policy_module(init, 2.9.2)

# passwd:rootok is used directly by an allow rule in the init script
# policy section of this file, so the class must be required here.
gen_require(`
class passwd rootok;
')

########################################
#
# Declarations
#

## <desc>
## <p>
## Enable support for upstart as the init program.
## </p>
## </desc>
gen_tunable(init_upstart, false)

## <desc>
## <p>
## Allow all daemons the ability to read/write terminals
## </p>
## </desc>
gen_tunable(init_daemons_use_tty, false)

## <desc>
## <p>
## Enable systemd to mount on all non-security files.
## </p>
## </desc>
gen_tunable(init_mounton_non_security, false)

# Types that init (under systemd) may getattr and mount on;
# init_runtime_t is added to this set below via init_mountpoint().
attribute init_mountpoint_type;
# Dirs and files that init may getattr and watch (path units).
attribute init_path_unit_loc_type;
# Domains of init scripts (initrc_t) and their entry point file types.
attribute init_script_domain_type;
attribute init_script_file_type;
# Domains allowed to run every init script: they get a domain
# transition to initrc_t on initrc_exec_t and, under systemd,
# start/stop/status on every systemdunit type.
attribute init_run_all_scripts_domain;
# Unit file types that init manages and that scripts may control.
attribute systemdunit;
# init_t carries this attribute; the rules that use it are not in
# this file.
attribute initrc_transition_domain;

# Mark process types as daemons
# Both attributes are used in the systemd block below to let init
# create sockets for these domains and to let them send to init.
attribute daemon;
attribute systemprocess;
Support initrc_t generated pid files with file transition
For some daemons, it is the init script that is responsible for creating
the PID file of the daemon. As we do not want to update the init SELinux
policy module for each of these situations, we need to introduce an
interface that can be called by the SELinux policy module of the caller
(the daemon domain).
The initial suggestion was to transform the init_daemon_run_dir
interface, which offers a similar approach for directories in /run, into
a class-agnostic interface. Several names have been suggested, such as
init_script_spec_run_content or init_script_generic_run_filetrans_spec,
but in the end init_daemon_pid_file was used.
The interface requires the class(es) on which the file transition should
occur, like so:
init_daemon_pid_file(xdm_var_run_t, dir, "xdm")
init_daemon_pid_file(postgresql_var_run_t, file, "postgresql.pid")
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
# Mark file type as a daemon pid file
# Daemon modules add their pid file type to this attribute (through
# the init_daemon_pid_file interface) so that initrc_t can create
# the pid file on behalf of the daemon; see the init script policy
# section below.
attribute daemonpidfile;

#
# init_t is the domain of the init process.
#
type init_t, initrc_transition_domain;
type init_exec_t;
domain_type(init_t)
domain_entry_file(init_t, init_exec_t)
# The kernel domain transitions into init_t when it executes init.
kernel_domtrans_to(init_t, init_exec_t)
role system_r types init_t;

#
# init_runtime_t is the type for /var/run/shutdown.pid and /var/run/systemd.
#
type init_runtime_t alias init_var_run_t;
files_runtime_file(init_runtime_t)
# Adds init_runtime_t to init_mountpoint_type so systemd may mount on it.
init_mountpoint(init_runtime_t)

#
# init_var_lib_t is the type for /var/lib/systemd.
#
type init_var_lib_t;
files_type(init_var_lib_t)

#
# initctl_t is the type of the named pipe created
# by init during initialization. This pipe is used
# to communicate with init.
#
type initctl_t;
files_type(initctl_t)
# MLS trusted object, presumably so that callers at any level can
# write to the control pipe; see the mls interfaces for the exact
# exemption.
mls_trusted_object(initctl_t)

# initrc_t is the domain of init scripts; it is both an init script
# domain and a domain allowed to run all other init scripts.
type initrc_t, init_script_domain_type, init_run_all_scripts_domain;
type initrc_exec_t, init_script_file_type;
init_domain(initrc_t, initrc_exec_t)

# initrc_t is a ranged domain: s0 under MCS, the full range under MLS.
ifdef(`enable_mcs', `
init_ranged_daemon_domain(initrc_t, initrc_exec_t, s0)
')

ifdef(`enable_mls', `
init_ranged_daemon_domain(initrc_t, initrc_exec_t, s0 - mls_systemhigh)
')

init_named_socket_activation(initrc_t, init_runtime_t)
# should be part of the true block
# of the below init_upstart tunable
# but this has a typeattribute in it
corecmd_shell_entry_type(initrc_t)

type initrc_devpts_t;
term_pty(initrc_devpts_t)
files_type(initrc_devpts_t)

type initrc_lock_t;
files_lock_file(initrc_lock_t)

type initrc_runtime_t alias initrc_var_run_t;
files_runtime_file(initrc_runtime_t)

type initrc_state_t;
files_type(initrc_state_t)

type initrc_tmp_t;
files_tmp_file(initrc_tmp_t)

type initrc_var_log_t;
logging_log_file(initrc_var_log_t)

type systemd_unit_t;
init_unit_file(systemd_unit_t)

ifdef(`distro_gentoo',`
# Gentoo: rc_exec_t is a second entry point for initrc_t and init
# transitions to initrc_t when it executes it.
type rc_exec_t;
domain_entry_file(initrc_t, rc_exec_t)
domtrans_pattern(init_t, rc_exec_t, initrc_t)
')

ifdef(`enable_mls',`
# Under MLS the kernel starts init with the full range.
kernel_ranged_domtrans_to(init_t, init_exec_t, s0 - mls_systemhigh)
')
########################################
#
# Init local policy
#

# Use capabilities. old rule:
allow init_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
# NOTE(review): this is every permission of the capability class
# except sys_module. The notes below record only a few observed uses.
# Note also that unconfined_domain(init_t) is granted in an
# optional_policy block at the end of this section, so narrowing this
# set only matters on builds without the unconfined module.
allow init_t self:capability2 { wake_alarm block_suspend };
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
# kill: now provided by domain_kill_all_domains()
# setuid (from /sbin/shutdown)
# sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot()
allow init_t self:fifo_file rw_fifo_file_perms;

# Re-exec itself
can_exec(init_t, init_exec_t)

allow init_t initrc_t:unix_stream_socket connectto;

# For /var/run/shutdown.pid.
allow init_t init_runtime_t:file manage_file_perms;
files_runtime_filetrans(init_t, init_runtime_t, file)

# for /run/initctl
allow init_t init_runtime_t:fifo_file manage_fifo_file_perms;

# for systemd to manage service file symlinks
allow init_t init_runtime_t:lnk_file manage_lnk_file_perms;

# The initctl_t control pipe may be created either under /dev or
# under the runtime directory.
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
files_runtime_filetrans(init_t, initctl_t, fifo_file)

# Modify utmp.
allow init_t initrc_runtime_t:file { rw_file_perms setattr };

kernel_read_system_state(init_t)
kernel_share_state(init_t)
kernel_dontaudit_search_unlabeled(init_t)

corecmd_exec_chroot(init_t)
corecmd_exec_bin(init_t)

dev_read_sysfs(init_t)
# Early devtmpfs
dev_rw_generic_chr_files(init_t)

# init reaps and signals every domain on the system.
domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
domain_getattr_all_domains(init_t)
domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)

files_read_etc_files(init_t)
files_mmap_read_kernel_modules(init_t)
files_rw_runtime_files(init_t)
files_manage_etc_runtime_files(init_t)
files_etc_filetrans_etc_runtime(init_t, file)
# Run /etc/X11/prefdm:
files_exec_etc_files(init_t)
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)

fs_getattr_xattr_fs(init_t)
fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)

mcs_process_set_categories(init_t)
mcs_killall(init_t)

# init works across all MLS levels for files, processes and fds.
mls_file_read_all_levels(init_t)
mls_file_write_all_levels(init_t)
mls_process_write_all_levels(init_t)
mls_fd_use_all_levels(init_t)
mls_process_set_level(init_t)

# the following one is needed for libselinux:is_selinux_enabled()
# otherwise the call fails and sysvinit tries to load the policy
# again when using the initramfs
selinux_get_fs_mount(init_t)
# NOTE(review): init may set every policy boolean; nothing in this
# file restricts which ones.
selinux_set_all_booleans(init_t)

term_use_all_terms(init_t)

libs_rw_ld_so_cache(init_t)

logging_send_syslog_msg(init_t)
logging_rw_generic_logs(init_t)
logging_create_devlog(init_t)

seutil_read_config(init_t)
seutil_read_default_contexts(init_t)

miscfiles_read_localization(init_t)
ifdef(`init_systemd',`
# handle instances where an old labeled init script is encountered.
# This also gives init_t the domtrans to initrc_t on initrc_exec_t
# and service control on systemdunit, granted to the attribute below.
typeattribute init_t init_run_all_scripts_domain;

allow init_t self:unix_dgram_socket { create_socket_perms sendto };
allow init_t self:process { setsockcreate setfscreate setrlimit };
allow init_t self:process { getcap setcap getsched setsched };
# NOTE(review): the two self:process rules above are a strict subset
# of the self:process rule further down in this block (the one
# annotated for systemd --user) and could be folded into it.
allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
allow init_t self:netlink_selinux_socket create_socket_perms;
allow init_t self:system { status reboot halt reload };
# Until systemd is fixed
allow init_t self:udp_socket create_socket_perms;
allow init_t self:netlink_route_socket create_netlink_socket_perms;
allow init_t initrc_t:unix_dgram_socket create_socket_perms;
# NOTE(review): audit_read is granted again below together with
# block_suspend; one of the two rules is redundant.
allow init_t self:capability2 audit_read;
allow init_t self:key { search setattr write };
# NOTE(review): init may create and load BPF programs, presumably for
# the cgroup based filtering systemd applies to services; confirm
# that prog_run is actually required.
allow init_t self:bpf { map_create map_read map_write prog_load prog_run };

