initrc_t) files_manage_etc_runtime_files(initrc_t) files_etc_filetrans_etc_runtime(initrc_t, file) files_exec_etc_files(initrc_t) files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) # Mount and unmount file systems. # cjp: not sure why these are here; should use mount policy files_list_default(initrc_t) files_mounton_default(initrc_t) files_manage_mnt_dirs(initrc_t) files_manage_mnt_files(initrc_t) fs_delete_cgroup_dirs(initrc_t) fs_list_cgroup_dirs(initrc_t) fs_rw_cgroup_files(initrc_t) fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # cjp: not sure why these are here; should use mount policy fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) fs_search_all(initrc_t) fs_getattr_nfsd_files(initrc_t) # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) mcs_file_read_all(initrc_t) mcs_file_write_all(initrc_t) mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) mls_file_write_all_levels(initrc_t) mls_process_read_all_levels(initrc_t) mls_process_write_all_levels(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) mls_socket_write_to_clearance(initrc_t) selinux_get_enforce_mode(initrc_t) storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) storage_setattr_removable_dev(initrc_t) term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_runtime_files(initrc_t) auth_delete_pam_runtime_files(initrc_t) auth_delete_pam_console_data(initrc_t) auth_use_nsswitch(initrc_t) init_get_system_status(initrc_t) init_stream_connect(initrc_t) init_start_all_units(initrc_t) init_stop_all_units(initrc_t) libs_rw_ld_so_cache(initrc_t) libs_exec_lib_files(initrc_t) libs_exec_ld_so(initrc_t) logging_send_audit_msgs(initrc_t) logging_send_syslog_msg(initrc_t) logging_manage_generic_logs(initrc_t) logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript miscfiles_manage_generic_cert_files(initrc_t) seutil_read_config(initrc_t) userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such # started from init should be placed in their own domain. userdom_use_inherited_user_terminals(initrc_t) ifdef(`distro_debian',` kernel_getattr_core_if(initrc_t) dev_getattr_generic_blk_files(initrc_t) fs_tmpfs_filetrans(initrc_t, initrc_runtime_t, dir) # for storing state under /dev/shm fs_setattr_tmpfs_dirs(initrc_t) storage_manage_fixed_disk(initrc_t) storage_tmpfs_filetrans_fixed_disk(initrc_t) files_setattr_etc_dirs(initrc_t) optional_policy(` exim_manage_var_lib_files(initrc_t) ') optional_policy(` gdomap_read_config(initrc_t) ') optional_policy(` minissdpd_read_config(initrc_t) ') ') ifdef(`distro_gentoo',` kernel_dontaudit_getattr_core_if(initrc_t) # seed udev /dev allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks # with /dev/.rcboot to decide if we are in # early init dev_create_generic_dirs(initrc_t) dev_delete_generic_dirs(initrc_t) dev_setattr_generic_dirs(initrc_t) files_manage_all_runtime_dirs(initrc_t) files_manage_all_runtime_files(initrc_t) files_manage_all_runtime_symlinks(initrc_t) # allow bootmisc to create /var/lock/.keep. files_manage_generic_locks(initrc_t) files_manage_var_symlinks(initrc_t) files_runtime_filetrans(initrc_t, initrc_state_t, dir, "openrc") # openrc uses tmpfs for its state data fs_tmpfs_filetrans(initrc_t, initrc_state_t, { dir file fifo_file lnk_file }) files_mountpoint(initrc_state_t) # init scripts touch this clock_dontaudit_write_adjtime(initrc_t) # for integrated run_init to read run_init_type. # happens during boot (/sbin/rc execs init scripts) seutil_read_default_contexts(initrc_t) # /lib/rcscripts/net/system.sh rewrites resolv.conf :( sysnet_manage_config(initrc_t) optional_policy(` abrt_manage_runtime_files(initrc_t) ') optional_policy(` alsa_read_lib(initrc_t) ') optional_policy(` arpwatch_manage_data_files(initrc_t) ') optional_policy(` dhcpd_setattr_state_files(initrc_t) ') ') ifdef(`distro_redhat',` # this