selinux-refpolicy/refpolicy/policy/modules/system/init.if
2005-06-17 17:59:26 +00:00

434 lines
8.2 KiB
Plaintext

## <module name="init" layer="system">
## <summary>System initialization programs (init and init scripts).</summary>
########################################
#
# init_domain(domain,entrypointfile)
#
define(`init_domain',`
gen_require(`
type init_t;
role system_r;
class fd use;
class fifo_file rw_file_perms;
class process sigchld;
')
domain_type($1)
domain_entry_file($1,$2)
role system_r types $1;
domain_auto_trans(init_t,$2,$1)
allow $1 init_t:fd use;
allow init_t $1:fd use;
allow $1 init_t:fifo_file rw_file_perms;
allow $1 init_t:process sigchld;
# Red Hat systems seem to have a stray
# fd open from the initrd
optional_policy(`distro_redhat',`
kernel_dontaudit_use_fd($1)
files_dontaudit_read_root_file($1)
')
')
########################################
#
# init_daemon_domain(domain,entrypointfile)
#
define(`init_daemon_domain',`
gen_require(`
type initrc_t;
role system_r;
class fifo_file rw_file_perms;
class fd use;
class process sigchld;
')
domain_type($1)
domain_entry_file($1,$2)
role system_r types $1;
domain_auto_trans(initrc_t,$2,$1)
allow initrc_t $1:fd use;
allow $1 initrc_t:fd use;
allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:process sigchld;
# Red Hat systems seem to have a stray
# fd open from the initrd
optional_policy(`distro_redhat',`
kernel_dontaudit_use_fd($1)
files_dontaudit_read_root_file($1)
')
')
########################################
#
# init_system_domain(domain,entrypointfile)
#
define(`init_system_domain',`
gen_require(`
type initrc_t;
role system_r;
class fd use;
class fifo_file rw_file_perms;
class process sigchld;
')
domain_type($1)
domain_entry_file($1,$2)
role system_r types $1;
domain_auto_trans(initrc_t,$2,$1)
allow initrc_t $1:fd use;
allow $1 initrc_t:fd use;
allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:process sigchld;
# Red Hat systems seem to have a stray
# fd open from the initrd
optional_policy(`distro_redhat',`
kernel_dontaudit_use_fd($1)
files_dontaudit_read_root_file($1)
')
')
########################################
#
# init_domtrans(domain)
#
define(`init_domtrans',`
gen_require(`
type init_t, init_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
domain_auto_trans($1,init_exec_t,init_t)
allow $1 init_t:fd use;
allow init_t $1:fd use;
allow init_t $1:fifo_file rw_file_perms;
allow init_t $1:process sigchld;
')
########################################
#
# init_get_process_group(domain)
#
define(`init_get_process_group',`
gen_require(`
type init_t;
class process getpgid;
')
allow $1 init_t:process getpgid;
')
########################################
#
# init_getattr_initctl(domain)
#
define(`init_getattr_initctl',`
gen_require(`
type initctl_t;
class fifo_file getattr;
')
allow $1 initctl_t:fifo_file getattr;
')
########################################
#
# init_dontaudit_getattr_initctl(domain)
#
define(`init_dontaudit_getattr_initctl',`
gen_require(`
type initctl_t;
class fifo_file getattr;
')
dontaudit $1 initctl_t:fifo_file getattr;
')
########################################
#
# init_use_initctl(domain)
#
define(`init_use_initctl',`
gen_require(`
type initctl_t;
class fifo_file rw_file_perms;
')
dev_list_all_dev_nodes($1)
allow $1 initctl_t:fifo_file rw_file_perms;
')
########################################
#
# init_dontaudit_use_initctl(domain)
#
define(`init_dontaudit_use_initctl',`
gen_require(`
type initctl_t;
class fifo_file { read write };
')
dontaudit $1 initctl_t:fifo_file { read write };
')
########################################
#
# init_sigchld(domain)
#
define(`init_sigchld',`
gen_require(`
type init_t;
class process sigchld;
')
allow $1 init_t:process sigchld;
')
########################################
#
# init_use_fd(domain)
#
define(`init_use_fd',`
gen_require(`
type init_t;
class fd use;
')
allow $1 init_t:fd use;
')
########################################
#
# init_dontaudit_use_fd(domain)
#
define(`init_dontaudit_use_fd',`