# Mount targets: only types marked init_mountpoint_type, unless the
# init_mounton_non_security tunable at the end of this block is on.
allow init_t init_mountpoint_type:dir_file_class_set { getattr mounton };

# Locations watched by path units.
allow init_t init_path_unit_loc_type:{ dir file } { getattr watch };

# for /run/systemd/inaccessible/{chr,blk}
allow init_t init_runtime_t:blk_file create_blk_file_perms;
allow init_t init_runtime_t:chr_file create_chr_file_perms;

# dyntransition lets init_t switch directly into any systemprocess
# domain without an exec; siginh keeps pending signal state across
# the transition instead of clearing it.
allow init_t systemprocess:process { dyntransition siginh };
allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
allow init_t systemprocess:unix_dgram_socket create_socket_perms;

# setexec and setkeycreate for systemd --user
allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setexec setkeycreate setcap setrlimit };
allow init_t self:capability2 { audit_read block_suspend };
allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
allow init_t self:unix_dgram_socket lock;

allow init_t init_runtime_t:sock_file manage_sock_file_perms;

# Socket activation: init creates the listening sockets for daemons
# and daemons report back to init over unix sockets.
allow init_t daemon:unix_stream_socket create_stream_socket_perms;
allow init_t daemon:unix_dgram_socket create_socket_perms;
allow init_t daemon:tcp_socket create_stream_socket_perms;
allow init_t daemon:udp_socket create_socket_perms;
allow daemon init_t:unix_dgram_socket sendto;

# initrc_t (and init_t, see the typeattribute above) may start, stop
# and query every unit type.
allow init_run_all_scripts_domain systemdunit:service { status start stop };

allow systemprocess init_t:unix_dgram_socket sendto;
allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };

allow daemon init_t:unix_stream_socket { append write read getattr ioctl };

allow init_t init_runtime_t:{ dir file } watch;
# NOTE(review): the file pattern below overlaps the
# init_runtime_t:file manage_file_perms rule in the common section.
manage_files_pattern(init_t, init_runtime_t, init_runtime_t)
manage_lnk_files_pattern(init_t, init_runtime_t, init_runtime_t)
manage_sock_files_pattern(init_t, init_runtime_t, init_runtime_t)
manage_dirs_pattern(init_t, init_runtime_t, init_runtime_t)
# /memfd:systemd-state
fs_tmpfs_filetrans(init_t, init_runtime_t, file)

# init manages unit files of every systemdunit type inside
# systemd_unit_t directories.
manage_files_pattern(init_t, systemd_unit_t, systemdunit)

manage_dirs_pattern(init_t, systemd_unit_t, systemd_unit_t)
manage_lnk_files_pattern(init_t, systemd_unit_t, systemd_unit_t)
allow init_t systemd_unit_t:dir relabel_dir_perms;

kernel_dyntrans_to(init_t)
kernel_read_network_state(init_t)
kernel_stream_connect(init_t)
kernel_getattr_proc(init_t)
kernel_read_fs_sysctls(init_t)
kernel_list_unlabeled(init_t)
# NOTE(review): if this interface grants sys_module, the ~sys_module
# question in the capability comment of the common section is moot
# under systemd; confirm against the kernel interface file.
kernel_load_module(init_t)
kernel_rw_kernel_sysctl(init_t)
kernel_rw_net_sysctls(init_t)
kernel_read_all_sysctls(init_t)
kernel_read_software_raid_state(init_t)
kernel_unmount_debugfs(init_t)
kernel_search_key(init_t)
kernel_setsched(init_t)
kernel_link_key(init_t)
kernel_rw_unix_sysctls(init_t)

# run systemd misc initializations
# in the initrc_t domain, as would be
# done in traditional sysvinit/upstart.
corecmd_bin_domtrans(init_t, initrc_t)
corecmd_shell_domtrans(init_t, initrc_t)

dev_manage_input_dev(init_t)
dev_relabel_all_sysfs(init_t)
dev_relabel_generic_symlinks(init_t)
dev_write_kmsg(init_t)
dev_write_urand(init_t)
dev_rw_lvm_control(init_t)
dev_rw_autofs(init_t)
dev_manage_generic_symlinks(init_t)
dev_manage_generic_dirs(init_t)
# NOTE(review): this rule, dev_read_usbfs(initrc_t) and
# files_read_boot_files(initrc_t) below are initrc_t rules placed in
# the init_t systemd block; the other initrc_t rules live in the
# init script policy section at the end of this file.
dev_manage_null_service(initrc_t)
dev_read_generic_chr_files(init_t)
dev_relabel_generic_dev_dirs(init_t)
dev_relabel_all_dev_nodes(init_t)
dev_relabel_all_dev_files(init_t)
dev_manage_sysfs_dirs(init_t)
dev_relabel_sysfs_dirs(init_t)
dev_read_usbfs(initrc_t)
# sandbox
dev_create_null_dev(init_t)
dev_create_zero_dev(init_t)
dev_create_rand_dev(init_t)
dev_create_urand_dev(init_t)
# systemd writes to /dev/watchdog on shutdown
dev_write_watchdog(init_t)

domain_read_all_domains_state(init_t)
# for starting systemd --user in the right domain:
domain_subj_id_change_exemption(init_t)
domain_role_change_exemption(init_t)

files_getattr_all_dirs(init_t)
files_getattr_all_files(init_t)
files_getattr_all_pipes(init_t)
files_getattr_all_sockets(init_t)
files_read_all_symlinks(init_t)
files_read_all_runtime_files(init_t)
files_list_usr(init_t)
files_list_var(init_t)
files_list_var_lib(init_t)
files_watch_root_dirs(init_t)
files_search_runtime(init_t)
files_relabel_all_runtime_dirs(init_t)
files_relabel_all_runtime_files(init_t)
files_relabel_all_runtime_symlinks(init_t)
files_relabel_all_runtime_sockets(init_t)
files_relabelto_etc_runtime_dirs(init_t)
files_relabelto_etc_runtime_files(init_t)
files_read_all_locks(init_t)
files_search_kernel_modules(init_t)
files_create_all_runtime_pipes(init_t)
files_create_all_runtime_sockets(init_t)
files_create_all_spool_sockets(init_t)
files_create_lock_dirs(init_t)
files_watch_runtime_dirs(init_t)
files_delete_runtime_symlinks(init_t)
files_delete_all_runtime_files(init_t)
files_delete_all_runtime_dirs(init_t)
files_delete_all_runtime_sockets(init_t)
files_delete_all_runtime_pipes(init_t)
files_delete_all_spool_sockets(init_t)
files_exec_runtime(init_t)
files_list_locks(init_t)
files_list_spool(init_t)
files_manage_all_runtime_dirs(init_t)
files_manage_generic_tmp_dirs(init_t)
files_manage_urandom_seed(init_t)
files_read_boot_files(initrc_t)
files_relabel_all_lock_dirs(init_t)
files_search_all(init_t)
files_unmount_all_file_type_fs(init_t)
# If /etc/localtime is missing, a watch on /etc is added.
files_watch_etc_dirs(init_t)
files_watch_etc_symlinks(init_t)

fs_relabel_cgroup_dirs(init_t)
fs_list_auto_mountpoints(init_t)
fs_mount_autofs(init_t)
fs_manage_hugetlbfs_dirs(init_t)
fs_getattr_tmpfs(init_t)
fs_read_tmpfs_files(init_t)
fs_relabel_cgroup_symlinks(init_t)
fs_relabel_pstore_dirs(init_t)
fs_dontaudit_getattr_xattr_fs(init_t)
fs_create_cgroup_links(init_t)
fs_watch_cgroup_files(init_t)
fs_getattr_all_fs(init_t)
fs_manage_cgroup_dirs(init_t)
fs_manage_cgroup_files(init_t)
fs_manage_tmpfs_dirs(init_t)
fs_mount_all_fs(init_t)
fs_remount_all_fs(init_t)
fs_relabelfrom_tmpfs_symlinks(init_t)
fs_unmount_all_fs(init_t)
# for privatetmp functions
fs_relabel_tmpfs_dirs(init_t)
fs_relabel_tmpfs_files(init_t)
fs_relabelfrom_tmpfs_sockets(init_t)
fs_manage_tmpfs_symlinks(init_t)
# mount-setup
fs_unmount_autofs(init_t)
fs_getattr_pstore_dirs(init_t)
# for network namespaces
fs_read_nsfs_files(init_t)

init_manage_all_unit_files(init_t)
init_read_script_state(init_t)

miscfiles_watch_localization(init_t)

mount_watch_runtime_dirs(init_t)

