policy_module(init,1.5.0) gen_require(` class passwd rootok; ') ######################################## # # Declarations # # used for direct running of init scripts # by admin domains attribute direct_run_init; attribute direct_init; attribute direct_init_entry; # Mark process types as daemons attribute daemon; # # init_t is the domain of the init process. # type init_t; type init_exec_t; domain_type(init_t) domain_entry_file(init_t,init_exec_t) kernel_domtrans_to(init_t,init_exec_t) role system_r types init_t; # # init_var_run_t is the type for /var/run/shutdown.pid. # type init_var_run_t; files_pid_file(init_var_run_t) # # initctl_t is the type of the named pipe created # by init during initialization. This pipe is used # to communicate with init. # type initctl_t; files_type(initctl_t) mls_trusted_object(initctl_t) type initrc_t; type initrc_exec_t; domain_type(initrc_t) domain_entry_file(initrc_t,initrc_exec_t) role system_r types initrc_t; type initrc_devpts_t; term_pty(initrc_devpts_t) files_type(initrc_devpts_t) type initrc_state_t; files_type(initrc_state_t) type initrc_tmp_t; files_tmp_file(initrc_tmp_t) type initrc_var_run_t; files_pid_file(initrc_var_run_t) ifdef(`enable_mls',` kernel_ranged_domtrans_to(init_t,init_exec_t,s0 - mls_systemhigh) ') ######################################## # # Init local policy # # Use capabilities. old rule: allow init_t self:capability ~sys_module; # is ~sys_module really needed? observed: # sys_boot # sys_tty_config # kill: now provided by domain_kill_all_domains() # setuid (from /sbin/shutdown) # sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot() allow init_t self:fifo_file rw_fifo_file_perms; # Re-exec itself can_exec(init_t,init_exec_t) allow init_t initrc_t:unix_stream_socket connectto; # For /var/run/shutdown.pid. allow init_t init_var_run_t:file manage_file_perms; files_pid_filetrans(init_t,init_var_run_t,file) allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t,initctl_t,fifo_file) fs_associate_tmpfs(initctl_t) # Modify utmp. allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) corecmd_exec_chroot(init_t) corecmd_exec_bin(init_t) corecmd_exec_sbin(init_t) dev_read_sysfs(init_t) domain_kill_all_domains(init_t) domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) files_read_etc_files(init_t) files_rw_generic_pids(init_t) files_dontaudit_search_isid_type_dirs(init_t) files_manage_etc_runtime_files(init_t) files_etc_filetrans_etc_runtime(init_t,file) # Run /etc/X11/prefdm: files_exec_etc_files(init_t) # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) mls_process_write_down(init_t) mls_fd_use_all_levels(init_t) selinux_set_boolean(init_t) term_use_all_terms(init_t) # Run init scripts. init_domtrans_script(init_t) libs_use_ld_so(init_t) libs_use_shared_libs(init_t) libs_rw_ld_so_cache(init_t) logging_send_syslog_msg(init_t) logging_rw_generic_logs(init_t) mcs_killall(init_t) mls_file_read_up(init_t) mls_file_write_down(init_t) mls_rangetrans_target(init_t) seutil_read_config(init_t) miscfiles_read_localization(init_t) ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') ifdef(`distro_redhat',` fs_rw_tmpfs_chr_files(init_t) fs_tmpfs_filetrans(init_t,initctl_t,fifo_file) ') ifdef(`targeted_policy',` unconfined_domain(init_t) ') optional_policy(` auth_rw_login_records(init_t) ') optional_policy(` nscd_socket_use(init_t) ') # Run the shell in the sysadm_t domain for single-user mode. optional_policy(` userdom_shell_domtrans_sysadm(init_t) ') ######################################## # # Init script local policy # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; allow initrc_t self:capability ~{ sys_admin sys_module }; dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; # Allow IPC with self allow initrc_t self:unix_dgram_socket create_socket_perms; allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto }; allow initrc_t self:tcp_socket create_stream_socket_perms; allow initrc_t self:udp_socket create_socket_perms; allow initrc_t self:fifo_file rw_file_perms; allow initrc_t self:netlink_route_socket r_netlink_socket_perms; allow initrc_t initrc_devpts_t:chr_file rw_term_perms; term_create_pty(initrc_t,initrc_devpts_t) # Going to single user mode init_exec(initrc_t) can_exec(initrc_t,initrc_exec_t) manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t) manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t) manage_lnk_files_pattern(initrc_t,initrc_state_t,initrc_state_t) manage_fifo_files_pattern(initrc_t,initrc_state_t,initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t,initrc_var_run_t,file) can_exec(initrc_t,initrc_tmp_t) allow initrc_t initrc_tmp_t:file manage_file_perms; allow initrc_t initrc_tmp_t:dir manage_dir_perms; files_tmp_filetrans(initrc_t,initrc_tmp_t, { file dir }) init_write_initctl(initrc_t) kernel_read_system_state(initrc_t) kernel_read_software_raid_state(initrc_t) kernel_read_network_state(initrc_t) kernel_read_ring_buffer(initrc_t) kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) kernel_rw_all_sysctls(initrc_t) # for