is from kmodule, which should get its own policy: allow initrc_t self:capability sys_admin; allow initrc_t self:process setfscreate; # Red Hat systems seem to have a stray # fd open from the initrd kernel_use_fds(initrc_t) files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd # during device initialization: dev_create_generic_dirs(initrc_t) dev_rwx_zero(initrc_t) storage_raw_read_fixed_disk(initrc_t) storage_raw_write_fixed_disk(initrc_t) files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) # Needs to cp localtime to /var dirs files_write_var_dirs(initrc_t) fs_read_tmpfs_symlinks(initrc_t) fs_rw_tmpfs_chr_files(initrc_t) storage_manage_fixed_disk(initrc_t) storage_dev_filetrans_fixed_disk(initrc_t) storage_getattr_removable_dev(initrc_t) # readahead asks for these auth_dontaudit_read_shadow(initrc_t) # init scripts cp /etc/localtime over other directories localtime miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) optional_policy(` alsa_manage_config(initrc_t) ') optional_policy(` abrt_manage_runtime_files(initrc_t) ') optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) bind_setattr_zone_dirs(initrc_t) ') optional_policy(` devicekit_append_inherited_log_files(initrc_t) ') optional_policy(` gnome_manage_gconf_config(initrc_t) ') optional_policy(` pulseaudio_stream_connect(initrc_t) ') optional_policy(` #for /etc/rc.d/init.d/nfs to create /etc/exports rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') optional_policy(` rpcbind_stream_connect(initrc_t) ') optional_policy(` sysnet_rw_dhcp_config(initrc_t) sysnet_manage_config(initrc_t) ') optional_policy(` xserver_delete_log(initrc_t) ') ') ifdef(`distro_suse',` optional_policy(` # set permissions on /tmp/.X11-unix xserver_setattr_xdm_tmp_dirs(initrc_t) ') ') ifdef(`enabled_mls',` optional_policy(` # allow init scripts to su su_restricted_domain_template(initrc, initrc_t, system_r) ') ') ifdef(`init_systemd',` allow initrc_t init_t:system { start status reboot halt reload }; manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t) files_lock_filetrans(initrc_t, initrc_lock_t, file) manage_dirs_pattern(initrc_t, init_runtime_t, init_runtime_t) allow initrc_t init_runtime_t:file create_file_perms; allow initrc_t init_runtime_t:lnk_file create_lnk_file_perms; allow initrc_t init_runtime_t:service { start status }; manage_dirs_pattern(initrc_t, initrc_runtime_t, initrc_runtime_t) manage_chr_files_pattern(initrc_t, initrc_runtime_t, initrc_runtime_t) manage_lnk_files_pattern(initrc_t, initrc_runtime_t, initrc_runtime_t) files_runtime_filetrans(initrc_t, initrc_runtime_t, dir_file_class_set) create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t) allow initrc_t systemd_unit_t:service reload; manage_files_pattern(initrc_t, systemdunit, systemdunit) manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit) allow initrc_t systemdunit:service reload; allow initrc_t init_script_file_type:service { stop start status reload }; # Access to notify socket for services with Type=notify kernel_dgram_send(initrc_t) # run systemd misc initializations # in the initrc_t domain, as would be # done in traditional sysvinit/upstart. corecmd_bin_entry_type(initrc_t) dev_create_generic_dirs(initrc_t) # Allow initrc_t to check /etc/fstab "service." It appears that # systemd is conflating files and services. files_get_etc_unit_status(initrc_t) files_create_runtime_dirs(initrc_t) files_setattr_runtime_dirs(initrc_t) # for logsave in strict configuration fstools_write_log(initrc_t) init_get_all_units_status(initrc_t) init_manage_var_lib_files(initrc_t) init_rw_stream_sockets(initrc_t) # Create /etc/audit.rules.prev after firstboot remediation logging_manage_audit_config(initrc_t) # journalctl: logging_watch_runtime_dirs(initrc_t) logging_manage_runtime_sockets(initrc_t) # lvm2-activation-generator checks file labels seutil_read_file_contexts(initrc_t) systemd_start_power_units(initrc_t) systemd_watch_networkd_runtime_dirs(initrc_t) optional_policy(` # create /var/lock/lvm/ lvm_create_lock_dirs(initrc_t) ') ') optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_runtime_files(initrc_t) ') optional_policy(` dev_rw_acpi_bios(initrc_t) ') optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) # webmin seems to cause this. apache_search_sys_content(daemon) ') optional_policy(` asterisk_setattr_logs(initrc_t) ') optional_policy(` bind_read_config(initrc_t) ') optional_policy(` bluetooth_read_config(initrc_t) ') optional_policy(` cgroup_stream_connect_cgred(initrc_t) domain_setpriority_all_domains(initrc_t) ') optional_policy(` clamav_filetrans_runtime_dir(initrc_t) clamav_read_config(initrc_t) ') optional_policy(` courier_read_config(initrc_t) ') optional_policy(` cpucontrol_stub(initrc_t) dev_getattr_cpu_dev(initrc_t) ') optional_policy(` cron_read_pipes(initrc_t) # managing /etc/cron.d/mailman content cron_manage_system_spool(initrc_t) ') optional_policy(` dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) cups_read_rw_config(initrc_t) #cups init script clears error log cups_write_log(initrc_t) ') optional_policy(` daemontools_manage_svc(initrc_t) ') optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) dbus_manage_lib_files(initrc_t) init_dbus_chat(initrc_t) optional_policy(` networkmanager_dbus_chat(initrc_t) ') optional_policy(` policykit_dbus_chat(initrc_t) ') ') optional_policy(` # /var/run/dovecot/login/ssl-parameters.dat is a hard link to # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up # the directory. But we do not want to allow this. # The master process of dovecot will manage this file. dovecot_dontaudit_unlink_lib_files(initrc_t) ') optional_policy(` ftp_read_config(initrc_t) ') optional_policy(` gpm_setattr_gpmctl(initrc_t) ') optional_policy(` modutils_read_module_deps(initrc_t) ') optional_policy(` inn_exec_config(initrc_t) ') optional_policy(` ipsec_read_config(initrc_t) ipsec_manage_runtime_files(initrc_t) ') optional_policy(` iptables_read_config(initrc_t) ') optional_policy(` iscsi_stream_connect(initrc_t) iscsi_read_lib_files(initrc_t) ') optional_policy(` kerberos_use(initrc_t) ') optional_policy(` knot_read_config_files(initrc_t) ') optional_policy(` ldap_read_config(initrc_t) ldap_list_db(initrc_t) ') optional_policy(` loadkeys_exec(initrc_t) ') optional_policy(` # in emergency/recovery situations use sulogin locallogin_domtrans_sulogin(initrc_t) ') optional_policy(` # This is needed to permit chown to read /var/spool/lpd/lp. # This is opens up security more than necessary; this means that ANYTHING # running in the initrc_t domain can read the printer spool directory. # Perhaps executing /etc/rc.d/init.d/lpd should transition # to domain lpd_t, instead of waiting for executing lpd. lpd_list_spool(initrc_t) lpd_read_config(initrc_t) lpd_manage_spool(init_t) ') optional_policy(` #allow initrc_t lvm_control_t:chr_file unlink; dev_read_lvm_control(initrc_t) dev_create_generic_chr_files(initrc_t) lvm_read_config(initrc_t) ') optional_policy(` mailman_list_data(initrc_t) mailman_read_data_symlinks(initrc_t) ') optional_policy(` modutils_read_module_config(initrc_t) ') optional_policy(` mta_read_config(initrc_t) mta_write_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') optional_policy(` ifdef(`distro_redhat',` mysql_manage_db_dirs(initrc_t) ') mysql_stream_connect(initrc_t) mysql_write_log(initrc_t) mysql_read_config(initrc_t) ') optional_policy(` nis_list_var_yp(initrc_t) ') optional_policy(` openvpn_read_config(initrc_t) ') optional_policy(` plymouthd_stream_connect(initrc_t) ') optional_policy(` postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') optional_policy(` postfix_list_spool(initrc_t) ') optional_policy(` puppet_rw_tmp(initrc_t) ') optional_policy(` quota_manage_flags(initrc_t) ') optional_policy(` raid_manage_mdadm_runtime_files(initrc_t) ') optional_policy(` fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) ') optional_policy(` ftp_filetrans_pure_ftpd_runtime(initrc_t) ') optional_policy(` rpc_read_exports(initrc_t) ') optional_policy(` # bash