# systemd_socket_activated policy
mls_socket_write_all_levels(init_t)
# read from systemd-journal and similar
mls_socket_read_to_clearance(init_t)

selinux_unmount_fs(init_t)
selinux_validate_context(init_t)
selinux_compute_create_context(init_t)
selinux_compute_access_vector(init_t)
# for starting systemd --user in the right domain:
selinux_compute_user_contexts(init_t)
selinux_use_status_page(init_t)

storage_getattr_removable_dev(init_t)

term_relabel_pty_dirs(init_t)

auth_manage_var_auth(init_t)
auth_relabel_login_records(init_t)
auth_relabel_pam_console_data_dirs(init_t)
# init may run the password checking helper (transition to its domain).
auth_domtrans_chk_passwd(init_t)

logging_manage_runtime_sockets(init_t)
logging_relabelto_devlog_sock_files(init_t)
logging_relabel_generic_log_dirs(init_t)
logging_audit_socket_activation(init_t)
logging_use_syslogd_fd(init_t)

# lvm2-activation-generator checks file labels
seutil_read_file_contexts(init_t)

sysnet_read_config(init_t)

systemd_getattr_updated_runtime(init_t)
systemd_manage_passwd_runtime_symlinks(init_t)
systemd_use_passwd_agent(init_t)
systemd_list_tmpfiles_conf(init_t)
systemd_relabelto_tmpfiles_conf_dirs(init_t)
systemd_relabelto_tmpfiles_conf_files(init_t)
systemd_relabelto_journal_dirs(init_t)
systemd_relabelto_journal_files(init_t)
systemd_rw_networkd_netlink_route_sockets(init_t)

term_create_devpts_dirs(init_t)
term_create_ptmx(init_t)
term_create_controlling_term(init_t)

# udevd is a "systemd kobject uevent socket activated daemon"
udev_create_kobject_uevent_sockets(init_t)

# for systemd to read udev status
udev_read_runtime_files(init_t)

udev_relabelto_db_sockets(init_t)

# Off by default: widens the mounton targets from init_mountpoint_type
# to all non-security file types.
tunable_policy(`init_mounton_non_security',`
files_mounton_non_security(init_t)
')

optional_policy(`
clock_read_adjtime(init_t)
')

optional_policy(`
systemd_dbus_chat_logind(init_t)
systemd_search_all_user_keys(init_t)
systemd_create_all_user_keys(init_t)
systemd_write_all_user_keys(init_t)
')

optional_policy(`
dbus_connect_system_bus(init_t)
')

optional_policy(`
# for systemd --user:
unconfined_search_keys(init_t)
unconfined_create_keys(init_t)
unconfined_write_keys(init_t)
')
',`
# Non-systemd init (sysvinit or upstart).
tunable_policy(`init_upstart',`
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
# causes problems with upstart
ifndef(`distro_debian',`
sysadm_shell_domtrans(init_t)
')
')
')
ifdef(`distro_debian',`
# Debian creates the initctl pipe and utmp on tmpfs with fixed names.
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")

# NOTE(review): widens the common utmp rule (rw_file_perms setattr)
# to full manage_file_perms on Debian.
allow init_t initrc_runtime_t:file manage_file_perms;
fs_tmpfs_filetrans(init_t, initrc_runtime_t, file, "utmp")
fs_manage_tmpfs_files(initrc_t)

sysnet_manage_config(initrc_t)

optional_policy(`
postfix_read_config(initrc_t)
')
')

ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };

# initrc_t may execute the rc binary (rc_exec_t) without a transition.
init_exec_rc(initrc_t)
')

ifdef(`distro_redhat',`
fs_read_tmpfs_symlinks(init_t)
fs_rw_tmpfs_chr_files(init_t)
# Same as Debian but without a fixed file name.
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
')

optional_policy(`
modutils_read_module_config(init_t)
modutils_read_module_deps(init_t)
')

optional_policy(`
auth_rw_login_records(init_t)
')

optional_policy(`
dbus_system_bus_client(init_t)

optional_policy(`
unconfined_dbus_send(init_t)
')
')

optional_policy(`
nscd_use(init_t)
')

optional_policy(`
shutdown_domtrans(init_t)
')

optional_policy(`
sssd_stream_connect(init_t)
')

optional_policy(`
udev_read_db(init_t)
udev_relabelto_db(init_t)
')

# NOTE(review): when the unconfined module is loaded init_t becomes
# an unconfined domain and the rules above in this section only
# matter for what is audited; without it they are the whole grant.
optional_policy(`
unconfined_domain(init_t)
')
########################################
#
# Init script local policy
#

allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
# Same capability set as init_t: every capability class permission
# except sys_module, which is dontaudited just below.
allow initrc_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
allow initrc_t self:capability2 { wake_alarm block_suspend };
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
# Requires the passwd class declared in gen_require at the top of
# this file.
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;

# Allow IPC with self
allow initrc_t self:unix_dgram_socket create_socket_perms;
# NOTE(review): this explicit list appears to equal
# { create_stream_socket_perms connectto }, the form used for init_t
# in the systemd block; using the permission set would be clearer.
allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto };
allow initrc_t self:tcp_socket create_stream_socket_perms;
allow initrc_t self:udp_socket create_socket_perms;
allow initrc_t self:fifo_file rw_fifo_file_perms;

# Init scripts get their own pty type.
allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
term_create_pty(initrc_t, initrc_devpts_t)