lsof which is used by alsa shutdown: kernel_dontaudit_getattr_message_if(initrc_t) files_read_kernel_symbol_table(initrc_t) corenet_non_ipsec_sendrecv(initrc_t) corenet_tcp_sendrecv_all_if(initrc_t) corenet_udp_sendrecv_all_if(initrc_t) corenet_tcp_sendrecv_all_nodes(initrc_t) corenet_udp_sendrecv_all_nodes(initrc_t) corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) dev_read_lvm_control(initrc_t) dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) # Wants to remove udev.tbl: dev_delete_generic_symlinks(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs fs_write_ramfs_pipes(initrc_t) # cjp: not sure why these are here; should use mount policy fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) selinux_get_enforce_mode(initrc_t) storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) storage_setattr_removable_dev(initrc_t) term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) auth_delete_pam_pid(initrc_t) auth_delete_pam_console_data(initrc_t) corecmd_exec_all_executables(initrc_t) domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) domain_signull_all_domains(initrc_t) domain_sigstop_all_domains(initrc_t) domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) domain_dontaudit_ptrace_all_domains(initrc_t) domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) files_delete_all_locks(initrc_t) files_read_all_pids(initrc_t) files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) files_manage_etc_runtime_files(initrc_t) files_etc_filetrans_etc_runtime(initrc_t,file) files_manage_generic_locks(initrc_t) files_exec_etc_files(initrc_t) files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) # Mount and unmount file systems. # cjp: not sure why these are here; should use mount policy files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) libs_rw_ld_so_cache(initrc_t) libs_use_ld_so(initrc_t) libs_use_shared_libs(initrc_t) libs_exec_lib_files(initrc_t) logging_send_syslog_msg(initrc_t) logging_manage_generic_logs(initrc_t) logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript miscfiles_read_certs(initrc_t) mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) mls_file_read_up(initrc_t) mls_file_write_down(initrc_t) mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_rangetrans_target(initrc_t) modutils_read_module_config(initrc_t) modutils_domtrans_insmod(initrc_t) seutil_read_config(initrc_t) sysnet_read_config(initrc_t) userdom_read_all_users_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such # started from init should be placed in their own domain. userdom_use_sysadm_terms(initrc_t) ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) fs_tmpfs_filetrans(initrc_t,initrc_var_run_t,dir) # for storing state under /dev/shm fs_setattr_tmpfs_dirs(initrc_t) storage_manage_fixed_disk(initrc_t) storage_tmpfs_filetrans_fixed_disk(initrc_t) files_setattr_etc_dirs(initrc_t) ') ifdef(`distro_gentoo',` kernel_dontaudit_getattr_core_if(initrc_t) # seed udev /dev allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) dev_create_generic_dirs(initrc_t) term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks # with /dev/.rcboot to decide if we are in # early init dev_create_generic_dirs(initrc_t) dev_delete_generic_dirs(initrc_t) # needed until baselayout is fixed to have the # restorecon on /dev to again be immediately after # mounting tmpfs on /dev fs_tmpfs_filetrans(initrc_t,initrc_state_t,file) # init scripts touch this clock_dontaudit_write_adjtime(initrc_t) # for integrated run_init to read run_init_type. # happens during boot (/sbin/rc execs init scripts) seutil_read_default_contexts(initrc_t) optional_policy(` arpwatch_manage_data_files(initrc_t) ') optional_policy(` dhcpd_setattr_state_files(initrc_t) ') ') ifdef(`distro_redhat',` # this is from kmodule, which should get its own policy: allow initrc_t self:capability sys_admin; # Red Hat systems seem to have a stray # fd open from the initrd kernel_dontaudit_use_fds(initrc_t) files_dontaudit_read_root_files(initrc_t) selinux_set_enforce_mode(initrc_t) # These seem to be from the initrd # during device initialization: dev_create_generic_dirs(initrc_t) dev_rwx_zero(initrc_t) dev_rx_raw_memory(initrc_t) dev_wx_raw_memory(initrc_t) storage_raw_read_fixed_disk(initrc_t) storage_raw_write_fixed_disk(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) fs_rw_tmpfs_chr_files(initrc_t) storage_manage_fixed_disk(initrc_t) storage_dev_filetrans_fixed_disk(initrc_t) storage_getattr_removable_dev(initrc_t) # readahead asks for these auth_dontaudit_read_shadow(initrc_t) miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) ') optional_policy(` #for /etc/rc.d/init.d/nfs to create /etc/exports