gen_require(`
type init_t;
class fd use;
')
dontaudit $1 init_t:fd use;
')
########################################
#
# init_domtrans_script(domain)
#
define(`init_domtrans_script',`
gen_require(`
type initrc_t, initrc_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
files_list_etc($1)
domain_auto_trans($1,initrc_exec_t,initrc_t)
allow $1 initrc_t:fd use;
allow initrc_t $1:fd use;
allow initrc_t $1:fifo_file rw_file_perms;
allow initrc_t $1:process sigchld;
')
########################################
#
# init_exec_script(domain)
#
define(`init_exec_script',`
gen_require(`
type initrc_exec_t;
')
files_list_etc($1)
can_exec($1,initrc_exec_t)
')
########################################
## <interface name="init_read_script_process_state">
## <description>
## Read the process state (/proc/pid) of the init scripts.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## </interface>
#
define(`init_read_script_process_state',`
gen_require(`
type initrc_t;
class dir r_dir_perms;
class file r_file_perms;
class lnk_file r_file_perms;
class process { getattr ptrace };
')
#FIXME: search proc dir
allow $1 initrc_t:dir r_dir_perms;
allow $1 initrc_t:{ file lnk_file } r_file_perms;
allow $1 initrc_t:process getattr;
# We need to suppress this denial because procps tries to access
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
# (2.4 and 2.6). Might want to change procps to not do this, or only if
# running in a privileged domain.
dontaudit $1 initrc_t:process ptrace;
')
########################################
#
# init_use_script_fd(domain)
#
define(`init_use_script_fd',`
gen_require(`
type initrc_t;
class fd use;
')
allow $1 initrc_t:fd use;
')
########################################
#
# init_dontaudit_use_script_fd(domain)
#
define(`init_dontaudit_use_script_fd',`
gen_require(`
type initrc_t;
class fd use;
')
dontaudit $1 initrc_t:fd use;
')
########################################
#
# init_get_script_process_group(domain)
#
define(`init_get_script_process_group',`
gen_require(`
type initrc_t;
class process getpgid;
')
allow $1 initrc_t:process getpgid;
')
########################################
#
# init_use_script_pty(domain)
#
define(`init_use_script_pty',`
gen_require(`
type initrc_devpts_t;
class chr_file rw_term_perms;
')
term_list_ptys($1)
allow $1 initrc_devpts_t:chr_file rw_term_perms;
')
########################################
#
# init_dontaudit_use_script_pty(domain)
#
define(`init_dontaudit_use_script_pty',`
gen_require(`
type initrc_devpts_t;
class chr_file { read write ioctl };
')
dontaudit $1 initrc_devpts_t:chr_file { read write ioctl };
')
########################################
## <interface name="init_rw_script_tmp_files">
## <description>
## Read and write init script temporary data.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## </interface>
#
define(`init_rw_script_tmp_files',`
gen_require(`
type initrc_var_run_t;
class file rw_file_perms;
')
# FIXME: read tmp_t dir
allow $1 initrc_tmp_t:file rw_file_perms;
')
########################################
#
# init_read_script_pid(domain)
#
define(`init_read_script_pid',`
gen_require(`
type initrc_var_run_t;
class file r_file_perms;
')
files_list_pids($1)
allow $1 initrc_var_run_t:file r_file_perms;
')
########################################
#
# init_dontaudit_write_script_pid(domain)
#
define(`init_dontaudit_write_script_pid',`
gen_require(`
type initrc_var_run_t;
class file { write lock };
')
dontaudit $1 initrc_var_run_t:file { write lock };
')
########################################
#
# init_rw_script_pid(domain)
#
define(`init_rw_script_pid',`
gen_require(`
type initrc_var_run_t;
class file rw_file_perms;
')
files_list_pids($1)
allow $1 initrc_var_run_t:file rw_file_perms;
')
########################################
#
# init_dontaudit_rw_script_pid(domain)
#
define(`init_dontaudit_rw_script_pid',`
gen_require(`
type initrc_var_run_t;
class file rw_file_perms;
')
dontaudit $1 initrc_var_run_t:file { getattr read write append };
')
## </module>