# Going to single user mode
init_telinit(initrc_t)

# Run any init script entry point type without a domain change.
can_exec(initrc_t, init_script_file_type)
Support initrc_t generated pid files with file transition
For some daemons, it is the init script that is responsible for creating
the PID file of the daemon. As we do not want to update the init SELinux
policy module for each of these situations, we need to introduce an
interface that can be called by the SELinux policy module of the caller
(the daemon domain).
The initial suggestion was to transform the init_daemon_run_dir
interface, which offers a similar approach for directories in /run, into
a class-agnostic interface. Several names have been suggested, such as
init_script_spec_run_content or init_script_generic_run_filetrans_spec,
but in the end init_daemon_pid_file was used.
The interface requires the class(es) on which the file transition should
occur, like so:
init_daemon_pid_file(xdm_var_run_t, dir, "xdm")
init_daemon_pid_file(postgresql_var_run_t, file, "postgresql.pid")
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-06-25 19:53:00 +00:00
|
|
|
# daemonpidfile is an attribute that a daemon module attaches to its own pid
# file type through init_daemon_pid_file(), so that initrc_t can create the
# pid file when it is the init script rather than the daemon that writes it.
# Every type placed on the attribute becomes fully manageable from initrc_t
# (see the rules that follow), so it should only be applied to pid file
# types and never to wider runtime or state content.
create_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
manage_files_pattern(initrc_t, daemonpidfile, daemonpidfile)
setattr_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
# Any domain carrying the init_run_all_scripts_domain attribute enters
# initrc_t by executing an initrc_exec_t file, and so gains the complete
# initrc_t privilege set declared above. Granting that attribute to a domain
# is equivalent to letting it run anything initrc_t can run; treat each new
# holder as a privilege escalation review.
domtrans_pattern(init_run_all_scripts_domain, initrc_exec_t, initrc_t)
manage_dirs_pattern(initrc_t, initrc_state_t, initrc_state_t)
manage_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
manage_lnk_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_runtime_t:file manage_file_perms;
files_runtime_filetrans(initrc_t, initrc_runtime_t, file)
allow initrc_t daemon:process siginh;
can_exec(initrc_t, initrc_tmp_t)
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
allow initrc_t initrc_tmp_t:dir relabelfrom;
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
logging_log_filetrans(initrc_t, initrc_var_log_t, dir)
init_write_initctl(initrc_t)
kernel_read_system_state(initrc_t)
kernel_read_software_raid_state(initrc_t)
kernel_read_network_state(initrc_t)
kernel_read_ring_buffer(initrc_t)
kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
# Write access to every sysctl, which necessarily includes the security
# relevant ones (kernel hardening and network forwarding knobs, for
# example). A compromised init script can therefore weaken kernel hardening
# from here; this is the cost of not giving sysctl handling its own domain.
# The read-only rule just above is covered by this one.
kernel_rw_all_sysctls(initrc_t)
kernel_use_fds(initrc_t)
# for lsof which is used by alsa shutdown:
kernel_dontaudit_getattr_message_if(initrc_t)
# cjp: not sure why these are here; should use mount policy
kernel_list_unlabeled(initrc_t)
kernel_mounton_unlabeled_dirs(initrc_t)
files_create_lock_dirs(initrc_t)
|
2017-04-29 18:17:30 +00:00
|
|
|
files_manage_all_locks(initrc_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
files_runtime_filetrans_lock_dir(initrc_t, "lock")
|
2006-03-02 23:41:11 +00:00
|
|
|
files_read_kernel_symbol_table(initrc_t)
|
2012-07-12 19:24:43 +00:00
|
|
|
files_setattr_lock_dirs(initrc_t)
|
2005-04-14 20:18:17 +00:00
|
|
|
|
2009-08-05 14:01:06 +00:00
|
|
|
# Execute every executable file type without a transition, except where a
# more specific domain transition rule applies. Combined with the capability
# set at the top of this domain, any binary an init script runs inherits the
# full initrc_t privilege unless it has a domain of its own.
corecmd_exec_all_executables(initrc_t)
|
|
|
|
|
2007-06-27 15:23:21 +00:00
|
|
|
corenet_all_recvfrom_netlabel(initrc_t)
|
2005-06-10 01:01:13 +00:00
|
|
|
corenet_tcp_sendrecv_all_if(initrc_t)
|
|
|
|
corenet_udp_sendrecv_all_if(initrc_t)
|
|
|
|
corenet_tcp_sendrecv_all_nodes(initrc_t)
|
|
|
|
corenet_udp_sendrecv_all_nodes(initrc_t)
|
2005-09-13 13:06:07 +00:00
|
|
|
# Outbound TCP connections to any port, reserved or not; there is no
# per-service port restriction for init scripts.
corenet_tcp_connect_all_ports(initrc_t)
|
2006-05-29 15:04:49 +00:00
|
|
|
corenet_sendrecv_all_client_packets(initrc_t)
|
2005-04-14 20:18:17 +00:00
|
|
|
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_read_rand(initrc_t)
|
|
|
|
dev_read_urand(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
dev_dontaudit_read_kmsg(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
dev_write_kmsg(initrc_t)
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_write_rand(initrc_t)
|
|
|
|
dev_write_urand(initrc_t)
|
2005-09-13 13:06:07 +00:00
|
|
|
dev_rw_sysfs(initrc_t)
|
|
|
|
dev_list_usbfs(initrc_t)
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_read_framebuffer(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
dev_write_framebuffer(initrc_t)
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_read_realtime_clock(initrc_t)
|
2006-01-31 16:08:56 +00:00
|
|
|
dev_read_sound_mixer(initrc_t)
|
|
|
|
dev_write_sound_mixer(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
dev_setattr_generic_dirs(initrc_t)
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_setattr_all_chr_files(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
dev_rw_lvm_control(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
dev_rw_generic_chr_files(initrc_t)
|
2006-01-31 16:08:56 +00:00
|
|
|
dev_delete_lvm_control_dev(initrc_t)
|
2005-09-15 15:34:31 +00:00
|
|
|
dev_manage_generic_symlinks(initrc_t)
|
2005-05-24 15:55:57 +00:00
|
|
|
# Wants to remove udev.tbl:
|
2006-01-31 16:08:56 +00:00
|
|
|
dev_delete_generic_symlinks(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
dev_getattr_all_blk_files(initrc_t)
|
|
|
|
dev_getattr_all_chr_files(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
dev_rw_xserver_misc(initrc_t)
|
2018-07-10 15:03:17 +00:00
|
|
|
dev_map_xserver_misc(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
|
2005-05-05 17:44:11 +00:00
|
|
|
# SIGKILL to any domain. Init scripts commonly take the target pid from a
# pid file, and initrc_t can read every runtime file (see
# files_read_all_runtime_files below); where the pid file is written by the
# daemon itself, a daemon that tampers with it can redirect the kill at an
# arbitrary process. NOTE(review): scripts should check that the pid still
# belongs to the expected program before signalling it.
domain_kill_all_domains(initrc_t)
|
2005-05-30 21:17:20 +00:00
|
|
|
domain_signal_all_domains(initrc_t)
|
|
|
|
domain_signull_all_domains(initrc_t)
|
|
|
|
domain_sigstop_all_domains(initrc_t)
|
|
|
|
domain_sigchld_all_domains(initrc_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
# Read the /proc state of every domain. Together with sys_ptrace from the
# capability set and the mcs and mls read exemptions further down, this
# removes the usual isolation between initrc_t and every other process,
# across categories and levels as well.
domain_read_all_domains_state(initrc_t)
|
2005-09-16 14:54:36 +00:00
|
|
|
domain_getattr_all_domains(initrc_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
domain_getsession_all_domains(initrc_t)
|
2006-02-20 21:33:25 +00:00
|
|
|
domain_use_interactive_fds(initrc_t)
|
2005-05-30 21:17:20 +00:00
|
|
|
# for lsof which is used by alsa shutdown:
|
2005-06-13 17:35:46 +00:00
|
|
|
domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
|
|
|
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
|
2005-11-25 19:38:45 +00:00
|
|
|
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
|
|
|
|
domain_dontaudit_getattr_all_pipes(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
# Exempts initrc_t from the constraint that normally stops a domain from
# creating or relabelling objects with a different SELinux user identity
# than its own (presumably the can_change_object_identity constraint). This
# is needed for scripts that set up files for other identities, but it also
# means identity based object ownership checks do not apply to this domain.
domain_obj_id_change_exemption(initrc_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
|
2005-07-15 15:17:57 +00:00
|
|
|
files_getattr_all_dirs(initrc_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
files_getattr_all_files(initrc_t)
|
2005-07-15 15:17:57 +00:00
|
|
|
files_getattr_all_symlinks(initrc_t)
|
|
|
|
files_getattr_all_pipes(initrc_t)
|
|
|
|
files_getattr_all_sockets(initrc_t)
|
2005-08-05 15:32:27 +00:00
|
|
|
files_purge_tmp(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