tries to access a block device in the initrd kernel_dontaudit_getattr_unlabeled_blk_files(initrc_t) # for a bug in rm files_dontaudit_write_all_runtime_files(initrc_t) # bash tries ioctl for some reason files_dontaudit_ioctl_all_runtime_files(initrc_t) ') optional_policy(` samba_rw_config(initrc_t) samba_read_winbind_runtime_files(initrc_t) ') optional_policy(` # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') optional_policy(` squid_read_config(initrc_t) squid_manage_logs(initrc_t) ') optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) ssh_setattr_key_files(initrc_t) ') optional_policy(` stunnel_read_config(initrc_t) ') optional_policy(` sysnet_read_dhcpc_state(initrc_t) ') optional_policy(` udev_manage_runtime_files(initrc_t) udev_manage_runtime_dirs(initrc_t) udev_manage_rules_files(initrc_t) ') optional_policy(` uml_setattr_util_sockets(initrc_t) ') optional_policy(` virt_stream_connect(initrc_t) virt_manage_virt_cache(initrc_t) ') optional_policy(` domain_role_change_exemption(initrc_t) unconfined_domain(initrc_t) optional_policy(` mono_domtrans(initrc_t) ') optional_policy(` rtkit_scheduled(initrc_t) ') ') optional_policy(` rpm_read_db(initrc_t) rpm_delete_db(initrc_t) ') optional_policy(` vmware_read_system_config(initrc_t) vmware_append_system_config(initrc_t) ') optional_policy(` miscfiles_manage_fonts(initrc_t) # cjp: is this really needed? xfs_read_sockets(initrc_t) ') optional_policy(` # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) # init script wants to check if it needs to update windowmanagerlist xserver_read_xdm_rw_config(initrc_t) ') optional_policy(` zebra_read_config(initrc_t) ') ######################################## # # Rules applied to all daemons # domain_dontaudit_use_interactive_fds(daemon) # daemons started from init will # inherit fds from init for the console term_dontaudit_use_console(daemon) init_dontaudit_use_fds(daemon) # init script ptys are the stdin/out/err # when using run_init init_use_script_ptys(daemon) ifdef(`init_systemd',` # Until systemd is fixed allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write }; fs_search_cgroup_dirs(daemon) # need write to /var/run/systemd/notify init_write_runtime_socket(daemon) ') tunable_policy(`init_daemons_use_tty',` term_use_unallocated_ttys(daemon) term_use_generic_ptys(daemon) term_use_all_ttys(daemon) term_use_all_ptys(daemon) ',` term_dontaudit_use_unallocated_ttys(daemon) term_dontaudit_use_generic_ptys(daemon) term_dontaudit_use_all_ttys(daemon) term_dontaudit_use_all_ptys(daemon) ') tunable_policy(`use_nfs_home_dirs',` fs_dontaudit_rw_nfs_files(daemon) ') tunable_policy(`use_samba_home_dirs',` fs_dontaudit_rw_cifs_files(daemon) ') optional_policy(` unconfined_dontaudit_rw_pipes(daemon) unconfined_dontaudit_rw_stream_sockets(daemon) ') optional_policy(` userdom_dontaudit_rw_all_users_stream_sockets(daemon) userdom_dontaudit_read_user_tmp_files(daemon) userdom_dontaudit_write_user_tmp_files(daemon) ') ######################################## # # Rules applied to all system processes # dontaudit systemprocess init_t:unix_stream_socket getattr; optional_policy(` userdom_dontaudit_search_user_home_dirs(systemprocess) userdom_dontaudit_rw_all_users_stream_sockets(systemprocess) userdom_dontaudit_write_user_tmp_files(systemprocess) ')