rpc_write_exports(initrc_t) ') optional_policy(` sysnet_rw_dhcp_config(initrc_t) ') optional_policy(` xserver_delete_log(initrc_t) ') ') ifdef(`distro_suse',` optional_policy(` # set permissions on /tmp/.X11-unix xserver_setattr_xdm_tmp_dirs(initrc_t) ') ') ifdef(`targeted_policy',` domain_subj_id_change_exemption(initrc_t) unconfined_domain(initrc_t) ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited unconfined_dontaudit_rw_pipes(daemon) ') tunable_policy(`allow_daemons_use_tty',` term_use_unallocated_ttys(daemon) term_use_generic_ptys(daemon) ') optional_policy(` mono_domtrans(initrc_t) ') ',` # cjp: require doesnt work in the else of optionals :\ # this also would result in a type transition # conflict if sendmail is enabled # optional_policy(`',` # mta_send_mail(initrc_t) # ') # allow init scripts to su optional_policy(` su_restricted_domain_template(initrc,initrc_t,system_r) ') ') optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) ') optional_policy(` dev_rw_apm_bios(initrc_t) ') optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) ') optional_policy(` automount_exec_config(initrc_t) ') optional_policy(` bind_read_config(initrc_t) # for chmod in start script bind_setattr_pid_dirs(initrc_t) ') optional_policy(` dev_read_usbfs(initrc_t) bluetooth_read_config(initrc_t) ') optional_policy(` clamav_read_config(initrc_t) ') optional_policy(` cpucontrol_stub(initrc_t) dev_getattr_cpu_dev(initrc_t) ') optional_policy(` dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) cups_read_rw_config(initrc_t) #cups init script clears error log cups_write_log(initrc_t) ') optional_policy(` daemontools_manage_svc(initrc_t) ') optional_policy(` dbus_connect_system_bus(initrc_t) dbus_send_system_bus(initrc_t) dbus_system_bus_client_template(initrc,initrc_t) dbus_read_config(initrc_t) optional_policy(` networkmanager_dbus_chat(initrc_t) ') ') optional_policy(` ftp_read_config(initrc_t) ') optional_policy(` gpm_setattr_gpmctl(initrc_t) ') optional_policy(` dev_read_usbfs(initrc_t) # init scripts run /etc/hotplug/usb.rc hotplug_read_config(initrc_t) modutils_read_module_deps(initrc_t) ') optional_policy(` inn_exec_config(initrc_t) ') optional_policy(` ipsec_read_config(initrc_t) ipsec_manage_pid(initrc_t) ') optional_policy(` kerberos_use(initrc_t) ') optional_policy(` ldap_read_config(initrc_t) ldap_list_db(initrc_t) ') optional_policy(` loadkeys_exec(initrc_t) ') optional_policy(` # This is needed to permit chown to read /var/spool/lpd/lp. # This is opens up security more than necessary; this means that ANYTHING # running in the initrc_t domain can read the printer spool directory. # Perhaps executing /etc/rc.d/init.d/lpd should transition # to domain lpd_t, instead of waiting for executing lpd. lpd_list_spool(initrc_t) lpd_read_config(initrc_t) ') optional_policy(` #allow initrc_t lvm_control_t:chr_file unlink; dev_read_lvm_control(initrc_t) dev_create_generic_chr_files(initrc_t) lvm_read_config(initrc_t) ') optional_policy(` mailman_list_data(initrc_t) mailman_read_data_symlinks(initrc_t) ') optional_policy(` mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') optional_policy(` ifdef(`distro_redhat',` mysql_manage_db_dirs(initrc_t) ') mysql_stream_connect(initrc_t) mysql_write_log(initrc_t) ') optional_policy(` nis_use_ypbind(initrc_t) nis_list_var_yp(initrc_t) ') optional_policy(` nscd_socket_use(initrc_t) ') optional_policy(` openvpn_read_config(initrc_t) ') optional_policy(` postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') optional_policy(` postfix_list_spool(initrc_t) ') optional_policy(` quota_manage_flags(initrc_t) ') optional_policy(` raid_manage_mdadm_pid(initrc_t) ') optional_policy(` corecmd_shell_entry_type(initrc_t) fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) rhgb_rw_stream_sockets(initrc_t) rhgb_stream_connect(initrc_t) ') optional_policy(` rpc_read_exports(initrc_t) ') optional_policy(` # bash tries to access a block device in the initrd kernel_dontaudit_getattr_unlabeled_blk_files(initrc_t) # for a bug in rm files_dontaudit_write_all_pids(initrc_t) # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) # why is this needed: rpm_manage_db(initrc_t) ') optional_policy(` samba_rw_config(initrc_t) samba_read_winbind_pid(initrc_t) ') optional_policy(` squid_read_config(initrc_t) squid_manage_logs(initrc_t) ') optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) ') optional_policy(` sysnet_read_dhcpc_state(initrc_t) ') optional_policy(` udev_rw_db(initrc_t) ') optional_policy(` uml_setattr_util_sockets(initrc_t) ') optional_policy(` vmware_read_system_config(initrc_t) vmware_append_system_config(initrc_t) ') optional_policy(` miscfiles_manage_fonts(initrc_t) # cjp: is this really needed? xfs_read_sockets(initrc_t) ') optional_policy(` # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) # init script wants to check if it needs to update windowmanagerlist xserver_read_xdm_rw_config(initrc_t) ') optional_policy(` zebra_read_config(initrc_t) ')