# Full management of files under /boot, i.e. kernel and initramfs images.
# Boot chain integrity cannot be enforced against initrc_t by policy alone;
# note the raw disk access also granted under distro_redhat further down.
files_manage_boot_files(initrc_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
files_read_all_runtime_files(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
files_delete_root_files(initrc_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
files_delete_runtime_symlinks(initrc_t)
|
|
|
|
# Delete every runtime (pid, socket, lock) file of every type under /run,
# not just those owned by initrc_t. This is what boot-time cleanup needs,
# but it also means initrc_t can remove the pid or socket file of any
# running daemon.
files_delete_all_runtime_files(initrc_t)
|
|
|
|
files_delete_all_runtime_dirs(initrc_t)
|
|
|
|
files_delete_all_runtime_sockets(initrc_t)
|
|
|
|
files_delete_all_runtime_pipes(initrc_t)
|
2005-06-29 14:26:41 +00:00
|
|
|
files_read_etc_files(initrc_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
files_manage_etc_runtime_files(initrc_t)
|
2009-06-26 14:40:13 +00:00
|
|
|
files_etc_filetrans_etc_runtime(initrc_t, file)
|
2005-06-29 14:26:41 +00:00
|
|
|
files_exec_etc_files(initrc_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
files_read_usr_files(initrc_t)
|
|
|
|
files_manage_urandom_seed(initrc_t)
|
2006-01-31 19:21:01 +00:00
|
|
|
files_manage_generic_spool(initrc_t)
|
2005-07-08 20:44:57 +00:00
|
|
|
# Mount and unmount file systems.
|
|
|
|
# cjp: not sure why these are here; should use mount policy
|
|
|
|
files_list_default(initrc_t)
|
|
|
|
files_mounton_default(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
files_manage_mnt_dirs(initrc_t)
|
|
|
|
files_manage_mnt_files(initrc_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
fs_delete_cgroup_dirs(initrc_t)
|
|
|
|
fs_list_cgroup_dirs(initrc_t)
|
|
|
|
fs_rw_cgroup_files(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
fs_list_inotifyfs(initrc_t)
|
2009-08-05 14:01:06 +00:00
|
|
|
fs_register_binary_executable_type(initrc_t)
|
|
|
|
# rhgb-console writes to ramfs
|
|
|
|
fs_write_ramfs_pipes(initrc_t)
|
|
|
|
# cjp: not sure why these are here; should use mount policy
|
|
|
|
fs_mount_all_fs(initrc_t)
|
|
|
|
fs_unmount_all_fs(initrc_t)
|
|
|
|
# remount is the operation that changes mount options, so this lets an init
# script strip protections such as ro, nosuid or noexec from any filesystem.
# As the comment above says, this belongs in a dedicated mount domain.
fs_remount_all_fs(initrc_t)
|
|
|
|
fs_getattr_all_fs(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
fs_search_all(initrc_t)
|
|
|
|
fs_getattr_nfsd_files(initrc_t)
|
2009-08-05 14:01:06 +00:00
|
|
|
|
|
|
|
# initrc_t needs to do a pidof which requires ptrace
|
|
|
|
# Exempts initrc_t from the MCS ptrace constraint; with the sys_ptrace
# capability granted at the top of this domain it can trace processes in
# any category. NOTE(review): the pidof justification may be stale, reading
# /proc/<pid>/stat and cmdline does not require ptrace access on current
# kernels, so confirm this is still needed before keeping it.
mcs_ptrace_all(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
mcs_file_read_all(initrc_t)
|
|
|
|
mcs_file_write_all(initrc_t)
|
2009-08-05 14:01:06 +00:00
|
|
|
mcs_killall(initrc_t)
|
|
|
|
mcs_process_set_categories(initrc_t)
|
|
|
|
|
|
|
|
mls_file_read_all_levels(initrc_t)
|
|
|
|
# On an MLS system initrc_t is a trusted subject: it may write files at
# every sensitivity level (and read them, per the rule above), so it is able
# to move data between levels and must be treated as part of the TCB.
mls_file_write_all_levels(initrc_t)
|
2014-05-23 18:18:10 +00:00
|
|
|
mls_process_read_all_levels(initrc_t)
|
|
|
|
mls_process_write_all_levels(initrc_t)
|
2009-08-05 14:01:06 +00:00
|
|
|
mls_rangetrans_source(initrc_t)
|
|
|
|
mls_fd_share_all_levels(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
mls_socket_write_to_clearance(initrc_t)
|
2009-08-05 14:01:06 +00:00
|
|
|
|
|
|
|
selinux_get_enforce_mode(initrc_t)
|
|
|
|
|
|
|
|
storage_getattr_fixed_disk_dev(initrc_t)
|
|
|
|
storage_setattr_fixed_disk_dev(initrc_t)
|
|
|
|
storage_setattr_removable_dev(initrc_t)
|
|
|
|
|
|
|
|
# Read/write every terminal device, user ptys included. The note further
# down about sysadm TTYs applies here too: everything in initrc_t shares it.
term_use_all_terms(initrc_t)
|
|
|
|
term_reset_tty_labels(initrc_t)
|
|
|
|
|
|
|
|
# Read/write the login accounting records (utmp/wtmp). These are forensic
# evidence of who logged in when; any init script can alter them from here.
auth_rw_login_records(initrc_t)
|
|
|
|
auth_setattr_login_records(initrc_t)
|
|
|
|
auth_rw_lastlog(initrc_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
auth_read_pam_runtime_files(initrc_t)
|
|
|
|
auth_delete_pam_runtime_files(initrc_t)
|
2009-08-05 14:01:06 +00:00
|
|
|
auth_delete_pam_console_data(initrc_t)
|
2007-12-04 15:05:55 +00:00
|
|
|
auth_use_nsswitch(initrc_t)
|
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
init_get_system_status(initrc_t)
|
|
|
|
init_stream_connect(initrc_t)
|
|
|
|
init_start_all_units(initrc_t)
|
|
|
|
init_stop_all_units(initrc_t)
|
|
|
|
|
2005-06-13 17:35:46 +00:00
|
|
|
# Read/write /etc/ld.so.cache, presumably for ldconfig run from init
# scripts. The cache drives library resolution for every dynamically linked
# process, so this is an integrity-sensitive target.
libs_rw_ld_so_cache(initrc_t)
|
|
|
|
libs_exec_lib_files(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
libs_exec_ld_so(initrc_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
|
2010-03-18 14:19:49 +00:00
|
|
|
logging_send_audit_msgs(initrc_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
logging_send_syslog_msg(initrc_t)
|
2005-09-13 13:06:07 +00:00
|
|
|
logging_manage_generic_logs(initrc_t)
|
2005-05-26 20:38:45 +00:00
|
|
|
logging_read_all_logs(initrc_t)
|
|
|
|
logging_append_all_logs(initrc_t)
|
2006-02-02 21:08:12 +00:00
|
|
|
logging_read_audit_config(initrc_t)
|
2005-04-19 20:43:44 +00:00
|
|
|
|
2005-05-26 20:38:45 +00:00
|
|
|
miscfiles_read_localization(initrc_t)
|
2005-10-13 20:59:36 +00:00
|
|
|
# slapd needs to read cert files from its initscript
|
2017-02-24 01:03:23 +00:00
|
|
|
# NOTE(review): the comment above says slapd only needs to read certificate
# files, but this interface grants full management (create, write, delete)
# of generic certificate files to every init script. If read is really all
# that is needed, a read-only cert interface would match the stated intent
# and keep the trust store out of reach of a compromised script.
miscfiles_manage_generic_cert_files(initrc_t)
|
2005-04-25 21:28:25 +00:00
|
|
|
|
2005-06-14 20:48:34 +00:00
|
|
|
seutil_read_config(initrc_t)
|
2005-04-14 20:18:17 +00:00
|
|
|
|
2008-11-05 16:10:46 +00:00
|
|
|
# Every init script may read files in user home directories, which can
# include private keys and credentials. No comment records which script
# needs this; NOTE(review): identify the consumer and scope the access to
# its own domain if possible.
userdom_read_user_home_content_files(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
# Allow access to the sysadm TTYs. Note that this will give access to the
|
2005-05-19 21:06:06 +00:00
|
|
|
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
|
|
|
|
# started from init should be placed in their own domain.
|
2017-02-24 01:03:23 +00:00
|
|
|
userdom_use_inherited_user_terminals(initrc_t)
|
2005-05-19 21:06:06 +00:00
|
|
|
|
2006-01-16 18:30:14 +00:00
|
|
|
ifdef(`distro_debian',`
|
2016-08-03 05:48:19 +00:00
|
|
|
kernel_getattr_core_if(initrc_t)
|
|
|
|
|
|
|
|
dev_getattr_generic_blk_files(initrc_t)
|
2005-07-08 20:44:57 +00:00
|
|
|
|
2019-09-08 20:55:02 +00:00
|
|
|
fs_tmpfs_filetrans(initrc_t, initrc_runtime_t, dir)
|
2005-07-08 20:44:57 +00:00
|
|
|
|
|
|
|
# for storing state under /dev/shm
|
2006-01-31 20:29:27 +00:00
|
|
|
fs_setattr_tmpfs_dirs(initrc_t)
|
2006-03-02 23:41:11 +00:00
|
|
|
storage_manage_fixed_disk(initrc_t)
|
|
|
|
storage_tmpfs_filetrans_fixed_disk(initrc_t)
|
2005-07-08 20:44:57 +00:00
|
|
|
|
2006-01-31 19:21:01 +00:00
|
|
|
files_setattr_etc_dirs(initrc_t)
|
2013-11-09 09:45:10 +00:00
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
exim_manage_var_lib_files(initrc_t)
|
|
|
|
')
|
2013-11-09 09:45:11 +00:00
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
gdomap_read_config(initrc_t)
|
|
|
|
')
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
minissdpd_read_config(initrc_t)
|
|
|
|
')
|
2005-05-19 21:06:06 +00:00
|
|
|
')
|
|
|
|
|
2005-09-02 14:52:08 +00:00
|
|
|
ifdef(`distro_gentoo',`
|
2006-08-23 03:47:39 +00:00
|
|
|
kernel_dontaudit_getattr_core_if(initrc_t)
|
|
|
|
|
|
|
|
# seed udev /dev
|
|
|
|
# setfscreate lets the domain pick the label of files it creates (for
# seeding /dev here) instead of relying on type transitions; the chosen
# label is still subject to the usual create checks on that type.
allow initrc_t self:process setfscreate;
|
|
|
|
dev_create_null_dev(initrc_t)
|
|
|
|
dev_create_zero_dev(initrc_t)
|
|
|
|
term_create_console_dev(initrc_t)
|
|
|
|
|
2006-09-19 17:02:29 +00:00
|
|
|
# unfortunately /sbin/rc does stupid tricks
|
|
|
|
# with /dev/.rcboot to decide if we are in
|
|
|
|
# early init
|
|
|
|
dev_create_generic_dirs(initrc_t)
|
|
|
|
dev_delete_generic_dirs(initrc_t)
|
2012-10-30 21:51:53 +00:00
|
|
|
dev_setattr_generic_dirs(initrc_t)
|
2006-09-19 17:02:29 +00:00
|
|
|
|
2020-06-27 21:11:48 +00:00
|
|
|
# Gentoo/openrc: full management of every runtime directory type under /run,
# not only the initrc_t types, so an init script can create or remove the
# runtime directory of any daemon.
files_manage_all_runtime_dirs(initrc_t)
|
|
|
|
files_manage_all_runtime_files(initrc_t)
|
|
|
|
files_manage_all_runtime_symlinks(initrc_t)
|
2010-04-24 16:03:16 +00:00
|
|
|
# allow bootmisc to create /var/lock/.keep.
|
|
|
|
files_manage_generic_locks(initrc_t)
|
2012-10-30 21:51:55 +00:00
|
|
|
files_manage_var_symlinks(initrc_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
files_runtime_filetrans(initrc_t, initrc_state_t, dir, "openrc")
|
2010-04-24 16:03:16 +00:00
|
|
|
|
2009-07-30 12:33:43 +00:00
|
|
|
# openrc uses tmpfs for its state data
|
|
|
|
fs_tmpfs_filetrans(initrc_t, initrc_state_t, { dir file fifo_file lnk_file })
|
2010-11-28 08:44:46 +00:00
|
|
|
files_mountpoint(initrc_state_t)
|
2006-08-18 18:20:22 +00:00
|
|
|
|
2006-08-28 02:46:20 +00:00
|
|
|
# init scripts touch this
|
|
|
|
clock_dontaudit_write_adjtime(initrc_t)
|
|
|
|
|
2006-10-15 00:23:06 +00:00
|
|
|
# for integrated run_init to read run_init_type.
|
|
|
|
# happens during boot (/sbin/rc execs init scripts)
|
|
|
|
seutil_read_default_contexts(initrc_t)
|
|
|
|
|
2008-03-20 14:55:17 +00:00
|
|
|
# /lib/rcscripts/net/system.sh rewrites resolv.conf :(
|
2017-04-06 21:37:50 +00:00
|
|
|
sysnet_manage_config(initrc_t)
|
2008-03-20 14:55:17 +00:00
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
optional_policy(`
|
2020-06-27 21:11:48 +00:00
|
|
|
abrt_manage_runtime_files(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2011-02-09 14:27:39 +00:00
|
|
|
alsa_read_lib(initrc_t)
|
2005-10-10 18:11:46 +00:00
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2011-02-09 14:27:39 +00:00
|
|
|
arpwatch_manage_data_files(initrc_t)
|
2005-09-02 14:52:08 +00:00
|
|
|
')
|
2011-02-06 14:42:13 +00:00
|
|
|
|
|
|
|
optional_policy(`
|
2011-02-09 14:27:39 +00:00
|
|
|
dhcpd_setattr_state_files(initrc_t)
|
2011-02-06 14:42:13 +00:00
|
|
|
')
|
2005-09-02 14:52:08 +00:00
|
|
|
')
|
|
|
|
|
2005-06-07 18:45:47 +00:00
|
|
|
ifdef(`distro_redhat',`
|
2005-06-01 13:51:54 +00:00
|
|
|
# this is from kmodule, which should get its own policy:
|
|
|
|
# sys_admin is the broadest capability (mounting, namespaces, many
# privileged ioctls and more); as the comment above says, it is here only
# because kmodule has no policy of its own, and it widens initrc_t on Red Hat
# systems beyond the base set declared at the top of this domain.
allow initrc_t self:capability sys_admin;
|
|
|
|
|
2007-02-16 23:01:42 +00:00
|
|
|
allow initrc_t self:process setfscreate;
|
|
|
|
|
2005-05-31 23:02:11 +00:00
|
|
|
# Red Hat systems seem to have a stray
|
|
|
|
# fd open from the initrd
|
2017-02-24 01:03:23 +00:00
|
|
|
kernel_use_fds(initrc_t)
|
2006-01-31 19:21:01 +00:00
|
|
|
files_dontaudit_read_root_files(initrc_t)
|
2005-04-14 20:18:17 +00:00
|
|
|
|
2005-05-31 23:02:11 +00:00
|
|
|
# These seem to be from the initrd
|
|
|
|
# during device initialization:
|
2006-01-31 16:08:56 +00:00
|
|
|
dev_create_generic_dirs(initrc_t)
|
|
|
|
dev_rwx_zero(initrc_t)
|
2005-05-31 23:02:11 +00:00
|
|
|
storage_raw_read_fixed_disk(initrc_t)
|
|
|
|
# Raw write to fixed disk block devices bypasses filesystem labeling
# entirely: anything on disk, including the bootloader, the policy store and
# files of every type, can be altered. Combined with sys_rawio this makes
# initrc_t on Red Hat systems equivalent to unconfined for integrity purposes.
storage_raw_write_fixed_disk(initrc_t)
|
2005-05-19 21:06:06 +00:00
|
|
|
|
2010-03-18 14:19:49 +00:00
|
|
|
files_create_boot_dirs(initrc_t)
|
2005-05-31 23:02:11 +00:00
|
|
|
files_create_boot_flag(initrc_t)
|
2006-10-31 21:01:48 +00:00
|
|
|
files_rw_boot_symlinks(initrc_t)
|
2005-10-28 14:34:26 +00:00
|
|
|
# wants to read /.fonts directory
|
|
|
|
files_read_default_files(initrc_t)
|
2005-11-11 16:08:03 +00:00
|
|
|
files_mountpoint(initrc_tmp_t)
|
2007-02-16 23:01:42 +00:00
|
|
|
# Needs to cp localtime to /var dirs
|
|
|
|
files_write_var_dirs(initrc_t)
|
2005-11-11 16:08:03 +00:00
|
|
|
|
2010-03-18 14:19:49 +00:00
|
|
|
fs_read_tmpfs_symlinks(initrc_t)
|
2006-02-07 21:48:00 +00:00
|
|
|
fs_rw_tmpfs_chr_files(initrc_t)
|
|
|
|
|
2006-03-02 23:41:11 +00:00
|
|
|
storage_manage_fixed_disk(initrc_t)
|
|
|
|
storage_dev_filetrans_fixed_disk(initrc_t)
|
2006-02-07 21:48:00 +00:00
|
|
|
storage_getattr_removable_dev(initrc_t)
|
2006-01-06 22:51:40 +00:00
|
|
|
|
2005-05-31 23:02:11 +00:00
|
|
|
# readahead asks for these
|
2006-01-06 22:51:40 +00:00
|
|
|
# dontaudit only: /etc/shadow stays unreadable, the denial is just not logged.
auth_dontaudit_read_shadow(initrc_t)
|
2005-09-15 21:03:29 +00:00
|
|
|
|
2007-02-16 23:01:42 +00:00
|
|
|
# init scripts cp /etc/localtime over other directories localtime
|
|
|
|
miscfiles_rw_localization(initrc_t)
|
|
|
|
miscfiles_setattr_localization(initrc_t)
|
|
|
|
miscfiles_relabel_localization(initrc_t)
|
|
|
|
|
2006-02-07 21:48:00 +00:00
|
|
|
miscfiles_read_fonts(initrc_t)
|
|
|
|
miscfiles_read_hwdata(initrc_t)
|
|
|
|
|
2010-03-18 14:19:49 +00:00
|
|
|
optional_policy(`
|
2016-08-14 18:34:19 +00:00
|
|
|
alsa_manage_config(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
')
|
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
optional_policy(`
|
2020-06-27 21:11:48 +00:00
|
|
|
abrt_manage_runtime_files(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-02-02 21:08:12 +00:00
|
|
|
bind_manage_config_dirs(initrc_t)
|
2006-02-07 21:48:00 +00:00
|
|
|
bind_write_config(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
bind_setattr_zone_dirs(initrc_t)
|
|
|
|
')
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
devicekit_append_inherited_log_files(initrc_t)
|
|
|
|
')
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
gnome_manage_gconf_config(initrc_t)
|
|
|
|
')
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
pulseaudio_stream_connect(initrc_t)
|
2005-09-15 21:03:29 +00:00
|
|
|
')
|
2005-10-24 01:53:13 +00:00
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-10-24 01:53:13 +00:00
|
|
|
#for /etc/rc.d/init.d/nfs to create /etc/exports
|
|
|
|
rpc_write_exports(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
rpc_manage_nfs_state_data(initrc_t)
|
2005-10-24 01:53:13 +00:00
|
|
|
')
|
2017-02-24 01:03:23 +00:00
|
|
|
optional_policy(`
|
|
|
|
rpcbind_stream_connect(initrc_t)
|
|
|
|
')
|
2006-02-07 21:48:00 +00:00
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-02-07 21:48:00 +00:00
|
|
|
sysnet_rw_dhcp_config(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
sysnet_manage_config(initrc_t)
|
2006-02-07 21:48:00 +00:00
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-02-07 21:48:00 +00:00
|
|
|
xserver_delete_log(initrc_t)
|
|
|
|
')
|
|
|
|
')
|
|
|
|
|
|
|
|
ifdef(`distro_suse',`
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-02-07 21:48:00 +00:00
|
|
|
# set permissions on /tmp/.X11-unix
|
|
|
|
xserver_setattr_xdm_tmp_dirs(initrc_t)
|
|
|
|
')
|
2005-06-01 13:51:54 +00:00
|
|
|
')
|
2005-05-13 14:37:13 +00:00
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
ifdef(`enabled_mls',`
|
|
|
|
optional_policy(`
|
|
|
|
# allow init scripts to su
|
|
|
|
su_restricted_domain_template(initrc, initrc_t, system_r)
|
|
|
|
')
|
|
|
|
')
|
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
ifdef(`init_systemd',`
|
2017-04-21 00:00:34 +00:00
|
|
|
# Under systemd, any init script can reboot or halt the machine and reload
# the manager configuration (which picks up unit file changes; see the unit
# file management rules below).
allow initrc_t init_t:system { start status reboot halt reload };
|
2017-10-12 21:42:23 +00:00
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
|
|
|
|
files_lock_filetrans(initrc_t, initrc_lock_t, file)
|
|
|
|
|
2019-09-08 20:55:02 +00:00
|
|
|
manage_dirs_pattern(initrc_t, init_runtime_t, init_runtime_t)
|
|
|
|
allow initrc_t init_runtime_t:file create_file_perms;
|
|
|
|
allow initrc_t init_runtime_t:lnk_file create_lnk_file_perms;
|
|
|
|
allow initrc_t init_runtime_t:service { start status };
|
2015-10-23 14:16:59 +00:00
|
|
|
|
2019-09-08 20:55:02 +00:00
|
|
|
manage_dirs_pattern(initrc_t, initrc_runtime_t, initrc_runtime_t)
|
|
|
|
manage_chr_files_pattern(initrc_t, initrc_runtime_t, initrc_runtime_t)
|
|
|
|
manage_lnk_files_pattern(initrc_t, initrc_runtime_t, initrc_runtime_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
files_runtime_filetrans(initrc_t, initrc_runtime_t, dir_file_class_set)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
|
|
|
create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
allow initrc_t systemd_unit_t:service reload;
|
2015-10-23 14:16:59 +00:00
|
|
|
|
|
|
|
# initrc_t may create and rewrite every unit file type carrying the
# systemdunit attribute, and the reload and start rules around this one let
# systemd act on the result. In effect a compromise of anything running in
# initrc_t controls what init launches on the next reload, so further
# narrowing below this line buys little; the real mitigation is to run
# services in their own domains.
manage_files_pattern(initrc_t, systemdunit, systemdunit)
|
|
|
|
manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit)
|
2017-02-24 01:03:23 +00:00
|
|
|
allow initrc_t systemdunit:service reload;
|
|
|
|
allow initrc_t init_script_file_type:service { stop start status reload };
|
2015-10-23 14:16:59 +00:00
|
|
|
|
|
|
|
# run systemd misc initializations
|
|
|
|
# in the initrc_t domain, as would be
|
|
|
|
# done in traditional sysvinit/upstart.
|
|
|
|
# Makes generic bin_t executables a valid entry point into initrc_t.
# Together with a transition rule not visible here, this is presumably how
# a unit whose ExecStart binary has no domain of its own ends up running in
# initrc_t with the full privilege declared at the top of the domain.
corecmd_bin_entry_type(initrc_t)
|
|
|
|
|
2017-04-21 00:00:34 +00:00
|
|
|
dev_create_generic_dirs(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
|
2015-10-20 18:33:56 +00:00
|
|
|
# Allow initrc_t to check /etc/fstab "service." It appears that
|
|
|
|
# systemd is conflating files and services.
|
|
|
|
files_get_etc_unit_status(initrc_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
files_create_runtime_dirs(initrc_t)
|
|
|
|
files_setattr_runtime_dirs(initrc_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
2017-04-21 00:00:34 +00:00
|
|
|
# for logsave in strict configuration
|
|
|
|
fstools_write_log(initrc_t)
|
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
init_get_all_units_status(initrc_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
init_manage_var_lib_files(initrc_t)
|
|
|
|
init_rw_stream_sockets(initrc_t)
|
|
|
|
|
|
|
|
# Create /etc/audit.rules.prev after firstboot remediation
|
|
|
|
# Full management of the audit configuration, not just the creation of
# audit.rules.prev noted above. With the audit_control capability granted at
# the top of this domain, initrc_t can rewrite the audit rules, so the audit
# trail is not tamper-resistant against a compromised init script.
logging_manage_audit_config(initrc_t)
|
2020-01-08 15:51:11 +00:00
|
|
|
# journalctl:
|
|
|
|
logging_watch_runtime_dirs(initrc_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
|
|
|
# lvm2-activation-generator checks file labels
|
|
|
|
seutil_read_file_contexts(initrc_t)
|
|
|
|
|
|
|
|
systemd_start_power_units(initrc_t)
|
2020-01-08 15:51:11 +00:00
|
|
|
systemd_watch_networkd_runtime_dirs(initrc_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
# create /var/lock/lvm/
|
|
|
|
lvm_create_lock_dirs(initrc_t)
|
|
|
|
')
|
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-03-07 21:15:24 +00:00
|
|
|
amavis_search_lib(initrc_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
amavis_setattr_runtime_files(initrc_t)
|
2006-03-07 21:15:24 +00:00
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2017-04-26 10:36:20 +00:00
|
|
|
dev_rw_acpi_bios(initrc_t)
|
2005-07-08 20:44:57 +00:00
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-10-05 21:17:22 +00:00
|
|
|
apache_read_config(initrc_t)
|
|
|
|
apache_list_modules(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
# webmin seems to cause this.
|
|
|
|
apache_search_sys_content(daemon)
|
2005-10-05 21:17:22 +00:00
|
|
|
')
|
|
|
|
|
2012-03-26 18:50:52 +00:00
|
|
|
optional_policy(`
|
|
|
|
asterisk_setattr_logs(initrc_t)
|
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-08-23 17:26:19 +00:00
|
|
|
bind_read_config(initrc_t)
|
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-01-06 22:51:40 +00:00
|
|
|
bluetooth_read_config(initrc_t)
|
2005-10-07 21:45:04 +00:00
|
|
|
')
|
|
|
|
|
2010-06-07 18:25:59 +00:00
|
|
|
optional_policy(`
|
2010-08-08 10:05:41 +00:00
|
|
|
cgroup_stream_connect_cgred(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
domain_setpriority_all_domains(initrc_t)
|
2010-06-07 18:25:59 +00:00
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-03-07 21:15:24 +00:00
|
|
|
clamav_read_config(initrc_t)
|
|
|
|
')
|
|
|
|
|
2012-09-08 15:45:53 +00:00
|
|
|
optional_policy(`
|
|
|
|
courier_read_config(initrc_t)
|
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-11-08 22:00:30 +00:00
|
|
|
cpucontrol_stub(initrc_t)
|
2006-01-31 16:08:56 +00:00
|
|
|
dev_getattr_cpu_dev(initrc_t)
|
2005-09-20 18:15:35 +00:00
|
|
|
')
|
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
optional_policy(`
|
|
|
|
cron_read_pipes(initrc_t)
|
|
|
|
# managing /etc/cron.d/mailman content
|
|
|
|
cron_manage_system_spool(initrc_t)
|
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-06-08 17:18:25 +00:00
|
|
|
dev_getattr_printer_dev(initrc_t)
|
|
|
|
|
2005-11-29 21:27:15 +00:00
|
|
|
cups_read_log(initrc_t)
|
2006-06-08 17:18:25 +00:00
|
|
|
cups_read_rw_config(initrc_t)
|
2006-09-28 14:37:29 +00:00
|
|
|
#cups init script clears error log
|
|
|
|
cups_write_log(initrc_t)
|
2005-11-29 21:27:15 +00:00
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-01-16 18:30:14 +00:00
|
|
|
daemontools_manage_svc(initrc_t)
|
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-10-28 14:34:26 +00:00
|
|
|
dbus_connect_system_bus(initrc_t)
|
2008-11-05 16:10:46 +00:00
|
|
|
dbus_system_bus_client(initrc_t)
|
2006-01-06 22:51:40 +00:00
|
|
|
dbus_read_config(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
dbus_manage_lib_files(initrc_t)
|
|
|
|
|
|
|
|
init_dbus_chat(initrc_t)
|
2005-10-28 14:34:26 +00:00
|
|
|
|
2010-03-18 14:19:49 +00:00
|
|
|
optional_policy(`
|
|
|
|
consolekit_dbus_chat(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
consolekit_manage_log(initrc_t)
|
2010-03-18 14:19:49 +00:00
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-11-25 16:43:03 +00:00
|
|
|
networkmanager_dbus_chat(initrc_t)
|
2005-10-28 14:34:26 +00:00
|
|
|
')
|
2010-03-18 14:19:49 +00:00
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
policykit_dbus_chat(initrc_t)
|
|
|
|
')
|
2005-10-28 14:34:26 +00:00
|
|
|
')
|
|
|
|
|
2008-02-25 19:31:03 +00:00
|
|
|
optional_policy(`
|
|
|
|
# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
|
|
|
|
# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
|
|
|
|
# the directory. But we do not want to allow this.
|
|
|
|
# The master process of dovecot will manage this file.
|
|
|
|
dovecot_dontaudit_unlink_lib_files(initrc_t)
|
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-09-27 22:29:45 +00:00
|
|
|
ftp_read_config(initrc_t)
|
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-08-17 21:28:31 +00:00
|
|
|
gpm_setattr_gpmctl(initrc_t)
|
|
|
|
')
|
|
|
|
|
2010-03-18 14:19:49 +00:00
|
|
|
optional_policy(`
|
|
|
|
hal_write_log(initrc_t)
|
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-05-31 23:02:11 +00:00
|
|
|
# init scripts run /etc/hotplug/usb.rc
|
|
|
|
hotplug_read_config(initrc_t)
|
|
|
|
|
2006-02-02 21:08:12 +00:00
|
|
|
modutils_read_module_deps(initrc_t)
|
2005-05-19 21:06:06 +00:00
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-09-08 13:23:11 +00:00
|
|
|
inn_exec_config(initrc_t)
|
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-07-18 18:31:49 +00:00
|
|
|
ipsec_read_config(initrc_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
ipsec_manage_runtime_files(initrc_t)
|
2005-07-18 18:31:49 +00:00
|
|
|
')
|
|
|
|
|
2017-04-29 18:17:30 +00:00
|
|
|
optional_policy(`
|
|
|
|
iptables_read_config(initrc_t)
|
|
|
|
')
|
|
|
|
|
2010-03-18 14:19:49 +00:00
|
|
|
optional_policy(`
|
|
|
|
iscsi_stream_connect(initrc_t)
|
|
|
|
iscsi_read_lib_files(initrc_t)
|
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-07-01 13:31:34 +00:00
|
|
|
kerberos_use(initrc_t)
|
|
|
|
')
|
|
|
|
|
2019-07-10 12:54:01 +00:00
|
|
|
optional_policy(`
|
|
|
|
knot_read_config_files(initrc_t)
|
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-08-17 18:33:43 +00:00
|
|
|
ldap_read_config(initrc_t)
|
2006-02-02 21:08:12 +00:00
|
|
|
ldap_list_db(initrc_t)
|
2005-08-17 18:33:43 +00:00
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-08-15 14:46:17 +00:00
|
|
|
loadkeys_exec(initrc_t)
|
|
|
|
')
|
|
|
|
|
2007-07-19 18:57:48 +00:00
|
|
|
optional_policy(`
|
|
|
|
# in emergency/recovery situations use sulogin
|
|
|
|
locallogin_domtrans_sulogin(initrc_t)
|
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-10-22 21:09:03 +00:00
|
|
|
# This is needed to permit chown to read /var/spool/lpd/lp.
|
|
|
|
# This is opens up security more than necessary; this means that ANYTHING
|
|
|
|
# running in the initrc_t domain can read the printer spool directory.
|
|
|
|
# Perhaps executing /etc/rc.d/init.d/lpd should transition
|
|
|
|
# to domain lpd_t, instead of waiting for executing lpd.
|
|
|
|
lpd_list_spool(initrc_t)
|
|
|
|
|
|
|
|
lpd_read_config(initrc_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
# NOTE(review): this is the only rule in this block that targets init_t
# rather than initrc_t. If it is intended (e.g. systemd itself creating the
# spool directory) it deserves a comment saying so; if it is a slip for
# initrc_t it should be fixed, since as written init scripts cannot manage
# the spool while init itself can.
lpd_manage_spool(init_t)
|
2005-10-22 21:09:03 +00:00
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
	#allow initrc_t lvm_control_t:chr_file unlink;
	dev_read_lvm_control(initrc_t)
	# NOTE(review): this permits creating new character device nodes of the
	# generic device type, which is considerably broader than the LVM control
	# node it sits next to -- confirm it is still needed with current LVM/udev.
	dev_create_generic_chr_files(initrc_t)
	lvm_read_config(initrc_t)
')

optional_policy(`
	# Mailman: list the data directory and read symlinks in it; this is not
	# read access to the list data itself.
	mailman_list_data(initrc_t)
	mailman_read_data_symlinks(initrc_t)
')

optional_policy(`
	# Kernel module configuration is read-only here.
	modutils_read_module_config(initrc_t)
')

optional_policy(`
	# MTA configuration is both read and written from init scripts; the
	# spool symlink access is only silenced (dontaudit), not granted.
	mta_read_config(initrc_t)
	mta_write_config(initrc_t)
	mta_dontaudit_read_spool_symlinks(initrc_t)
')
optional_policy(`
	# Only Red Hat-derived builds give the scripts full control of the
	# MySQL database directories; all builds get the narrower set below.
	ifdef(`distro_redhat',`
		mysql_manage_db_dirs(initrc_t)
	')

	mysql_stream_connect(initrc_t)
	mysql_write_log(initrc_t)
	mysql_read_config(initrc_t)
')

optional_policy(`
	# NIS: list the yp directory only.
	nis_list_var_yp(initrc_t)
')
optional_policy(`
	openvpn_read_config(initrc_t)
')

optional_policy(`
	# Connect to the plymouth boot-splash daemon socket.
	plymouthd_stream_connect(initrc_t)
')

optional_policy(`
	# NOTE(review): unlike the MySQL block, full manage access to the
	# PostgreSQL database (create/write/delete, per the manage_ pattern) is
	# granted unconditionally here, i.e. to every script running in initrc_t.
	postgresql_manage_db(initrc_t)
	postgresql_read_config(initrc_t)
')

optional_policy(`
	# Postfix: directory listing of the spool only.
	postfix_list_spool(initrc_t)
')

optional_policy(`
	puppet_rw_tmp(initrc_t)
')

optional_policy(`
	# Quota: manage the quota flag files.
	quota_manage_flags(initrc_t)
')
optional_policy(`
	# mdadm runtime files (RAID assembly at boot).
	raid_manage_mdadm_runtime_files(initrc_t)
')

optional_policy(`
	# The ramfs rules sit here presumably because the rhgb socket lives on
	# a ramfs; they are scoped to ramfs sockets / directory search only.
	fs_write_ramfs_sockets(initrc_t)
	fs_search_ramfs(initrc_t)

	rhgb_rw_stream_sockets(initrc_t)
	rhgb_stream_connect(initrc_t)
')

optional_policy(`
	# Read the NFS exports file.
	rpc_read_exports(initrc_t)
')
optional_policy(`
	# All three rules in this block are dontaudit rules: they only silence
	# the listed denials in the audit log, they do not grant the access.
	# NOTE(review): the interfaces come from base modules (kernel, files), so
	# which optional module this block is conditional on is not evident from
	# the rules themselves.

	# bash tries to access a block device in the initrd
	kernel_dontaudit_getattr_unlabeled_blk_files(initrc_t)

	# for a bug in rm
	files_dontaudit_write_all_runtime_files(initrc_t)

	# bash tries ioctl for some reason
	files_dontaudit_ioctl_all_runtime_files(initrc_t)
')
optional_policy(`
	# Samba configuration is read/write from init scripts; the winbind
	# runtime files are read-only.
	samba_rw_config(initrc_t)
	samba_read_winbind_runtime_files(initrc_t)
')

optional_policy(`
	# shorewall-init script run /var/lib/shorewall/firewall
	# (a domain transition, so the generated firewall script does not
	# execute in initrc_t)
	shorewall_lib_domtrans(initrc_t)
')

optional_policy(`
	squid_read_config(initrc_t)
	squid_manage_logs(initrc_t)
')
optional_policy(`
	# The scripts get no read access to the SSH server keys; the read
	# denial is only silenced. They may change attributes (setattr) on
	# the key files.
	ssh_dontaudit_read_server_keys(initrc_t)
	ssh_setattr_key_files(initrc_t)
')

optional_policy(`
	stunnel_read_config(initrc_t)
')

optional_policy(`
	# Read state left behind by the DHCP client.
	sysnet_read_dhcpc_state(initrc_t)
')

optional_policy(`
	udev_manage_runtime_files(initrc_t)
	udev_manage_runtime_dirs(initrc_t)
	# NOTE(review): full manage access to the udev rules files lets any
	# init script alter how udev handles devices from then on.
	udev_manage_rules_files(initrc_t)
')

optional_policy(`
	uml_setattr_util_sockets(initrc_t)
')

optional_policy(`
	virt_stream_connect(initrc_t)
	virt_manage_virt_cache(initrc_t)
')
# NOTE(review): when this block is compiled in (presumably when the
# unconfined module is loaded), initrc_t becomes an unconfined domain.
# All of the narrowly scoped interface calls above still apply but no
# longer limit anything; on such a build treat them as documentation of
# what the scripts need, not as an isolation boundary.
optional_policy(`
	# per the interface name, exempts initrc_t from the role-change
	# restriction
	domain_role_change_exemption(initrc_t)
	unconfined_domain(initrc_t)

	# The nested blocks below only exist in this unconfined case.
	optional_policy(`
		mono_domtrans(initrc_t)
	')

	optional_policy(`
		rtkit_scheduled(initrc_t)
	')
')
optional_policy(`
	# NOTE(review): besides reading the RPM database, init scripts may
	# delete its files -- a strong permission on the package database.
	rpm_read_db(initrc_t)
	rpm_delete_db(initrc_t)
')

optional_policy(`
	# VMware system configuration: read and append only, no rewrite.
	vmware_read_system_config(initrc_t)
	vmware_append_system_config(initrc_t)
')

optional_policy(`
	miscfiles_manage_fonts(initrc_t)

	# cjp: is this really needed?
	# (xfs here is presumably the X font server module, given the font
	# rule it sits next to, not the filesystem)
	xfs_read_sockets(initrc_t)
')

optional_policy(`
	# Set device ownerships/modes.
	xserver_setattr_console_pipes(initrc_t)

	# init script wants to check if it needs to update windowmanagerlist
	xserver_read_xdm_rw_config(initrc_t)
')

optional_policy(`
	zebra_read_config(initrc_t)
')
########################################
#
# Rules applied to all daemons
#
# Everything below is granted to the daemon attribute, i.e. to every
# process type marked as a daemon, not to one particular service.
#

domain_dontaudit_use_interactive_fds(daemon)

# daemons started from init will
# inherit fds from init for the console
term_dontaudit_use_console(daemon)

init_dontaudit_use_fds(daemon)
# init script ptys are the stdin/out/err
# when using run_init
init_use_script_ptys(daemon)
ifdef(`init_systemd',`
	# Until systemd is fixed
	# NOTE(review): this is a blanket rule -- every daemon gets read/write,
	# ioctl and socket-option access to init_t sockets of every class in
	# socket_class_set, not only to the notify socket handled below.
	# Revisit once the systemd-side fix referred to above has landed.
	allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };

	fs_search_cgroup_dirs(daemon)

	# need write to /var/run/systemd/notify
	init_write_runtime_socket(daemon)
')
# init_daemons_use_tty trades silence for access: when the tunable is on,
# every daemon gets read/write use of all ttys and ptys (including
# unallocated ones and, per the _all_ interfaces, presumably the terminals
# of logged-in users); when it is off, the very same accesses are merely
# dontaudited so the denials stop showing up in the log. Leave it off
# unless a daemon genuinely has to drive a terminal.
tunable_policy(`init_daemons_use_tty',`
	term_use_unallocated_ttys(daemon)
	term_use_generic_ptys(daemon)
	term_use_all_ttys(daemon)
	term_use_all_ptys(daemon)
',`
	term_dontaudit_use_unallocated_ttys(daemon)
	term_dontaudit_use_generic_ptys(daemon)
	term_dontaudit_use_all_ttys(daemon)
	term_dontaudit_use_all_ptys(daemon)
')
# NFS/CIFS home directories: these only silence the denials, no access
# is granted.
tunable_policy(`use_nfs_home_dirs',`
	fs_dontaudit_rw_nfs_files(daemon)
')

tunable_policy(`use_samba_home_dirs',`
	fs_dontaudit_rw_cifs_files(daemon)
')

optional_policy(`
	# dontaudit only: unconfined pipes and stream sockets
	unconfined_dontaudit_rw_pipes(daemon)
	unconfined_dontaudit_rw_stream_sockets(daemon)
')

optional_policy(`
	# dontaudit only: user stream sockets and user tmp files
	userdom_dontaudit_rw_all_users_stream_sockets(daemon)
	userdom_dontaudit_read_user_tmp_files(daemon)
	userdom_dontaudit_write_user_tmp_files(daemon)
')
########################################
#
# Rules applied to all system processes
#
# Everything below is dontaudit only (silences denials, grants nothing)
# and applies to every type carrying the systemprocess attribute.
#

dontaudit systemprocess init_t:unix_stream_socket getattr;

optional_policy(`
	userdom_dontaudit_search_user_home_dirs(systemprocess)
	userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
	userdom_dontaudit_write_user_tmp_files(systemprocess)
')